VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=1.4.0 2024-04-02T16:33:59+00:00 2024-04-02T16:33:59+00:00 Christian Breunig christian@breunig.cc 2024-04-01T18:40:16+00:00 urn:sha1:cc208d74567e44d6cffa4fc9fd58bd9bcf050930 Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF. (cherry picked from commit e5af1f0905991103b12302892e6f0070bbb7b770) 2024-01-01T08:25:32+00:00 Christian Breunig christian@breunig.cc 2023-12-30T22:25:20+00:00 urn:sha1:c9eaafd9f808aba8d29be73054e11d37577e539a We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465) 2023-02-24T18:07:18+00:00 zsdc taras@vyos.io 2023-02-24T18:07:18+00:00 urn:sha1:32a4415191ca725be9b3ca4c5f664123a0e767eb MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ``` 2022-10-17T12:15:22+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-10-17T12:15:22+00:00 urn:sha1:85f04237160a6ea98eea4ec58f1ccab9f6bfc31a Ability to configure SSH-server HostKeyAlgorithms. Specifies the host key signature algorithms that the server offers. Can accept multiple values. 2022-10-12T07:02:37+00:00 Christian Poessinger christian@poessinger.com 2022-10-12T07:02:37+00:00 urn:sha1:6951fa7ef6ea4a2715b9083d654f6cf3f3b60213 system login: T874: add 2FA support for local and ssh authentication 2022-10-11T23:56:45+00:00 goodNETnick pknet@ya.ru 2022-09-22T06:03:04+00:00 urn:sha1:765f84386b6e94984ff79db2eab36d51f759159b 2022-10-10T12:52:54+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-09-27T16:06:52+00:00 urn:sha1:b9de775a5b4f017f9d164a127d93f55ce9053756 Ability to configure SSH RekeyLimit data (in Megabytes) and time (in Minutes) set service ssh rekey data 1024 set service ssh rekey time 60 2022-07-22T21:16:13+00:00 Christian Poessinger christian@poessinger.com 2022-07-22T21:05:25+00:00 urn:sha1:8c7cd6f181a4bbb5aee99f50e6c32eb1f4f37c3d 2022-05-13T16:43:09+00:00 Christian Poessinger christian@poessinger.com 2022-05-13T16:43:07+00:00 urn:sha1:37a08888d103556326ecd13e4738301ac901c861 We do not only allow individual host addresses but also prefixes. 2022-05-12T17:27:38+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-05-10T15:14:19+00:00 urn:sha1:2e81f9e057f598a9a9e5c2d617e3d0818005d850 Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1