VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=1.4.0-rc2 2024-01-01T08:25:32+00:00 2024-01-01T08:25:32+00:00 Christian Breunig christian@breunig.cc 2023-12-30T22:25:20+00:00 urn:sha1:c9eaafd9f808aba8d29be73054e11d37577e539a We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465) 2023-02-24T18:07:18+00:00 zsdc taras@vyos.io 2023-02-24T18:07:18+00:00 urn:sha1:32a4415191ca725be9b3ca4c5f664123a0e767eb MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ``` 2022-10-17T12:15:22+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-10-17T12:15:22+00:00 urn:sha1:85f04237160a6ea98eea4ec58f1ccab9f6bfc31a Ability to configure SSH-server HostKeyAlgorithms. Specifies the host key signature algorithms that the server offers. Can accept multiple values. 2022-10-12T07:02:37+00:00 Christian Poessinger christian@poessinger.com 2022-10-12T07:02:37+00:00 urn:sha1:6951fa7ef6ea4a2715b9083d654f6cf3f3b60213 system login: T874: add 2FA support for local and ssh authentication 2022-10-11T23:56:45+00:00 goodNETnick pknet@ya.ru 2022-09-22T06:03:04+00:00 urn:sha1:765f84386b6e94984ff79db2eab36d51f759159b 2022-10-10T12:52:54+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-09-27T16:06:52+00:00 urn:sha1:b9de775a5b4f017f9d164a127d93f55ce9053756 Ability to configure SSH RekeyLimit data (in Megabytes) and time (in Minutes) set service ssh rekey data 1024 set service ssh rekey time 60 2022-07-22T21:16:13+00:00 Christian Poessinger christian@poessinger.com 2022-07-22T21:05:25+00:00 urn:sha1:8c7cd6f181a4bbb5aee99f50e6c32eb1f4f37c3d 2022-05-13T16:43:09+00:00 Christian Poessinger christian@poessinger.com 2022-05-13T16:43:07+00:00 urn:sha1:37a08888d103556326ecd13e4738301ac901c861 We do not only allow individual host addresses but also prefixes. 2022-05-12T17:27:38+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-05-10T15:14:19+00:00 urn:sha1:2e81f9e057f598a9a9e5c2d617e3d0818005d850 Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1 2022-04-14T19:34:52+00:00 Christian Poessinger christian@poessinger.com 2022-04-14T19:34:52+00:00 urn:sha1:dbfc2add3434638628b43ecfa097fbd166c85db7