vyos-1x.git/data/templates/ssh, branch current

ssh: T6013: rename trusted-user-ca-key -> truster-user-ca

2025-05-29T12:01:32+00:00

The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate " to define an X.509 certificate from "set pki ca ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the bahavior to support antive certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migrations cript is used.

ssh: T6013: move principal name to "system login user authentication"

2025-05-29T11:57:48+00:00

We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys. set system login user principal The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in.

ssh: T6013: support SSH AuthorizedPrincipalsFile in use with trusted-user-ca-key

2025-05-29T11:57:48+00:00

Thisc omplements commit e7cab89f9f81 ("T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys"). It introduces a new CLI node per user to support defining the authorized principals used by any given PKI certificate. It is now possible to associate SSH login users with their respective principals. Authored-by: Takeru Hayasaka

T6013: Add support for configuring TrustedUserCAKeys in SSH service with local and remote CA keys

2024-12-23T09:13:14+00:00

ssh: T5878: Allow changing the PubkeyAcceptedAlgorithms option

2024-06-28T07:42:54+00:00

ssh: T6192: allow binding to multiple VRF instances

2024-04-01T19:26:16+00:00

Currently VyOS only supports binding a service to one individual VRF. It might become handy to have the services (initially it will be VRF, NTP and SNMP) be bound to multiple VRFs. Changed VRF from leafNode to multi leafNode with defaultValue: default - which is the name of the default VRF.

T5474: establish common file name pattern for XML conf mode commands

2023-12-31T22:49:48+00:00

We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in

login: T4943: Fixed 2FA + RADIUS compatibility

2023-02-24T18:07:18+00:00

MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: Password: Verification code: ``` Now: ``` vyos login: Password & verification code: ```

ssh: T4720: Ability to configure SSH-server HostKeyAlgorithms

2022-10-17T12:15:22+00:00

Ability to configure SSH-server HostKeyAlgorithms. Specifies the host key signature algorithms that the server offers. Can accept multiple values.

Merge pull request #1555 from goodNETnick/ssh_otp

2022-10-12T07:02:37+00:00

system login: T874: add 2FA support for local and ssh authentication