<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/conf_mode/system-login.py, branch feature/T9082-codeql-cpp</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2023-12-31T22:49:48+00:00</updated>
<entry>
<title>T5474: establish common file name pattern for XML conf mode commands</title>
<updated>2023-12-31T22:49:48+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-30T22:25:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4ef110fd2c501b718344c72d495ad7e16d2bd465'/>
<id>urn:sha1:4ef110fd2c501b718344c72d495ad7e16d2bd465</id>
<content type='text'>
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.

Example:
set interfaces ethernet -&gt; interfaces_ethernet.xml.in
set interfaces bond -&gt; interfaces_bond.xml.in
set service dhcp-server -&gt; service_dhcp-server-xml.in
</content>
</entry>
<entry>
<title>login: T5875: restore home directory permissions when re-adding user account</title>
<updated>2023-12-29T20:03:07+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-29T19:54:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=3c990f49e2bf9347bd2cc478995baa995ee822fd'/>
<id>urn:sha1:3c990f49e2bf9347bd2cc478995baa995ee822fd</id>
<content type='text'>
After deleting a user account and working with a newly added account, we see
that after rebooting in the previously saved configuration, the user is
re-added but it's home directory might have an old UID set on the filesystem.

This is due to the fact that vyos config does not store UIDs. When adding a
user account to the system we now check if the home directory already exists
and adjust the ownership to the new UID.
</content>
</entry>
<entry>
<title>Merge pull request #1960 from sarthurdev/kea</title>
<updated>2023-12-09T20:35:50+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-09T20:35:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2778f53cc1f9f03a6c145e45082ca95ba21a1a96'/>
<id>urn:sha1:2778f53cc1f9f03a6c145e45082ca95ba21a1a96</id>
<content type='text'>
dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea</content>
</entry>
<entry>
<title>login: T4943: use pam-auth-update to enable/disable Google authenticator</title>
<updated>2023-12-08T06:46:21+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-12-07T20:30:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=e134dc4171b051d0f98c7151ef32a347bc4f87e2'/>
<id>urn:sha1:e134dc4171b051d0f98c7151ef32a347bc4f87e2</id>
<content type='text'>
The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.

This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.

Can be tested using:

set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'

See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.
</content>
</entry>
<entry>
<title>dhcp: T3316: Migrate dhcp/dhcpv6 server to Kea</title>
<updated>2023-12-07T23:29:38+00:00</updated>
<author>
<name>sarthurdev</name>
<email>965089+sarthurdev@users.noreply.github.com</email>
</author>
<published>2022-12-16T10:41:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d95200e96763e4a7ed02577b1b177c84abb77838'/>
<id>urn:sha1:d95200e96763e4a7ed02577b1b177c84abb77838</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Revert "login: T5521: home directory owner changed during reboot"</title>
<updated>2023-10-04T07:40:45+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-10-04T07:40:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=53bc1627c09d7b6559aaafabfac69a7427e8e38c'/>
<id>urn:sha1:53bc1627c09d7b6559aaafabfac69a7427e8e38c</id>
<content type='text'>
This reverts commit 64d323299586da646ca847e78255ff2cd8464578.
</content>
</entry>
<entry>
<title>login: T5521: home directory owner changed during reboot</title>
<updated>2023-10-03T07:33:16+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2023-10-03T07:26:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=64d323299586da646ca847e78255ff2cd8464578'/>
<id>urn:sha1:64d323299586da646ca847e78255ff2cd8464578</id>
<content type='text'>
During system startup the system-login.py script is invoked by vyos-router
systemd service. As there is no complete configuration available at this
point in time - and the sole purpose of this call is to reset/re-render
the system NSS/PAM configs back to default - it accidently also deleted the
local useraccounts.

Once the VyOS configuration got mounted, users got recreated in alphabetical
order and thus UIDs flipped and the /home suddenely belonged to a different
account.

This commit prevents any mangling with the local userdatabase during VyOS
bootup phase.
</content>
</entry>
<entry>
<title>TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+</title>
<updated>2023-09-13T18:02:32+00:00</updated>
<author>
<name>zsdc</name>
<email>taras@vyos.io</email>
</author>
<published>2023-09-13T10:16:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1c804685d05ad639bcb1a9ebce68a7a14268500f'/>
<id>urn:sha1:1c804685d05ad639bcb1a9ebce68a7a14268500f</id>
<content type='text'>
In CLI we can choose authentication logic:

  - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
  stopped and access denied immediately.
  - `optional` (default) - if TACACS+ answers with `REJECT`, authentication
  continues using the next module.

In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
</content>
</entry>
<entry>
<title>RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS</title>
<updated>2023-09-13T17:41:43+00:00</updated>
<author>
<name>zsdc</name>
<email>taras@vyos.io</email>
</author>
<published>2023-09-13T09:41:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=5181ab60bb6d936505967d6667adc12c5ecb9b64'/>
<id>urn:sha1:5181ab60bb6d936505967d6667adc12c5ecb9b64</id>
<content type='text'>
In CLI we can choose authentication logic:

  - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
  be stopped and access denied immediately.
  - `optional` (default) - if RADIUS answers with `Access-Reject`,
  authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
</content>
</entry>
<entry>
<title>T5319: remove workarounds for defaults in system-login.py</title>
<updated>2023-08-07T19:46:42+00:00</updated>
<author>
<name>John Estabrook</name>
<email>jestabro@vyos.io</email>
</author>
<published>2023-08-07T01:38:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4b9e52aa5b9728a89715bf1f7f54063aa3e7aaef'/>
<id>urn:sha1:4b9e52aa5b9728a89715bf1f7f54063aa3e7aaef</id>
<content type='text'>
</content>
</entry>
</feed>
