vyos-1x.git/src/pam-configs, branch current-merge-commit-handling

vyos-1x.git/src/pam-configs, branch current-merge-commit-handling VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=current-merge-commit-handling 2023-12-08T06:46:21+00:00 login: T4943: use pam-auth-update to enable/disable Google authenticator 2023-12-08T06:46:21+00:00 Christian Breunig christian@breunig.cc 2023-12-07T20:30:57+00:00 urn:sha1:e134dc4171b051d0f98c7151ef32a347bc4f87e2 The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any use has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template. Can be tested using: set system login user vyos authentication plaintext-password vyos set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O' See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details. pam: T5577: Improved PAM configs for RADIUS and TACACS+ 2023-09-19T18:03:51+00:00 zsdc taras@vyos.io 2023-09-19T18:03:51+00:00 urn:sha1:784fb7dc2ccc63789ed85d803e3ae41eef0e0253 After sources analysis, we found the next possible return statuses for PAM modules: 1. pam_tacplus Auth: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BUF_ERR - PAM_CRED_INSUFFICIENT - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Account: - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_PERM_DENIED - PAM_SUCCESS - PAM_USER_UNKNOWN Session: - PAM_AUTHINFO_UNAVAIL - PAM_SESSION_ERR - PAM_SUCCESS - PAM_USER_UNKNOWN 2. pam_radius_auth Auth: - PAM_ABORT - PAM_AUTH_ERR - PAM_AUTHINFO_UNAVAIL - PAM_AUTHTOK_ERR - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN Account: - PAM_SUCCESS Session: - PAM_ABORT - PAM_AUTHINFO_UNAVAIL - PAM_BAD_ITEM - PAM_BUF_ERR - PAM_CONV_AGAIN - PAM_CONV_ERR - PAM_IGNORE - PAM_NO_MODULE_DATA - PAM_PERM_DENIED - PAM_SUCCESS - PAM_SYSTEM_ERR - PAM_USER_UNKNOWN PAM configurations were replaced with tuned versions to take this into account. TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+ 2023-09-13T18:02:32+00:00 zsdc taras@vyos.io 2023-09-13T10:16:20+00:00 urn:sha1:1c804685d05ad639bcb1a9ebce68a7a14268500f In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS 2023-09-13T17:41:43+00:00 zsdc taras@vyos.io 2023-09-13T09:41:04+00:00 urn:sha1:5181ab60bb6d936505967d6667adc12c5ecb9b64 In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode. T5554: Disable sudo for PAM RADIUS 2023-09-08T12:24:16+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-09-07T17:18:53+00:00 urn:sha1:01b30eb6d83cdb2ae43b956d29ac7ac1d4445776 Disable sudo for PAM RADIUS template that slows down the CLI commands To fix it add: session [default=ignore success=2] pam_succeed_if.so service = sudo tacacs: T141: initial implementation 2023-06-22T20:37:41+00:00 Christian Breunig christian@breunig.cc 2023-06-21T20:11:44+00:00 urn:sha1:3ec727670de02cac06321719a0323650046d54a1 tacacs: T141: create new UNIX group for aaa 2023-06-21T21:17:27+00:00 Christian Breunig christian@breunig.cc 2023-06-21T20:08:16+00:00 urn:sha1:edc753ad22c03a7e96c6e2323cd551f50588d686 radius: T3510: authenticated users must use /sbin/radius_shell as shell 2021-05-02T15:13:40+00:00 Christian Poessinger christian@poessinger.com 2021-05-02T13:53:32+00:00 urn:sha1:0e5a90ad70edbcc6334f1737a6855d02f8ffd130 login: radius: T2089: only query servers when uid matches ... 2020-03-01T19:03:45+00:00 Christian Poessinger christian@poessinger.com 2020-03-01T19:03:45+00:00 urn:sha1:fb3eba1d4623e63323c439682e2c7cc2dcb949e1 Do not query RADIUS servers when commit is running started from a non RADIUS user (localuser, root). This should reduce the overall system boot time. radius: T2022: support both local and radius login at the same time 2020-02-09T14:14:34+00:00 Christian Poessinger christian@poessinger.com 2020-02-09T14:14:34+00:00 urn:sha1:e76325e6902b9a857b9e544accd5b020439aa8e7