author | Christian Poessinger <christian@poessinger.com> | 2021-05-02 15:53:32 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-05-02 17:13:40 +0200 |
commit | 0e5a90ad70edbcc6334f1737a6855d02f8ffd130 (patch) | |
tree | e6886fa149748f4cccfcafb0353776e112641140 | |
parent | e17475f0237576c3b581daa7b8df1e48adfce8e9 (diff) | |
radius: T3510: authenticated users must use /sbin/radius_shell as shell
-rw-r--r-- | debian/vyos-1x.postinst | 11 | ||||
-rw-r--r-- | src/pam-configs/radius | 12 |
2 files changed, 14 insertions, 9 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 5fadddc86..8acc87cc8 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -11,7 +11,8 @@ fi
 # Add minion user for salt-minion
 if ! grep -q '^minion' /etc/passwd; then
- adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg --gecos "salt minion user" --shell /bin/vbash minion
+ adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
+ --gecos "salt minion user" --shell /bin/vbash minion
 adduser --quiet minion frrvty
 adduser --quiet minion sudo
 adduser --quiet minion adm
@@ -27,7 +28,9 @@ fi
 # Add RADIUS operator user for RADIUS authenticated users to map to
 if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1001 --disabled-login --ingroup users --gecos "radius user" --shell /bin/vbash radius_user
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
+ --no-create-home --gecos "radius user" \
+ --shell /sbin/radius_shell radius_user
 adduser --quiet radius_user frrvty
 adduser --quiet radius_user vyattaop
 adduser --quiet radius_user operator
@@ -38,7 +41,9 @@ fi
 # Add RADIUS admin user for RADIUS authenticated users to map to
 if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1001 --disabled-login --ingroup vyattacfg --gecos "radius privileged user" --shell /bin/vbash radius_priv_user
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
+ --no-create-home --gecos "radius privileged user" \
+ --shell /sbin/radius_shell radius_priv_user
 adduser --quiet radius_priv_user frrvty
 adduser --quiet radius_priv_user vyattacfg
 adduser --quiet radius_priv_user sudo
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
index 0e2c71e38..aaae6aeb0 100644
--- a/src/pam-configs/radius
+++ b/src/pam-configs/radius
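Review bot: The `if ! grep -q '^radius_user' /etc/passwd` guard (and its `radius_priv_user` twin in the third hunk) means the new `--shell /sbin/radius_shell`, `--no-create-home` and `--firstuid 1000` settings only take effect on a fresh install; a system upgraded from a build that already created these accounts keeps `/bin/vbash` and the old UIDs, so the shell restriction named in the commit title is not enforced there and the `uid eq 1000`/`uid eq 1001` checks in src/pam-configs/radius will not match those accounts. Consider applying the shell outside the guard, e.g. `usermod --shell /sbin/radius_shell radius_user` and `usermod --shell /sbin/radius_shell radius_priv_user` after the respective blocks, so existing deployments converge on the intended state. Also, `--firstuid` is only a lower bound for adduser's UID search, so the account is not guaranteed to receive 1000/1001 if those IDs are already in use; if the PAM rules depend on exact UIDs, `--uid 1000` / `--uid 1001` (or a post-creation check that aborts on a mismatch) would make that coupling explicit rather than accidental.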
@@ -3,18 +3,18 @@ Default: yes
 Priority: 257
 Auth-Type: Primary
 Auth:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
+ [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
+ [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
 [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
 Account-Type: Primary
 Account:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
+ [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
+ [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
 [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
 Session-Type: Additional
 Session:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
+ [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
+ [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
 [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
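Review bot: The UIDs 1000 and 1001 are now hard-coded in six places across the Auth, Account and Session sections and silently tied to the `--firstuid` values in debian/vyos-1x.postinst, with nothing on either side saying so; a note such as `# uid 1000 = radius_user, 1001 = radius_priv_user; must match debian/vyos-1x.postinst` (next to the `--firstuid` lines in postinst, or here if the pam-configs parser tolerates comments) would keep the two files from drifting apart the next time either is renumbered. Separately, the second line of each section combines `success=ignore` with `default=ignore`, so it never alters control flow whether or not the uid is 1001, and pam_radius_auth.so is reached either way as written; if that line is meant to gate the RADIUS module the way the `success=1` line above it does, the action on success is worth confirming.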