authoraapostoliuk <a.apostoliuk@vyos.io>2022-11-03 17:58:54 +0200
committeraapostoliuk <a.apostoliuk@vyos.io>2022-12-08 22:23:46 +0200
commit1bde9ebee6812a1497f8b6d36e684235e41631f2 (patch)
treea38d1371f2c5307df1c6ce5d08dbca41d133c11f
parentf11b76ec56f9a94c4cfb435081c7b9a5986c060c (diff)
T4790: Added check of the sum of radius timeouts
Added check of the sum of radius timeouts. It has to be less than or equal to 50 sec: the default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec. Added check of the number of radius servers. It has to be less than or equal to 25: 50 sec divided by 2 sec (minimum recommended login timeout). Otherwise, login to the device can be discarded.
-rwxr-xr-xsrc/conf_mode/system-login.py22
1 files changed, 18 insertions, 4 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index e26b81e3d..da6c3f775 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -43,6 +43,11 @@ airbag.enable()
autologout_file = "/etc/profile.d/autologout.sh"
radius_config_file = "/etc/pam_radius_auth.conf"
+# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
+MAX_RADIUS_TIMEOUT: int = 50
+# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout)
+MAX_RADIUS_COUNT: int = 25
+
def get_local_users():
"""Return list of dynamically allocated users (see Debian Policy Manual)"""
local_users = []
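Review bot: The comment above `MAX_RADIUS_TIMEOUT` misspells the file it derives the limit from (`loign.defs`), and the one above `MAX_RADIUS_COUNT` has `recomended`; since these two constants are the only place the login-timeout budget is explained, the comments should read correctly. I would write `# Default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec` and `# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recommended timeout)`. It would also help to state why the budget matters, e.g. `# A RADIUS timeout chain longer than the login timeout makes every login fail`, which is the rationale given in the commit message but not in the code.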
@@ -118,18 +123,27 @@ def verify(login):
if 'radius' in login:
if 'server' not in login['radius']:
raise ConfigError('No RADIUS server defined!')
-
+ sum_timeout: int = 0
+ radius_servers_count: int = 0
fail = True
for server, server_config in dict_search('radius.server', login).items():
if 'key' not in server_config:
raise ConfigError(f'RADIUS server "{server}" requires key!')
-
- if 'disabled' not in server_config:
+ if 'disable' not in server_config:
+ sum_timeout += int(server_config['timeout'])
+ radius_servers_count += 1
fail = False
- continue
+
if fail:
raise ConfigError('All RADIUS servers are disabled')
+ if radius_servers_count > MAX_RADIUS_COUNT:
+ raise ConfigError('Number of RADIUS servers more than 25 ')
+
+ if sum_timeout > MAX_RADIUS_TIMEOUT:
+ raise ConfigError('Sum of RADIUS servers timeouts '
+ 'has to be less or eq 50 sec')
+
verify_vrf(login['radius'])
if 'source_address' in login['radius']:
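Review bot: The new `sum_timeout += int(server_config['timeout'])` line raises a bare `KeyError` (or `ValueError` on a non-numeric value) instead of a `ConfigError` when a server entry has no `timeout`; whether a default is merged in before `verify()` runs is outside this hunk, so this should be confirmed, and if it is not guaranteed the line should use `int(server_config.get('timeout', 0))` or raise `ConfigError(f'RADIUS server "{server}" requires timeout!')`. The two new error messages also hard-code the limits `25` and `50 sec` separately from `MAX_RADIUS_COUNT` and `MAX_RADIUS_TIMEOUT`, so a later change to one constant would leave the message wrong; I would change them to `raise ConfigError(f'Number of RADIUS servers more than {MAX_RADIUS_COUNT}')` and `raise ConfigError(f'Sum of RADIUS servers timeouts has to be less or eq {MAX_RADIUS_TIMEOUT} sec')`, which also drops the trailing space in the first message. The rename of the checked key from `'disabled'` to `'disable'` changes which servers count toward the limits and is not mentioned in the commit description. `verify()` starts before this hunk.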