diff options
| author | zsdc <taras@vyos.io> | 2023-09-13 12:41:04 +0300 |
|---|---|---|
| committer | zsdc <taras@vyos.io> | 2023-11-20 18:44:31 +0200 |
| commit | 2a023b878471500bd78962ca94d9174a328ce5c9 (patch) | |
| tree | 2d3ccd8d77cb6410d943395b72a963f07a0c5e70 | |
| parent | 9cf2f2c8019b0d0279d6af942a08b6bd829daa16 (diff) | |
| download | vyos-1x-2a023b878471500bd78962ca94d9174a328ce5c9.tar.gz vyos-1x-2a023b878471500bd78962ca94d9174a328ce5c9.zip | |
RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUS
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
| -rw-r--r-- | debian/vyos-1x.postinst | 2 | ||||
| -rw-r--r-- | debian/vyos-1x.preinst | 1 | ||||
| -rw-r--r-- | interface-definitions/include/radius-server-ipv4-ipv6.xml.i | 20 | ||||
| -rwxr-xr-x | src/conf_mode/system-login.py | 14 | ||||
| -rw-r--r-- | src/pam-configs/radius | 20 | ||||
| -rw-r--r-- | src/pam-configs/radius-mandatory | 19 | ||||
| -rw-r--r-- | src/pam-configs/radius-optional | 19 |
7 files changed, 68 insertions, 27 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index e70db93b5..837fcf995 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -91,7 +91,6 @@ if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet radius_user adm adduser --quiet radius_user dip adduser --quiet radius_user users - adduser --quiet radius_user aaa fi # Add RADIUS admin user for RADIUS authenticated users to map to @@ -107,7 +106,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet radius_priv_user disk adduser --quiet radius_priv_user users adduser --quiet radius_priv_user frr - adduser --quiet radius_priv_user aaa fi # add hostsd group for vyos-hostsd diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index 12866cd55..df99661b1 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -2,7 +2,6 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd -dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i index ac0950ae8..e454b9025 100644 --- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i +++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i @@ -26,6 +26,26 @@ </children> </tagNode> #include <include/source-address-ipv4-ipv6-multi.xml.i> + <leafNode name="security-mode"> + <properties> + <help>Security mode for RADIUS authentication</help> + <completionHelp> + <list>mandatory optional</list> + </completionHelp> + <valueHelp> + <format>mandatory</format> + <description>Deny access immediately if RADIUS answers with Access-Reject</description> + </valueHelp> + <valueHelp> + <format>optional</format> + <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description> + </valueHelp> + <constraint> + <regex>(mandatory|optional)</regex> + </constraint> + </properties> + <defaultValue>optional</defaultValue> + </leafNode> </children> </node> <!-- include end --> diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 02c97afaa..be5ff2d4c 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -104,6 +104,9 @@ def get_config(config=None): # prune TACACS global defaults if not set by user if login.from_defaults(['tacacs']): del login['tacacs'] + # same for RADIUS + if login.from_defaults(['radius']): + del login['radius'] # create a list of all users, cli and users all_users = list(set(local_users + cli_users)) @@ -377,11 +380,14 @@ def apply(login): except Exception as e: raise ConfigError(f'Deleting user "{user}" raised exception: {e}') - # Enable RADIUS in PAM configuration - pam_cmd = '--remove' + # Enable/disable RADIUS in PAM configuration + cmd('pam-auth-update --disable radius-mandatory radius-optional') if 'radius' in login: - pam_cmd = '--enable' - cmd(f'pam-auth-update --package {pam_cmd} radius') + if login['radius'].get('security_mode', '') == 'mandatory': + pam_profile = 'radius-mandatory' + else: + pam_profile = 'radius-optional' + cmd(f'pam-auth-update --enable {pam_profile}') # Enable/Disable TACACS in PAM configuration pam_cmd = '--remove' diff --git a/src/pam-configs/radius b/src/pam-configs/radius deleted file mode 100644 index eee9cb93e..000000000 --- a/src/pam-configs/radius +++ /dev/null @@ -1,20 +0,0 @@ -Name: RADIUS authentication -Default: no -Priority: 257 -Auth-Type: Primary -Auth: - [default=ignore success=2] pam_succeed_if.so service = sudo - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so - -Account-Type: Primary -Account: - [default=ignore success=2] pam_succeed_if.so service = sudo - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so - -Session-Type: Additional -Session: - [default=ignore success=2] pam_succeed_if.so service = sudo - [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet - [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so diff --git a/src/pam-configs/radius-mandatory b/src/pam-configs/radius-mandatory new file mode 100644 index 000000000..43b6bd3e0 --- /dev/null +++ b/src/pam-configs/radius-mandatory @@ -0,0 +1,19 @@ +Name: RADIUS authentication (mandatory mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so +Auth: + [default=ignore success=end perm_denied=bad auth_err=bad] pam_radius_auth.so use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so diff --git a/src/pam-configs/radius-optional b/src/pam-configs/radius-optional new file mode 100644 index 000000000..9f6d5f0ea --- /dev/null +++ b/src/pam-configs/radius-optional @@ -0,0 +1,19 @@ +Name: RADIUS authentication (optional mode) +Default: no +Priority: 576 + +Auth-Type: Primary +Auth-Initial: + [default=ignore success=end] pam_radius_auth.so +Auth: + [default=ignore success=end] pam_radius_auth.so use_first_pass + +Account-Type: Primary +Account: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore new_authtok_reqd=done success=end perm_denied=bad auth_err=bad] pam_radius_auth.so + +Session-Type: Additional +Session: + [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet + [default=ignore success=ok perm_denied=bad auth_err=bad] pam_radius_auth.so |