summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-06-21 22:08:16 +0200
committerChristian Breunig <christian@breunig.cc>2023-06-21 23:17:27 +0200
commitedc753ad22c03a7e96c6e2323cd551f50588d686 (patch)
treea075a811cd28f0862753792552c594dc9bbb2e11
parent2e46106fceae3701b40ecc945882ee57400404d3 (diff)
downloadvyos-1x-edc753ad22c03a7e96c6e2323cd551f50588d686.tar.gz
vyos-1x-edc753ad22c03a7e96c6e2323cd551f50588d686.zip
tacacs: T141: create new UNIX group for aaa
-rw-r--r--debian/vyos-1x.postinst10
-rw-r--r--src/pam-configs/radius11
2 files changed, 12 insertions, 9 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 6653cd585..a844cba65 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -29,10 +29,14 @@ do
sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
+if ! grep -q '^aaa' /etc/group; then
+ addgroup --firstgid 1000 --quiet aaa
+fi
+
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
- --no-create-home --gecos "radius user" \
+ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
@@ -40,12 +44,13 @@ if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
+ adduser --quiet radius_user aaa
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
- --no-create-home --gecos "radius privileged user" \
+ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
@@ -55,6 +60,7 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
+ adduser --quiet radius_priv_user aaa
fi
# add hostsd group for vyos-hostsd
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
index aaae6aeb0..08247f77c 100644
--- a/src/pam-configs/radius
+++ b/src/pam-configs/radius
@@ -1,20 +1,17 @@
Name: RADIUS authentication
-Default: yes
+Default: no
Priority: 257
Auth-Type: Primary
Auth:
- [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
+ [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
[authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
Account-Type: Primary
Account:
- [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
+ [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
[authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
Session-Type: Additional
Session:
- [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
+ [default=ignore success=ignore] pam_succeed_if.so user ingroup aaa quiet
[authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so