authorChristian Poessinger <christian@poessinger.com>2021-05-02 15:53:32 +0200
committerChristian Poessinger <christian@poessinger.com>2021-05-02 17:13:40 +0200
commit0e5a90ad70edbcc6334f1737a6855d02f8ffd130 (patch)
treee6886fa149748f4cccfcafb0353776e112641140
parente17475f0237576c3b581daa7b8df1e48adfce8e9 (diff)
downloadvyos-1x-0e5a90ad70edbcc6334f1737a6855d02f8ffd130.tar.gz
vyos-1x-0e5a90ad70edbcc6334f1737a6855d02f8ffd130.zip
radius: T3510: authenticated users must use /sbin/radius_shell as shell
-rw-r--r--debian/vyos-1x.postinst11
-rw-r--r--src/pam-configs/radius12
2 files changed, 14 insertions, 9 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 5fadddc86..8acc87cc8 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -11,7 +11,8 @@ fi
# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
- adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg --gecos "salt minion user" --shell /bin/vbash minion
+ adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
+ --gecos "salt minion user" --shell /bin/vbash minion
adduser --quiet minion frrvty
adduser --quiet minion sudo
adduser --quiet minion adm
@@ -27,7 +28,9 @@ fi
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1001 --disabled-login --ingroup users --gecos "radius user" --shell /bin/vbash radius_user
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
+ --no-create-home --gecos "radius user" \
+ --shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
adduser --quiet radius_user operator
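Review bot: `--firstuid 1000` on the new adduser line is only a lower bound, so the account is guaranteed a UID >= 1000, not the UID 1000 that the companion pam-configs/radius profile matches with `pam_succeed_if.so uid eq 1000`; if any account already holds 1000 when this postinst runs (not visible here, but common for a user created at image-build time), radius_user silently lands on a different UID and the PAM mapping breaks. Pinning the UID fails loudly instead of drifting: `adduser --quiet --uid 1000 --disabled-login --ingroup vyattaop \`. Whichever form is kept, a comment next to the line such as `# UID 1000 is hard-coded in src/pam-configs/radius - keep in sync` would stop the two files drifting apart again. The enclosing `if` block closes outside this hunk.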
@@ -38,7 +41,9 @@ fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1001 --disabled-login --ingroup vyattacfg --gecos "radius privileged user" --shell /bin/vbash radius_priv_user
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
+ --no-create-home --gecos "radius privileged user" \
+ --shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
adduser --quiet radius_priv_user sudo
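Review bot: The `if ! grep -q '^radius_priv_user' /etc/passwd` guard means the new shell, UID range and `--no-create-home` only take effect on a fresh install; on a system upgraded from the previous postinst the account already exists (created with `--firstuid 1001` and `--shell /bin/vbash`, per the removed line) and is left untouched, so the commit's stated goal that authenticated users must use /sbin/radius_shell is not met there. Consider applying the shell unconditionally after the guard block, e.g. `usermod --shell /sbin/radius_shell radius_priv_user`, and treating a pre-existing UID that does not match the PAM profile as an error or a documented migration step. Note also that radius_priv_user's expected UID 1001 depends on radius_user having taken 1000 in the preceding block of the same run, which does not hold when either account pre-exists. The `if` block ends outside this hunk.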
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
index 0e2c71e38..aaae6aeb0 100644
--- a/src/pam-configs/radius
+++ b/src/pam-configs/radius
@@ -3,18 +3,18 @@ Default: yes
Priority: 257
Auth-Type: Primary
Auth:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
+ [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
+ [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
[authinfo_unavail=ignore success=end default=ignore] pam_radius_auth.so
Account-Type: Primary
Account:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
+ [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
+ [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
[authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
Session-Type: Additional
Session:
- [default=ignore success=1] pam_succeed_if.so uid eq 1001 quiet
- [default=ignore success=ignore] pam_succeed_if.so uid eq 1002 quiet
+ [default=ignore success=1] pam_succeed_if.so uid eq 1000 quiet
+ [default=ignore success=ignore] pam_succeed_if.so uid eq 1001 quiet
[authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
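Review bot: The renumbered UID literals 1000 and 1001 in the three pam_succeed_if lines are an undocumented coupling to the account creation order in debian/vyos-1x.postinst, which only uses `--firstuid 1000` and so does not guarantee those exact values; a comment at the top of each stack, e.g. `# 1000 = radius_user, 1001 = radius_priv_user (allocated in debian/vyos-1x.postinst)`, would at least make the dependency visible to whoever next changes either file. Separately, as written both pam_succeed_if lines use `default=ignore`, so a user with any other UID still falls through to pam_radius_auth.so in every stack and the UID checks only decide whether the second check is skipped; if RADIUS is meant to be attempted for every login that is fine, but if the intent was to restrict it to the two mapped accounts the second line would need a non-ignore default. The profile's header lines are outside this hunk.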