authorJohn Estabrook <jestabro@vyos.io>2025-05-13 09:27:04 -0500
committerGitHub <noreply@github.com>2025-05-13 09:27:04 -0500
commit572400156976a5fc36e1dbe2fcdaf12d61510e13 (patch)
tree36fd9d25181dd22f83086dd0ee38328e7db85bea
parentcdffc31d8b717bee0b11cb94323e4ba8f934283c (diff)
parent9cf35f96450263279aeed1affd37e907d71a3081 (diff)
downloadvyos-1x-572400156976a5fc36e1dbe2fcdaf12d61510e13.tar.gz
vyos-1x-572400156976a5fc36e1dbe2fcdaf12d61510e13.zip
Merge pull request #4502 from c-po/pam-nologin
T7443: Un-restricting non-root logins after scheduled reboot/shutdown via pam_nologin
-rw-r--r--debian/vyos-1x.postinst4
-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py29
2 files changed, 33 insertions, 0 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 798ecaa1b..9dd06d5e2 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -50,6 +50,10 @@ if [[ -e /usr/share/pam-configs/tacplus ]]; then
rm /usr/share/pam-configs/tacplus
fi
+# Disable pam_nologin.so behavior for regular users
+sed -i '/^auth[[:space:]]\+requisite[[:space:]]\+pam_nologin\.so$/s/^/#/' /etc/pam.d/login
+sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_nologin\.so$/s/^/#/' /etc/pam.d/sshd
+
# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
# Add the tacacs group and all 16 possible tacacs privilege-level users to
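Review bot: Both added `sed` patterns end in `pam_nologin\.so$`, so a stock line that carries trailing whitespace, a module argument or an inline comment stays active, and `sed -i` exits 0 either way, leaving postinst with no sign that the edit was skipped. Loosening the tail to `pam_nologin\.so\([[:space:]].*\)\?$` and adding a `grep -q` check that warns when an uncommented `pam_nologin.so` line remains would make the result verifiable. The comment should also state the security consequence: with these lines disabled, the nologin flag file no longer blocks non-root console or SSH logins at all, including when an administrator sets it deliberately for maintenance, e.g. `# NOTE: this removes nologin enforcement for login and sshd entirely, not only before a scheduled reboot`. Both files presumably belong to other packages, so it is worth confirming that the edit survives their upgrades.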
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index 71dec68d8..fd5af12ba 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -548,5 +548,34 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
self.cli_discard()
+ def test_pam_nologin(self):
+ # Testcase for T7443, test if we can login with a non-privileged user
+ # when there are only 5 minutes left until the system reboots
+ username = users[0]
+ password = f'{username}-pSWd-t3st'
+
+ self.cli_set(base_path + ['user', username, 'authentication', 'plaintext-password', password])
+ self.cli_commit()
+
+ # Login with proper credentials
+ out, err = self.ssh_send_cmd(ssh_test_command, username, password)
+ # verify login
+ self.assertFalse(err)
+ self.assertEqual(out, self.ssh_test_command_result)
+
+ # Request system reboot in 5 minutes - this will activate pam_nologin.so
+ # and prevent any login - but we have this disabled, so we must be able
+ # to login to the router
+ self.op_mode(['reboot', 'in', '4'])
+
+ # verify login
+ # Login with proper credentials - after reboot is pending
+ out, err = self.ssh_send_cmd(ssh_test_command, username, password)
+ self.assertFalse(err)
+ self.assertEqual(out, self.ssh_test_command_result)
+
+ # Cancel pending reboot - we do wan't to preceed with the remaining tests
+ self.op_mode(['reboot', 'cancel'])
+
if __name__ == '__main__':
unittest.main(verbosity=2)
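Review bot: `test_pam_nologin` cancels the scheduled reboot only on its last line, so if either assertion after `self.op_mode(['reboot', 'in', '4'])` fails, the reboot stays armed and the system under test goes down a few minutes later, taking the remaining tests with it. Registering the cancel before arming the reboot, with `self.addCleanup(self.op_mode, ['reboot', 'cancel'])` directly above the `reboot in` call, makes the cleanup unconditional. The test also never asserts that the nologin condition is actually in force after scheduling, so it would pass just as well if the reboot request did not trigger it; checking that the flag file exists before the second login would close that gap. The comments also say 5 minutes while the command uses `4`, and the last comment should read `we do want to proceed`.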