authorChristian Breunig <christian@breunig.cc>2025-05-09 17:50:54 +0200
committerChristian Breunig <christian@breunig.cc>2025-05-09 22:31:39 +0200
commit9cf35f96450263279aeed1affd37e907d71a3081 (patch)
tree5451248cc31136b0869912a21b8ad58772cfe115
parentc8e468d4bf720f15e1c0232091399a45e8d9949b (diff)
T7443: Un-restricting non-root logins after scheduled reboot/shutdown via pam_nologin
When using reboot in, reboot at, or shutdown in, non-root users are prevented from logging in via SSH or console starting 5 minutes before the scheduled shutdown or reboot time. This behavior is intended by pam_nologin.so, which is included in the SSH and login PAM stack (default on Debian). While expected, it may be inconvenient and could be reconsidered.
-rw-r--r--debian/vyos-1x.postinst4
-rwxr-xr-xsmoketest/scripts/cli/test_system_login.py29
2 files changed, 33 insertions, 0 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 798ecaa1b..9dd06d5e2 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -50,6 +50,10 @@ if [[ -e /usr/share/pam-configs/tacplus ]]; then
rm /usr/share/pam-configs/tacplus
fi
+# Disable pam_nologin.so behavior for regular users
+sed -i '/^auth[[:space:]]\+requisite[[:space:]]\+pam_nologin\.so$/s/^/#/' /etc/pam.d/login
+sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_nologin\.so$/s/^/#/' /etc/pam.d/sshd
+
# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
# Add the tacacs group and all 16 possible tacacs privilege-level users to
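Review bot: Commenting out both pam_nologin.so lines turns the nologin gate off for console and SSH logins in every situation, not only in the minutes before a scheduled reboot, so a nologin file that an administrator creates on purpose during maintenance would presumably no longer keep non-root users out. The added comment should state that trade-off, e.g. `# Disable pam_nologin.so for login and sshd; this also ignores an admin-created /etc/nologin`. The two patterns are anchored with `$`, so a line that carries trailing whitespace or a module argument stays active while sed still exits 0; a follow-up check such as `grep -Eq '^[^#]*pam_nologin\.so' /etc/pam.d/login /etc/pam.d/sshd && echo 'pam_nologin still active' >&2` would surface a silent miss. Both files are shipped by other packages, so it is worth confirming that the edit survives their upgrades.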
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
index 71dec68d8..fd5af12ba 100755
--- a/smoketest/scripts/cli/test_system_login.py
+++ b/smoketest/scripts/cli/test_system_login.py
@@ -548,5 +548,34 @@ class TestSystemLogin(VyOSUnitTestSHIM.TestCase):
self.cli_commit()
self.cli_discard()
+ def test_pam_nologin(self):
+ # Testcase for T7443, test if we can login with a non-privileged user
+ # when there are only 5 minutes left until the system reboots
+ username = users[0]
+ password = f'{username}-pSWd-t3st'
+
+ self.cli_set(base_path + ['user', username, 'authentication', 'plaintext-password', password])
+ self.cli_commit()
+
+ # Login with proper credentials
+ out, err = self.ssh_send_cmd(ssh_test_command, username, password)
+ # verify login
+ self.assertFalse(err)
+ self.assertEqual(out, self.ssh_test_command_result)
+
+ # Request system reboot in 5 minutes - this will activate pam_nologin.so
+ # and prevent any login - but we have this disabled, so we must be able
+ # to login to the router
+ self.op_mode(['reboot', 'in', '4'])
+
+ # verify login
+ # Login with proper credentials - after reboot is pending
+ out, err = self.ssh_send_cmd(ssh_test_command, username, password)
+ self.assertFalse(err)
+ self.assertEqual(out, self.ssh_test_command_result)
+
+ # Cancel pending reboot - we do wan't to preceed with the remaining tests
+ self.op_mode(['reboot', 'cancel'])
+
if __name__ == '__main__':
unittest.main(verbosity=2)
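Review bot: In test_pam_nologin the pending reboot is cancelled only on the last line, so if either assertion after `self.op_mode(['reboot', 'in', '4'])` fails, the reboot stays scheduled and the device under test goes down in the middle of the remaining suite. Registering the cancel right after scheduling, `self.addCleanup(self.op_mode, ['reboot', 'cancel'])` (assuming the SHIM test case derives from unittest.TestCase), keeps the cleanup unconditional. The second login can also pass vacuously if the nologin file has not been created at that point; asserting that it exists before the second `ssh_send_cmd` call would show the test really exercises the disabled module. The comments disagree with the code and contain typos: "in 5 minutes" versus the value `'4'`, and `# Cancel pending reboot - we do want to proceed with the remaining tests` for the last one.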