diff options
author | aapostoliuk <a.apostoliuk@vyos.io> | 2022-11-03 17:58:54 +0200 |
---|---|---|
committer | aapostoliuk <a.apostoliuk@vyos.io> | 2022-12-08 22:23:46 +0200 |
commit | 1bde9ebee6812a1497f8b6d36e684235e41631f2 (patch) | |
tree | a38d1371f2c5307df1c6ce5d08dbca41d133c11f /src/conf_mode | |
parent | f11b76ec56f9a94c4cfb435081c7b9a5986c060c (diff) | |
download | vyos-1x-1bde9ebee6812a1497f8b6d36e684235e41631f2.tar.gz vyos-1x-1bde9ebee6812a1497f8b6d36e684235e41631f2.zip |
T4790: Added check of the sum of radius timeouts
Added check of the sum of radius timeouts.
It has to be less or eq 50 sec.
Default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec
Added check of number of radius servers.
It has to be less or eq 25.
50 sec divided by 2sec (minimum recomended login timeout)
Otherwise, log in to the device can be descarded.
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/system-login.py | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index e26b81e3d..da6c3f775 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -43,6 +43,11 @@ airbag.enable() autologout_file = "/etc/profile.d/autologout.sh" radius_config_file = "/etc/pam_radius_auth.conf" +# LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec +MAX_RADIUS_TIMEOUT: int = 50 +# MAX_RADIUS_TIMEOUT divided by 2 sec (minimum recomended timeout) +MAX_RADIUS_COUNT: int = 25 + def get_local_users(): """Return list of dynamically allocated users (see Debian Policy Manual)""" local_users = [] @@ -118,18 +123,27 @@ def verify(login): if 'radius' in login: if 'server' not in login['radius']: raise ConfigError('No RADIUS server defined!') - + sum_timeout: int = 0 + radius_servers_count: int = 0 fail = True for server, server_config in dict_search('radius.server', login).items(): if 'key' not in server_config: raise ConfigError(f'RADIUS server "{server}" requires key!') - - if 'disabled' not in server_config: + if 'disable' not in server_config: + sum_timeout += int(server_config['timeout']) + radius_servers_count += 1 fail = False - continue + if fail: raise ConfigError('All RADIUS servers are disabled') + if radius_servers_count > MAX_RADIUS_COUNT: + raise ConfigError('Number of RADIUS servers more than 25 ') + + if sum_timeout > MAX_RADIUS_TIMEOUT: + raise ConfigError('Sum of RADIUS servers timeouts ' + 'has to be less or eq 50 sec') + verify_vrf(login['radius']) if 'source_address' in login['radius']: |