summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-10-14 20:00:25 +0200
committerChristian Poessinger <christian@poessinger.com>2022-10-14 20:00:25 +0200
commitda535ef5697f6ce87a7f34ff185e4df239e6af63 (patch)
tree4e074588462835ee16384c75c01fbc1058e2e905 /src
parent427ea592ae8d92d29aca245683832b5bd75b643d (diff)
downloadvyos-1x-da535ef5697f6ce87a7f34ff185e4df239e6af63.tar.gz
vyos-1x-da535ef5697f6ce87a7f34ff185e4df239e6af63.zip
login: 2fa: T874: fix Google authenticator issues
Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individual per user. set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq' set system login user vyos authentication plaintext-password 'vyos'
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system-login.py36
1 files changed, 22 insertions, 14 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index bd9cc3b89..eea6c7413 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -64,6 +64,18 @@ def get_config(config=None):
login = conf.get_config_dict(base, key_mangling=('-', '_'),
no_tag_node_value_mangle=True, get_first_key=True)
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_values = defaults(base)
+ # XXX: T2665: we can not safely rely on the defaults() when there are
+ # tagNodes in place, it is better to blend in the defaults manually.
+ # defaults for RADIUS and USER will be added later down this function
+ if 'radius' in default_values:
+ del default_values['radius']
+ if 'user' in default_values:
+ del default_values['user']
+ login = dict_merge(default_values, login)
+
# users no longer existing in the running configuration need to be deleted
local_users = get_local_users()
cli_users = []
@@ -253,23 +265,19 @@ def apply(login):
user_config, permission=0o600,
formater=lambda _: _.replace("&quot;", '"'),
user=user, group='users')
- #OTP 2FA key file generation
- if dict_search('authentication.otp.key', user_config):
- user_config['authentication']['otp']['key'] = user_config['authentication']['otp']['key'].upper()
- user_config['authentication']['otp']['rate_limit'] = login['authentication']['otp']['rate_limit']
- user_config['authentication']['otp']['rate_time'] = login['authentication']['otp']['rate_time']
- user_config['authentication']['otp']['window_size'] = login['authentication']['otp']['window_size']
- render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
- user_config, permission=0o600,
- formater=lambda _: _.replace("&quot;", '"'),
- user=user, group='users')
- #OTP 2FA key file deletion
- elif os.path.exists(f'{home_dir}/.google_authenticator'):
- os.remove(f'{home_dir}/.google_authenticator')
-
+
except Exception as e:
raise ConfigError(f'Adding user "{user}" raised exception: "{e}"')
+ # Generate 2FA/MFA One-Time-Pad configuration
+ if dict_search('authentication.otp.key', user_config):
+ render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
+ user_config, permission=0o400, user=user, group='users')
+ else:
+ # delete configuration as it's not enabled for the user
+ if os.path.exists(f'{home_dir}/.google_authenticator'):
+ os.remove(f'{home_dir}/.google_authenticator')
+
if 'rm_users' in login:
for user in login['rm_users']:
try: