summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-01-30 21:45:51 +0100
committerChristian Poessinger <christian@poessinger.com>2020-02-02 17:05:09 +0100
commitb1bb4dcc8dd9d08e0845ecd4c568511e61c594d1 (patch)
treedbb2017f52d27d041c794fdd4562d28f59806cb9 /src
parenta717e1c802d958137cdc70adf44d614323438dce (diff)
downloadvyos-1x-b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1.tar.gz
vyos-1x-b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1.zip
login: T1948: initial support for RADIUS configuration
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/system-login.py47
1 files changed, 44 insertions, 3 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 8aa3991fd..3d29010b9 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -16,6 +16,7 @@
import sys
import os
+import jinja2
from pwd import getpwall, getpwnam
from grp import getgrnam
@@ -26,6 +27,21 @@ from vyos.config import Config
from vyos.configdict import list_diff
from vyos import ConfigError
+radius_config_file = "/etc/pam_radius_auth.conf"
+radius_config_tmpl = """
+# Automatically generated by VyOS
+# RADIUS configuration file
+# server[:port] shared_secret timeout (s) source_ip
+{% if radius_server -%}
+{% for s in radius_server -%}
+{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source -%}{{ radius_source }}{% endif %}
+{% endfor -%}
+
+priv-lvl 15
+mapped_priv_user radius_priv_user
+{% endif %}
+
+"""
default_config_data = {
'deleted': False,
@@ -152,7 +168,6 @@ def get_config():
return login
def verify(login):
-
pass
def generate(login):
@@ -186,7 +201,7 @@ def generate(login):
if not os.path.isdir(key_dir):
os.mkdir(key_dir)
os.chown(key_dir, uid, gid)
- os.chmod(key_dir, S_IRWXU|S_IRGRP|S_IXGRP)
+ os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
key_file = key_dir + '/authorized_keys';
with open(key_file, 'w') as f:
@@ -202,7 +217,23 @@ def generate(login):
f.write(line)
os.chown(key_file, uid, gid)
- os.chmod(key_file, S_IRUSR|S_IWUSR)
+ os.chmod(key_file, S_IRUSR | S_IWUSR)
+
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ tmpl = jinja2.Template(radius_config_tmpl)
+ config_text = tmpl.render(login)
+ with open(radius_config_file, 'w') as f:
+ f.write(config_text)
+
+ uid = getpwnam('root').pw_uid
+ gid = getpwnam('root').pw_gid
+ os.chown(radius_config_file, uid, gid)
+ os.chmod(radius_config_file, S_IRUSR | S_IWUSR)
+ else:
+ os.unlink(radius_config_file)
pass
@@ -241,6 +272,16 @@ def apply(login):
except Exception as e:
print('Deleting user "{}" raised an exception'.format(user))
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ # Enable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable radius")
+ else:
+ # Disable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --remove radius")
+
pass
if __name__ == '__main__':