diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-01-30 21:45:51 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-02-02 17:05:09 +0100 |
commit | b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1 (patch) | |
tree | dbb2017f52d27d041c794fdd4562d28f59806cb9 /src | |
parent | a717e1c802d958137cdc70adf44d614323438dce (diff) | |
download | vyos-1x-b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1.tar.gz vyos-1x-b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1.zip |
login: T1948: initial support for RADIUS configuration
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/system-login.py | 47 |
1 files changed, 44 insertions, 3 deletions
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 8aa3991fd..3d29010b9 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -16,6 +16,7 @@ import sys import os +import jinja2 from pwd import getpwall, getpwnam from grp import getgrnam @@ -26,6 +27,21 @@ from vyos.config import Config from vyos.configdict import list_diff from vyos import ConfigError +radius_config_file = "/etc/pam_radius_auth.conf" +radius_config_tmpl = """ +# Automatically generated by VyOS +# RADIUS configuration file +# server[:port] shared_secret timeout (s) source_ip +{% if radius_server -%} +{% for s in radius_server -%} +{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source -%}{{ radius_source }}{% endif %} +{% endfor -%} + +priv-lvl 15 +mapped_priv_user radius_priv_user +{% endif %} + +""" default_config_data = { 'deleted': False, @@ -152,7 +168,6 @@ def get_config(): return login def verify(login): - pass def generate(login): @@ -186,7 +201,7 @@ def generate(login): if not os.path.isdir(key_dir): os.mkdir(key_dir) os.chown(key_dir, uid, gid) - os.chmod(key_dir, S_IRWXU|S_IRGRP|S_IXGRP) + os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP) key_file = key_dir + '/authorized_keys'; with open(key_file, 'w') as f: @@ -202,7 +217,23 @@ def generate(login): f.write(line) os.chown(key_file, uid, gid) - os.chmod(key_file, S_IRUSR|S_IWUSR) + os.chmod(key_file, S_IRUSR | S_IWUSR) + + # + # RADIUS + # + if len(login['radius_server']) > 0: + tmpl = jinja2.Template(radius_config_tmpl) + config_text = tmpl.render(login) + with open(radius_config_file, 'w') as f: + f.write(config_text) + + uid = getpwnam('root').pw_uid + gid = getpwnam('root').pw_gid + os.chown(radius_config_file, uid, gid) + os.chmod(radius_config_file, S_IRUSR | S_IWUSR) + else: + os.unlink(radius_config_file) pass @@ -241,6 +272,16 @@ def apply(login): except Exception as e: print('Deleting user "{}" raised an exception'.format(user)) + # + # RADIUS + # + if len(login['radius_server']) > 0: + # Enable RADIUS in PAM + os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable radius") + else: + # Disable RADIUS in PAM + os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --remove radius") + pass if __name__ == '__main__': |