-rw-r--r--debian/control2
-rwxr-xr-xsrc/conf_mode/system-login.py47
2 files changed, 45 insertions, 4 deletions
diff --git a/debian/control b/debian/control
index 6e59ea2fb..2901f792e 100644
--- a/debian/control
+++ b/debian/control
@@ -63,7 +63,7 @@ Depends: python3,
openvpn,
openvpn-auth-ldap,
openvpn-auth-radius,
- libpam-radius-auth,
+ libpam-radius-auth (>= 1.5.0),
mtr-tiny,
telnet,
traceroute,
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 8aa3991fd..3d29010b9 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -16,6 +16,7 @@
import sys
import os
+import jinja2
from pwd import getpwall, getpwnam
from grp import getgrnam
@@ -26,6 +27,21 @@ from vyos.config import Config
from vyos.configdict import list_diff
from vyos import ConfigError
+radius_config_file = "/etc/pam_radius_auth.conf"
+radius_config_tmpl = """
+# Automatically generated by VyOS
+# RADIUS configuration file
+# server[:port] shared_secret timeout (s) source_ip
+{% if radius_server -%}
+{% for s in radius_server -%}
+{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source -%}{{ radius_source }}{% endif %}
+{% endfor -%}
+
+priv-lvl 15
+mapped_priv_user radius_priv_user
+{% endif %}
+
+"""
default_config_data = {
'deleted': False,
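Review bot: The server line `{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }}` is whitespace-delimited, so a shared secret containing a space or line break, or a server entry missing one of those attributes (which the default `jinja2.Template` renders as an empty string rather than failing), silently produces a malformed `/etc/pam_radius_auth.conf` line instead of an error. verify() in a later hunk of this file is still just `pass`; it should reject such entries before generate() runs, or the template should be rendered with `jinja2.Template(radius_config_tmpl, undefined=jinja2.StrictUndefined)` so a missing field aborts the commit. The outer `{% if radius_server -%}` appears redundant with the caller, which only renders the template when the list is non-empty.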
@@ -152,7 +168,6 @@ def get_config():
return login
def verify(login):
-
pass
def generate(login):
@@ -186,7 +201,7 @@ def generate(login):
if not os.path.isdir(key_dir):
os.mkdir(key_dir)
os.chown(key_dir, uid, gid)
- os.chmod(key_dir, S_IRWXU|S_IRGRP|S_IXGRP)
+ os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
key_file = key_dir + '/authorized_keys';
with open(key_file, 'w') as f:
@@ -202,7 +217,23 @@ def generate(login):
f.write(line)
os.chown(key_file, uid, gid)
- os.chmod(key_file, S_IRUSR|S_IWUSR)
+ os.chmod(key_file, S_IRUSR | S_IWUSR)
+
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ tmpl = jinja2.Template(radius_config_tmpl)
+ config_text = tmpl.render(login)
+ with open(radius_config_file, 'w') as f:
+ f.write(config_text)
+
+ uid = getpwnam('root').pw_uid
+ gid = getpwnam('root').pw_gid
+ os.chown(radius_config_file, uid, gid)
+ os.chmod(radius_config_file, S_IRUSR | S_IWUSR)
+ else:
+ os.unlink(radius_config_file)
pass
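Review bot: The shared secrets rendered into `radius_config_file` are written through a plain `open(..., 'w')` and only restricted by `os.chmod` afterwards, so the file exists with the umask's default permissions (or, if it already exists, with whatever mode it previously had) for the window between the write and the chmod. Create it with the final mode up front and tighten the mode before writing, as below; the trailing `os.chmod` then becomes redundant. Separately, the `else` branch's `os.unlink(radius_config_file)` raises FileNotFoundError when no RADIUS config has ever been written, which is the normal state on a system without RADIUS, so it needs an `os.path.isfile` guard. The `len(...) > 0` test reads more simply as a truthiness check, here and in the apply() hunk further down.
```python
    if login['radius_server']:
        config_text = jinja2.Template(radius_config_tmpl).render(login)
        # Create with owner-only permissions from the start: the file carries RADIUS shared secrets
        fd = os.open(radius_config_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, S_IRUSR | S_IWUSR)
        with os.fdopen(fd, 'w') as f:
            # an existing file may carry a wider mode; tighten it before any secret is written
            os.fchmod(f.fileno(), S_IRUSR | S_IWUSR)
            f.write(config_text)
        # … unchanged: chown to root …
    elif os.path.isfile(radius_config_file):
        os.unlink(radius_config_file)
```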
@@ -241,6 +272,16 @@ def apply(login):
except Exception as e:
print('Deleting user "{}" raised an exception'.format(user))
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ # Enable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable radius")
+ else:
+ # Disable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --remove radius")
+
pass
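Review bot: Both `os.system(...)` calls discard their exit status, so a failing `pam-auth-update` leaves PAM without (or still with) the radius profile while the commit reports success. Check the return value and surface it, e.g. `action = '--enable' if login['radius_server'] else '--remove'`, `rc = os.system('DEBIAN_FRONTEND=noninteractive pam-auth-update --package {} radius'.format(action))` and `if rc != 0: raise ConfigError('pam-auth-update {} radius failed'.format(action))` — ConfigError is already imported in the first hunk of this file. The command string contains no configuration-derived input, so the shell form is not an injection risk here, but `subprocess.run` with an argument list and `env=` would make that property explicit if the module later gains a subprocess import. apply()'s body starts outside the hunk.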
if __name__ == '__main__':