diff options
-rw-r--r-- | debian/control | 2 | ||||
-rwxr-xr-x | src/conf_mode/system-login.py | 47 |
2 files changed, 45 insertions, 4 deletions
diff --git a/debian/control b/debian/control index 6e59ea2fb..2901f792e 100644 --- a/debian/control +++ b/debian/control @@ -63,7 +63,7 @@ Depends: python3, openvpn, openvpn-auth-ldap, openvpn-auth-radius, - libpam-radius-auth, + libpam-radius-auth (>= 1.5.0), mtr-tiny, telnet, traceroute, diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 8aa3991fd..3d29010b9 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -16,6 +16,7 @@ import sys import os +import jinja2 from pwd import getpwall, getpwnam from grp import getgrnam @@ -26,6 +27,21 @@ from vyos.config import Config from vyos.configdict import list_diff from vyos import ConfigError +radius_config_file = "/etc/pam_radius_auth.conf" +radius_config_tmpl = """ +# Automatically generated by VyOS +# RADIUS configuration file +# server[:port] shared_secret timeout (s) source_ip +{% if radius_server -%} +{% for s in radius_server -%} +{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source -%}{{ radius_source }}{% endif %} +{% endfor -%} + +priv-lvl 15 +mapped_priv_user radius_priv_user +{% endif %} + +""" default_config_data = { 'deleted': False, @@ -152,7 +168,6 @@ def get_config(): return login def verify(login): - pass def generate(login): @@ -186,7 +201,7 @@ def generate(login): if not os.path.isdir(key_dir): os.mkdir(key_dir) os.chown(key_dir, uid, gid) - os.chmod(key_dir, S_IRWXU|S_IRGRP|S_IXGRP) + os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP) key_file = key_dir + '/authorized_keys'; with open(key_file, 'w') as f: @@ -202,7 +217,23 @@ def generate(login): f.write(line) os.chown(key_file, uid, gid) - os.chmod(key_file, S_IRUSR|S_IWUSR) + os.chmod(key_file, S_IRUSR | S_IWUSR) + + # + # RADIUS + # + if len(login['radius_server']) > 0: + tmpl = jinja2.Template(radius_config_tmpl) + config_text = tmpl.render(login) + with open(radius_config_file, 'w') as f: + f.write(config_text) + + uid = getpwnam('root').pw_uid + gid = getpwnam('root').pw_gid + os.chown(radius_config_file, uid, gid) + os.chmod(radius_config_file, S_IRUSR | S_IWUSR) + else: + os.unlink(radius_config_file) pass @@ -241,6 +272,16 @@ def apply(login): except Exception as e: print('Deleting user "{}" raised an exception'.format(user)) + # + # RADIUS + # + if len(login['radius_server']) > 0: + # Enable RADIUS in PAM + os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable radius") + else: + # Disable RADIUS in PAM + os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --remove radius") + pass if __name__ == '__main__': |