summaryrefslogtreecommitdiff
path: root/debian/vyos-1x.postinst
diff options
context:
space:
mode:
Diffstat (limited to 'debian/vyos-1x.postinst')
-rw-r--r--debian/vyos-1x.postinst122
1 files changed, 112 insertions, 10 deletions
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index d92fd8233..b43416152 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!/bin/bash
# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true
@@ -24,15 +24,71 @@ fi
# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
- PAM_CONFIG="auth required pam_google_authenticator.so nullok"
- grep -qF -- "${PAM_CONFIG}" $file || \
- sed -i "/^@include common-auth/a # Check 2FA/MFA authentication token if enabled (per user)\n${PAM_CONFIG}" $file
+ PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n"
+ grep -qF -- "pam_google_authenticator.so" $file || \
+ sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
+# We do not make use of a TACACS UNIX group - drop it
+if grep -q '^tacacs' /etc/group; then
+ delgroup tacacs
+fi
+
+# Both RADIUS and TACACS users belong to aaa group - this must be added first
+if ! grep -q '^aaa' /etc/group; then
+ addgroup --firstgid 1000 --quiet aaa
+fi
+
+# Remove TACACS user added by base package - we use our own UID range and group
+# assignments - see below
+if grep -q '^tacacs' /etc/passwd; then
+ if [ $(id -u tacacs0) -ge 1000 ]; then
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ userdel tacacs${level} || true
+ rm -rf /home/tacacs${level} || true
+ level=$(( level+1 ))
+ done 2>&1
+ fi
+fi
+
+# Add TACACS system users required for TACACS based system authentication
+if ! grep -q '^tacacs' /etc/passwd; then
+ # Add the tacacs group and all 16 possible tacacs privilege-level users to
+ # the password file, home directories, etc. The accounts are not enabled
+ # for local login, since they are only used to provide uid/gid/homedir for
+ # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
+ # is also added to the sudo group, and vyattacfg group rather than vyattaop
+ # (used for tacacs0-14).
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \
+ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
+ --shell /bin/vbash tacacs${level}
+ adduser --quiet tacacs${level} frrvty
+ adduser --quiet tacacs${level} adm
+ adduser --quiet tacacs${level} dip
+ adduser --quiet tacacs${level} users
+ adduser --quiet tacacs${level} aaa
+ if [ $level -lt 15 ]; then
+ adduser --quiet tacacs${level} vyattaop
+ adduser --quiet tacacs${level} operator
+ else
+ adduser --quiet tacacs${level} vyattacfg
+ adduser --quiet tacacs${level} sudo
+ adduser --quiet tacacs${level} disk
+ adduser --quiet tacacs${level} frr
+ fi
+ level=$(( level+1 ))
+ done 2>&1 | grep -v 'User tacacs${level} already exists'
+fi
+
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
- --no-create-home --gecos "radius user" \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
@@ -40,12 +96,13 @@ if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
+ adduser --quiet radius_user aaa
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
- adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
- --no-create-home --gecos "radius privileged user" \
+ adduser --quiet --firstuid 1000 --disabled-login --ingroup users \
+ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
@@ -55,6 +112,7 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
+ adduser --quiet radius_priv_user aaa
fi
# add hostsd group for vyos-hostsd
@@ -68,9 +126,24 @@ if ! grep -q '^dhcpd' /etc/passwd; then
adduser --quiet dhcpd hostsd
fi
-# ensure hte proxy user has a proper shell
+# ensure the proxy user has a proper shell
chsh -s /bin/sh proxy
+# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
+if [ ! -x $PRECONFIG_SCRIPT ]; then
+ mkdir -p $(dirname $PRECONFIG_SCRIPT)
+ touch $PRECONFIG_SCRIPT
+ chmod 755 $PRECONFIG_SCRIPT
+ cat <<EOF >>$PRECONFIG_SCRIPT
+#!/bin/sh
+# This script is executed at boot time before VyOS configuration is applied.
+# Any modifications required to work around unfixed bugs or use
+# services not available through the VyOS CLI system can be placed here.
+
+EOF
+fi
+
# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
@@ -103,7 +176,8 @@ DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/
/etc/default/pmacctd /etc/pmacct
/etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
/etc/ntp.conf /etc/default/ssh
- /etc/powerdns /etc/default/pdns-recursor"
+ /etc/powerdns /etc/default/pdns-recursor
+ /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
if [ -e ${tmp} ]; then
rm -rf ${tmp}
@@ -113,3 +187,31 @@ done
# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog
+
+# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
+if test -f /etc/pam.d/frr; then
+ if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
+ sed -i -re 's/rootok/permit/' /etc/pam.d/frr
+ fi
+fi
+
+# Enable Cloud-init pre-configuration service
+systemctl enable vyos-config-cloud-init.service
+
+# Generate API GraphQL schema
+/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py
+
+# Update XML cache
+python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py
+
+# T1797: disable VPP support for rolling release, should be used by developers
+# only (in the initial phase). If you wan't to enable VPP use the below command
+# on your VyOS installation:
+#
+# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp
+if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then
+ if [ -d /opt/vyatta/share/vyatta-cfg/vpp ]; then
+ rm -rf /opt/vyatta/share/vyatta-cfg/vpp
+ fi
+ mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp
+fi