summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/control5
-rw-r--r--debian/vyos-1x.postinst56
-rw-r--r--debian/vyos-1x.preinst1
3 files changed, 59 insertions, 3 deletions
diff --git a/debian/control b/debian/control
index 797c01acf..40920cadc 100644
--- a/debian/control
+++ b/debian/control
@@ -26,6 +26,10 @@ Standards-Version: 3.9.6
Package: vyos-1x
Architecture: amd64 arm64
+Pre-Depends:
+ libnss-tacplus [amd64],
+ libpam-tacplus [amd64],
+ libpam-radius-auth [amd64]
Depends:
${python3:Depends} (>= 3.10),
aardvark-dns,
@@ -83,7 +87,6 @@ Depends:
libndp-tools,
libnetfilter-conntrack3,
libnfnetlink0,
- libpam-radius-auth (>= 1.5.0),
libqmi-utils,
libstrongswan-extra-plugins (>=5.9),
libstrongswan-standard-plugins (>=5.9),
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 6653cd585..9822ce286 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -29,10 +29,60 @@ do
sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done
+# Remove TACACS user added by base package - we use our own UID range and group
+# assignments - see below
+if grep -q '^tacacs' /etc/passwd; then
+ if [ $(id -u tacacs0) -ge 1000 ]; then
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ userdel tacacs${level} || true
+ level=$(( level+1 ))
+ done 2>&1
+ fi
+fi
+
+# Add TACACS system users required for TACACS based system authentication
+if ! grep -q '^tacacs' /etc/passwd; then
+ # Add the tacacs group and all 16 possible tacacs privilege-level users to
+ # the password file, home directories, etc. The accounts are not enabled
+ # for local login, since they are only used to provide uid/gid/homedir for
+ # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
+ # is also added to the sudo group, and vyattacfg group rather than vyattaop
+ # (used for tacacs0-14).
+ level=0
+ vyos_group=vyattaop
+ while [ $level -lt 16 ]; do
+ adduser --quiet --system --firstuid 900 --disabled-login --ingroup ${vyos_group} \
+ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
+ --shell /bin/vbash tacacs${level}
+ adduser --quiet tacacs${level} frrvty
+ adduser --quiet tacacs${level} adm
+ adduser --quiet tacacs${level} dip
+ adduser --quiet tacacs${level} users
+ adduser --quiet tacacs${level} aaa
+ if [ $level -lt 15 ]; then
+ adduser --quiet tacacs${level} vyattaop
+ adduser --quiet tacacs${level} operator
+ else
+ adduser --quiet tacacs${level} vyattacfg
+ adduser --quiet tacacs${level} sudo
+ adduser --quiet tacacs${level} disk
+ adduser --quiet tacacs${level} frr
+ fi
+ level=$(( level+1 ))
+ done 2>&1 | grep -v 'User tacacs${level} already exists'
+fi
+
+
+if ! grep -q '^aaa' /etc/group; then
+ addgroup --firstgid 1000 --quiet aaa
+fi
+
# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattaop \
- --no-create-home --gecos "radius user" \
+ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
--shell /sbin/radius_shell radius_user
adduser --quiet radius_user frrvty
adduser --quiet radius_user vyattaop
@@ -40,12 +90,13 @@ if ! grep -q '^radius_user' /etc/passwd; then
adduser --quiet radius_user adm
adduser --quiet radius_user dip
adduser --quiet radius_user users
+ adduser --quiet radius_user aaa
fi
# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet --firstuid 1000 --disabled-login --ingroup vyattacfg \
- --no-create-home --gecos "radius privileged user" \
+ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
--shell /sbin/radius_shell radius_priv_user
adduser --quiet radius_priv_user frrvty
adduser --quiet radius_priv_user vyattacfg
@@ -55,6 +106,7 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then
adduser --quiet radius_priv_user disk
adduser --quiet radius_priv_user users
adduser --quiet radius_priv_user frr
+ adduser --quiet radius_priv_user aaa
fi
# add hostsd group for vyos-hostsd
diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst
index 949ffcbc4..bfbeb112c 100644
--- a/debian/vyos-1x.preinst
+++ b/debian/vyos-1x.preinst
@@ -3,6 +3,7 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf
dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service
dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd
dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius
+dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus
dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf
dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc
dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile