diff options
Diffstat (limited to 'debian')
| -rw-r--r-- | debian/control | 12 | ||||
| -rw-r--r-- | debian/vyos-1x.links | 1 | ||||
| -rw-r--r-- | debian/vyos-1x.postinst | 49 | ||||
| -rw-r--r-- | debian/vyos-1x.preinst | 5 |
4 files changed, 21 insertions, 46 deletions
diff --git a/debian/control b/debian/control index ee45a5fe3..871a1f0f7 100644 --- a/debian/control +++ b/debian/control @@ -39,6 +39,7 @@ Depends: beep, bmon, bsdmainutils, + certbot, charon-systemd, conntrack, conntrackd, @@ -48,7 +49,8 @@ Depends: cron, curl, dbus, - ddclient (>= 3.9.1), + ddclient (>= 3.11.1), + dmidecode, dropbear, easy-rsa, etherwake, @@ -62,6 +64,7 @@ Depends: frr-snmp, fuse-overlayfs, libpam-google-authenticator, + git, grc, haproxy, hostapd, @@ -78,6 +81,7 @@ Depends: isc-dhcp-relay, isc-dhcp-server, iw, + jool, keepalived (>=2.0.5), lcdproc, lcdproc-extra-drivers, @@ -91,7 +95,6 @@ Depends: libqmi-utils, libstrongswan-extra-plugins (>=5.9), libstrongswan-standard-plugins (>=5.9), - libvppinfra [amd64], libvyosconfig0, linux-cpupower, lldpd, @@ -126,7 +129,6 @@ Depends: pppoe, procps, python3, - python3-certbot-nginx, python3-cryptography, python3-hurry.filesize, python3-inotify, @@ -145,7 +147,6 @@ Depends: python3-tabulate, python3-vici (>= 5.7.2), python3-voluptuous, - python3-vpp-api [amd64], python3-xmltodict, python3-zmq, qrencode, @@ -180,9 +181,6 @@ Depends: uidmap, usb-modeswitch, usbutils, - vpp [amd64], - vpp-plugin-core [amd64], - vpp-plugin-dpdk [amd64], vyatta-bash, vyatta-cfg, vyos-http-api-tools, diff --git a/debian/vyos-1x.links b/debian/vyos-1x.links index 0e2d1b841..402c91306 100644 --- a/debian/vyos-1x.links +++ b/debian/vyos-1x.links @@ -1 +1,2 @@ /etc/netplug/linkup.d/vyos-python-helper /etc/netplug/linkdown.d/vyos-python-helper +/usr/libexec/vyos/system/standalone_root_pw_reset /opt/vyatta/sbin/standalone_root_pw_reset diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst index b43416152..f7ebec8bc 100644 --- a/debian/vyos-1x.postinst +++ b/debian/vyos-1x.postinst @@ -21,22 +21,9 @@ if ! grep -q '^openvpn' /etc/passwd; then adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn fi -# Enable 2FA/MFA support for SSH and local logins -for file in /etc/pam.d/sshd /etc/pam.d/login -do - PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth required pam_google_authenticator.so nullok forward_pass\n" - grep -qF -- "pam_google_authenticator.so" $file || \ - sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file -done - -# We do not make use of a TACACS UNIX group - drop it -if grep -q '^tacacs' /etc/group; then - delgroup tacacs -fi - -# Both RADIUS and TACACS users belong to aaa group - this must be added first -if ! grep -q '^aaa' /etc/group; then - addgroup --firstgid 1000 --quiet aaa +# We need to have a group for RADIUS service users to use it inside PAM rules +if ! grep -q '^radius' /etc/group; then + addgroup --firstgid 1000 --quiet radius fi # Remove TACACS user added by base package - we use our own UID range and group @@ -53,6 +40,11 @@ if grep -q '^tacacs' /etc/passwd; then fi fi +# Remove TACACS+ PAM default profile +if [[ -e /usr/share/pam-configs/tacplus ]]; then + rm /usr/share/pam-configs/tacplus +fi + # Add TACACS system users required for TACACS based system authentication if ! grep -q '^tacacs' /etc/passwd; then # Add the tacacs group and all 16 possible tacacs privilege-level users to @@ -64,14 +56,13 @@ if ! grep -q '^tacacs' /etc/passwd; then level=0 vyos_group=vyattaop while [ $level -lt 16 ]; do - adduser --quiet --system --firstuid 900 --disabled-login --ingroup users \ + adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \ --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \ --shell /bin/vbash tacacs${level} adduser --quiet tacacs${level} frrvty adduser --quiet tacacs${level} adm adduser --quiet tacacs${level} dip adduser --quiet tacacs${level} users - adduser --quiet tacacs${level} aaa if [ $level -lt 15 ]; then adduser --quiet tacacs${level} vyattaop adduser --quiet tacacs${level} operator @@ -82,12 +73,12 @@ if ! grep -q '^tacacs' /etc/passwd; then adduser --quiet tacacs${level} frr fi level=$(( level+1 )) - done 2>&1 | grep -v 'User tacacs${level} already exists' + done 2>&1 | grep -v "User tacacs${level} already exists" fi # Add RADIUS operator user for RADIUS authenticated users to map to if ! grep -q '^radius_user' /etc/passwd; then - adduser --quiet --firstuid 1000 --disabled-login --ingroup users \ + adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \ --no-create-home --gecos "RADIUS mapped user at privilege level operator" \ --shell /sbin/radius_shell radius_user adduser --quiet radius_user frrvty @@ -96,12 +87,11 @@ if ! grep -q '^radius_user' /etc/passwd; then adduser --quiet radius_user adm adduser --quiet radius_user dip adduser --quiet radius_user users - adduser --quiet radius_user aaa fi # Add RADIUS admin user for RADIUS authenticated users to map to if ! grep -q '^radius_priv_user' /etc/passwd; then - adduser --quiet --firstuid 1000 --disabled-login --ingroup users \ + adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \ --no-create-home --gecos "RADIUS mapped user at privilege level admin" \ --shell /sbin/radius_shell radius_priv_user adduser --quiet radius_priv_user frrvty @@ -112,7 +102,6 @@ if ! grep -q '^radius_priv_user' /etc/passwd; then adduser --quiet radius_priv_user disk adduser --quiet radius_priv_user users adduser --quiet radius_priv_user frr - adduser --quiet radius_priv_user aaa fi # add hostsd group for vyos-hostsd @@ -175,7 +164,7 @@ fi DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd /etc/default/pmacctd /etc/pmacct /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf - /etc/ntp.conf /etc/default/ssh + /etc/ntp.conf /etc/default/ssh /etc/avahi/avahi-daemon.conf /etc/avahi/hosts /etc/powerdns /etc/default/pdns-recursor /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns" for tmp in $DELETE; do @@ -203,15 +192,3 @@ systemctl enable vyos-config-cloud-init.service # Update XML cache python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py - -# T1797: disable VPP support for rolling release, should be used by developers -# only (in the initial phase). If you wan't to enable VPP use the below command -# on your VyOS installation: -# -# sudo mv /opt/vyatta/share/vyatta-cfg/vpp /opt/vyatta/share/vyatta-cfg/templates/vpp -if [ -d /opt/vyatta/share/vyatta-cfg/templates/vpp ]; then - if [ -d /opt/vyatta/share/vyatta-cfg/vpp ]; then - rm -rf /opt/vyatta/share/vyatta-cfg/vpp - fi - mv /opt/vyatta/share/vyatta-cfg/templates/vpp /opt/vyatta/share/vyatta-cfg/vpp -fi diff --git a/debian/vyos-1x.preinst b/debian/vyos-1x.preinst index e355ffa84..fbfc85566 100644 --- a/debian/vyos-1x.preinst +++ b/debian/vyos-1x.preinst @@ -2,11 +2,10 @@ dpkg-divert --package vyos-1x --add --no-rename /etc/securetty dpkg-divert --package vyos-1x --add --no-rename /etc/security/capability.conf dpkg-divert --package vyos-1x --add --no-rename /lib/systemd/system/lcdproc.service dpkg-divert --package vyos-1x --add --no-rename /etc/logrotate.d/conntrackd -dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/radius -dpkg-divert --package vyos-1x --add --no-rename /usr/share/pam-configs/tacplus dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.conf dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.bashrc dpkg-divert --package vyos-1x --add --no-rename /etc/skel/.profile -dpkg-divert --package vyos-1x --add --no-rename /etc/sysctl.d/80-vpp.conf dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplugd.conf dpkg-divert --package vyos-1x --add --no-rename /etc/netplug/netplug +dpkg-divert --package vyos-1x --add --no-rename /etc/rsyslog.d/45-frr.conf +dpkg-divert --package vyos-1x --add --no-rename /lib/udev/rules.d/99-systemd.rules |