summaryrefslogtreecommitdiff
path: root/interface-definitions/system_login.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/system_login.xml.in')
-rw-r--r--interface-definitions/system_login.xml.in302
1 files changed, 302 insertions, 0 deletions
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in
new file mode 100644
index 000000000..672c4afc8
--- /dev/null
+++ b/interface-definitions/system_login.xml.in
@@ -0,0 +1,302 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="system">
+ <children>
+ <node name="login" owner="${vyos_conf_scripts_dir}/system_login.py">
+ <properties>
+ <help>System User Login Configuration</help>
+ <priority>400</priority>
+ </properties>
+ <children>
+ <tagNode name="user">
+ <properties>
+ <help>Local user account information</help>
+ <constraint>
+ #include <include/constraint/login-username.xml.i>
+ </constraint>
+ <constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication settings</help>
+ </properties>
+ <children>
+ <leafNode name="encrypted-password">
+ <properties>
+ <help>Encrypted password</help>
+ <constraint>
+ <regex>(\*|\!)</regex>
+ <regex>[a-zA-Z0-9\.\/]{13}</regex>
+ <regex>\$1\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{22}</regex>
+ <regex>\$5\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{43}</regex>
+ <regex>\$6\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{86}</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid encrypted password for $VAR(../../@).</constraintErrorMessage>
+ </properties>
+ <defaultValue>!</defaultValue>
+ </leafNode>
+ <node name="otp">
+ <properties>
+ <help>One-Time-Pad (two-factor) authentication parameters</help>
+ </properties>
+ <children>
+ <leafNode name="rate-limit">
+ <properties>
+ <help>Limit number of logins (rate-limit) per rate-time</help>
+ <valueHelp>
+ <format>u32:1-10</format>
+ <description>Number of attempts</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-10"/>
+ </constraint>
+ <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage>
+ </properties>
+ <defaultValue>3</defaultValue>
+ </leafNode>
+ <leafNode name="rate-time">
+ <properties>
+ <help>Limit number of logins (rate-limit) per rate-time</help>
+ <valueHelp>
+ <format>u32:15-600</format>
+ <description>Time interval</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 15-600"/>
+ </constraint>
+ <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="window-size">
+ <properties>
+ <help>Set window of concurrently valid codes</help>
+ <valueHelp>
+ <format>u32:1-21</format>
+ <description>Window size</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-21"/>
+ </constraint>
+ <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage>
+ </properties>
+ <defaultValue>3</defaultValue>
+ </leafNode>
+ <leafNode name="key">
+ <properties>
+ <help>Key/secret the token algorithm (see RFC4226)</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Base32 encoded key/token</description>
+ </valueHelp>
+ <constraint>
+ <regex>[a-zA-Z2-7]{26,10000}</regex>
+ </constraint>
+ <constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="plaintext-password">
+ <properties>
+ <help>Plaintext password used for encryption</help>
+ </properties>
+ </leafNode>
+ <tagNode name="public-keys">
+ <properties>
+ <help>Remote access public keys</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Key identifier used by ssh-keygen (usually of form user@host)</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="key">
+ <properties>
+ <help>Public key value (Base64 encoded)</help>
+ <constraint>
+ <validator name="base64"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="options">
+ <properties>
+ <help>Optional public key options</help>
+ </properties>
+ </leafNode>
+ <leafNode name="type">
+ <properties>
+ <help>SSH public key type</help>
+ <completionHelp>
+ <list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ssh-dss</format>
+ <description>Digital Signature Algorithm (DSA) key support</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ssh-rsa</format>
+ <description>Key pair based on RSA algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ecdsa-sha2-nistp256</format>
+ <description>Elliptic Curve DSA with NIST P-256 curve</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ecdsa-sha2-nistp384</format>
+ <description>Elliptic Curve DSA with NIST P-384 curve</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ecdsa-sha2-nistp521</format>
+ <description>Elliptic Curve DSA with NIST P-521 curve</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ssh-ed25519</format>
+ <description>Edwards-curve DSA with elliptic curve 25519</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sk-ecdsa-sha2-nistp256@openssh.com</format>
+ <description>Elliptic Curve DSA security key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sk-ssh-ed25519@openssh.com</format>
+ <description>Elliptic curve 25519 security key</description>
+ </valueHelp>
+ <constraint>
+ <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <leafNode name="full-name">
+ <properties>
+ <help>Full name of the user (use quotes for names with spaces)</help>
+ <constraint>
+ <regex>[^:]*</regex>
+ </constraint>
+ <constraintErrorMessage>Cannot use ':' in full name</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="home-directory">
+ <properties>
+ <help>Home directory</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Path to home directory</description>
+ </valueHelp>
+ <constraint>
+ <regex>\/$|(\/[a-zA-Z_0-9-.]+)+</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ #include <include/radius-server-ipv4-ipv6.xml.i>
+ <node name="radius">
+ <children>
+ <tagNode name="server">
+ <children>
+ #include <include/radius-timeout.xml.i>
+ <leafNode name="priority">
+ <properties>
+ <help>Server priority</help>
+ <valueHelp>
+ <format>u32:1-255</format>
+ <description>Server priority</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-255"/>
+ </constraint>
+ </properties>
+ <defaultValue>255</defaultValue>
+ </leafNode>
+ </children>
+ </tagNode>
+ #include <include/interface/vrf.xml.i>
+ </children>
+ </node>
+ <node name="tacacs">
+ <properties>
+ <help>TACACS+ based user authentication</help>
+ </properties>
+ <children>
+ <tagNode name="server">
+ <properties>
+ <help>TACACS+ server configuration</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>TACACS+ server IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/radius-server-key.xml.i>
+ #include <include/port-number.xml.i>
+ <leafNode name="port">
+ <defaultValue>49</defaultValue>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="security-mode">
+ <properties>
+ <help>Security mode for TACACS+ authentication</help>
+ <completionHelp>
+ <list>mandatory optional</list>
+ </completionHelp>
+ <valueHelp>
+ <format>mandatory</format>
+ <description>Deny access immediately if TACACS+ answers with REJECT</description>
+ </valueHelp>
+ <valueHelp>
+ <format>optional</format>
+ <description>Pass to the next authentication method if TACACS+ answers with REJECT</description>
+ </valueHelp>
+ <constraint>
+ <regex>(mandatory|optional)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>optional</defaultValue>
+ </leafNode>
+ #include <include/source-address-ipv4.xml.i>
+ #include <include/radius-timeout.xml.i>
+ #include <include/interface/vrf.xml.i>
+ </children>
+ </node>
+ <leafNode name="max-login-session">
+ <properties>
+ <help>Maximum number of all login sessions</help>
+ <valueHelp>
+ <format>u32:1-65536</format>
+ <description>Maximum number of all login sessions</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65536"/>
+ </constraint>
+ <constraintErrorMessage>Maximum logins must be between 1 and 65536</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="timeout">
+ <properties>
+ <help>Session timeout</help>
+ <valueHelp>
+ <format>u32:5-604800</format>
+ <description>Session timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 5-604800"/>
+ </constraint>
+ <constraintErrorMessage>Timeout must be between 5 and 604800 seconds</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>