diff options
Diffstat (limited to 'interface-definitions/system_login.xml.in')
-rw-r--r-- | interface-definitions/system_login.xml.in | 302 |
1 files changed, 302 insertions, 0 deletions
diff --git a/interface-definitions/system_login.xml.in b/interface-definitions/system_login.xml.in new file mode 100644 index 000000000..672c4afc8 --- /dev/null +++ b/interface-definitions/system_login.xml.in @@ -0,0 +1,302 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="system"> + <children> + <node name="login" owner="${vyos_conf_scripts_dir}/system_login.py"> + <properties> + <help>System User Login Configuration</help> + <priority>400</priority> + </properties> + <children> + <tagNode name="user"> + <properties> + <help>Local user account information</help> + <constraint> + #include <include/constraint/login-username.xml.i> + </constraint> + <constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage> + </properties> + <children> + <node name="authentication"> + <properties> + <help>Authentication settings</help> + </properties> + <children> + <leafNode name="encrypted-password"> + <properties> + <help>Encrypted password</help> + <constraint> + <regex>(\*|\!)</regex> + <regex>[a-zA-Z0-9\.\/]{13}</regex> + <regex>\$1\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{22}</regex> + <regex>\$5\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{43}</regex> + <regex>\$6\$(rounds=[0-9]+\$)?[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{86}</regex> + </constraint> + <constraintErrorMessage>Invalid encrypted password for $VAR(../../@).</constraintErrorMessage> + </properties> + <defaultValue>!</defaultValue> + </leafNode> + <node name="otp"> + <properties> + <help>One-Time-Pad (two-factor) authentication parameters</help> + </properties> + <children> + <leafNode name="rate-limit"> + <properties> + <help>Limit number of logins (rate-limit) per rate-time</help> + <valueHelp> + <format>u32:1-10</format> + <description>Number of attempts</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-10"/> + </constraint> + <constraintErrorMessage>Number of login attempts must me between 1 and 10</constraintErrorMessage> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + <leafNode name="rate-time"> + <properties> + <help>Limit number of logins (rate-limit) per rate-time</help> + <valueHelp> + <format>u32:15-600</format> + <description>Time interval</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 15-600"/> + </constraint> + <constraintErrorMessage>Rate limit time interval must be between 15 and 600 seconds</constraintErrorMessage> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="window-size"> + <properties> + <help>Set window of concurrently valid codes</help> + <valueHelp> + <format>u32:1-21</format> + <description>Window size</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-21"/> + </constraint> + <constraintErrorMessage>Window of concurrently valid codes must be between 1 and 21</constraintErrorMessage> + </properties> + <defaultValue>3</defaultValue> + </leafNode> + <leafNode name="key"> + <properties> + <help>Key/secret the token algorithm (see RFC4226)</help> + <valueHelp> + <format>txt</format> + <description>Base32 encoded key/token</description> + </valueHelp> + <constraint> + <regex>[a-zA-Z2-7]{26,10000}</regex> + </constraint> + <constraintErrorMessage>Key must only include base32 characters and be at least 26 characters long</constraintErrorMessage> + </properties> + </leafNode> + </children> + </node> + <leafNode name="plaintext-password"> + <properties> + <help>Plaintext password used for encryption</help> + </properties> + </leafNode> + <tagNode name="public-keys"> + <properties> + <help>Remote access public keys</help> + <valueHelp> + <format>txt</format> + <description>Key identifier used by ssh-keygen (usually of form user@host)</description> + </valueHelp> + </properties> + <children> + <leafNode name="key"> + <properties> + <help>Public key value (Base64 encoded)</help> + <constraint> + <validator name="base64"/> + </constraint> + </properties> + </leafNode> + <leafNode name="options"> + <properties> + <help>Optional public key options</help> + </properties> + </leafNode> + <leafNode name="type"> + <properties> + <help>SSH public key type</help> + <completionHelp> + <list>ssh-dss ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-ed25519 sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com</list> + </completionHelp> + <valueHelp> + <format>ssh-dss</format> + <description>Digital Signature Algorithm (DSA) key support</description> + </valueHelp> + <valueHelp> + <format>ssh-rsa</format> + <description>Key pair based on RSA algorithm</description> + </valueHelp> + <valueHelp> + <format>ecdsa-sha2-nistp256</format> + <description>Elliptic Curve DSA with NIST P-256 curve</description> + </valueHelp> + <valueHelp> + <format>ecdsa-sha2-nistp384</format> + <description>Elliptic Curve DSA with NIST P-384 curve</description> + </valueHelp> + <valueHelp> + <format>ecdsa-sha2-nistp521</format> + <description>Elliptic Curve DSA with NIST P-521 curve</description> + </valueHelp> + <valueHelp> + <format>ssh-ed25519</format> + <description>Edwards-curve DSA with elliptic curve 25519</description> + </valueHelp> + <valueHelp> + <format>sk-ecdsa-sha2-nistp256@openssh.com</format> + <description>Elliptic Curve DSA security key</description> + </valueHelp> + <valueHelp> + <format>sk-ssh-ed25519@openssh.com</format> + <description>Elliptic curve 25519 security key</description> + </valueHelp> + <constraint> + <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)</regex> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + </children> + </node> + <leafNode name="full-name"> + <properties> + <help>Full name of the user (use quotes for names with spaces)</help> + <constraint> + <regex>[^:]*</regex> + </constraint> + <constraintErrorMessage>Cannot use ':' in full name</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="home-directory"> + <properties> + <help>Home directory</help> + <valueHelp> + <format>txt</format> + <description>Path to home directory</description> + </valueHelp> + <constraint> + <regex>\/$|(\/[a-zA-Z_0-9-.]+)+</regex> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + #include <include/radius-server-ipv4-ipv6.xml.i> + <node name="radius"> + <children> + <tagNode name="server"> + <children> + #include <include/radius-timeout.xml.i> + <leafNode name="priority"> + <properties> + <help>Server priority</help> + <valueHelp> + <format>u32:1-255</format> + <description>Server priority</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + <defaultValue>255</defaultValue> + </leafNode> + </children> + </tagNode> + #include <include/interface/vrf.xml.i> + </children> + </node> + <node name="tacacs"> + <properties> + <help>TACACS+ based user authentication</help> + </properties> + <children> + <tagNode name="server"> + <properties> + <help>TACACS+ server configuration</help> + <valueHelp> + <format>ipv4</format> + <description>TACACS+ server IPv4 address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + <children> + #include <include/generic-disable-node.xml.i> + #include <include/radius-server-key.xml.i> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>49</defaultValue> + </leafNode> + </children> + </tagNode> + <leafNode name="security-mode"> + <properties> + <help>Security mode for TACACS+ authentication</help> + <completionHelp> + <list>mandatory optional</list> + </completionHelp> + <valueHelp> + <format>mandatory</format> + <description>Deny access immediately if TACACS+ answers with REJECT</description> + </valueHelp> + <valueHelp> + <format>optional</format> + <description>Pass to the next authentication method if TACACS+ answers with REJECT</description> + </valueHelp> + <constraint> + <regex>(mandatory|optional)</regex> + </constraint> + </properties> + <defaultValue>optional</defaultValue> + </leafNode> + #include <include/source-address-ipv4.xml.i> + #include <include/radius-timeout.xml.i> + #include <include/interface/vrf.xml.i> + </children> + </node> + <leafNode name="max-login-session"> + <properties> + <help>Maximum number of all login sessions</help> + <valueHelp> + <format>u32:1-65536</format> + <description>Maximum number of all login sessions</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-65536"/> + </constraint> + <constraintErrorMessage>Maximum logins must be between 1 and 65536</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="timeout"> + <properties> + <help>Session timeout</help> + <valueHelp> + <format>u32:5-604800</format> + <description>Session timeout in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 5-604800"/> + </constraint> + <constraintErrorMessage>Timeout must be between 5 and 604800 seconds</constraintErrorMessage> + </properties> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> |