Age | Commit message (Collapse) | Author |

MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```

ipsec: T4985: Changed 'reset vpn ipsec-peer' to use vici library

1. Changed reset IPSEC, IKE SAs to use vici library.
2. Created package vyos.ipsec to communicate with vici library.

T5027: Enable legacy provider to support current ciphers

T5013: Extend accelppp op-mode script to get statistic

T5017: Add interface ifbX to constraint interface-name

* We will need to remove insecure ciphers as a long-term solution (BF-CBC, DES...)

T5025: Fix timezones and validator use timedatectl

Fix timezones completion help and validator
Use 'timedatectl' instead of find zoneinfo

openconnect: T5023: Conf script missing optional config parameter

ipsec: T4593: Remove references to deleted variables

T5020: Extend openvpn op-mode to get list of configured clients

T5007: Fix multicast implementation for the tunnel interfaces

T4978: Default values of port rewrite default container values

As we have the same variable name 'default_values' for container
name, port and volume, it rewrites default container parameters
with default port parameters.
Fix it.

Extend openvpn.py op-mode script to get list of configured clients
for the '--raw' output

Multicast has not been implemented for the tunnel interfaces.
We have only configuration CLI commands that do anything.
Fix it.
```
ip link set dev <tag> multicast on
ip link set dev <tag> multicast off
```

T4886: allow connection-mark 0 value, which is acceptable

T5011: Set default values for min_mtu max_mtu

Some interface drivers don't support/provide min_mtu and max_mtu values,
for example VyOS in docker container with 'veth' driver on some
platforms.
As a workaround, add default values for min/max MTU for calculations
and pass function "verify_mtu(config)".

Change op-mode raw statistics for accel_ppp.py
dict key 'cpu' to 'cpu_load_percentage' and value to integer

Extend accelppp.py op-mode script to get
subnet/start/stop/gateway/client_ip_pool/ etc
info from the configuration

qos: classes: helptext: T5015: Escape % in printf

macsec: T5008: Changed length of CKN to (2..64 hex-digits)

T5005: PPPoE server allow any login with option noauth

Disabling authentication is useful in emergency situations
(e.g. RADIUS server is down) or testing purposes.
Clients can connect with any login and username.
```
set service pppoe-server authentication mode 'noauth'
```

Based on wpa_supplicant documentation.
mka_ckn (CKN = CAK Name) takes a 1..32-byte (8..256-bit)
hex-string (2..64 hex-digits).
Changed allowable length of CKN from strong 64 hex-digits
to the range (2..64 hex-digits).

T5002: Add uk United Kingdom keymap

```
set system option keyboard-layout uk
```

debian: T5003: Upgrade base system to Debian 12 "Bookworm"

config_mgmt: T4991: use configtree.show_diff instead of Python difflib

ipsec: T4593: Migrate and remove legacy `include-ipsec` nodes

T4971: Accel-ppp verify if client_ip_pool key exists in config

http-api: T5006: add explicit async to retrieve/configure methods for REST

If 'client_ip_pool' does not exist in config, we cannot search it
in the dictionary:
```
dict_search_recursive(config, 'gateway_address', ['client_ip_pool', 'name'])
```
Add check.

Not supported with swanctl

ipsec: T4985: Fixed 'reset vpn ipsec-peer {peer}' command

Fixed 'reset vpn ipsec-peer {peer}' command.
The op-mode script uses value 'None' in the 'tunnel' parameter
to clear all CHILD SAs.