Age | Commit message | Author |
|
(cherry picked from commit 06e6e011cdf12e8d10cf1f6d4d848fd5db51720d)
|
|
Currently VyOS only supports binding a service to one individual VRF. It might
become handy to have the services (initially it will be VRF, NTP and SNMP) be
bound to multiple VRFs.
Changed VRF from leafNode to multi leafNode with defaultValue: default - which
is the name of the default VRF.
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
```
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
```
|
|
MFA requires KbdInteractiveAuthentication to ask for a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
Ability to configure SSH-server HostKeyAlgorithms.
Specifies the host key signature algorithms that the server
offers. Can accept multiple values.
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
Ability to configure SSH RekeyLimit data (in Megabytes) and
time (in Minutes)
```
set service ssh rekey data 1024
set service ssh rekey time 60
```
|
|
|
|
We do not only allow individual host addresses but also prefixes.
|
|
Sshguard protects hosts from brute-force attacks
* Can inspect logs and block "bad" addresses by threshold
* Auto-generate rules for nftables
* When service stopped all generated rules are deleted

nft "type filter hook input priority filter - 10"
```
set service ssh dynamic-protection
set service ssh dynamic-protection block-time 120
set service ssh dynamic-protection detect-time 1800
set service ssh dynamic-protection threshold 30
set service ssh dynamic-protection whitelist-address 192.0.2.1
```
|
|
|
|
|
|
Disable the distribution-specified extra version suffix that is included
during the initial protocol handshake
SSH-2.0-OpenSSH_8.4p1 Debian-5 => SSH-2.0-OpenSSH_8.4p1
|
|
When configuring SSH to only run inside a given VRF the system can not start
SSHd on bootup as the Kernel will report EPERM (Operation not permitted) when
loading the VRF BPF program. This returns the exit code 255 which is marked
in the systemd unit file to stop restarting the service forever.
Removing this limitation will restart the SSHd on startup and it will live
inside the VRF till the end of days.
|
|
|
|
|
|
|
|
Now that b40c52682a256 ("config: T2636: get_config_dict() returns a list on
multi node by default") is implemented the workarounds can be removed.
|
|
Move sshd_config file to /run so it must be generated on every boot and is
not stored accidentally.
|
|
When migrating the conf from VyOS 1.2 to 1.3 a configuration error could appear
if the user specified "info" as loglevel instead of "INFO". There was no input
validation done in 1.2 but this is now enforced in 1.3.
In VyOS 1.3 loglevel will always be lowercase on the CLI and when migrating the
config this is transformed. Also VyOS 1.2 accepted any arbitrary loglevel. If
an invalid loglevel is found it will be set to info.
|
|
Linux tries to bind sshd to the VRF but it is not yet ready - for any arbitrary
reason. After restarting SSH too often (rate-limiting) it is blocked by systemd.
Using Restart/RestartSec is not enough - systemd services use start rate
limiting (enabled by default). If service is started more than StartLimitBurst
times in StartLimitIntervalSec seconds it is not permitted to start any more.
Parameters are inherited from DefaultStartLimitIntervalSec (default 10s) and
DefaultStartLimitBurst (default 5).
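
A simplified model of the start rate limit this message describes, as an added example that is not part of the commit or of VyOS. `StartLimiter`, `simulate` and the timing values are hypothetical, and counting starts in a fixed window is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass
class StartLimiter:
    """Counts start attempts inside one interval (simplified, assumed model)."""
    burst: int = 5           # DefaultStartLimitBurst, as quoted in the message
    interval: float = 10.0   # DefaultStartLimitIntervalSec, as quoted in the message
    window_start: float = 0.0
    count: int = 0

    def allow(self, now: float) -> bool:
        # Open a new window on the first start or once the interval has elapsed.
        if self.count == 0 or now - self.window_start > self.interval:
            self.window_start, self.count = now, 0
        if self.count >= self.burst:
            return False     # too many starts in this interval: start refused
        self.count += 1
        return True


def simulate(vrf_ready_at, restart_sec, limiter=None, horizon=600.0):
    """Restart a daemon that exits at once until the VRF exists.

    Returns (state, starts, time) with state 'running', 'start-limit-hit'
    or 'gave-up'. Process run time is ignored, so restarts are spaced
    exactly restart_sec apart (constructed scenario).
    """
    if limiter is None:
        limiter = StartLimiter()
    now, starts = 0.0, 0
    while now <= horizon:
        if not limiter.allow(now):
            return ("start-limit-hit", starts, now)
        starts += 1
        if now >= vrf_ready_at:      # bind to the VRF succeeds
            return ("running", starts, now)
        now += restart_sec           # Restart= schedules the next attempt
    return ("gave-up", starts, now)


if __name__ == "__main__":
    # VRF becomes usable 3 s after boot; quick restarts use up the burst first.
    print(simulate(vrf_ready_at=3.0, restart_sec=0.5))
    # Same restart spacing with a larger burst reaches the running state.
    print(simulate(3.0, 0.5, StartLimiter(burst=40)))
    # Restarts spaced so that a burst never fits into one interval.
    print(simulate(vrf_ready_at=30.0, restart_sec=3.0))
```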
|
|
|
|
Commit 1d7f88b459d ("ssh: T2635: migrate to get_config_dict()") used a wrong
loop iterator on the rendered ListenAddress statement.
|
|
Jinja template contains some workarounds like {% if port is string %}, this
depends on the resolution of https://phabricator.vyos.net/T2636
|
|
|
|
|
|
|