summaryrefslogtreecommitdiff
path: root/debian/vyos-1x.postinst
AgeCommit message (Collapse)Author
2023-12-08login: T4943: use pam-auth-update to enable/disable Google authenticatorChristian Breunig
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any use has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template. Can be tested using: set system login user vyos authentication plaintext-password vyos set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O' See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details.
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` technically can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`. But we still need to keep `/etc/avahi/services` because avahi-daemon `chroot` to that location at startup. This is setup at build time via `AVAHI_CONFIG_DIR` and there is no way to change it at runtime.
2023-12-01mdns: T5793: Cleanup avahi-daemon configuration in `/etc`Indrajit Raychaudhuri
`/etc/avahi` can be deleted since we operate with avahi-daemon configuration in `/run/avahi-daemon`.
2023-10-17T1797: Delete VPP from vyos-1x as it is implemented in addonViacheslav Hletenko
2023-09-13TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-09-13groups: T5577: Added `radius` and `tacacs` groupszsdc
We need separated groups for RADIUS and TACACS+ system users because they need to be used in PAM rules independently.
2023-08-29Debian: T5521: remove unused tacacs UNIX groupChristian Breunig
2023-08-29Debian: T5521: use bash over dash for postinstall scriptChristian Breunig
2023-08-28Debian: T5521: use --no-create-home for TACACS usersChristian Breunig
2023-08-28Debian: T5521: place AAA users in users group (besides aaa group)Christian Breunig
2023-08-28Debian: T5521: both RADIUS and TACACS users belong to aaa group, add group firstChristian Breunig
2023-08-04T5436: Add missing preconfig-scriptApachez
2023-07-27xml: T5403: add support for supplemental xml cacheJohn Estabrook
2023-07-08vpp: T1797:: support re-installation of vyos-1x packageChristian Breunig
2023-06-29vpp: T1797: disable CLI in rolling releasesChristian Breunig
2023-06-22tacacs: T141: initial implementationChristian Breunig
2023-06-21tacacs: T141: create new UNIX group for aaaChristian Breunig
2023-05-04cloud-init: T5190: Added Cloud-init pre-configuratorzsdc
Added a new service that starts before Cloud-init, waits for all network interfaces initialization, and if requested by config, checks which interfaces can get configuration via DHCP server and creates a corresponding Cloud-init network configuration. This protects from two situations: * when Cloud-init tries to get meta-data via eth0 (default and fallback variant for any data source which depends on network), but the real network is connected to another interface * when Cloud-init starts simultaneously with udev and initializes the first interface to get meta-data before it is renamed to eth0 by udev
2023-03-29T5110: Fix op-mode FRR vtysh_pam account validationViacheslav Hletenko
With FRR 8.5 there is exists file /etc/pam.d/frr With this file by default we have cosmtetic error for any op-mode command $ show ip bgp vtysh_pam: Failed in account validation: Success(0)No BGP prefixes displayed, 0 exist Fix it
2023-03-01graphql: T5040: generate schema in vyos-1x.postinstJohn Estabrook
2023-02-24login: T4943: Fixed 2FA + RADIUS compatibilityzsdc
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS module for PAM does not like it, which makes them incompatible. This commit: * disables KbdInteractiveAuthentication * changes order for PAM modules - make it first, before `pam_unix` or `pam_radius_auth` * enables the `forward_pass` option for `pam_google_authenticator` to accept both password and MFA in a single input As a result, local, RADIUS, and MFA work together. Important change: MFA should be entered together with a password. Before: ``` vyos login: <USERNAME> Password: <PASSWORD> Verification code: <MFA> ``` Now: ``` vyos login: <USERNAME> Password & verification code: <PASSWORD><MFA> ```
2022-11-14T4815: Fix various name server config issuesYuxiang Zhu
1. When a PPPoE session is connected, `pppd` will update `/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set. This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`, which updates `/etc/resolv.conf` on PPPoE connection and reverts the change on disconnection. This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead. 2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`. This causes IPv6 name server entries in `vyos-hostsd` not updated when dhclient receives nameservers from DHCPv6. 3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and `/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6 reason (like `BOUND6`) is given.
2022-10-17login: 2fa: T874: fix PAM string during ISO buildChristian Poessinger
Turns out a local installation of a package using "dpkg -i" differs when assembling an ISO using live-build. The previous version worked when using "dpkg -i" but it failed hard (no login possible) during ISO build. This has been fixed by using double quotes.
2022-10-16login: 2fa: T874: fix PAM string generation on multiple package installationsChristian Poessinger
Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used different strings for grep and sed resulting in the same line beeing added on every installation of the package. This is only disturbing during development not during ISO build.
2022-10-14login: 2fa: T874: fix Google authenticator issuesChristian Poessinger
Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individual per user. set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq' set system login user vyos authentication plaintext-password 'vyos'
2022-10-12system login: T874: add 2FA support for local and ssh authentication. BugfixgoodNETnick
2022-10-11system login: T874: add 2FA support for local and ssh authenticationgoodNETnick
2022-07-22ssh: T3212: cleanup deprecated /etc/default/ssh fileChristian Poessinger
2022-07-22dns-forwarding: T2185: cleanup deprecated /etc/powerdns files - now living ↵Christian Poessinger
in /run/powerdns
2022-07-22ntp: T2185: cleanup deprecated /etc/ntp.conf - now living in /run/ntpdChristian Poessinger
2022-07-22fastnetmon: T2659: also clean /etc/networks_whitelistChristian Poessinger
2022-07-21fastnetmon: T2659: move configuration files to /runChristian Poessinger
2022-07-17login: T4536: add all accounts to frr groupChristian Poessinger
2022-03-07logrotate: T4250: Fixed logrotate config generationzsdc
* Removed `/var/log/auth.log` and `/var/log/messages` from `/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled items what leads to service error. * Removed generation config file for `/var/log/messages` from `system-syslog.py` - this should be done from `syslom logs` now. * Generate each logfile from `system syslog file` to a dedicated logrotate config file. * Fixed logrotate config file names in `/etc/rsyslog.d/vyos-rsyslog.conf`. * Added default logrotate settins for `/var/log/messages`
2022-03-05flow-accounting: T4277: delete Debian common configsChristian Poessinger
2022-03-05conntrackd: T4259: fix daemon configuration pathChristian Poessinger
2021-08-08Debian: T3641: drop dead symlink file in /etc/init.dChristian Poessinger
2021-07-03ipsec: T2816: Remove legacy vyatta code that references Openswansarthurdev
2021-06-26Debian: disable systemd salt-minion configuration - all handled in vyos-buildChristian Poessinger
2021-06-26Debian: ensure path for vyos-postconfig-bootup.script existsChristian Poessinger
2021-06-26Debian: drop ipsec key removal from postinst script - done on every system bootChristian Poessinger
2021-06-26Import vyos-postconfig-bootup.script from vyatta-cfg-systemChristian Poessinger
2021-06-26Debian: no need to disable salt-minion in postinst scriptChristian Poessinger
This is already done in systemd service disable hook from vyos-build.
2021-06-26Import sudoers configuration from vyatta-cfg-systemChristian Poessinger
2021-05-28ipsec: T2816: IPSec python rework, includes DMVPN and VTI supportSimon
2021-05-02radius: T3510: authenticated users must use /sbin/radius_shell as shellChristian Poessinger
2021-01-20Debian: add openvpn user via postinstallChristian Poessinger
Migrated from vyatta-cfg-system.
2021-01-20Debian: add radius_user and radius_priv_user via postinstallChristian Poessinger
2020-12-28webproxy: T563: squidguard: support default rulesetChristian Poessinger