Age | Commit message (Collapse) | Author |
|
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
We need separated groups for RADIUS and TACACS+ system users because they need
to be used in PAM rules independently.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Added a new service that starts before Cloud-init, waits for all network
interfaces initialization, and if requested by config, checks which interfaces
can get configuration via DHCP server and creates a corresponding Cloud-init
network configuration.
This protects from two situations:
* when Cloud-init tries to get meta-data via eth0 (default and fallback variant
for any data source which depends on network), but the real network is connected
to another interface
* when Cloud-init starts simultaneously with udev and initializes the first
interface to get meta-data before it is renamed to eth0 by udev
|
|
With FRR 8.5 there is exists file /etc/pam.d/frr
With this file by default we have cosmtetic error for any op-mode
command
$ show ip bgp
vtysh_pam: Failed in account validation: Success(0)No BGP prefixes displayed, 0 exist
Fix it
|
|
|
|
MFA requires KbdInteractiveAuthentication to ask a second factor, and the RADIUS
module for PAM does not like it, which makes them incompatible.
This commit:
* disables KbdInteractiveAuthentication
* changes order for PAM modules - make it first, before `pam_unix` or
`pam_radius_auth`
* enables the `forward_pass` option for `pam_google_authenticator` to accept
both password and MFA in a single input
As a result, local, RADIUS, and MFA work together.
Important change: MFA should be entered together with a password.
Before:
```
vyos login: <USERNAME>
Password: <PASSWORD>
Verification code: <MFA>
```
Now:
```
vyos login: <USERNAME>
Password & verification code: <PASSWORD><MFA>
```
|
|
1. When a PPPoE session is connected, `pppd` will update
`/etc/resolv.conf` regardless of `system name-server` option unless `no-peer-dns` is set.
This is because `pppd` vendors scripts `/etc/ppp/ip-up.d/0000usepeerdns` and `/etc/ppp/ip-down.d/0000usepeerdns`,
which updates `/etc/resolv.conf` on PPPoE connection and reverts the change on disconnection.
This PR removes those scripts and adds custom scripts to update name server entries through `vyos-hostsd` instead.
2. There is a typo in `/etc/dhcp/dhclient-enter-hooks.d/04-vyos-resolvconf, which misspells variable name `new_dhcp6_name_servers` as `new_dhcpv6_name_servers`.
This causes IPv6 name server entries in `vyos-hostsd` not updated
when dhclient receives nameservers from DHCPv6.
3. Regular expressions in scripts under `/etc/dhcp/dhclient-enter-hooks.d` and
`/etc/dhcp/dhclient-exit-hooks.d/` are not enclosed in `^$`, so those
IPv4 related branches (like `BOUND`) could be mistakenly executed when an IPv6
reason (like `BOUND6`) is given.
|
|
Turns out a local installation of a package using "dpkg -i" differs when
assembling an ISO using live-build. The previous version worked when using
"dpkg -i" but it failed hard (no login possible) during ISO build.
This has been fixed by using double quotes.
|
|
Commit da535ef5 ("login: 2fa: T874: fix Google authenticator issues") used
different strings for grep and sed resulting in the same line beeing added on
every installation of the package.
This is only disturbing during development not during ISO build.
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
|
|
|
|
|
|
in /run/powerdns
|
|
|
|
|
|
|
|
|
|
* Removed `/var/log/auth.log` and `/var/log/messages` from
`/etc/logrotate.d/rsyslog`, because they conflict with VyOS-controlled
items what leads to service error.
* Removed generation config file for `/var/log/messages` from
`system-syslog.py` - this should be done from `syslom logs` now.
* Generate each logfile from `system syslog file` to a dedicated
logrotate config file.
* Fixed logrotate config file names in
`/etc/rsyslog.d/vyos-rsyslog.conf`.
* Added default logrotate settins for `/var/log/messages`
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This is already done in systemd service disable hook from vyos-build.
|
|
|
|
|
|
|
|
Migrated from vyatta-cfg-system.
|
|
|
|
|
|
Add a 'dhcpd' system user that is a member of hostsd group and can
connect to vyos-hostsd.
Run dhcpd as this user.
|
|
To better control access from other daemons that may not be running as root,
create a new group 'hostsd' to which the other daemons running users can be
added.
Run vyos-hostsd as root:hostsd to create the socket file with correct user and
group.
|
|
|