path: root/interface-definitions/system-login.xml.in
Age | Commit message | Author
2023-09-13 | TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+ | zsdc
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-08-18 | login: T5490: allow . (dot) in user home-directory path | Christian Breunig
This extends commit b9655365b ("login: T5490: add stricter validation for home-directory path") by adding a dot to the REGEX allow list. This was previously allowed and covered in our smoketests which failed.
2023-08-17 | login: T5490: add stricter validation for home-directory path | Christian Breunig
2023-06-22 | tacacs: T141: initial implementation | Christian Breunig
2023-05-05 | syslog: T2769: xml: provide common constraint for system usernames | Christian Breunig
2023-04-04 | T5145: Add maximum number of all logins on system | Viacheslav Hletenko
maxsyslogins: maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0)
set system login max-login-session 2
2023-03-02 | login: T5039: Support hashing rounds in `encrypted-password` values | sarthurdev
Since glibc 2.7, the SHA-256 and SHA-512 implementations support a user-supplied number of hashing rounds, defaulting to 5000. If the "$id$" characters in the salt are followed by "rounds=xxx$", where xxx is an integer, then the result has the form $id$rounds=yyy$salt$encrypted where yyy is the number of hashing rounds actually used. The number of rounds actually used is 1000 if xxx is less than 1000, 999999999 if xxx is greater than 999999999, and is equal to xxx otherwise.
2022-11-18 | T4826: Fix login pubkey key type ed25519-sk ecdsa-sk | Viacheslav Hletenko
Requires full key type name like sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com
2022-11-01 | login: T4750: add ecdsa-sk and ed25519-sk as supported public key type | Christian Poessinger
2022-10-14 | login: 2fa: T874: fix Google authenticator issues | Christian Poessinger
Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individually per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
2022-10-12 | Merge pull request #1555 from goodNETnick/ssh_otp | Christian Poessinger
system login: T874: add 2FA support for local and ssh authentication
2022-10-11 | system login: T874: add 2FA support for local and ssh authentication | goodNETnick
2022-09-28 | login: T4715: Auto logout user after inactivity | Viacheslav Hletenko
Ability to terminate interactive sessions (TTY/PTS) after a period of inactivity.
set system login timeout '300'
2022-04-29 | xml: T4047: use full string match in the regex validator | Christian Poessinger
2022-02-24 | scripts: T4269: node.def generator should automatically add default values | Christian Poessinger
Since introducing the XML <defaultValue> node it was common, but redundant, practice to also add a help string indicating which value would be used as default if the node is unset. This makes no sense b/c it's duplicated code/value/characters and prone to error. The node.def scripts should be extended to automatically render the appropriate default value into the CLI help string.
For e.g. SSH the current PoC renders:
$ cat templates-cfg/service/ssh/port/node.def
multi:
type: txt
help: Port for SSH service (default: 22)
val_help: u32:1-65535; Numeric IP port
...
Not all subsystems are already migrated to get_config_dict() and make use of the defaults() call - those subsystems need to be migrated first, before the new default is added to the CLI help.
2021-09-23 | T3850: Revert "login: T1948: add missing ssh-public key name regex" | Christian Poessinger
This reverts commit 514da738173696c70440c959b9d7ec9afd77fbae.
2021-09-01 | login: T1948: add missing ssh-public key name regex | Christian Poessinger
2021-09-01 | login: T1948: fix username regex - add missing start ^ and end $ | Christian Poessinger
2021-08-31 | ssh: T3789: add custom validator for base64 encoded CLI data | Christian Poessinger
SSH keys used for remote login are supplied as base64 encoded data on the CLI. The key is not validated, thus an invalid copy/pasted key will render the login useless. This commit adds a custom and re-usable validator which checks if the data is properly base64 encoded.
2021-08-20 | xml: remove superfluous "interface" prefix from interface includes | Christian Poessinger
2021-03-14 | xml: T1579: re-arrange xml interface include building blocks | Christian Poessinger
As the amount of include files now has reached a certain amount, it is getting more and more crowded, thus introducing "per topic" subdirectories on the filesystem to keep a clean structure makes sense.
2021-01-08 | xml: convert tab to space in "system login" | Christian Poessinger
2021-01-07 | login: radius: T3192: migrate to get_config_dict() | Christian Poessinger
2021-01-07 | login: radius: T3192: support IPv6 server(s) and source-address | Christian Poessinger
2021-01-07 | xml: radius: T3192: split individual nodes to discrete includes | Christian Poessinger
Provide more re-usable nodes for future implementations.
2020-06-17 | login: radius: T2299: Move RADIUS priority XML definitions to system-login.xml | DmitriyEshenko
2020-04-25 | login: radius: T2304: add VRF support | Christian Poessinger
This allows the radius client to work when a management VRF is in use.
2020-03-08 | radius: T2110: move timeout back to system-login | Christian Poessinger
... as e.g. wireless interfaces can not have a timeout specified.
2020-03-08 | radius: T2110: provide uniform XML include file for server configuration | Christian Poessinger
2020-02-25 | login: T1948: sync banner and login node.def file | Christian Poessinger
2020-02-25 | login: T1948: migrate local and radius configurations | Christian Poessinger
Splitting was not a good idea. By combining both we can create a RADIUS server XML include file which can be reused by multiple implementations to get a uniformed CLI for the users.