Age | Commit message (Collapse) | Author |
|
maxsyslogins
maximum number of all logins on system; user is not
allowed to log-in if total number of all user logins is
greater than specified number (this limit does not apply
to user with uid=0)
set system login max-login-session 2
|
|
|
|
T4790: Added check of the sum of radius timeouts
|
|
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
|
|
|
|
This reverts commit 3a6e77d479da4321b851163490a9b79ef2cef7b8.
A general solution is implemented in Commit 29a44a73 ("T4975: always sync()
filesystem after commit").
|
|
User profile files are not saved to disk after configuration is fully applied.
Because of this, after a fast system reset, profile files can be empty, and CLI
is broken.
This fix adds a `sync()` call after the user's configuration, which should
protect from data loss and fix the problem with profiles.
|
|
Added check of the sum of radius timeouts.
It has to be less or eq 50 sec.
Default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec
Added check of number of radius servers.
It has to be less or eq 25.
50 sec divided by 2sec (minimum recomended login timeout)
Otherwise, log in to the device can be descarded.
|
|
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
Ability to terminate interactive sessions (TTY/PTS) after a period
of inactivity.
set system login timeout '300'
|
|
|
|
|
|
|
|
|
|
This patch allows the use of `"` in ssh public-key options which
unlocks the ability to set the `from` option in a way that sshd will
accept to limit what hosts a user can connect from.
|
|
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius:
T3192: migrate to get_config_dict()") the user-name was not excluded
from mangling (no_tag_node_value_mangle=True).
This resulted in a username "vyos-user" from CLI to be actually created as
"vyos_user" on the system.
This commit also adds respective Smoketests to prevent this in the future.
|
|
The workaround is no longer required, as the issue was resolved in
get_config_dict() so if it is a <multi/> node, a list is always returned.
|
|
(cherry picked from commit 7292631373ea50f9908796ef2eda32e672d1df2e)
|
|
... just to make it easier for users to read the commandline.
|
|
|
|
Commit e8a1c291 ("login: radius: T3192: migrate to get_config_dict()") did an
invalid forward of the newly encrypted passwort to my_set to store it inside
the config.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fix for https://phabricator.vyos.net/T2725
T2492 / a07e22377ab83104ac925e13d1824f241f0f8d4a
introduced a change which broke the initialization of
the user dict. In case the config contained an user
without an encrypted-password set, the property would
be missing and the commit would crash with
`KeyError: 'password_encrypted'`
|
|
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
|
|
|
|
|
|
|
|
|
|
This allows the radius client to work when a management VRF is in use.
|
|
|
|
convert all call to jinja to use template.render
|
|
|
|
os.system does print the ouput of the command, run() does not.
A new function called call() does the printing and return the error code.
|
|
Previously failures of mkpasswd would not be reported to users
|
|
|
|
* A type must be present for any one public-key element
* A key must be present for any one public-key element
|
|
We should not rely on the home dir value stored in user['home_dir'] as if a
crazy user will choose username root or any other system user this will fail.
Should be deny using root at all?
|
|
Splitting was not a good idea. By combining both we can create a RADIUS server
XML include file which can be reused by multiple implementations to get a
uniformed CLI for the users.
|