summaryrefslogtreecommitdiff
path: root/src/conf_mode/system-login.py
AgeCommit message (Collapse)Author
2023-12-08login: T4943: use pam-auth-update to enable/disable Google authenticatorChristian Breunig
The initial version always enabled Google authenticator (2FA/MFA) support by hardcoding the PAM module for sshd and login. This change only enables the PAM module on demand if any use has 2FA/MFA configured. Enabling the module is done system wide via pam-auth-update by using a predefined template. Can be tested using: set system login user vyos authentication plaintext-password vyos set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O' See https://docs.vyos.io/en/latest/configuration/system/login.html for additional details. (cherry picked from commit e134dc4171b051d0f98c7151ef32a347bc4f87e2)
2023-11-20TACACS: T5577: Added `mandatory` and `optional` modes for TACACS+zsdc
In CLI we can choose authentication logic: - `mandatory` - if TACACS+ answered with `REJECT`, authentication must be stopped and access denied immediately. - `optional` (default) - if TACACS+ answers with `REJECT`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if TACACS+ clearly answered that access should be denied (no user in TACACS+ database, wrong password, etc.). If TACACS+ is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-11-20RADIUS: T5577: Added `mandatory` and `optional` modes for RADIUSzsdc
In CLI we can choose authentication logic: - `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately. - `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module. In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.
2023-10-04Revert "login: T5521: home directory owner changed during reboot"Christian Breunig
This reverts commit 074870dad33d80e78128736f9e89bdfa1a0e08fd.
2023-10-03login: T5521: home directory owner changed during rebootChristian Breunig
During system startup the system-login.py script is invoked by vyos-router systemd service. As there is no complete configuration available at this point in time - and the sole purpose of this call is to reset/re-render the system NSS/PAM configs back to default - it accidently also deleted the local useraccounts. Once the VyOS configuration got mounted, users got recreated in alphabetical order and thus UIDs flipped and the /home suddenely belonged to a different account. This commit prevents any mangling with the local userdatabase during VyOS bootup phase. (cherry picked from commit 64d323299586da646ca847e78255ff2cd8464578)
2023-08-07T5319: remove workarounds for defaults in system-login.pyJohn Estabrook
2023-07-31login: T4790: sync number of max RADIUS servers with equuleus branch (8)Christian Breunig
2023-07-21login: T5363: keep home when user is deletedChristian Breunig
Comply with the code comment and not remove the users home directory. This also fixes the issue that user homes get cleaned on system reboot
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-06-24tacacs: T141: check upper bound on dynamically allocated user accountsJohn Estabrook
Check upper bound as defined in Debian Policy Manual. Without this check, user 'nobody' will not be available.
2023-06-22tacacs: T141: initial implementationChristian Breunig
2023-06-21tacacs: T141: support calling system-login.py from vyos-router startup scriptChristian Breunig
2023-04-04T5145: Add maximum number of all logins on systemViacheslav Hletenko
maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
2023-03-02login: T5039: catch error on 'my_set' for auth plaintext-passwordJohn Estabrook
2023-02-27Merge pull request #1644 from aapostoliuk/T4790-sagittaViacheslav Hletenko
T4790: Added check of the sum of radius timeouts
2023-02-25python: T5026: Replace deprecated Python modules crypt, spwdsarthurdev
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13 DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
2023-02-24login: T1948: drop absolut path to /usr/libexec/vyos, re-use vyos.defaultsChristian Breunig
2023-02-04Revert "login: T4975: Fixed broken CLI commands"Christian Breunig
This reverts commit 3a6e77d479da4321b851163490a9b79ef2cef7b8. A general solution is implemented in Commit 29a44a73 ("T4975: always sync() filesystem after commit").
2023-02-02login: T4975: Fixed broken CLI commandszsdc
User profile files are not saved to disk after configuration is fully applied. Because of this, after a fast system reset, profile files can be empty, and CLI is broken. This fix adds a `sync()` call after the user's configuration, which should protect from data loss and fix the problem with profiles.
2022-12-08T4790: Added check of the sum of radius timeoutsaapostoliuk
Added check of the sum of radius timeouts. It has to be less or eq 50 sec. Default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec Added check of number of radius servers. It has to be less or eq 25. 50 sec divided by 2sec (minimum recomended login timeout) Otherwise, log in to the device can be descarded.
2022-10-14login: 2fa: T874: remove unused code path for global 1fa settingsChristian Poessinger
2022-10-14login: 2fa: T874: fix Google authenticator issuesChristian Poessinger
Move default values of TOTP configuration from a global to a per user setting. This makes the entire code easier as no global configuration must be blended into the per user config dict. Also it should be possible to set the authentication window "multiple concurrent keys" individual per user. set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq' set system login user vyos authentication plaintext-password 'vyos'
2022-10-12Merge pull request #1555 from goodNETnick/ssh_otpChristian Poessinger
system login: T874: add 2FA support for local and ssh authentication
2022-10-11system login: T874: add 2FA support for local and ssh authenticationgoodNETnick
2022-09-28login: T4715: Auto logout user after inactivityViacheslav Hletenko
Ability to terminate interactive sessions (TTY/PTS) after a period of inactivity. set system login timeout '300'
2022-07-17login: T4536: add all accounts to frr groupChristian Poessinger
2022-05-01login: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-04login: T4341: busy wait on userdel(8) until the account was deleted successfullyChristian Poessinger
2022-04-04login: T4341: disable user account prior to deletionChristian Poessinger
2021-09-03login: T971 allow quoting in public-keys optionsPaul Lettington
This patch allows the use of `"` in ssh public-key options which unlocks the ability to set the `from` option in a way that sshd will accept to limit what hosts a user can connect from.
2021-09-02login: T3792: bugfix for usernames containing a hyphenChristian Poessinger
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius: T3192: migrate to get_config_dict()") the user-name was not excluded from mangling (no_tag_node_value_mangle=True). This resulted in a username "vyos-user" from CLI to be actually created as "vyos_user" on the system. This commit also adds respective Smoketests to prevent this in the future.
2021-09-02login: radius: T3192: drop workaround required by get_config_dict()Christian Poessinger
The workaround is no longer required, as the issue was resolved in get_config_dict() so if it is a <multi/> node, a list is always returned.
2021-07-23login: T3699: verify system username does not conflict with Linux base usersChristian Poessinger
(cherry picked from commit 7292631373ea50f9908796ef2eda32e672d1df2e)
2021-05-02login: T1948: use long options when calling adduserChristian Poessinger
... just to make it easier for users to read the commandline.
2021-04-13login: T3455: Fix edit level configuration for usersever-sever
2021-01-11login: T3208: fix wrong string formatting on my_setvyos/1.4dev0Christian Poessinger
Commit e8a1c291 ("login: radius: T3192: migrate to get_config_dict()") did an invalid forward of the newly encrypted passwort to my_set to store it inside the config.
2021-01-09login: radius: T3192: remove debug print()Christian Poessinger
2021-01-07login: radius: T3192: migrate to get_config_dict()Christian Poessinger
2021-01-07login: radius: T3192: support IPv6 server(s) and source-addressChristian Poessinger
2020-11-27vyos.template: T2720: always enable Jinja2 trim_blocks featureChristian Poessinger
2020-10-09login: T2492: remove empty plaintext-password nodeChristian Poessinger
2020-08-31configd: T2582: add scripts to include list for daemonJohn Estabrook
2020-07-22T2725: Fix config parse for users without passwordsEsa Varemo
Fix for https://phabricator.vyos.net/T2725 T2492 / a07e22377ab83104ac925e13d1824f241f0f8d4a introduced a change which broke the initialization of the user dict. In case the config contained an user without an encrypted-password set, the property would be missing and the commit would crash with `KeyError: 'password_encrypted'`
2020-06-17login: radius: T2299: Implement RADIUS servers priorityDmitriyEshenko
2020-05-29airbag: T2088: explicit enabling of the featureThomas Mangin
airbag must now be explicitly installed. the patch also allow to fully disables the installation of the logging code at setup (and not just installing and doing nothing)
2020-05-22login: T2492: must use try/except when adding user for the first timeChristian Poessinger
2020-05-22login: T2492: re-use code from vyos.utilChristian Poessinger
2020-05-22login: T2492: force setting of encrypted password on first bootChristian Poessinger
2020-05-22login: T2492: fix flake8 warningsChristian Poessinger
2020-05-22login: T2492: do not set encrypted user password when it is not changedChristian Poessinger