Age | Commit message (Collapse) | Author |
|
The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.
This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.
Can be tested using:
set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'
See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.
(cherry picked from commit e134dc4171b051d0f98c7151ef32a347bc4f87e2)
|
|
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
This reverts commit 074870dad33d80e78128736f9e89bdfa1a0e08fd.
|
|
During system startup the system-login.py script is invoked by vyos-router
systemd service. As there is no complete configuration available at this
point in time - and the sole purpose of this call is to reset/re-render
the system NSS/PAM configs back to default - it accidently also deleted the
local useraccounts.
Once the VyOS configuration got mounted, users got recreated in alphabetical
order and thus UIDs flipped and the /home suddenely belonged to a different
account.
This commit prevents any mangling with the local userdatabase during VyOS
bootup phase.
(cherry picked from commit 64d323299586da646ca847e78255ff2cd8464578)
|
|
|
|
|
|
Comply with the code comment and not remove the users home directory.
This also fixes the issue that user homes get cleaned on system reboot
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
Check upper bound as defined in Debian Policy Manual. Without this
check, user 'nobody' will not be available.
|
|
|
|
|
|
maxsyslogins
maximum number of all logins on system; user is not
allowed to log-in if total number of all user logins is
greater than specified number (this limit does not apply
to user with uid=0)
set system login max-login-session 2
|
|
|
|
T4790: Added check of the sum of radius timeouts
|
|
DeprecationWarning: 'crypt' is deprecated and slated for removal in Python 3.13
DeprecationWarning: 'spwd' is deprecated and slated for removal in Python 3.13
|
|
|
|
This reverts commit 3a6e77d479da4321b851163490a9b79ef2cef7b8.
A general solution is implemented in Commit 29a44a73 ("T4975: always sync()
filesystem after commit").
|
|
User profile files are not saved to disk after configuration is fully applied.
Because of this, after a fast system reset, profile files can be empty, and CLI
is broken.
This fix adds a `sync()` call after the user's configuration, which should
protect from data loss and fix the problem with profiles.
|
|
Added check of the sum of radius timeouts.
It has to be less or eq 50 sec.
Default LOGIN_TIMEOUT from /etc/login.defs minus 10 sec
Added check of number of radius servers.
It has to be less or eq 25.
50 sec divided by 2sec (minimum recomended login timeout)
Otherwise, log in to the device can be descarded.
|
|
|
|
Move default values of TOTP configuration from a global to a per user setting.
This makes the entire code easier as no global configuration must be blended
into the per user config dict.
Also it should be possible to set the authentication window "multiple concurrent
keys" individual per user.
set system login user vyos authentication otp key 'gzkmajid7na2oltajs4kbuq7lq'
set system login user vyos authentication plaintext-password 'vyos'
|
|
system login: T874: add 2FA support for local and ssh authentication
|
|
|
|
Ability to terminate interactive sessions (TTY/PTS) after a period
of inactivity.
set system login timeout '300'
|
|
|
|
|
|
|
|
|
|
This patch allows the use of `"` in ssh public-key options which
unlocks the ability to set the `from` option in a way that sshd will
accept to limit what hosts a user can connect from.
|
|
While migrating to get_config_dict() in commit e8a1c291b1 ("login: radius:
T3192: migrate to get_config_dict()") the user-name was not excluded
from mangling (no_tag_node_value_mangle=True).
This resulted in a username "vyos-user" from CLI to be actually created as
"vyos_user" on the system.
This commit also adds respective Smoketests to prevent this in the future.
|
|
The workaround is no longer required, as the issue was resolved in
get_config_dict() so if it is a <multi/> node, a list is always returned.
|
|
(cherry picked from commit 7292631373ea50f9908796ef2eda32e672d1df2e)
|
|
... just to make it easier for users to read the commandline.
|
|
|
|
Commit e8a1c291 ("login: radius: T3192: migrate to get_config_dict()") did an
invalid forward of the newly encrypted passwort to my_set to store it inside
the config.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fix for https://phabricator.vyos.net/T2725
T2492 / a07e22377ab83104ac925e13d1824f241f0f8d4a
introduced a change which broke the initialization of
the user dict. In case the config contained an user
without an encrypted-password set, the property would
be missing and the commit would crash with
`KeyError: 'password_encrypted'`
|
|
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
|
|
|
|
|
|
|
|
|