| Age | Commit message (Collapse) | Author |
|
|
|
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.
Standard SNMP MIB files under mibs/ are left unchanged.
|
|
Fix typos and mistakes in the commands and comments
No functional changes
|
|
When performing an image installation and the user chooses vyos as the default
password, a warning is emitted.
The combination vyos/vyos is used in brute force lists and have been seen
multiple times in the wild. When adding the user via:
set system login user vyos authentication plaintext-password vyos
a warning should be shown!
|
|
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained
in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid
NSS/TACACS timeouts").
|
|
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained
in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid
NSS/TACACS timeouts").
|
|
Add a commit-time check and warning to the user if the TACACS source-address is
not configured on the system or the given VRF.
|
|
Add a commit-time check and warning to the user if the RADIUS source-address
(IPv4 or IPv6) is not configured on the system or the given VRF.
|
|
|
|
To allow call VPP api without sudo
- Get op-mode commands without sudo
- Use API call in smoke-tests
|
|
During upgrade, the script now checks if any `known_hosts` files exist.
If so, it prompts the user to save these SSH fingerprints, and upon
confirmation, copies the files to the new image persistence directory.
|
|
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will
prevent users with such keys from logging in after upgrade. To avoid lockouts,
add a loud deprecation warning when users log in using a DSA key. This warning
advises affected users to replace their keys with a supported algorithm (e.g.,
ed25519 or RSA) before the upgrade.
Deprecation warning will be displayed during "commit" but also as MOTD to inform
on this issue during every login.
DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
be removed in VyOS 1.6. Please update affected keys to a supported
algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
failures after the upgrade. The following hostkey-algorithms are in
use: ssh-dss, ssh-dss-cert-v01@openssh.com
|
|
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will
prevent users with such keys from logging in after upgrade. To avoid lockouts,
add a loud deprecation warning when users log in using a DSA key. This warning
advises affected users to replace their keys with a supported algorithm (e.g.,
ed25519 or RSA) before the upgrade.
Deprecation warning will be displayed during "commit" but also as MOTD to inform
on this issue during every login.
DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will
be removed in VyOS 1.6. Please update affected keys to a supported
algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication
failures after the upgrade. The following users are using SSH-DSS keys
for authentication.
User "vyos" with deprecated public-key named: foo
|
|
|
|
Remove duplicate function definition vyos.utils.file.chown which was also
provided by vyos.utils.permission.chown.
|
|
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.
Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g'
In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
|
|
The current implementation for SSH CA based authentication uses "set service
ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate
from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509
certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys.
This commit changes the bahavior to support antive certificates generated using
ssh-keygen and loaded to our PKI tree. As the previous implementation
did not work at all, no migrations cript is used.
|
|
We need to establish proper dependencies on "system login" and "pki ca" for
the SSH subsystem. If the CA is updated or user principal names are modified,
we must also ensure that the SSH daemon is restarted accordingly.
|
|
We already support using per-user SSH public keys for system authentication.
Instead of introducing a new CLI path to configure per-user principal names,
we should continue using the existing CLI location and store the principal
names alongside the corresponding SSH public keys.
set system login user <name> principal <principal>
The certificate used for SSH authentication contains an embedded principal
name, which is defined under this CLI node. Only users with matching principal
names are permitted to log in.
|
|
Some unused import statements sneaked into the codebase.
This is about cleaning them up
|
|
|
|
|
|
There is no need to send local base OS accounts like root or daemon to the
tacacs server. This will only make the CLI experience sluggish.
Build up a dynamic list of user accounts to exclude from TACACS lookup.
|
|
filesystem
|
|
|
|
my_set/my_delete
|
|
Commit 1b364428f ("login: T5875: restore home directory permissions only when
needed") added logic to chown the users home directory if it's UID changes.
This might happen when a user account is deleted and re-added to the system.
Under rar e circumstances it was possible that the implementation triggered
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'getpwuid(): uid not found: XXXX'
This has been fixed by re-arranging the code path with an additional try/except
if the PW database information could not be retrieved leading to an implicit
chown() of the home directory to the user beeing added.
|
|
* set system login user <name> disable
|
|
This improves commit 3c990f49e ("login: T5875: restore home directory
permissions when re-adding user account") in a way that the home directory
owner is only altered if it differs from the expected owner.
Without this change on every boot we would alter the owner which could increase
the boot time if the home of a user is cluttered.
|
|
We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.
Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in
|