summaryrefslogtreecommitdiff
path: root/src/conf_mode/system_login.py
AgeCommit message (Collapse)Author
2026-06-16template: T8923: fix typo in function argument "formater" -> "formatter"Christian Breunig
2026-06-16T8923: normalize "can not" to "cannot"Christian Breunig
Replace two-word "can not" / "Can not" with "cannot" across comments, ConfigError messages, CLI help text, and op-mode output. Standard SNMP MIB files under mibs/ are left unchanged.
2026-03-24T8410: Fix typos and mistakes for operational and configuration commandsViacheslav Hletenko
Fix typos and mistakes in the commands and comments No functional changes
2026-03-20login: T8415: show Warning() if default password is used when adding userChristian Breunig
When performing an image installation and the user chooses vyos as the default password, a warning is emitted. The combination vyos/vyos is used in brute force lists and have been seen multiple times in the wild. When adding the user via: set system login user vyos authentication plaintext-password vyos a warning should be shown!
2025-12-17login: T8086: replace getpwnam()/getpwuid() with get_local_passwd_entries()Christian Breunig
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid NSS/TACACS timeouts").
2025-12-17login: T8086: replace getpwall() occurances with get_local_passwd_entries()Christian Breunig
Switch to our custom implementation to avoid NSS/TACACS timeouts as explained in commit 4c9eaaa96e06 ("login: replace getpwall() user enumeration to avoid NSS/TACACS timeouts").
2025-11-19login: T8024: show user warning for unconfigured TACACS source-addressChristian Breunig
Add a commit-time check and warning to the user if the TACACS source-address is not configured on the system or the given VRF.
2025-11-19login: T8024: show user warning for unconfigured RADIUS source-addressChristian Breunig
Add a commit-time check and warning to the user if the RADIUS source-address (IPv4 or IPv6) is not configured on the system or the given VRF.
2025-11-19login: T8024: fix typo in TACACS error message if all servers are disabledChristian Breunig
2025-11-19T8012: Add user vpp to user groupsViacheslav Hletenko
To allow call VPP api without sudo - Get op-mode commands without sudo - Use API call in smoke-tests
2025-09-26image: T5455: Add migration of SSH `known_hosts` files during image upgradeOleksandr Kuchmystyi
During upgrade, the script now checks if any `known_hosts` files exist. If so, it prompts the user to save these SSH fingerprints, and upon confirmation, copies the files to the new image persistence directory.
2025-09-17ssh: T7839: add deprecation warning for DSA hostkey-algorithm usageChristian Breunig
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will prevent users with such keys from logging in after upgrade. To avoid lockouts, add a loud deprecation warning when users log in using a DSA key. This warning advises affected users to replace their keys with a supported algorithm (e.g., ed25519 or RSA) before the upgrade. Deprecation warning will be displayed during "commit" but also as MOTD to inform on this issue during every login. DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following hostkey-algorithms are in use: ssh-dss, ssh-dss-cert-v01@openssh.com
2025-09-17login: T7839: add deprecation warning for DSS public-key usageChristian Breunig
OpenSSH in Debian Trixie has removed support for ssh-dss (DSA) keys, which will prevent users with such keys from logging in after upgrade. To avoid lockouts, add a loud deprecation warning when users log in using a DSA key. This warning advises affected users to replace their keys with a supported algorithm (e.g., ed25519 or RSA) before the upgrade. Deprecation warning will be displayed during "commit" but also as MOTD to inform on this issue during every login. DEPRECATION WARNING: Support for SSH-DSA keys is deprecated and will be removed in VyOS 1.6. Please update affected keys to a supported algorithm (e.g., RSA, ECDSA or ED25519) to avoid authentication failures after the upgrade. The following users are using SSH-DSS keys for authentication. User "vyos" with deprecated public-key named: foo
2025-08-26op-mode: T7745: add a CLI for operator user command permissionsDaniil Baturin
2025-07-21vyos.utils: T7648: only provide one chown functionChristian Breunig
Remove duplicate function definition vyos.utils.file.chown which was also provided by vyos.utils.permission.chown.
2025-06-28T7591: remove copyright years from source filesChristian Breunig
The legal team says years are not necessary so we can go ahead with it, since it will simplify backporting. Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \ 's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors <maintainers@vyos.io>/g' In addition we will error-out during "make" if someone re-adds a legacy copyright notice
2025-05-29ssh: T6013: rename trusted-user-ca-key -> truster-user-caChristian Breunig
The current implementation for SSH CA based authentication uses "set service ssh trusted-user-ca-key ca-certificate <foo>" to define an X.509 certificate from "set pki ca <foo> ..." - fun fact, native OpenSSH does not support X.509 certificates and only runs with OpenSSH ssh-keygen generated RSA or EC keys. This commit changes the bahavior to support antive certificates generated using ssh-keygen and loaded to our PKI tree. As the previous implementation did not work at all, no migrations cript is used.
2025-05-29pki: T6013: add proper dependencies for SSH CAChristian Breunig
We need to establish proper dependencies on "system login" and "pki ca" for the SSH subsystem. If the CA is updated or user principal names are modified, we must also ensure that the SSH daemon is restarted accordingly.
2025-05-29ssh: T6013: move principal name to "system login user <name> authentication"Christian Breunig
We already support using per-user SSH public keys for system authentication. Instead of introducing a new CLI path to configure per-user principal names, we should continue using the existing CLI location and store the principal names alongside the corresponding SSH public keys. set system login user <name> principal <principal> The certificate used for SSH authentication contains an embedded principal name, which is defined under this CLI node. Only users with matching principal names are permitted to log in.
2025-04-13T7355: cleanup unused Python3 importsChristian Breunig
Some unused import statements sneaked into the codebase. This is about cleaning them up
2025-03-25T7278: Remove cracklib hack from postinstall script templateoniko94
2025-03-18T6353: Add password strength check and user warningoniko94
2024-12-15tacacs: T6613: dynamically build exclude_users list to avoid TACACS trafficChristian Breunig
There is no need to send local base OS accounts like root or daemon to the tacacs server. This will only make the CLI experience sluggish. Build up a dynamic list of user accounts to exclude from TACACS lookup.
2024-06-15T6489: add abstraction vyos.utils.configfs to work natively with the config ↵Christian Breunig
filesystem
2024-06-15T6489: add abstraction vyos.utils.auth.get_current_user()Christian Breunig
2024-06-15login: T6489: add smarter way to interact with the working config instead of ↵Christian Breunig
my_set/my_delete
2024-04-06login: T5875: fix corner case for KeyError: 'getpwuid(): uid not found: XXXX'Christian Breunig
Commit 1b364428f ("login: T5875: restore home directory permissions only when needed") added logic to chown the users home directory if it's UID changes. This might happen when a user account is deleted and re-added to the system. Under rar e circumstances it was possible that the implementation triggered Traceback (most recent call last): File "<stdin>", line 1, in <module> KeyError: 'getpwuid(): uid not found: XXXX' This has been fixed by re-arranging the code path with an additional try/except if the PW database information could not be retrieved leading to an implicit chown() of the home directory to the user beeing added.
2024-02-16login: T5972: add possibility to disable individual local user accountsChristian Breunig
* set system login user <name> disable
2024-01-01login: T5875: restore home directory permissions only when neededChristian Breunig
This improves commit 3c990f49e ("login: T5875: restore home directory permissions when re-adding user account") in a way that the home directory owner is only altered if it differs from the expected owner. Without this change on every boot we would alter the owner which could increase the boot time if the home of a user is cluttered.
2023-12-31T5474: establish common file name pattern for XML conf mode commandsChristian Breunig
We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in