| Age | Commit message (Collapse) | Author |
|---|
|
The initial version always enabled Google authenticator (2FA/MFA) support by
hardcoding the PAM module for sshd and login.
This change only enables the PAM module on demand if any use has 2FA/MFA
configured. Enabling the module is done system wide via pam-auth-update by
using a predefined template.
Can be tested using:
set system login user vyos authentication plaintext-password vyos
set system login user vyos authentication otp key 'QY735IG5HDHBFHS5W7Y2A4EM274SMT3O'
See https://docs.vyos.io/en/latest/configuration/system/login.html for additional
details.
|
|
After sources analysis, we found the next possible return statuses for PAM
modules:
1. pam_tacplus
Auth:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BUF_ERR
- PAM_CRED_INSUFFICIENT
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Account:
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_USER_UNKNOWN
Session:
- PAM_AUTHINFO_UNAVAIL
- PAM_SESSION_ERR
- PAM_SUCCESS
- PAM_USER_UNKNOWN
2. pam_radius_auth
Auth:
- PAM_ABORT
- PAM_AUTH_ERR
- PAM_AUTHINFO_UNAVAIL
- PAM_AUTHTOK_ERR
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
Account:
- PAM_SUCCESS
Session:
- PAM_ABORT
- PAM_AUTHINFO_UNAVAIL
- PAM_BAD_ITEM
- PAM_BUF_ERR
- PAM_CONV_AGAIN
- PAM_CONV_ERR
- PAM_IGNORE
- PAM_NO_MODULE_DATA
- PAM_PERM_DENIED
- PAM_SUCCESS
- PAM_SYSTEM_ERR
- PAM_USER_UNKNOWN
PAM configurations were replaced with tuned versions to take this into account.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if TACACS+ answered with `REJECT`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if TACACS+ answers with `REJECT`, authentication
continues using the next module.
In `mandatory` mode authentication will be stopped only if TACACS+ clearly
answered that access should be denied (no user in TACACS+ database, wrong
password, etc.). If TACACS+ is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
In CLI we can choose authentication logic:
- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must
be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`,
authentication continues using the next module.
In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
|
|
Disable sudo for PAM RADIUS template that slows down the CLI commands
To fix it add:
session [default=ignore success=2] pam_succeed_if.so service = sudo
|
|
|
|
|
|
|
|
Do not query RADIUS servers when commit is running started from a non RADIUS
user (localuser, root). This should reduce the overall system boot time.
|
|
|
|
|
