From 96f5fae930b8213c199069c7aab079c6fb9cd334 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 27 Jan 2020 20:57:45 +0100
Subject: login: T1948: initial rewrite in XML/Python
---
 debian/control | 1 +
 1 file changed, 1 insertion(+)
(limited to 'debian')
diff --git a/debian/control b/debian/control
index 9df421977..6e59ea2fb 100644
--- a/debian/control
+++ b/debian/control
@@ -63,6 +63,7 @@ Depends: python3,
 openvpn,
 openvpn-auth-ldap,
 openvpn-auth-radius,
+ libpam-radius-auth,
 mtr-tiny,
 telnet,
 traceroute,
-- 
cgit v1.2.3
From b1bb4dcc8dd9d08e0845ecd4c568511e61c594d1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Thu, 30 Jan 2020 21:45:51 +0100
Subject: login: T1948: initial support for RADIUS configuration
---
 debian/control | 2 +-
 src/conf_mode/system-login.py | 47 ++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 45 insertions(+), 4 deletions(-)
(limited to 'debian')
diff --git a/debian/control b/debian/control
index 6e59ea2fb..2901f792e 100644
--- a/debian/control
+++ b/debian/control
@@ -63,7 +63,7 @@ Depends: python3,
 openvpn,
 openvpn-auth-ldap,
 openvpn-auth-radius,
- libpam-radius-auth,
+ libpam-radius-auth (>= 1.5.0),
 mtr-tiny,
 telnet,
 traceroute,
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 8aa3991fd..3d29010b9 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -16,6 +16,7 @@ import sys
 import os
+import jinja2
 from pwd import getpwall, getpwnam
 from grp import getgrnam
@@ -26,6 +27,21 @@ from vyos.config import Config
 from vyos.configdict import list_diff
 from vyos import ConfigError
+radius_config_file = "/etc/pam_radius_auth.conf"
+radius_config_tmpl = """
+# Automatically generated by VyOS
+# RADIUS configuration file
+# server[:port] shared_secret timeout (s) source_ip
+{% if radius_server -%}
+{% for s in radius_server -%}
+{{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if radius_source -%}{{ radius_source }}{% endif %}
+{% endfor -%}
+
+priv-lvl 15
+mapped_priv_user radius_priv_user
+{% endif %}
+
+"""
 default_config_data = {
 'deleted': False,
@@ -152,7 +168,6 @@ def get_config():
 return login
 def verify(login):
- pass
 def generate(login):
@@ -186,7 +201,7 @@ def generate(login):
 if not os.path.isdir(key_dir):
 os.mkdir(key_dir)
 os.chown(key_dir, uid, gid)
- os.chmod(key_dir, S_IRWXU|S_IRGRP|S_IXGRP)
+ os.chmod(key_dir, S_IRWXU | S_IRGRP | S_IXGRP)
 key_file = key_dir + '/authorized_keys';
 with open(key_file, 'w') as f:
@@ -202,7 +217,23 @@ def generate(login):
 f.write(line)
 os.chown(key_file, uid, gid)
- os.chmod(key_file, S_IRUSR|S_IWUSR)
+ os.chmod(key_file, S_IRUSR | S_IWUSR)
+
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ tmpl = jinja2.Template(radius_config_tmpl)
+ config_text = tmpl.render(login)
+ with open(radius_config_file, 'w') as f:
+ f.write(config_text)
+
+ uid = getpwnam('root').pw_uid
+ gid = getpwnam('root').pw_gid
+ os.chown(radius_config_file, uid, gid)
+ os.chmod(radius_config_file, S_IRUSR | S_IWUSR)
+ else:
+ os.unlink(radius_config_file)
 pass
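Review bot: The template header names the columns but not that `{{ s.key }}` is the RADIUS shared secret, which is the reason the rendered /etc/pam_radius_auth.conf must stay root-only; add `# Contains the RADIUS shared secret: keep mode 0600, owner root` to the header so the constraint travels with the file. `mapped_priv_user radius_priv_user` presumes a local account of that name and nothing in this series shows it being created; if it is provisioned elsewhere, reference that in a comment, otherwise the mapping has nothing to map to.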
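Review bot: Removing `    pass` leaves `def verify(login):` with no body and nothing is added in its place (the hunk shrinks from 7 lines to 6, and the file's 44 insertions are all accounted for by the other hunks), so the module stops parsing with an IndentationError and every commit routed through this script fails. Keep `    pass` until there is a real check, or use the slot for the obvious one: reject a `radius_server` entry whose `key` is empty, since the pam_radius_auth.conf template cannot be rendered meaningfully without it. Whichever is chosen, verify() should get a one-line docstring stating what it validates.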
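Review bot: `os.unlink(radius_config_file)` in the new else branch raises FileNotFoundError once the file is gone, so the next commit without RADIUS servers aborts generate(); guard it, e.g. `if os.path.isfile(radius_config_file): os.unlink(radius_config_file)`. On the write side, `open(radius_config_file, 'w')` creates the file under the process umask and the chmod to `S_IRUSR | S_IWUSR` only runs afterwards, so a newly created file briefly exposes the rendered shared secret to other local users; create it with the final mode instead, `with open(os.open(radius_config_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:`. Re-raising a write failure as ConfigError (already imported above) would also give the operator a message rather than a traceback. generate() starts outside the hunk.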
@@ -241,6 +272,16 @@ def apply(login):
 except Exception as e:
 print('Deleting user "{}" raised an exception'.format(user))
+ #
+ # RADIUS
+ #
+ if len(login['radius_server']) > 0:
+ # Enable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --enable radius")
+ else:
+ # Disable RADIUS in PAM
+ os.system("DEBIAN_FRONTEND=noninteractive pam-auth-update --package --remove radius")
+
 pass
 if __name__ == '__main__':
-- 
cgit v1.2.3
From 74329734d3c465675ec3650cb2b8d1cbe8ec0885 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Wed, 5 Feb 2020 19:33:18 +0100
Subject: radius: T1948: supply PAM configuration template
---
 debian/rules | 4 ++++
 src/pam-configs/radius | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 src/pam-configs/radius
(limited to 'debian')
diff --git a/debian/rules b/debian/rules
index d529c9b4e..144132389 100755
--- a/debian/rules
+++ b/debian/rules
@@ -74,6 +74,10 @@ override_dh_auto_install:
 mkdir -p $(DIR)/etc
 cp -r src/etc/* $(DIR)/etc
+ # Install PAM configuration snippets
+ mkdir -p $(DIR)/usr/share/pam-configs
+ cp -r src/pam-configs/* $(DIR)/usr/share/pam-configs
+
 # Install systemd service units
 mkdir -p $(DIR)/lib/systemd/system
 cp -r src/systemd/* $(DIR)/lib/systemd/system
diff --git a/src/pam-configs/radius b/src/pam-configs/radius
new file mode 100644
index 000000000..9353de458
--- /dev/null
+++ b/src/pam-configs/radius
@@ -0,0 +1,14 @@
+Name: RADIUS authentication
+Default: no
+Priority: 257
+Auth-Type: Primary
+Auth:
+ [authinfo_unavail=ignore success=end auth_err=bad default=ignore] pam_radius_auth.so
+
+Account-Type: Primary
+Account:
+ [authinfo_unavail=ignore success=end perm_denied=bad default=ignore] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+ [authinfo_unavail=ignore success=ok default=ignore] pam_radius_auth.so
-- 
cgit v1.2.3
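Review bot: Both `os.system(...)` calls discard the exit status, so a failing `pam-auth-update` leaves PAM unchanged while the commit reports success; in the enable branch the rendered pam_radius_auth.conf then exists but is never consulted, in the disable branch RADIUS stays active against a deleted config. Run the command as `subprocess.run(['pam-auth-update', '--package', '--enable', 'radius'], env={**os.environ, 'DEBIAN_FRONTEND': 'noninteractive'}, check=True)` (with `--remove` in the else branch), or at least test the return value and raise ConfigError, which this file imports. The `pass` left after the new block is now redundant. apply() starts outside the hunk.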
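Review bot: The control flags make RADIUS authoritative only when the server answers: `authinfo_unavail=ignore` and `default=ignore` fall through to the next Primary module (the local password) when the server cannot be reached or returns anything other than success or a reject, while `auth_err=bad` denies a wrong RADIUS password without a local retry and `success=end` skips the local password entirely on success. That fail-open-to-local behaviour, together with `Priority: 257` presumably placing this profile ahead of the stock unix profile, is a deliberate design choice but nothing in the series records it; note it in the commit message or beside the radius template in system-login.py so a later reader does not "fix" it. The Account stanza's `perm_denied=bad` with `default=ignore` deserves the same sentence.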