From d2745a7b60a7fef88958bd52b3876c105da87e77 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Tue, 20 May 2025 19:54:59 +0200 Subject: pki: T6013: add proper dependencies for SSH CA We need to establish proper dependencies on "system login" and "pki ca" for the SSH subsystem. If the CA is updated or user principal names are modified, we must also ensure that the SSH daemon is restarted accordingly. --- src/conf_mode/pki.py | 4 ++++ src/conf_mode/system_login.py | 4 ++++ 2 files changed, 8 insertions(+) (limited to 'src') diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py index 869518dd9..14fe86d56 100755 --- a/src/conf_mode/pki.py +++ b/src/conf_mode/pki.py @@ -63,6 +63,10 @@ sync_search = [ 'keys': ['certificate'], 'path': ['service', 'https'], }, + { + 'keys': ['ca_certificate'], + 'path': ['service', 'ssh'], + }, { 'keys': ['certificate', 'ca_certificate'], 'path': ['interfaces', 'ethernet'], diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py index fa866c0ce..481fdd16e 100755 --- a/src/conf_mode/system_login.py +++ b/src/conf_mode/system_login.py @@ -26,6 +26,8 @@ from time import sleep from vyos.base import Warning from vyos.config import Config +from vyos.configdep import set_dependents +from vyos.configdep import call_dependents from vyos.configverify import verify_vrf from vyos.template import render from vyos.template import is_ipv4 @@ -129,6 +131,7 @@ def get_config(config=None): max_uid=MIN_TACACS_UID) + cli_users login['tacacs_min_uid'] = MIN_TACACS_UID + set_dependents('ssh', conf) return login def verify(login): @@ -433,6 +436,7 @@ def apply(login): if enable_otp: cmd('pam-auth-update --enable mfa-google-authenticator') + call_dependents() return None -- cgit v1.2.3