T5145: Add maximum number of all logins on system

maxsyslogins maximum number of all logins on system; user is not allowed to log-in if total number of all user logins is greater than specified number (this limit does not apply to user with uid=0) set system login max-login-session 2
vyos · Apr 4, 2023 · 66ab065 · 66ab065
1 parent 94b65bb
commit 66ab065
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2
@@ -0,0 +1,5 @@
+# Generated by /usr/libexec/vyos/conf_mode/system-login.py
+
+{% if max_login_session is vyos_defined %}
+* - maxsyslogins {{ max_login_session }}
+{% endif %}
diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in
@@ -225,6 +225,19 @@
               #include <include/interface/vrf.xml.i>
             </children>
           </node>
+          <leafNode name="max-login-session">
+            <properties>
+              <help>Maximum number of all login sessions</help>
+              <valueHelp>
+                <format>u32:1-65536</format>
+                <description>Maximum number of all login sessions</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 1-65536"/>
+              </constraint>
+              <constraintErrorMessage>Maximum logins must be between 1 and 65536</constraintErrorMessage>
+            </properties>
+          </leafNode>
           <leafNode name="timeout">
             <properties>
               <help>Session timeout</help>

diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2022 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -40,6 +40,7 @@
 airbag.enable()
 
 autologout_file = "/etc/profile.d/autologout.sh"
+limits_file = "/etc/security/limits.d/10-vyos.conf"
 radius_config_file = "/etc/pam_radius_auth.conf"
 
 # LOGIN_TIMEOUT from /etc/loign.defs minus 10 sec
@@ -164,6 +165,9 @@ def verify(login):
             if ipv6_count > 1:
                 raise ConfigError('Only one IPv6 source-address can be set!')
 
+    if 'max_login_session' in login and 'timeout' not in login:
+        raise ConfigError('"login timeout" must be configured!')
+
     return None
 
 
@@ -226,6 +230,14 @@ def generate(login):
         if os.path.isfile(radius_config_file):
             os.unlink(radius_config_file)
 
+    # /etc/security/limits.d/10-vyos.conf
+    if 'max_login_session' in login:
+        render(limits_file, 'login/limits.j2', login,
+                   permission=0o644, user='root', group='root')
+    else:
+        if os.path.isfile(limits_file):
+            os.unlink(limits_file)
+
     if 'timeout' in login:
         render(autologout_file, 'login/autologout.j2', login,
                    permission=0o755, user='root', group='root')