PAM: T5577: Optimized RADIUS PAM config (backport from circinus) #2513

Merged
merged 1 commit into from Nov 21, 2023

zdc
Contributor

@zdc zdc commented Nov 20, 2023

Change Summary

Optimized RADIUS PAM config

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

PAM, RADIUS

Proposed changes

  • Added system radius group
  • Added mandatory and optional modes for RADIUS
  • Improved PAM config for RADIUS

New modes:

  • mandatory - if RADIUS answered with Access-Reject, authentication must be stopped and access denied immediately.
  • optional (default) - if RADIUS answers with Access-Reject, authentication continues using the next module.

In mandatory mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in optional mode.

How to test

Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS

New modes:

- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be
stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication
continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly
answered that access should be denied (no user in RADIUS database, wrong
password, etc.). If RADIUS is not available or other errors happen, it will be
skipped and authentication will continue with the next module, like in
`optional` mode.
@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, jestabro, sever-sever and c-po and removed request for a team November 20, 2023 17:14
@c-po c-po merged commit bdf0a3b into vyos:equuleus Nov 21, 2023
3 checks passed
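
Added example (not code from this PR or from VyOS): a small Python model of PAM stack evaluation showing how the `mandatory` and `optional` modes described above differ. The control strings, the local-password module used as the "next module", and the mapping of Access-Reject to `auth_err` and an unreachable server to `authinfo_unavail` are assumptions made for illustration.

```python
# Added illustration, not the VyOS PAM config. Control strings are assumed,
# chosen to reproduce the behaviour described in the PR text.
# Assumed mapping: Access-Accept -> success, Access-Reject -> auth_err,
# RADIUS server unreachable -> authinfo_unavail.
SUCCESS, AUTH_ERR, UNAVAIL = "success", "auth_err", "authinfo_unavail"

RADIUS_CONTROL = {
    "mandatory": "[success=done auth_err=die default=ignore]",
    "optional": "[success=done default=ignore]",
}
# Hypothetical "next module": local password check that decides the outcome.
LOCAL_CONTROL = "[success=done default=die]"


def parse_control(ctrl):
    """Turn '[a=x b=y]' into {'a': 'x', 'b': 'y'}."""
    return dict(pair.split("=", 1) for pair in ctrl.strip("[]").split())


def run_stack(stack):
    """Evaluate (control, result) pairs in order.

    Returns (granted, index of the module that decided, or None).
    Only the done/die/ignore actions are modelled.
    """
    for idx, (ctrl, result) in enumerate(stack):
        actions = parse_control(ctrl)
        action = actions.get(result, actions.get("default", "ignore"))
        if action == "done":      # stop here, access granted
            return True, idx
        if action == "die":       # stop here, access denied
            return False, idx
        if action != "ignore":
            raise ValueError(f"unsupported action: {action}")
    return False, None            # no module granted access


def authenticate(mode, radius_result, local_result):
    """Run RADIUS first, then the assumed local module."""
    stack = [(RADIUS_CONTROL[mode], radius_result),
             (LOCAL_CONTROL, local_result)]
    return run_stack(stack)


if __name__ == "__main__":
    for mode in ("mandatory", "optional"):
        for radius in (SUCCESS, AUTH_ERR, UNAVAIL):
            print(mode, radius, authenticate(mode, radius, SUCCESS))
```

Two fall-through cases are worth checking when reviewing such a stack: in `optional` mode a user rejected by RADIUS is still evaluated by the next module, and in both modes an unreachable RADIUS server hands the decision to the next module.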