PAM: T5577: Optimized RADIUS PAM config (backport from circinus)

debian/vyos-1x.postinst

@@ -45,3 +45,12 @@ done
 
 # Enable Cloud-init pre-configuration service
 systemctl enable vyos-config-cloud-init.service
+
+# We need to have a group for RADIUS service users to use it inside PAM rules
+if ! grep -q '^radius' /etc/group; then
+    addgroup --quiet radius
+fi
+
+# And add RADIUS users to this group
+usermod -aG radius radius_user
+usermod -aG radius radius_priv_user

interface-definitions/include/radius-server-ipv4-ipv6.xml.i

@@ -47,6 +47,26 @@
         <multi/>
       </properties>
     </leafNode>
+    <leafNode name="security-mode">
+      <properties>
+        <help>Security mode for RADIUS authentication</help>
+        <completionHelp>
+          <list>mandatory optional</list>
+        </completionHelp>
+        <valueHelp>
+          <format>mandatory</format>
+          <description>Deny access immediately if RADIUS answers with Access-Reject</description>
+        </valueHelp>
+        <valueHelp>
+          <format>optional</format>
+          <description>Pass to the next authentication method if RADIUS answers with Access-Reject</description>
+        </valueHelp>
+        <constraint>
+          <regex>(mandatory|optional)</regex>
+        </constraint>
+      </properties>
+      <defaultValue>optional</defaultValue>
+    </leafNode>
   </children>
 </node>
 <!-- include end -->

src/conf_mode/system-login.py

@@ -299,9 +299,15 @@ def apply(login):
     env = os.environ.copy()
     env['DEBIAN_FRONTEND'] = 'noninteractive'
     try:
+        # Disable PAM before enabling or modifying anything
+        cmd('pam-auth-update --disable radius-mandatory radius-optional', env=env)
         if 'radius' in login:
             # Enable RADIUS in PAM
-            cmd('pam-auth-update --package --enable radius', env=env)
+            if login['radius'].get('security_mode', '') == 'mandatory':
+                pam_profile = 'radius-mandatory'
+            else:
+                pam_profile = 'radius-optional'
+            cmd(f'pam-auth-update --enable {pam_profile}', env=env)
             # Make NSS system aware of RADIUS
             # This fancy snipped was copied from old Vyatta code
             command = "sed -i -e \'/\smapname/b\' \
@@ -312,8 +318,6 @@ def apply(login):
                           -e \'/^group:[^#]*$/s/: */&mapname /\' \
                           /etc/nsswitch.conf"
         else:
-            # Disable RADIUS in PAM
-            cmd('pam-auth-update --package --remove radius', env=env)
             # Drop RADIUS from NSS NSS system
             # This fancy snipped was copied from old Vyatta code
             command = "sed -i -e \'/^passwd:.*mapuid[ \t]/s/mapuid[ \t]//\' \

src/pam-configs/radius-mandatory

@@ -0,0 +1,19 @@
+Name: RADIUS authentication (mandatory mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so
+Auth:
+    [default=ignore success=end auth_err=die perm_denied=die user_unknown=die] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=bad success=ok] pam_radius_auth.so

src/pam-configs/radius-optional

@@ -0,0 +1,19 @@
+Name: RADIUS authentication (optional mode)
+Default: no
+Priority: 576
+
+Auth-Type: Primary
+Auth-Initial:
+    [default=ignore success=end] pam_radius_auth.so
+Auth:
+    [default=ignore success=end] pam_radius_auth.so use_first_pass
+
+Account-Type: Primary
+Account:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=end] pam_radius_auth.so
+
+Session-Type: Additional
+Session:
+    [default=ignore success=1] pam_succeed_if.so user notingroup radius quiet
+    [default=ignore success=ok perm_denied=bad user_unknown=bad] pam_radius_auth.so