Merge pull request #4502 from c-po/pam-nologin

jestabro · web-flow · commit 572400156976 · 2025-05-13T09:27:04.000-05:00
T7443: Un-restricting non-root logins after scheduled reboot/shutdown via pam_nologin
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
@@ -50,6 +50,10 @@ if [[ -e /usr/share/pam-configs/tacplus ]]; then
     rm /usr/share/pam-configs/tacplus
 fi
 
+# Disable pam_nologin.so behavior for regular users
+sed -i '/^auth[[:space:]]\+requisite[[:space:]]\+pam_nologin\.so$/s/^/#/' /etc/pam.d/login
+sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_nologin\.so$/s/^/#/' /etc/pam.d/sshd
+
 # Add TACACS system users required for TACACS based system authentication
 if ! grep -q '^tacacs' /etc/passwd; then
     # Add the tacacs group and all 16 possible tacacs privilege-level users to
diff --git a/smoketest/scripts/cli/test_system_login.py b/smoketest/scripts/cli/test_system_login.py
@@ -548,5 +548,34 @@ def test_delete_current_user(self):
             self.cli_commit()
         self.cli_discard()
 
+    def test_pam_nologin(self):
+        # Testcase for T7443, test if we can login with a non-privileged user
+        # when there are only 5 minutes left until the system reboots
+        username = users[0]
+        password = f'{username}-pSWd-t3st'
+
+        self.cli_set(base_path + ['user', username, 'authentication', 'plaintext-password', password])
+        self.cli_commit()
+
+        # Login with proper credentials
+        out, err = self.ssh_send_cmd(ssh_test_command, username, password)
+        # verify login
+        self.assertFalse(err)
+        self.assertEqual(out, self.ssh_test_command_result)
+
+        # Request system reboot in 5 minutes - this will activate pam_nologin.so
+        # and prevent any login - but we have this disabled, so we must be able
+        # to login to the router
+        self.op_mode(['reboot', 'in', '4'])
+
+        # verify login
+        # Login with proper credentials - after reboot is pending
+        out, err = self.ssh_send_cmd(ssh_test_command, username, password)
+        self.assertFalse(err)
+        self.assertEqual(out, self.ssh_test_command_result)
+
+        # Cancel pending reboot - we do wan't to preceed with the remaining tests
+        self.op_mode(['reboot', 'cancel'])
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
