authorjim-p <jimp@pfsense.org>2011-04-08 08:59:50 -0400
committerjim-p <jimp@pfsense.org>2011-04-08 08:59:50 -0400
commitfbfd675a532a85858530d9ad7bdd63d563189bec (patch)
tree8a067b7b24b4c06e1c8f9c080fe2dbb289e75cd3 /etc/inc
parent02d99511539a3312f8aab54b7dd1cdcaec9c0847 (diff)
Add an IPsec xauth permission. Try to use the nologin shell first (just unlock the account). Ticket #1202
Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/auth.inc2
-rw-r--r--etc/inc/priv/user.priv.inc6
2 files changed, 8 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 159e791..239d7de 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -360,6 +360,8 @@ function local_user_set(& $user) {
$user_shell = "/usr/local/bin/scponly";
} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
+ } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
+ $user_shell = "/sbin/nologin";
} else {
$user_shell = "/sbin/nologin";
$lock_account = true;
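Review bot: The new `user-ipsec-xauth-dialin` branch assigns the same `/sbin/nologin` shell as the `else` branch below it, and the only thing that distinguishes it is the absence of `$lock_account = true;` — a reader diffing the two branches will take the duplication for a copy-paste slip unless that is stated. A one-line comment above the new `elseif` would carry the intent the commit message gives, e.g. `// xauth dial-in: no login shell, but leave the account unlocked (presumably so xauth password authentication still succeeds)`. Note also that the branch sits after the `user-ssh-tunnel` check, so a user holding both privileges gets the tunnel shell rather than nologin; if that precedence is intentional it is worth saying in the same comment. `local_user_set()` begins before this hunk and continues after it, so the effect of `$lock_account` on the created account is not visible here.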
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index 779f2bb..bfc7f59 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -21,6 +21,12 @@ $priv_list['user-ssh-tunnel']['descr'] = "Indicates whether the user is able to
"Note: User - System - Copy files conflicts with ".
"this privilege.";
+$priv_list['user-ipsec-xauth-dialin'] = array();
+$priv_list['user-ipsec-xauth-dialin']['name'] = "User - VPN - IPsec xauth Dialin";
+$priv_list['user-ipsec-xauth-dialin']['descr'] = "Indicates whether the user is allowed to dial in via IPsec xauth ".
+ "(Note: Does not allow shell access, but may allow ".
+ "the user to create ssh tunnels)";
+
$priv_list['user-l2tp-dialin'] = array();
$priv_list['user-l2tp-dialin']['name'] = "User - VPN - L2TP Dialin";
$priv_list['user-l2tp-dialin']['descr'] = "Indicates whether the user is allowed to dial in via L2TP";
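Review bot: The new `descr` string's parenthetical "may allow the user to create ssh tunnels" reads as if this privilege itself could grant tunnel access, whereas (from the `auth.inc` hunk) tunnels are only possible when the account also holds `user-ssh-tunnel`, which takes precedence in the shell selection. Rewording the two continuation lines to state the dependency removes the ambiguity, e.g. `"(Note: Does not grant shell access; a user who also has the SSH tunnel " .` and `"privilege can still create SSH tunnels.)";`. Admin-facing privilege descriptions are what operators rely on when granting rights, so the precise condition is worth the extra words.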