From fbfd675a532a85858530d9ad7bdd63d563189bec Mon Sep 17 00:00:00 2001
From: jim-p
Date: Fri, 8 Apr 2011 08:59:50 -0400
Subject: Add an IPsec xauth permission. Try to use the nologin shell first (just unlock the account). Ticket #1202

---
 etc/inc/auth.inc | 2 ++
 etc/inc/priv/user.priv.inc | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 159e791..239d7de 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -360,6 +360,8 @@ function local_user_set(& $user) {
 $user_shell = "/usr/local/bin/scponly";
 } elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
 $user_shell = "/usr/local/sbin/ssh_tunnel_shell";
+ } elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
+ $user_shell = "/sbin/nologin";
 } else {
 $user_shell = "/sbin/nologin";
 $lock_account = true;
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index 779f2bb..bfc7f59 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -21,6 +21,12 @@ $priv_list['user-ssh-tunnel']['descr'] = "Indicates whether the user is able to
 "Note: User - System - Copy files conflicts with ".
 "this privilege.";
+$priv_list['user-ipsec-xauth-dialin'] = array();
+$priv_list['user-ipsec-xauth-dialin']['name'] = "User - VPN - IPsec xauth Dialin";
+$priv_list['user-ipsec-xauth-dialin']['descr'] = "Indicates whether the user is allowed to dial in via IPsec xauth ".
+ "(Note: Does not allow shell access, but may allow ".
+ "the user to create ssh tunnels)";
+
 $priv_list['user-l2tp-dialin'] = array();
 $priv_list['user-l2tp-dialin']['name'] = "User - VPN - L2TP Dialin";
 $priv_list['user-l2tp-dialin']['descr'] = "Indicates whether the user is allowed to dial in via L2TP";
-- 
cgit v1.1
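Review bot: The new `elseif` branch for `user-ipsec-xauth-dialin` assigns exactly the same `/sbin/nologin` shell as the `else` directly below it, so the only thing the branch changes is that `$lock_account` is not set; nothing in the code says that, and a later cleanup that merges the two identical assignments would silently lock xauth users out again. A one-line comment on the new branch would pin the intent, e.g. `// xauth dial-in: no shell, but leave the account unlocked (ticket #1202)`. Branch order also means a user holding both `user-ssh-tunnel` and this privilege keeps the tunnel shell, which looks intended but is worth stating in the same comment. `local_user_set()` starts and ends outside the hunk, so whether `$lock_account` is initialised before this chain cannot be checked here.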
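Review bot: The new `descr` string says the privilege "may allow the user to create ssh tunnels", but nothing in this file shows where that side effect comes from; the coupling is in `local_user_set()` in etc/inc/auth.inc, which gives holders of this privilege the `/sbin/nologin` shell without locking the account. A short comment above the new entry, e.g. `// Shell and account-lock handling for this privilege lives in local_user_set() (etc/inc/auth.inc)`, would keep the two places in sync when either is edited. Whether a nologin shell actually permits port forwarding depends on the sshd configuration rather than on anything in this diff, so the hedged wording ("may allow") is appropriate as it stands.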