1 |
commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c |
2 |
Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org> |
3 |
AuthorDate: Tue Aug 4 11:20:43 2020 +0000 |
4 |
Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Aug 4 11:20:43 2020 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4 |
7 |
|
8 |
New pambase era |
9 |
|
10 |
pambase was simplified and rewritten in python |
11 |
|
12 |
Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org> |
13 |
|
14 |
.gitignore | 12 +-- |
15 |
LICENSE | 23 ++++++ |
16 |
Makefile | 96 ---------------------- |
17 |
README | 8 -- |
18 |
basic-conf | 52 ------------ |
19 |
linux-pam-conf | 26 ------ |
20 |
login.in | 10 --- |
21 |
other.in | 4 - |
22 |
pambase.py | 95 +++++++++++++++++++++ |
23 |
su.in | 11 --- |
24 |
system-auth.in | 57 ------------- |
25 |
system-login.in | 58 ------------- |
26 |
system-session.inc | 25 ------ |
27 |
templates/login.tpl | 9 ++ |
28 |
templates/other.tpl | 4 + |
29 |
passwd.in => templates/passwd.tpl | 4 +- |
30 |
templates/su.tpl | 8 ++ |
31 |
templates/system-auth.tpl | 54 ++++++++++++ |
32 |
.../system-local-login.tpl | 0 |
33 |
templates/system-login.tpl | 39 +++++++++ |
34 |
.../system-remote-login.tpl | 0 |
35 |
system-services.in => templates/system-service.tpl | 6 +- |
36 |
templates/system-session.tpl | 16 ++++ |
37 |
23 files changed, 252 insertions(+), 365 deletions(-) |
38 |
|
39 |
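--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/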
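--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.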
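--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
-	install -d "$(DESTDIR)/etc/pam.d"
-	install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
-	$(GIT) tag $(PACKAGE)-$(VERSION)
-	$(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
-	$(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
-	sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
-	rm -f $(PAMD) *~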
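--- a/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.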
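--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
-   fine-tune the Kerberos handling so that it works out of hte box on
-   most desktop systems.
-
-   What this control operation does is ignore failures and errors from
-   Kerberos (falling back on local pam_unix auth), but if it's good,
-   it'll skip over the following module (pam_unix) with an accepted
-   status.
-
-   IMPORTANT! Make sure that the only thing that comes right after
-   pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]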
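--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS 1
-#define HAVE_ENV 1
-#define HAVE_ACCESS 1
-#define HAVE_SHELLS 1
-#define HAVE_LOGINUID 1
-
-#define SUPPORT_UNIX_SESSION 1
-#define SUPPORT_NOLOGIN_ACCOUNT 1
-#define SUPPORT_NOLOGIN_AUTH 1
-
-#if !MINIMAL
-# define HAVE_MOTD 1
-# define HAVE_MAIL 1
-# define HAVE_LASTLOG 1
-# define HAVE_FAILLOCK 1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN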
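--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth required pam_securetty.so
-#endif
-auth include system-local-login
-
-account include system-local-login
-password include system-local-login
-
-session optional pam_lastlog.so DEBUG
-session include system-local-login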
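--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth required pam_deny.so
-account required pam_deny.so
-password required pam_deny.so
-session required pam_deny.so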
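--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+    parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+    parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+    parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+    parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+    parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+    parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+    parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+    parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+    parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+    parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+    parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+    parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+    parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+    parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+    parsed_args = parser.parse_args()
+    processed = process_args(parsed_args)
+
+    parse_templates(processed)
+
+
+def process_args(args):
+    # make sure that output directory exists
+    pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+    blank_variables = [
+        "krb5_authtok",
+        "unix_authtok",
+        "unix_extended_encryption",
+        "likeauth",
+        "nullok"
+    ]
+
+    # create a blank dictionary
+    # then add in our parsed args
+    output = dict.fromkeys(blank_variables, "")
+    output.update(vars(args))
+
+    # unconditional variables
+    output["likeauth"] = "likeauth"
+    output["unix_authtok"] = "use_authtok"
+
+    if args.debug:
+        output["debug"] = "debug"
+
+    if args.nullok:
+        output["nullok"] = "nullok"
+
+    if args.krb5:
+        output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+    if args.sha512:
+        output["unix_extended_encryption"] = "sha512 shadow"
+    else:
+        output["unix_extended_encryption"] = "md5 shadow"
+
+    return output
+
+
+def parse_templates(processed_args):
+    load = FileSystemLoader('')
+    env = Environment(loader=load)
+
+    templates = [
+        "login",
+        "other",
+        "passwd",
+        "system-local-login",
+        "system-remote-login",
+        "su",
+        "system-auth",
+        "system-login",
+        "system-service"
+    ]
+
+    for template_name in templates:
+        template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+        with open('stack/{0}'.format(template_name), "w+") as output:
+            rendered_template = template.render(processed_args)
+
+            if rendered_template:
+                output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+    main()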
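Review bot: In process_args, `output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()` formats the literal string "debug" rather than the flag, so every pam_krb5 line is rendered with debug turned on regardless of --debug; it should be `.format("debug" if args.debug else "")`. Setting `output["unix_authtok"] = "use_authtok"` unconditionally also drops the rule the removed basic-conf states (use_authtok only together with passwdqc or pam_krb5): in the plain stack pam_unix becomes the first password module carrying use_authtok with no earlier module to take a token from, which as far as I can tell breaks password changes, so `passwd` with no optional flags is worth testing. Because parse_templates builds its Environment with the default lenient Undefined, a misspelled template variable silently renders as empty text; `env = Environment(loader=load, undefined=StrictUndefined)` (StrictUndefined imported from jinja2 in place of the unused `Template`) would have flagged the `miniaml` typo in templates/system-login.tpl. The `templates/` and `stack/` paths are resolved against the current working directory, so the script only works when run from the checkout root.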
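--- a/su.in
+++ /dev/null
@@ -1,11 +0,0 @@
-auth sufficient pam_rootok.so
-auth required pam_wheel.so use_uid
-auth include system-auth
-
-account include system-auth
-
-password include system-auth
-
-session include system-auth
-session required pam_env.so
-session optional pam_xauth.so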
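--- a/system-auth.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth required pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth sufficient pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-auth required pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth optional pam_permit.so
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-account required pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account optional pam_permit.so
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password required pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-password required pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password optional pam_permit.so
-
-#if HAVE_PAM_SSH
-session optional pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session optional pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session optional pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth optional pam_cap.so
-#endif
-#include "system-session.inc"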
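--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth required pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth required pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth include system-auth
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account required pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account required pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account required pam_nologin.so DEBUG_NOLOGIN
-#endif
-account include system-auth
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-password include system-auth
-
-#if HAVE_LOGINUID
-session optional pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session required pam_selinux.so close
-#endif
-#if HAVE_ENV
-session required pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session optional pam_lastlog.so silent DEBUG
-#endif
-session include system-auth
-#if HAVE_CONSOLEKIT
-session optional pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session required pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session optional pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session optional pam_mail.so
-#endif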
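--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session required pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session required pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session optional pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
-   to not support it for whatever reason, still execute pam_krb5, with
-   sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-# endif
-session required pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session sufficient pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session optional pam_permit.so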
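--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth required pam_securetty.so
+{% endif -%}
+
+auth include system-local-login
+account include system-local-login
+password include system-local-login
+session optional pam_lastlog.so {{ debug|default('', true) }}
+session include system-local-login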
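--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so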
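--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
 auth sufficient pam_rootok.so
 auth include system-auth
-
 account include system-auth
-
 password include system-auth
--password optional pam_gnome_keyring.so UNIX_AUTHTOK
+-password optional pam_gnome_keyring.so {{ unix_authtok }}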
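--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth sufficient pam_rootok.so
+auth required pam_wheel.so use_uid
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_env.so
+session optional pam_xauth.so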
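--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth required pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth sufficient pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth required pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth optional pam_permit.so
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account required pam_unix.so {{ debug|default('', true) }}
+account optional pam_permit.so
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password required pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password optional pam_permit.so
+
+{%- if pam_ssh -%}
+session optional pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session optional pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session optional pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session optional pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}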
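Review bot: `{%- if pam_ssh -%}` is the only block tag in this file with a leading `-`, and as I read Jinja's whitespace control that strips the newline ending `password optional pam_permit.so` just above it, so in the rendered file that line is glued onto whatever session line comes next (pam_ssh.so with --pam-ssh, otherwise the first line of the included system-session.tpl since the other `-%}` tags also strip the blank lines between them); it should read `{% if pam_ssh -%}` like the other blocks. `-session optional pam_libcap.so` replaces the removed `auth optional pam_cap.so` with a module name I do not recognise and moves it to the session phase, and because the leading `-` suppresses the load failure the --libcap option ends up doing nothing; the argparse help for that option also still says pam_caps.so. Unless the rename is intentional, restoring `auth optional pam_cap.so` inside the `{% if libcap -%}` block is the safer choice.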
diff --git a/system-local-login.in b/templates/system-local-login.tpl |
727 |
similarity index 100% |
728 |
rename from system-local-login.in |
729 |
rename to templates/system-local-login.tpl |
730 |
|
731 |
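--- /dev/null
+++ b/templates/system-login.tpl
@@ -0,0 +1,39 @@
+auth required pam_shells.so {{ debug|default('', true) }}
+auth required pam_nologin.so
+auth include system-auth
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account required pam_access.so {{ debug|default('', true) }}
+account required pam_nologin.so
+account include system-auth
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+password include system-auth
+session optional pam_loginuid.so
+{% if selinux -%}
+session required pam_selinux.so close
+{% endif -%}
+
+session required pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session optional pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session include system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session required pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_mail.so
+{% endif -%}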
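Review bot: `{% if not miniaml -%}` misspells the variable, and because pambase.py builds its Environment with the default Undefined the unknown name is falsy, so `session optional pam_lastlog.so` is emitted even with --minimal; fix to `{% if not minimal -%}`. `auth sufficient pam_unix.so nullok try_first_pass` hardcodes nullok, whereas the same faillock branch in templates/system-auth.tpl renders `{{ nullok|default('', true) }}`; as written this line accepts empty-password accounts regardless of --nullok (the earlier required pam_unix pulled in by `auth include system-auth` still rejects them when nullok is off, but the flag no longer controls the whole stack). Use `auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass` here too. The hardcoded nullok was already present in the removed system-login.in, so this is a pre-existing inconsistency the rewrite fixed in one template but not the other.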
diff --git a/system-remote-login.in b/templates/system-remote-login.tpl |
778 |
similarity index 100% |
779 |
rename from system-remote-login.in |
780 |
rename to templates/system-remote-login.tpl |
781 |
|
782 |
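--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
 auth sufficient pam_permit.so
-
 account include system-auth
-
-#if HAVE_LOGINUID
 session optional pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}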
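--- /dev/null
+++ b/templates/system-session.tpl
@@ -0,0 +1,16 @@
+session required pam_limits.so {{ debug|default('', true) }}
+session required pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session optional pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session required pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session optional pam_permit.so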
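Review bot: Both `session [success=1 default=ignore] {{ krb5_params }}` lines omit the module name — the removed system-session.inc had `session KRB5_CONTROL pam_krb5.so KRB5_PARAMS` — so the rendered line's module field becomes the first word of krb5_params and no module can be loaded; depending on how Linux-PAM treats the faulty handler, session setup with --krb5 is then either silently skipped or fails outright. The block is also emitted twice, before and after pam_unix.so, where the old include chose one placement via SUPPORT_UNIX_SESSION (always 1 in the removed linux-pam-conf); with both present, a krb5 success on the first line jumps over pam_unix.so and lands on the second krb5 line, contrary to the old basic-conf warning that only pam_unix may follow the success=1 control. Keep a single `session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}` before `session required pam_unix.so ...` and drop the second block, matching the Linux-PAM branch of the old include.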