
From: Mikle Kolyada <zlogene@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/pambase:master commit in: /, templates/
Date: Tue, 04 Aug 2020 11:29:39
Message-Id: 1596540043.405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c.zlogene@gentoo
1 commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c
2 Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
3 AuthorDate: Tue Aug 4 11:20:43 2020 +0000
4 Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
5 CommitDate: Tue Aug 4 11:20:43 2020 +0000
6 URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4
7
8 New pambase era
9
10 pambase was simplified and rewritten in python
11
12 Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
13
14 .gitignore | 12 +--
15 LICENSE | 23 ++++++
16 Makefile | 96 ----------------------
17 README | 8 --
18 basic-conf | 52 ------------
19 linux-pam-conf | 26 ------
20 login.in | 10 ---
21 other.in | 4 -
22 pambase.py | 95 +++++++++++++++++++++
23 su.in | 11 ---
24 system-auth.in | 57 -------------
25 system-login.in | 58 -------------
26 system-session.inc | 25 ------
27 templates/login.tpl | 9 ++
28 templates/other.tpl | 4 +
29 passwd.in => templates/passwd.tpl | 4 +-
30 templates/su.tpl | 8 ++
31 templates/system-auth.tpl | 54 ++++++++++++
32 .../system-local-login.tpl | 0
33 templates/system-login.tpl | 39 +++++++++
34 .../system-remote-login.tpl | 0
35 system-services.in => templates/system-service.tpl | 6 +-
36 templates/system-session.tpl | 16 ++++
37 23 files changed, 252 insertions(+), 365 deletions(-)
38
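diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/
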
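diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
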
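diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..0000000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
- install -d "$(DESTDIR)/etc/pam.d"
- install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
- $(GIT) tag $(PACKAGE)-$(VERSION)
- $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
- $(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
- sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
- rm -f $(PAMD) *~
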
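diff --git a/README b/README
deleted file mode 100644
index 20f2e5e..0000000
--- a/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.
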
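diff --git a/basic-conf b/basic-conf
deleted file mode 100644
index 7b1bf00..0000000
--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
- fine-tune the Kerberos handling so that it works out of hte box on
- most desktop systems.
-
- What this control operation does is ignore failures and errors from
- Kerberos (falling back on local pam_unix auth), but if it's good,
- it'll skip over the following module (pam_unix) with an accepted
- status.
-
- IMPORTANT! Make sure that the only thing that comes right after
- pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]
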
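diff --git a/linux-pam-conf b/linux-pam-conf
deleted file mode 100644
index 962b2eb..0000000
--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS 1
-#define HAVE_ENV 1
-#define HAVE_ACCESS 1
-#define HAVE_SHELLS 1
-#define HAVE_LOGINUID 1
-
-#define SUPPORT_UNIX_SESSION 1
-#define SUPPORT_NOLOGIN_ACCOUNT 1
-#define SUPPORT_NOLOGIN_AUTH 1
-
-#if !MINIMAL
-# define HAVE_MOTD 1
-# define HAVE_MAIL 1
-# define HAVE_LASTLOG 1
-# define HAVE_FAILLOCK 1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN
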
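diff --git a/login.in b/login.in
deleted file mode 100644
index 5067bc7..0000000
--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth required pam_securetty.so
-#endif
-auth include system-local-login
-
-account include system-local-login
-password include system-local-login
-
-session optional pam_lastlog.so DEBUG
-session include system-local-login
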
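diff --git a/other.in b/other.in
deleted file mode 100644
index d8cb1fe..0000000
--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth required pam_deny.so
-account required pam_deny.so
-password required pam_deny.so
-session required pam_deny.so
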
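diff --git a/pambase.py b/pambase.py
new file mode 100755
index 0000000..1ebafbe
--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+ parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+ parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+ parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+ parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+ parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+ parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+ parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+ parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+ parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+ parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+ parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+ parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+ parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+ parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+ parsed_args = parser.parse_args()
+ processed = process_args(parsed_args)
+
+ parse_templates(processed)
+
+
+def process_args(args):
+ # make sure that output directory exists
+ pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+ blank_variables = [
+ "krb5_authtok",
+ "unix_authtok",
+ "unix_extended_encryption",
+ "likeauth",
+ "nullok"
+ ]
+
+ # create a blank dictionary
+ # then add in our parsed args
+ output = dict.fromkeys(blank_variables, "")
+ output.update(vars(args))
+
+ # unconditional variables
+ output["likeauth"] = "likeauth"
+ output["unix_authtok"] = "use_authtok"
+
+ if args.debug:
+ output["debug"] = "debug"
+
+ if args.nullok:
+ output["nullok"] = "nullok"
+
+ if args.krb5:
+ output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+ if args.sha512:
+ output["unix_extended_encryption"] = "sha512 shadow"
+ else:
+ output["unix_extended_encryption"] = "md5 shadow"
+
+ return output
+
+
+def parse_templates(processed_args):
+ load = FileSystemLoader('')
+ env = Environment(loader=load)
+
+ templates = [
+ "login",
+ "other",
+ "passwd",
+ "system-local-login",
+ "system-remote-login",
+ "su",
+ "system-auth",
+ "system-login",
+ "system-service"
+ ]
+
+ for template_name in templates:
+ template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+ with open('stack/{0}'.format(template_name), "w+") as output:
+ rendered_template = template.render(processed_args)
+
+ if rendered_template:
+ output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+ main()
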
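Review bot: In `process_args`, `output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()` hard-codes the literal `"debug"`, so pam_krb5 is always rendered with `debug` regardless of `--debug`, whereas the deleted basic-conf built KRB5_PARAMS from the DEBUG macro, which was empty unless requested; use the flag instead: `output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug" if args.debug else "").strip()`. Separately, `output["unix_authtok"] = "use_authtok"` is now unconditional, while basic-conf only defined UNIX_AUTHTOK when krb5 or passwdqc was enabled; pam_unix given `use_authtok` with no earlier password module supplying a token does not prompt and fails the change, so a stack built without `--passwdqc`/`--krb5` likely cannot change passwords at all — verify with `passwd` on such a stack, and otherwise guard it with `if args.krb5 or args.passwdqc:`. Minor: `Template` is imported from jinja2 but never used.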
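diff --git a/su.in b/su.in
deleted file mode 100644
index 889ecfe..0000000
--- a/su.in
+++ /dev/null
@@ -1,11 +0,0 @@
-auth sufficient pam_rootok.so
-auth required pam_wheel.so use_uid
-auth include system-auth
-
-account include system-auth
-
-password include system-auth
-
-session include system-auth
-session required pam_env.so
-session optional pam_xauth.so
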
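diff --git a/system-auth.in b/system-auth.in
deleted file mode 100644
index 9ae09e4..0000000
--- a/system-auth.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth required pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth sufficient pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-auth required pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth optional pam_permit.so
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-account required pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account optional pam_permit.so
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password required pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-password required pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password optional pam_permit.so
-
-#if HAVE_PAM_SSH
-session optional pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session optional pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session optional pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth optional pam_cap.so
-#endif
-#include "system-session.inc"
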
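diff --git a/system-login.in b/system-login.in
deleted file mode 100644
index ee03613..0000000
--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth required pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth required pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth include system-auth
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account required pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account required pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account required pam_nologin.so DEBUG_NOLOGIN
-#endif
-account include system-auth
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-password include system-auth
-
-#if HAVE_LOGINUID
-session optional pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session required pam_selinux.so close
-#endif
-#if HAVE_ENV
-session required pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session optional pam_lastlog.so silent DEBUG
-#endif
-session include system-auth
-#if HAVE_CONSOLEKIT
-session optional pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session required pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session optional pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session optional pam_mail.so
-#endif
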
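diff --git a/system-session.inc b/system-session.inc
deleted file mode 100644
index 2ba6964..0000000
--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session required pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session required pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session optional pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
- to not support it for whatever reason, still execute pam_krb5, with
- sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-# endif
-session required pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session sufficient pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session optional pam_permit.so
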
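diff --git a/templates/login.tpl b/templates/login.tpl
new file mode 100644
index 0000000..7476cb7
--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth required pam_securetty.so
+{% endif -%}
+
+auth include system-local-login
+account include system-local-login
+password include system-local-login
+session optional pam_lastlog.so {{ debug|default('', true) }}
+session include system-local-login
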
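diff --git a/templates/other.tpl b/templates/other.tpl
new file mode 100644
index 0000000..f3b7198
--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
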
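diff --git a/passwd.in b/templates/passwd.tpl
similarity index 66%
rename from passwd.in
rename to templates/passwd.tpl
index 248bb7c..5f4f739 100644
--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
 auth sufficient pam_rootok.so
 auth include system-auth
-
 account include system-auth
-
 password include system-auth
--password optional pam_gnome_keyring.so UNIX_AUTHTOK
+-password optional pam_gnome_keyring.so {{ unix_authtok }}
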
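diff --git a/templates/su.tpl b/templates/su.tpl
new file mode 100644
index 0000000..a36b633
--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth sufficient pam_rootok.so
+auth required pam_wheel.so use_uid
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_env.so
+session optional pam_xauth.so
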
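diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
new file mode 100644
index 0000000..13f5c0d
--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth required pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth sufficient pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth required pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth optional pam_permit.so
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account required pam_unix.so {{ debug|default('', true) }}
+account optional pam_permit.so
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password required pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password optional pam_permit.so
+
+{%- if pam_ssh -%}
+session optional pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session optional pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session optional pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session optional pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}
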
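Review bot: `{%- if pam_ssh -%}` on the session block strips the whitespace before the tag as well as after it, so with `--pam-ssh` the rendered file contains `password optional pam_permit.sosession optional pam_ssh.so` on a single line, which PAM cannot parse; every other block in this file uses the `{% if … -%}` form, so change it to `{% if pam_ssh -%}`. The libcap block renders `-session optional pam_libcap.so`, but the line it replaces in system-auth.in was `auth optional pam_cap.so`; `pam_libcap.so` is not the module's name, and because the leading `-` tells PAM to ignore a failed module load, the mistake is silent and capabilities are simply never applied — it should read `auth optional pam_cap.so` (the `--libcap` help text in pambase.py, which says `pam_caps.so`, is wrong in the same way).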
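diff --git a/system-local-login.in b/templates/system-local-login.tpl
similarity index 100%
rename from system-local-login.in
rename to templates/system-local-login.tpl
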
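diff --git a/templates/system-login.tpl b/templates/system-login.tpl
new file mode 100644
index 0000000..2f404bc
--- /dev/null
+++ b/templates/system-login.tpl
@@ -0,0 +1,39 @@
+auth required pam_shells.so {{ debug|default('', true) }}
+auth required pam_nologin.so
+auth include system-auth
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account required pam_access.so {{ debug|default('', true) }}
+account required pam_nologin.so
+account include system-auth
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+password include system-auth
+session optional pam_loginuid.so
+{% if selinux -%}
+session required pam_selinux.so close
+{% endif -%}
+
+session required pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session optional pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session include system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session required pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_mail.so
+{% endif -%}
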
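Review bot: `{% if not miniaml -%}` guarding the pam_lastlog line misspells `minimal`; Jinja evaluates the undefined name as false, so the block is rendered unconditionally and `--minimal` has no effect on it. Change it to `{% if not minimal -%}`. The faillock block after `auth include system-auth` also keeps a hard-coded `nullok` in `auth sufficient pam_unix.so nullok try_first_pass`, while the equivalent line in system-auth.tpl was parameterised as `{{ nullok|default('', true) }}`; mirroring that here keeps acceptance of empty passwords under the control of `--nullok` in both files instead of only one.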
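diff --git a/system-remote-login.in b/templates/system-remote-login.tpl
similarity index 100%
rename from system-remote-login.in
rename to templates/system-remote-login.tpl
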
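diff --git a/system-services.in b/templates/system-service.tpl
similarity index 65%
rename from system-services.in
rename to templates/system-service.tpl
index 989267f..cbfab6f 100644
--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
 auth sufficient pam_permit.so
-
 account include system-auth
-
-#if HAVE_LOGINUID
 session optional pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}
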
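Review bot: The rename from `system-services.in` to `system-service.tpl`, together with the `"system-service"` entry in `parse_templates` in pambase.py, means the generated file is written as `stack/system-service`, whereas the deleted Makefile's PAMD list installed it as `/etc/pam.d/system-services`. Any pam.d service file that still does `include system-services` would then point at a missing file, which presumably fails that service's stack (fail-closed, but it would lock out the daemons that rely on it) — unless the singular name is intended, keep `system-services` both as the template filename and in the `templates` list.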
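diff --git a/templates/system-session.tpl b/templates/system-session.tpl
new file mode 100644
index 0000000..f2622a8
--- /dev/null
+++ b/templates/system-session.tpl
@@ -0,0 +1,16 @@
+session required pam_limits.so {{ debug|default('', true) }}
+session required pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session optional pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session required pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session optional pam_permit.so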
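Review bot: Both `session [success=1 default=ignore] {{ krb5_params }}` lines omit the module path, so the first word of the rendered parameters is taken as the module name and PAM tries to load a module called `debug` rather than `pam_krb5.so`; the line this replaces in system-session.inc was `session KRB5_CONTROL pam_krb5.so KRB5_PARAMS`. The block is also emitted twice, before and after `pam_unix.so`, while the old file had it once before pam_unix so that `success=1` skips pam_unix and lands on pam_permit — the second copy would skip past `pam_permit.so`, the last entry, which Linux-PAM treats as a bad jump. Restore `session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}` in the first block and delete the second `{%if krb5 -%}` … `{% endif -%}` block; writing the tag as `{% if krb5 -%}` would also match the other templates.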