
(simp#132) Changes to allow the pam module to support authselect
Fixes simp#132
michael-riddle committed May 22, 2023
1 parent 46cbf15 commit 44faf8b
Showing 3 changed files with 124 additions and 97 deletions.
99 changes: 54 additions & 45 deletions manifests/auth.pp
Expand Up @@ -109,15 +109,24 @@
'smartcard',
'fingerprint',
'password',
'system'
'system',
]

$_valid_targets_join = join($valid_targets,',')
if ! ($name in $valid_targets) {
fail("\$name must be one of '${_valid_targets_join}'.")
}

$basedir = '/etc/pam.d'
unless $pam::auth_basedir {
$basedir = $pam::use_authselect ? {
true => '/etc/pam.d/simp',
default => '/etc/pam.d',
}
}
else {
$basedir = $pam::auth_basedir
}

$target = "${name}-auth"

if $content {
Expand All @@ -130,47 +139,47 @@
}
else {
$_content = epp("${module_name}/etc/pam.d/auth.epp", {
name => $name,
password_check_backend => $password_check_backend,
locale_file => $locale_file,
auth_content_pre => $auth_content_pre,
cracklib_enforce_for_root => $cracklib_enforce_for_root,
cracklib_reject_username => $cracklib_reject_username,
cracklib_difok => $cracklib_difok,
cracklib_maxrepeat => $cracklib_maxrepeat,
cracklib_maxsequence => $cracklib_maxsequence,
cracklib_maxclassrepeat => $cracklib_maxclassrepeat,
cracklib_gecoscheck => $cracklib_gecoscheck,
cracklib_dcredit => $cracklib_dcredit,
cracklib_ucredit => $cracklib_ucredit,
cracklib_lcredit => $cracklib_lcredit,
cracklib_ocredit => $cracklib_ocredit,
cracklib_minclass => $cracklib_minclass,
cracklib_minlen => $cracklib_minlen,
cracklib_retry => $cracklib_retry,
deny => $deny,
faillock => $faillock,
faillock_log_dir => $faillock_log_dir,
display_account_lock => $display_account_lock,
fail_interval => $fail_interval,
remember => $remember,
remember_retry => $remember_retry,
remember_for_root => $remember_for_root,
even_deny_root => $even_deny_root,
root_unlock_time => $root_unlock_time,
hash_algorithm => $hash_algorithm,
rounds => $rounds,
uid => $uid,
unlock_time => $unlock_time,
preserve_ac => $preserve_ac,
use_netgroups => $use_netgroups,
use_openshift => $use_openshift,
sssd => $sssd,
tty_audit_users => $tty_audit_users,
separator => $separator,
enable_separator => $enable_separator,
oath => $oath,
oath_window => $oath_window
name => $name,
password_check_backend => $password_check_backend,
locale_file => $locale_file,
auth_content_pre => $auth_content_pre,
cracklib_enforce_for_root => $cracklib_enforce_for_root,
cracklib_reject_username => $cracklib_reject_username,
cracklib_difok => $cracklib_difok,
cracklib_maxrepeat => $cracklib_maxrepeat,
cracklib_maxsequence => $cracklib_maxsequence,
cracklib_maxclassrepeat => $cracklib_maxclassrepeat,
cracklib_gecoscheck => $cracklib_gecoscheck,
cracklib_dcredit => $cracklib_dcredit,
cracklib_ucredit => $cracklib_ucredit,
cracklib_lcredit => $cracklib_lcredit,
cracklib_ocredit => $cracklib_ocredit,
cracklib_minclass => $cracklib_minclass,
cracklib_minlen => $cracklib_minlen,
cracklib_retry => $cracklib_retry,
deny => $deny,
faillock => $faillock,
faillock_log_dir => $faillock_log_dir,
display_account_lock => $display_account_lock,
fail_interval => $fail_interval,
remember => $remember,
remember_retry => $remember_retry,
remember_for_root => $remember_for_root,
even_deny_root => $even_deny_root,
root_unlock_time => $root_unlock_time,
hash_algorithm => $hash_algorithm,
rounds => $rounds,
uid => $uid,
unlock_time => $unlock_time,
preserve_ac => $preserve_ac,
use_netgroups => $use_netgroups,
use_openshift => $use_openshift,
sssd => $sssd,
tty_audit_users => $tty_audit_users,
separator => $separator,
enable_separator => $enable_separator,
oath => $oath,
oath_window => $oath_window
})
}
}
Expand All @@ -180,12 +189,12 @@
owner => 'root',
group => 'root',
mode => '0644',
content => $_content
content => $_content,
}

if ! $preserve_ac {
file { "${basedir}/${target}-ac":
ensure => absent
ensure => absent,
}
}
}
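Review bot: When `$pam::auth_basedir` is set, the new `else` branch uses it verbatim but nothing in this commit manages that directory: config.pp declares only `/etc/pam.d/simp`, and only when `use_authselect` is true, so the file resource this hunk's `content => $_content` belongs to (its title is above the hunk, presumably `${basedir}/${target}`) will fail on a host where the custom directory does not yet exist. I would resolve the base directory once in `pam::config` and declare it there as `file { $_basedir: ensure => 'directory', … }`, so every auth file autorequires it regardless of how the directory was chosen. Separately, the `-ac` cleanup at the bottom now targets `${basedir}/${target}-ac`, which under authselect is `/etc/pam.d/simp/…-ac`, whereas before this change it removed `/etc/pam.d/${target}-ac`; if clearing the old authconfig artefacts is still the intent, keep that resource on the literal `/etc/pam.d` path. Minor: `unless … else` is flagged by puppet-lint; `if $pam::auth_basedir { $basedir = $pam::auth_basedir } else { … }` reads the same and lints clean.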
98 changes: 54 additions & 44 deletions manifests/config.pp
Expand Up @@ -10,7 +10,17 @@
owner => 'root',
group => 'root',
mode => '0644',
recurse => true
recurse => true,
}

if $pam::use_authselect {
file { '/etc/pam.d/simp':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644',
recurse => true,
}
}

if ($pam::password_check_backend == 'pwquality') {
Expand All @@ -20,29 +30,29 @@
group => 'root',
mode => '0644',
content => epp("${module_name}/etc/security/pwquality.conf.epp", {
difok => $pam::cracklib_difok,
maxrepeat => $pam::cracklib_maxrepeat,
maxsequence => $pam::cracklib_maxsequence,
maxclassrepeat => $pam::cracklib_maxclassrepeat,
gecoscheck => $pam::cracklib_gecoscheck,
dcredit => $pam::cracklib_dcredit,
ucredit => $pam::cracklib_ucredit,
lcredit => $pam::cracklib_lcredit,
ocredit => $pam::cracklib_ocredit,
minclass => $pam::cracklib_minclass,
minlen => $pam::cracklib_minlen,
retry => $pam::cracklib_retry,
badwords => $pam::cracklib_badwords,
dictpath => $pam::cracklib_dictpath,
dictcheck => $pam::dictcheck
})
difok => $pam::cracklib_difok,
maxrepeat => $pam::cracklib_maxrepeat,
maxsequence => $pam::cracklib_maxsequence,
maxclassrepeat => $pam::cracklib_maxclassrepeat,
gecoscheck => $pam::cracklib_gecoscheck,
dcredit => $pam::cracklib_dcredit,
ucredit => $pam::cracklib_ucredit,
lcredit => $pam::cracklib_lcredit,
ocredit => $pam::cracklib_ocredit,
minclass => $pam::cracklib_minclass,
minlen => $pam::cracklib_minlen,
retry => $pam::cracklib_retry,
badwords => $pam::cracklib_badwords,
dictpath => $pam::cracklib_dictpath,
dictcheck => $pam::dictcheck
}),
}

if $pam::rm_pwquality_conf_d {
# Ensure that we can't be overridden
file { '/etc/security/pwquality.conf.d':
ensure => 'absent',
force => true
force => true,
}
}
}
Expand All @@ -52,8 +62,8 @@
}
else {
$_other_content = epp("${module_name}/etc/pam.d/other.epp", {
warn_if_unknown => $pam::warn_if_unknown,
deny_if_unknown => $pam::deny_if_unknown
warn_if_unknown => $pam::warn_if_unknown,
deny_if_unknown => $pam::deny_if_unknown
})
}

Expand All @@ -63,47 +73,47 @@
owner => 'root',
group => 'root',
mode => '0644',
;
[ '/etc/pam.d/atd', '/etc/pam.d/crond' ]:
;
;
['/etc/pam.d/atd', '/etc/pam.d/crond']:
;
'/etc/pam.d/sudo':
content => epp('pam/etc/pam.d/sudo', {
content => epp('pam/etc/pam.d/sudo', {
'pam_module_path' => 'system-auth',
'force_revoke' => false,
'tty_audit_users' => $pam::tty_audit_users,
})
;
})
;
'/etc/pam.d/sudo-i':
content => epp('pam/etc/pam.d/sudo', {
content => epp('pam/etc/pam.d/sudo', {
'pam_module_path' => 'sudo',
'force_revoke' => true,
'tty_audit_users' => $pam::tty_audit_users,
})
;
})
;
'/etc/pam.d/other':
content => $_other_content,
;
;
}

if ($facts['os']['release']['major'] <= '7') and ($pam::disable_authconfig == true) {
# Replace authconfig and authconfig-tui with a no-op script
# so that those tools can't be used to modify PAM.
file { '/usr/local/sbin/simp_authconfig.sh':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => file("${module_name}/simp_authconfig.sh")
}
file { '/usr/local/sbin/simp_authconfig.sh':
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0755',
content => file("${module_name}/simp_authconfig.sh"),
}

file { [
file { [
'/usr/sbin/authconfig',
'/usr/sbin/authconfig-tui'
]:
'/usr/sbin/authconfig-tui',
]:
ensure => 'link',
target => '/usr/local/sbin/simp_authconfig.sh',
require => File['/usr/local/sbin/simp_authconfig.sh']
}
require => File['/usr/local/sbin/simp_authconfig.sh'],
}
}

if ($pam::faillock_log_dir) {
Expand All @@ -115,9 +125,9 @@
seluser => 'system_u',
selrole => 'object_r',
seltype => 'faillog_t',
selrange => 's0'
selrange => 's0',
}
}

if ! empty($pam::auth_sections) { ::pam::auth { $pam::auth_sections: }}
if ! empty($pam::auth_sections) { ::pam::auth { $pam::auth_sections: } }
}
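Review bot: The new `/etc/pam.d/simp` directory is declared, but nothing in this section makes authselect include the files written there, and the `sudo`/`sudo-i` entries still pass `'pam_module_path' => 'system-auth'`; if the template turns that into an include of `system-auth`, it keeps resolving to the authselect-managed `/etc/pam.d/system-auth`, so on an authselect host the hardened stack rendered into `/etc/pam.d/simp/` may not be on the effective PAM path at all. If the include is arranged by a custom authselect profile outside this commit, a comment on the `if $pam::use_authselect` block saying so, and that `authselect current` is how an operator confirms the profile is active, would answer the question the next reader will have. The directory mode `'0644'` is fine in Puppet (it adds the search bit to directories when read is set), but `'0755'` would state the intent directly.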
24 changes: 16 additions & 8 deletions manifests/init.pp
Expand Up @@ -270,6 +270,15 @@
# Disable authconfig from being used, as it breaks this module's reconfiguration
# of PAM.
#
# @param use_authselect
# If true, the files created in this module will be created in a simp directory
# and authselect will simply include the files created under that new directory.
# In short, if this value is true, the files will be created the same way, they
# will just live under a different directory and be included by the original files
#
# @param auth_basedir
# The directory in which the auth files will be created
#
# @param package_ensure
# Ensure setting for all packages installed by this module
#
Expand Down Expand Up @@ -319,11 +328,11 @@
Boolean $deny_if_unknown = true,
Boolean $use_netgroups = false,
Boolean $use_openshift = false,
Boolean $sssd = simplib::lookup('simp_options::sssd', { 'default_value' => false}),
Boolean $sssd = simplib::lookup('simp_options::sssd', { 'default_value' => false }),
Boolean $enable_separator = true,
String[0] $separator = ',',
Array[String[0]] $tty_audit_users = [ 'root' ],
Pam::AuthSections $auth_sections = [ 'fingerprint', 'system', 'password', 'smartcard' ],
Array[String[0]] $tty_audit_users = ['root'],
Pam::AuthSections $auth_sections = ['fingerprint', 'system', 'password', 'smartcard'],
Optional[Array[String]] $auth_content_pre = undef,
Optional[Array[String]] $su_content_extra = undef,
Optional[String] $su_content = undef,
Expand All @@ -332,14 +341,14 @@
Optional[String] $system_auth_content = undef,
Optional[String] $password_auth_content = undef,
Optional[String] $smartcard_auth_content = undef,
Optional[StdLib::Absolutepath] $auth_basedir = undef,
Boolean $enable = true,
Boolean $enable_warning = true,
Boolean $disable_authconfig = true,
Boolean $use_authselect = simplib::lookup('simp_options::authselect', { 'default_value' => false }),
Simplib::PackageEnsure $package_ensure = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'present' })
) {


if simplib::lookup('simp_options::pam', { 'default_value' => true } ) {
if simplib::lookup('simp_options::pam', { 'default_value' => true }) {
if $enable {
simplib::assert_metadata( $module_name )

Expand All @@ -348,11 +357,10 @@

Class['pam::install']
-> Class['pam::config']

}
}
else {
# The global catalyst was set to false but the module was included
# The global catalyst was set to false but the module was included
if $enable_warning {
if simplib::lookup('simp_options::pam', { 'default_value' => true }) == false {
warning('Module pupmod-simp-pam was included but global catalyst simp_options::pam is set to false. This could have unexpected effects.')
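Review bot: The `@param auth_basedir` text says only where the auth files are created; it should also state that a set value overrides the directory chosen by `use_authselect` and that, as the code stands, this module does not create that directory (config.pp manages only `/etc/pam.d/simp`), e.g. `#   Overrides the directory selected by use_authselect; the directory itself is not managed by this module.` The type is spelled `StdLib::Absolutepath` whereas the stdlib alias is conventionally written `Stdlib::Absolutepath`; Puppet resolves type names case-insensitively as far as I can tell, but matching the spelling used elsewhere in this file avoids the doubt. The `use_authselect` doc promises the files "will be included by the original files", which nothing in this commit sets up; say where that include happens (a custom authselect profile, presumably) or soften the sentence.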
