Commit 2fa7da36 authored by Lars Beckers's avatar Lars Beckers

ad-auth: custom pam configs to prefer sss over unix

parent ad9afb4a
Name: SSS authentication
Default: yes
Conflicts: sss
Priority: 301
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Auth-Initial:
[success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
Account-Type: Additional
Account:
sufficient pam_localuser.so
[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session-Interactive-Only: yes
Session:
optional pam_sss.so
Password-Type: Primary
Password:
sufficient pam_sss.so use_authtok
Password-Initial:
sufficient pam_sss.so
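Review bot: The non-initial `Auth:` line (L19) carries `forward_pass` but not `use_first_pass`, so pam_sss will prompt for a password itself even when a higher-priority Primary module has already collected one; with this profile at priority 301 above unix-custom there is no such module today, so `Auth` and `Auth-Initial` coincide and the double prompt is only latent. If that ordering is the deliberate reason for the duplication, I would record it in the role, otherwise use `[success=end default=ignore] pam_sss.so ignore_unknown_user use_first_pass forward_pass` on the `Auth:` line only, which as far as I recall is how the packaged sss profile splits the two stanzas. Note also that `sufficient pam_localuser.so` in `Account:` (L24) ends the account check for any user present in /etc/passwd, so SSSD access control never applies to local accounts; that is the distro default but worth stating, since a local account that shadows an AD name bypasses it. The file header of this section is not visible in the rendered page.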
Name: Unix authentication
Default: yes
Conflicts: unix
Priority: 300
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Auth-Initial:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512
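Review bot: `Auth-Initial:` (L43) uses `use_first_pass`, which makes pam_unix fail outright when no password is already on the stack; pam-auth-update only selects the Initial stanza when this module is the first Primary, i.e. exactly the case where nothing has forwarded a password yet. As long as sss-custom is enabled at priority 301 this line is never reached, but if that profile is disabled, removed or fails to apply, every password login falls through to pam_unix with nothing to consume and the host locks out, so I would drop the option there: `[success=end default=ignore] pam_unix.so nullok_secure`, keeping `use_first_pass` on the non-initial `Auth:` line (L41) where a forwarded password is guaranteed. Separately, `nullok_secure` (L41, L43) permits accounts with an empty password field to log in from ttys listed in /etc/securetty; that is the distro default, but on AD-joined hosts it is worth deciding explicitly whether any such account should exist. The file header of this section is not visible in the rendered page.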
--- ---
# file: roles/ad-auth/tasks/pam.yml
- name: ensure pam applies a general umask - name: retrieve data of overwritten pam configs (unix)
stat:
path: "/usr/share/pam-configs/unix"
checksum_algorithm: "sha1"
register: "pamunix"
- name: retrieve data of overwritten pam configs (sss)
stat:
path: "/usr/share/pam-configs/sss"
checksum_algorithm: "sha1"
register: "pamsss"
- name: check that overwritten pam configs were not updated
fail:
msg: "The original PAM configs (unix/sss) that we overwrite have changed."
when: (pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
- name: ensure pam applies customized configs
copy: copy:
src: pam/umask src: "pam/{{ item }}"
dest: /usr/share/pam-configs/umask dest: "/usr/share/pam-configs/{{ item }}"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: notify:
- regenerate pam config - regenerate pam config
with_items:
- umask
- sss-custom
- unix-custom
tags: tags:
- pam - pam
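Review bot: The drift guard (L71-L75) assumes both stock profiles exist: `stat` on a missing path returns `exists: false` with no `checksum` key, so the `when:` expression raises an undefined-variable error instead of the intended message if the task ever runs on a host where libpam-sss or the unix profile is absent. Guard on existence first, `when: not (pamunix.stat.exists and pamsss.stat.exists) or pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10' or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d'`, and consider naming the drifted file in `msg`, since the operator then has to re-sync the matching `sss-custom`/`unix-custom` copy by hand. The pinned sha1 values tie the role to one package revision, which appears intended; a comment recording the package version they were taken from would make the inevitable re-pin easier. The hunk is rendered side-by-side, so old and new text share lines above and the original indentation is lost.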