From 2fa7da36c84ddadc333d7a32346a3a285043d60a Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Thu, 19 Nov 2020 22:21:00 +0100
Subject: [PATCH] ad-auth: custom pam configs to prefer sss over unix
---
 ad-auth/files/pam/sss-custom | 23 +++++++++++++++++++++++
 ad-auth/files/pam/unix-custom | 24 ++++++++++++++++++++++++
 ad-auth/tasks/pam.yml | 29 +++++++++++++++++++++++++----
 3 files changed, 72 insertions(+), 4 deletions(-)
 create mode 100644 ad-auth/files/pam/sss-custom
 create mode 100644 ad-auth/files/pam/unix-custom
diff --git a/ad-auth/files/pam/sss-custom b/ad-auth/files/pam/sss-custom
new file mode 100644
index 0000000..fc1f9c8
--- /dev/null
+++ b/ad-auth/files/pam/sss-custom
@@ -0,0 +1,23 @@
+Name: SSS authentication
+Default: yes
+Conflicts: sss
+Priority: 301
+
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
+Auth-Initial:
+ [success=end default=ignore] pam_sss.so ignore_unknown_user forward_pass
+Account-Type: Additional
+Account:
+ sufficient pam_localuser.so
+ [default=bad success=ok user_unknown=ignore] pam_sss.so
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ optional pam_sss.so
+Password-Type: Primary
+Password:
+ sufficient pam_sss.so use_authtok
+Password-Initial:
+ sufficient pam_sss.so
diff --git a/ad-auth/files/pam/unix-custom b/ad-auth/files/pam/unix-custom
new file mode 100644
index 0000000..17aee25
--- /dev/null
+++ b/ad-auth/files/pam/unix-custom
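Review bot: The profile does not record how it differs from the stock `sss` profile it displaces through `Conflicts: sss`, so when the checksum guard in ad-auth/tasks/pam.yml fires, the maintainer has no way to tell which lines must be carried over to a refreshed copy; I would document the deltas in the role's README (or at the top of this file, if pam-auth-update tolerates `#` lines — please verify before relying on it), along the lines of `Based on the distribution sss profile; changes: Priority 301 so it runs before unix, Auth/Auth-Initial use ignore_unknown_user forward_pass`. Note also that the non-initial `Auth:` line carries `forward_pass` but not `use_first_pass`, so if a Primary profile with a priority above 301 is ever enabled, pam_sss will presumably prompt for the password a second time rather than reuse the one already collected; stock profiles put `use_first_pass` on the non-initial line for that reason, so confirm the omission is intended.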
@@ -0,0 +1,24 @@
+Name: Unix authentication
+Default: yes
+Conflicts: unix
+Priority: 300
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so use_first_pass nullok_secure
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so use_first_pass nullok_secure
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure sha512
diff --git a/ad-auth/tasks/pam.yml b/ad-auth/tasks/pam.yml
index 43973a6..b003214 100644
--- a/ad-auth/tasks/pam.yml
+++ b/ad-auth/tasks/pam.yml
@@ -1,14 +1,35 @@
 ---
-# file: roles/ad-auth/tasks/pam.yml
-- name: ensure pam applies a general umask
+- name: retrieve data of overwritten pam configs (unix)
+  stat:
+    path: "/usr/share/pam-configs/unix"
+    checksum_algorithm: "sha1"
+  register: "pamunix"
+
+- name: retrieve data of overwritten pam configs (sss)
+  stat:
+    path: "/usr/share/pam-configs/sss"
+    checksum_algorithm: "sha1"
+  register: "pamsss"
+
+- name: check that overwritten pam configs were not updated
+  fail:
+    msg: "The original PAM configs (unix/sss) that we overwrite have changed."
+  when: (pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
+        or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d')
+
+- name: ensure pam applies customized configs
   copy:
-    src: pam/umask
-    dest: /usr/share/pam-configs/umask
+    src: "pam/{{ item }}"
+    dest: "/usr/share/pam-configs/{{ item }}"
     owner: root
     group: root
     mode: '0644'
   notify:
     - regenerate pam config
+  with_items:
+    - umask
+    - sss-custom
+    - unix-custom
   tags:
     - pam
-- GitLab
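Review bot: The `Auth-Initial:` line passes `use_first_pass` to pam_unix.so, but Auth-Initial is the variant pam-auth-update emits when pam_unix is the first Primary module, i.e. when nothing has prompted yet; with no password in PAM_AUTHTOK that line fails instead of prompting, so disabling sss-custom (or removing sssd) would lock out every local account, including root at the console. Use `[success=end default=ignore] pam_unix.so nullok_secure` (or `try_first_pass`) on the initial line. The `Auth:` line's `use_first_pass` is likewise only safe if pam_sss always prompts before it returns PAM_IGNORE for users it does not know (`ignore_unknown_user` in sss-custom); if it can return early without prompting, local users hit the same failure, whereas `try_first_pass` reuses the forwarded password when present and falls back to a prompt otherwise.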
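Review bot: The `when:` on the fail task dereferences `pamunix.stat.checksum` and `pamsss.stat.checksum`, but the stat module returns only `exists: false` for a missing path, so on a host where sssd (or the stock unix profile) is not installed yet the task aborts with an undefined-attribute error instead of the intended message. Guarding on `stat.exists` first gives a clear failure, and a `>-` folded scalar avoids the parenthesised multi-line plain scalar, which relies on YAML line folding to stay one expression. The task name and message also say the files are "overwritten", while the copy task installs `sss-custom`/`unix-custom` next to the originals and relies on `Conflicts:` — "superseded" would describe it more accurately.
```yaml
# … unchanged: the two stat tasks …
- name: check that overwritten pam configs were not updated
  fail:
    msg: "The original PAM configs (unix/sss) that we overwrite are missing or have changed."
  when: >-
    not (pamunix.stat.exists and pamsss.stat.exists)
    or pamunix.stat.checksum != '727dc8f53ceaea0264d0877fcbb2a52eb341ff10'
    or pamsss.stat.checksum != '3c1d4e9fa522e2ec9729260d3b108ef31df8ef9d'
# … unchanged: copy task …
```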