Commit 9bfa49aa authored by Lars Beckers's avatar Lars Beckers

Merge branch 'fix-pam-auth' into 'master'

fix building pam config

See merge request !7
parents 43ad6950 42c343d7
Pipeline #3967 passed with stage
in 39 seconds
---
- name: regenerate pam config
# I kill that cat
- name: disable pam-auth-update heuristic
file:
path: /var/lib/pam/
state: "{{ item }}"
mode: "0755"
owner: root
group: root
with_items:
- absent
- directory
listen: "regenerate pam config"
- name: update pam
command: pam-auth-update --force
environment:
DEBIAN_FRONTEND: noninteractive
listen: "regenerate pam config"
- name: clear sssd cache
command: sss_cache -E
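Review bot: The `# I kill that cat` comment above the `disable pam-auth-update heuristic` handler does not say why `/var/lib/pam/` is deleted and recreated, which is a surprising thing to do to an authentication state directory. A comment such as `# drop pam-auth-update's recorded state so --force regenerates common-* from the debconf profile selection` would help, if that is the intent. Also, `pam-auth-update --force` overwrites local edits to the generated `/etc/pam.d/common-*` files without prompting, so hosts with hand-maintained changes there lose them whenever this handler fires. The handler file continues past the visible lines.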
......
......@@ -25,17 +25,34 @@
- pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4'
- name: ensure pam applies customized configs
copy:
src: "pam/{{ item }}"
template:
src: "pam/{{ item }}.j2"
dest: "/usr/share/pam-configs/{{ item }}"
owner: root
group: root
mode: '0644'
notify:
- disable pam-auth-update heuristic
- regenerate pam config
with_items:
- umask
- sss-custom
- unix-custom
tags:
- pam
- name: ensure we readout current debconf
debconf:
name: libpam-runtime
register: debconf_libpam
- name: ensure debconf is updated
debconf:
name: libpam-runtime
question: libpam-runtime/profiles
vtype: multiselect
value: >-
{{ debconf_libpam["current"]["libpam-runtime/profiles"].split(", ") |
map("regex_replace", '^(unix|sss)$', '\\1-custom') |
join(', ') }}
notify:
- disable pam-auth-update heuristic
- regenerate pam config
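Review bot: The `value` expression in `ensure debconf is updated` indexes `debconf_libpam["current"]["libpam-runtime/profiles"]` unconditionally, so on a host where that question has no stored answer the task aborts on an undefined key rather than skipping. Guarding the task with `when: "'libpam-runtime/profiles' in debconf_libpam.current"` avoids that without ever writing an empty profile list, which matters because the notified handlers rebuild the PAM stack from this selection. The two new debconf tasks also carry no `tags: pam`, unlike the template task as far as the hunk shows, so a `--tags pam` run would install the `*-custom` profiles without selecting them. The hunk starts inside the `when:` list of a preceding task.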
Name: SSS authentication
Name: SSS authentication custom
Default: yes
Conflicts: sss
Priority: 301
......
Name: Unix authentication
Name: Unix authentication custom
Default: yes
Conflicts: unix
Priority: 300
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
[success=end default=ignore] pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
Auth-Initial:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure
[success=end default=ignore] pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
......@@ -19,6 +19,7 @@ Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512
[success=end default=ignore] pam_unix.so obscure {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
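Review bot: The four version conditionals in this template (`Auth`, `Auth-Initial`, `Password`, `Password-Initial`) test only `ansible_distribution_major_version|int(default=99) < 11`, so a host with a non-numeric version, or any non-Debian host with a major version of 11 or more, silently gets `nullok` and `yescrypt`. `nullok` lets accounts with an empty password authenticate through pam_unix without the terminal restriction that `nullok_secure` applied, so that fallback should be a deliberate choice, not a side effect of `default=99`. Presumably 11 marks the Debian release where pam_unix dropped `nullok_secure` and gained yescrypt. If so, compute that once as a role variable that also checks `ansible_distribution`, and reference it in all four places. A short Jinja comment at the top of the template recording why 11 is the threshold would also help. Only part of the profile file is visible in these hunks.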