Commit 9e7973c6 authored by Hinrikus Wolf's avatar Hinrikus Wolf

fix building pam config

parent a7167ee0
1 merge request!7fix building pam config
Pipeline #3962 failed
--- ---
# I kill that cat
- name: disable pam-auth-update heuristic
file:
path: /var/lib/pam/
state: "{{ item }}"
mode: 0755
owner: root
group: root
with_items:
- absent
- directory
- name: regenerate pam config - name: regenerate pam config
command: pam-auth-update --force shell: rm -f /var/lib/pam/* && pam-auth-update --force
environment: environment:
DEBIAN_FRONTEND: noninteractive DEBIAN_FRONTEND: noninteractive
......
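Review bot: The state under /var/lib/pam appears to be cleared twice in the new code: once by the `disable pam-auth-update heuristic` handler, which loops `state` over `absent` and `directory`, and again by the `rm -f /var/lib/pam/*` in `regenerate pam config`. Keeping only the `file` handler would let the second one stay `command: pam-auth-update --force`, which avoids the shell module and its glob. The comment `# I kill that cat` does not say why the directory is wiped; something like `# drop pam-auth-update's saved state so --force rewrites /etc/pam.d/common-* from /usr/share/pam-configs` would tell the next maintainer that local edits to those files are discarded on purpose. `mode: 0755` is better written as `'0755'`, matching the quoted `'0644'` in the tasks. The rendered page has lost its +/- markers, so which of these lines are new is inferred from the layout.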
...@@ -25,17 +25,34 @@ ...@@ -25,17 +25,34 @@
- pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4' - pamunix.stat.checksum != 'f3703a58a041745d6b70b9ebb179736653d32ef4'
- name: ensure pam applies customized configs - name: ensure pam applies customized configs
copy: template:
src: "pam/{{ item }}" src: "pam/{{ item }}.j2"
dest: "/usr/share/pam-configs/{{ item }}" dest: "/usr/share/pam-configs/{{ item }}"
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: notify:
- disable pam-auth-update heuristic
- regenerate pam config - regenerate pam config
with_items: with_items:
- umask - umask
- sss-custom - sss-custom
- unix-custom - unix-custom
tags:
- pam - name: ensure we readout current debconf
debconf:
name: libpam-runtime
register: debconf_libpam
- name: ensure debconf is updated
debconf:
name: libpam-runtime
question: libpam-runtime/profiles
vtype: multiselect
value: >-
{{ debconf_libpam["current"]["libpam-runtime/profiles"].split(", ") |
map("regex_replace", '^(unix|sss)$', '\\1-custom') |
join(', ') }}
notify:
- disable pam-auth-update heuristic
- regenerate pam config
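Review bot: The `value` expression in `ensure debconf is updated` indexes `debconf_libpam["current"]["libpam-runtime/profiles"]` directly, so the play stops with an undefined-key error on a host where that question has not been recorded yet. A guard such as `when: '"libpam-runtime/profiles" in debconf_libpam.current'` would skip the rewrite on such a host. Defaulting the lookup to an empty string is not a good substitute, because the task would then write an empty profile selection for the PAM stack.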
Name: SSS authentication Name: SSS authentication custom
Default: yes Default: yes
Conflicts: sss Conflicts: sss
Priority: 301 Priority: 301
......
File moved
Name: Unix authentication Name: Unix authentication custom
Default: yes Default: yes
Conflicts: unix Conflicts: unix
Priority: 300 Priority: 300
Auth-Type: Primary Auth-Type: Primary
Auth: Auth:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure [success=end default=ignore] pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
Auth-Initial: Auth-Initial:
[success=end default=ignore] pam_unix.so use_first_pass nullok_secure [success=end default=ignore] pam_unix.so try_first_pass {{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "nullok" }}
Account-Type: Primary Account-Type: Primary
Account: Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so [success=end new_authtok_reqd=done default=ignore] pam_unix.so
...@@ -19,6 +19,7 @@ Session-Initial: ...@@ -19,6 +19,7 @@ Session-Initial:
required pam_unix.so required pam_unix.so
Password-Type: Primary Password-Type: Primary
Password: Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
Password-Initial: Password-Initial:
[success=end default=ignore] pam_unix.so obscure sha512 [success=end default=ignore] pam_unix.so obscure {{ "sha512" if ansible_distribution_major_version|int(default=99) < 11 else "yescrypt" }}
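Review bot: On major version 11 and later the `Auth` and `Auth-Initial` lines now render `nullok` where older releases get `nullok_secure`. That drops the restriction of empty-password logins to secure ttys, so pam_unix will accept an account with an empty password from any service that uses this stack. Unless such accounts are required, render no option on the newer branch, e.g. `{{ "nullok_secure" if ansible_distribution_major_version|int(default=99) < 11 else "" }}`. The same test also selects `yescrypt` for any host whose major version is 11 or higher, or not numeric; that assumes Debian numbering, so if the role is applied to other distributions the condition should check `ansible_distribution` as well. The file continues outside the lines shown here.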