Incorporate stx custom pam-config files for Debian
STX customizes some pam configurations. This update incorporates the following customized pam config files on Debian: common-account common-auth common-password common-session common-session-noninteractive. This update drops the following customized pam config files that exist on CentOS: sshd system-auth. The default sshd will be used. system-auth is CentOS specific and is not used on Debian; its settings are covered by the common-* config files. Test Plan on Debian: PASS: package build, image build PASS: system installation, bootstrap and unlock PASS: console login by sysadmin and ldap users. Observed that the home directory is created the first time the user logs in. PASS: su to sysadmin, su to ldap users. Observed that the home directory is created the first time the user is switched to with su. PASS: ssh by sysadmin and ldap users. Observed that the home directory is created the first time the user logs in by ssh. PASS: change password for sysadmin and ldap users. Observed that the password quality rule is respected. PASS: change password for sysadmin and ldap users. Observed that the password history rule is respected. Story: 2009965 Task: 45290 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: I21acda0be4af43ddc7580ed662ae86b9ef152684
This commit is contained in:
parent
33cbfc6c22
commit
0fd3faac49
|
@ -1,8 +1,5 @@
|
|||
common-auth /etc/pam.d
|
||||
common-password /etc/pam.d
|
||||
common-session /etc/pam.d
|
||||
common-session-noninteractive /etc/pam.d
|
||||
common-account /etc/pam.d
|
||||
|
||||
system-auth.pamd /usr/share/starlingx
|
||||
sshd.pam /usr/share/starlingx
|
||||
common-auth /usr/share/starlingx
|
||||
common-password /usr/share/starlingx
|
||||
common-session /usr/share/starlingx
|
||||
common-session-noninteractive /usr/share/starlingx
|
||||
common-account /usr/share/starlingx
|
||||
|
|
|
@ -2,7 +2,10 @@
|
|||
|
||||
set -e
|
||||
|
||||
cp /usr/share/starlingx/system-auth.pamd /etc/pam.d/system-auth
|
||||
cp /usr/share/starlingx/sshd.pam /etc/pam.d/sshd
|
||||
cp /usr/share/starlingx/common-account /etc/pam.d/common-account
|
||||
cp /usr/share/starlingx/common-auth /etc/pam.d/common-auth
|
||||
cp /usr/share/starlingx/common-password /etc/pam.d/common-password
|
||||
cp /usr/share/starlingx/common-session /etc/pam.d/common-session
|
||||
cp /usr/share/starlingx/common-session-noninteractive /etc/pam.d/common-session-noninteractive
|
||||
|
||||
#DEBHELPER#
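Review bot: The new `cp` lines overwrite `/etc/pam.d/common-*` unconditionally, and with the dpkg-divert preinst/prerm deleted in this commit nothing records that this package now owns those paths; on Debian they are conffiles of libpam-runtime managed by pam-auth-update, so a later libpam-runtime upgrade or a `pam-auth-update --force` can regenerate them and silently drop the pwquality, pwhistory and mkhomedir rules, and nothing visible here restores them when this package is removed. The copy also runs on every postinst invocation rather than only on configure; at minimum guard it with `if [ "$1" = "configure" ]; then … fi`, and consider keeping the diversions or shipping pam-auth-update profiles under /usr/share/pam-configs so the hardened rules survive regeneration. A short comment stating the intent would help the next maintainer, e.g. `# Replace the libpam-runtime defaults with the StarlingX PAM stack (password quality/history, mkhomedir).` The script's shebang on line 1 lies outside the hunk.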
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
dpkg-divert --remove --package pam-config --rename \
|
||||
/etc/pam.d/common-auth
|
||||
|
||||
dpkg-divert --remove --package pam-config --rename \
|
||||
/etc/pam.d/common-password
|
||||
|
||||
dpkg-divert --remove --package pam-config --rename \
|
||||
/etc/pam.d/common-session
|
||||
|
||||
dpkg-divert --remove --package pam-config --rename \
|
||||
/etc/pam.d/common-session-noninteractive
|
||||
|
||||
dpkg-divert --remove --package pam-config --rename \
|
||||
/etc/pam.d/common-account
|
||||
|
||||
#DEBHELPER#
|
|
@ -1,25 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
dpkg-divert --add --package pam-config --rename \
|
||||
--divert /etc/pam.d/common-auth.old \
|
||||
/etc/pam.d/common-auth
|
||||
|
||||
dpkg-divert --add --package pam-config --rename \
|
||||
--divert /etc/pam.d/common-password.old \
|
||||
/etc/pam.d/common-password
|
||||
|
||||
dpkg-divert --add --package pam-config --rename \
|
||||
--divert /etc/pam.d/common-session.old \
|
||||
/etc/pam.d/common-session
|
||||
|
||||
dpkg-divert --add --package pam-config --rename \
|
||||
--divert /etc/pam.d/common-session-noninteractive.old \
|
||||
/etc/pam.d/common-session-noninteractive
|
||||
|
||||
dpkg-divert --add --package pam-config --rename \
|
||||
--divert /etc/pam.d/common-account.old \
|
||||
/etc/pam.d/common-account
|
||||
|
||||
#DEBHELPER#
|
|
@ -19,3 +19,4 @@ session required pam_permit.so
|
|||
session [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
|
||||
session [success=ok new_authtok_reqd=done default=bad] pam_ldap.so
|
||||
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
|
||||
session optional pam_systemd.so
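Review bot: The added pam_mkhomedir line uses `umask=0022`, so every home directory created on first login is world-readable and traversable (0755), exposing LDAP users' dotfiles and shell history to any other local account. For a hardened image the directories should be created private — `session required pam_mkhomedir.so umask=0077 skel=/etc/skel` — unless the product deliberately relies on cross-user access to home directories; as far as I recall newer Debian releases already default adduser-created homes to 0700, so this would also keep local and LDAP users consistent. `required` is appropriate here, since a failure to create the home directory then refuses the session instead of dropping the user into `/`. The rest of common-session, including the ordering of the earlier session rules, is outside the hunk.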
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
# WRSM-1.0
|
||||
|
||||
auth include common-auth
|
||||
account required pam_nologin.so
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without out this it is possible
|
||||
# that a module could execute code in the wrong domain.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
account include common-account
|
||||
password include common-password
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include common-session
|
||||
session required pam_loginuid.so
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process
|
||||
# starts in the proper default security context. Only sessions which are
|
||||
# intended to run in the user's context should be run after this.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
@ -1,31 +0,0 @@
|
|||
#%PAM-1.0
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 1000 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
################# StarlingX Cloud Password Rules #######################
|
||||
# Enforce a password containing atleast 1 lower case, 1 upper case, #
|
||||
# 1 digit and 1 special character. Such a password will have a #
|
||||
# minimum length of 7 characters. A user may not re-use the last most #
|
||||
# recent password and every password must differ from its previous #
|
||||
# one by atleast 3 characters #
|
||||
# - Added enforce_for_root for pam_pwquality.so #
|
||||
#######################################################################
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
|
||||
password requisite pam_pwhistory.so use_authtok enforce_for_root remember=2
|
||||
|
||||
password [success=2 default=ignore] pam_unix.so sha512 shadow try_first_pass use_authtok
|
||||
password [success=1 default=ignore] pam_ldap.so use_authtok
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|