Incorporate stx custom pam-config files for Debian

STX customizes some pam configurations. This update incorporated the following customized pam config files on Debian: common-account common-auth common-password common-session common-session-noninteractive This update dropped the following customized pam config files that are on CentOS: sshd system-auth The default sshd will be used. system-auth is CentOS specific and it's not used on Debian. Their settings are covered by the common-* config files. Test Plan on Debian: PASS: package build, image build PASS: system installation, bootstrap and unlock PASS: console login by sysadmin, ldap users. Observe that home directory is created the first time the user login. PASS: su to sysdmin, su to ldap users. Observed that home directory is created the first time the user is su to. PASS: ssh by sysadmin, ldap users. Observe that home directory is created for the first time the user login by ssh. PASS: change password for sysadmin, ldap users. Observe the password quality rule is respected. PASS: change password for sysadmin, ldap users. Observe the password history rule is respected. Story: 2009965 Task: 45290 Signed-off-by: Andy Ning <andy.ning@windriver.com> Change-Id: I21acda0be4af43ddc7580ed662ae86b9ef152684
2022-05-05 14:50:24 -04:00 · 2022-05-05 14:50:24 -04:00 · 0fd3faac49
parent 33cbfc6c22
commit 0fd3faac49
7 changed files with 11 additions and 110 deletions
--- a/pam-config/debian/deb_folder/pam-config.install
+++ b/pam-config/debian/deb_folder/pam-config.install
@ -1,8 +1,5 @@
-common-auth /etc/pam.d
-common-password /etc/pam.d
-common-session /etc/pam.d
-common-session-noninteractive /etc/pam.d
-common-account /etc/pam.d
-
-system-auth.pamd /usr/share/starlingx
-sshd.pam /usr/share/starlingx
+common-auth /usr/share/starlingx
+common-password /usr/share/starlingx
+common-session /usr/share/starlingx
+common-session-noninteractive /usr/share/starlingx
+common-account /usr/share/starlingx
--- a/pam-config/debian/deb_folder/postinst
+++ b/pam-config/debian/deb_folder/postinst
@ -2,7 +2,10 @@

 set -e

-cp /usr/share/starlingx/system-auth.pamd /etc/pam.d/system-auth
-cp /usr/share/starlingx/sshd.pam /etc/pam.d/sshd
+cp /usr/share/starlingx/common-account /etc/pam.d/common-account
+cp /usr/share/starlingx/common-auth /etc/pam.d/common-auth
+cp /usr/share/starlingx/common-password /etc/pam.d/common-password
+cp /usr/share/starlingx/common-session /etc/pam.d/common-session
+cp /usr/share/starlingx/common-session-noninteractive /etc/pam.d/common-session-noninteractive

 #DEBHELPER#
--- a/pam-config/debian/deb_folder/postrm
+++ b/pam-config/debian/deb_folder/postrm
@ -1,20 +0,0 @@
-#!/bin/sh
-
-set -e
-
-dpkg-divert --remove --package pam-config --rename \
-    /etc/pam.d/common-auth
-
-dpkg-divert --remove --package pam-config --rename \
-    /etc/pam.d/common-password
-
-dpkg-divert --remove --package pam-config --rename \
-    /etc/pam.d/common-session
-
-dpkg-divert --remove --package pam-config --rename \
-    /etc/pam.d/common-session-noninteractive
-
-dpkg-divert --remove --package pam-config --rename \
-    /etc/pam.d/common-account
-
-#DEBHELPER#
--- a/pam-config/debian/deb_folder/preinst
+++ b/pam-config/debian/deb_folder/preinst
@ -1,25 +0,0 @@
-#!/bin/sh
-
-set -e
-
-dpkg-divert --add --package pam-config --rename \
-    --divert /etc/pam.d/common-auth.old \
-    /etc/pam.d/common-auth
-
-dpkg-divert --add --package pam-config --rename \
-    --divert /etc/pam.d/common-password.old \
-    /etc/pam.d/common-password
-
-dpkg-divert --add --package pam-config --rename \
-    --divert /etc/pam.d/common-session.old \
-    /etc/pam.d/common-session
-
-dpkg-divert --add --package pam-config --rename \
-    --divert /etc/pam.d/common-session-noninteractive.old \
-    /etc/pam.d/common-session-noninteractive
-
-dpkg-divert --add --package pam-config --rename \
-    --divert /etc/pam.d/common-account.old \
-    /etc/pam.d/common-account
-
-#DEBHELPER#
--- a/pam-config/source-debian/common-session
+++ b/pam-config/source-debian/common-session
@ -19,3 +19,4 @@ session     required        pam_permit.so
 session     [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so
 session     [success=ok new_authtok_reqd=done default=bad]      pam_ldap.so
 session     required        pam_mkhomedir.so umask=0022 skel=/etc/skel
+session     optional        pam_systemd.so
--- a/pam-config/source-debian/sshd.pam
+++ b/pam-config/source-debian/sshd.pam
@ -1,24 +0,0 @@
-# WRSM-1.0
-
-auth       include      common-auth
-account    required     pam_nologin.so
-
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without out this it is possible
-# that a module could execute code in the wrong domain.
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)
-session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-
-account    include      common-account
-password   include      common-password
-session    optional     pam_keyinit.so force revoke
-session    include      common-session
-session    required     pam_loginuid.so
-
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-# When the module is present, "required" would be sufficient (When SELinux
-# is disabled, this returns success.)
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
--- a/pam-config/source-debian/system-auth.pamd
+++ b/pam-config/source-debian/system-auth.pamd
@ -1,31 +0,0 @@
-#%PAM-1.0
-auth        required      pam_env.so
-auth        sufficient    pam_unix.so try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
-auth        required      pam_deny.so
-
-account     required      pam_unix.so
-account     sufficient    pam_localuser.so
-account     sufficient    pam_succeed_if.so uid < 1000 quiet
-account     required      pam_permit.so
-
-################# StarlingX Cloud Password Rules #######################
-# Enforce a password containing atleast 1 lower case, 1 upper case,   #
-# 1 digit and 1 special character. Such a password will have a        #
-# minimum length of 7 characters. A user may not re-use the last most #
-# recent password and every password must differ from its previous    #
-# one by atleast 3 characters                                         # 
-# - Added enforce_for_root for pam_pwquality.so             #
-#######################################################################
-
-password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
-password    requisite     pam_pwhistory.so use_authtok enforce_for_root remember=2
-
-password    [success=2 default=ignore]      pam_unix.so sha512 shadow try_first_pass use_authtok
-password    [success=1 default=ignore]      pam_ldap.so use_authtok
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
-session     optional      pam_systemd.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so