author | Simon Rettberg | 2018-03-08 17:14:42 +0100 |
---|---|---|
committer | Simon Rettberg | 2018-03-08 17:14:42 +0100 |
commit | 53f8946416b456476d130334490790c3979d2f82 (patch) | |
tree | 6d2483d84477e109de568455ab96aa2cf807b253 /core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config | |
parent | [hardware-stats] check if '--no-legend' is needed (diff) | |
[pam-slx-plug] Starting to separate some of the pam/nsswitch logic out of sssd/pam
Preparation for our own LDAP/AD login handling; sssd will only be used for
nsswitch-related lookups and as a fallback.
Diffstat (limited to 'core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config')
-rwxr-xr-x | core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
new file mode 100755
index 00000000..0138d3d0
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
@@ -0,0 +1,121 @@
+#!/bin/bash
+# -- bash for arrays
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+declare -a auth
+declare -a account
+declare -a session
+declare -a nss
+declare -a dns
+
+# Our plugin, but account ONLY since it's fast
+account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/pam/exec_account")
+
+# unix
+auth+=("[success=%NUM% default=ignore] pam_unix.so nodelay")
+account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_unix.so")
+nss+=("files" "cache")
+
+# check for bwIDM
+if [ -x "/opt/openslx/scripts/pam_bwidm" ]; then
+ auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/scripts/pam_bwidm")
+ account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_exec.so quiet /opt/openslx/scripts/pam_bwidm")
+fi
+
+# Insert kerberos before our auth module
+if [ -s "/etc/ksb5.conf" ]; then
+ auth+=("optional pam_krb5.so minimum_uid=1000 use_first_pass")
+ session+=("optional pam_krb5.so minimum_uid=1000")
+fi
+
+# Our plugin, auth now
+auth+=("[success=%NUM% default=ignore] pam_exec.so quiet expose_authtok /opt/openslx/pam/exec_auth")
+
+# sssd if reasonable
+if systemctl is-enabled -q sssd.service && grep -q -e '^\s*id_provider' -e '^\s*auth_provider' "/etc/sssd/sssd.conf"; then
+ auth+=("[success=%NUM% default=ignore] pam_sss.so use_first_pass")
+ account+=("[success=%NUM% new_authtok_reqd=done default=ignore] pam_sss.so")
+ nss+=("sss")
+ # Skip sss if unix worked
+ session+=("[success=1] pam_unix.so")
+ session+=("optional pam_sss.so")
+else
+ session+=("optional pam_unix.so")
+fi
+
+# DNS
+dns+=("files" "cache")
+if systemctl is-enabled -q systemd-resolved; then
+ dns+=("resolve")
+fi
+dns+=("dns")
+
+session+=("optional pam_exec.so quiet /opt/openslx/pam/exec_session")
+
+#
+# Write pam configs
+tmpfile=$(mktemp)
+# common-auth
+skip=$(( ${#auth[@]} + 1 ))
+echo "# Generated $(date)" > "$tmpfile"
+for line in "${auth[@]}"; do
+ echo "auth ${line//%NUM%/$skip}"
+ skip=$(( skip - 1 ))
+done >> "$tmpfile"
+cat >> "$tmpfile" <<-HERE
+ auth optional pam_faildelay.so delay=2123123
+ auth requisite pam_deny.so
+ auth required pam_permit.so
+ auth optional pam_cap.so
+HERE
+cp -f -- "$tmpfile" "/etc/pam.d/common-auth"
+
+# common-account
+skip=${#account[@]}
+echo "# Generated $(date)" > "$tmpfile"
+for line in "${account[@]}"; do
+ echo "account ${line//%NUM%/$skip}"
+ skip=$(( skip - 1 ))
+done >> "$tmpfile"
+cat >> "$tmpfile" <<-HERE
+ account requisite pam_deny.so
+ account required pam_permit.so
+HERE
+cp -f -- "$tmpfile" "/etc/pam.d/common-account"
+
+# common-session
+cat > "$tmpfile" <<-HERE
+ session required pam_permit.so
+ session optional pam_umask.so
+ session required pam_systemd.so
+ session optional pam_env.so readenv=1
+ session optional pam_env.so readenv=1 envfile=/etc/default/locale
+ session optional pam_exec.so quiet /opt/openslx/pam/mkhome
+HERE
+for line in "${session[@]}"; do
+ echo "session $line"
+done >> "$tmpfile"
+cp -f -- "$tmpfile" "/etc/pam.d/common-session"
+
+#
+# Write nsswitch.conf
+cat > "/etc/nsswitch.conf" <<-HERE
+# Generated $(date)
+passwd: ${nss[@]}
+group: ${nss[@]}
+shadow: files
+
+hosts: ${dns[@]}
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+HERE
+
+exit 0
+
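Review bot: The Kerberos branch tests `/etc/ksb5.conf`, which looks like a typo for `/etc/krb5.conf`; as written the `pam_krb5.so` auth and session entries are never appended, so the comment "Insert kerberos before our auth module" does not hold on a host that actually has Kerberos configured. If that is the intent, the check should read `if [ -s "/etc/krb5.conf" ]; then`. Separately, the file from `tmpfile=$(mktemp)` is never removed, and because mktemp creates it 0600, `cp -f` into `/etc/pam.d/` will presumably create a brand-new `common-*` file with that mode when none exists yet, which unprivileged PAM clients could not read; adding `trap 'rm -f -- "$tmpfile"' EXIT` after the mktemp and `chmod 0644 -- "$tmpfile"` before the copies would cover both. The direct `cat > "/etc/nsswitch.conf"` is also not atomic, so a lookup racing the rewrite can see a truncated file; writing to `$tmpfile` and `cp`-ing it like the PAM configs would keep the two paths consistent.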