diff options
author | Michael Pereira Neves | 2014-03-31 21:42:26 +0200 |
---|---|---|
committer | Michael Pereira Neves | 2014-03-31 21:42:26 +0200 |
commit | f0c87279ad88c2a9bdd8c26aef192b56232aa777 (patch) | |
tree | 7c9bf4e05269c70d2a54fdfd7ef3db4e0a35d5f2 /server/modules/pam-curitiba/etc/pam.d | |
parent | [cups-curitiba] add curitiba cups config module (diff) | |
download | tm-scripts-f0c87279ad88c2a9bdd8c26aef192b56232aa777.tar.gz tm-scripts-f0c87279ad88c2a9bdd8c26aef192b56232aa777.tar.xz tm-scripts-f0c87279ad88c2a9bdd8c26aef192b56232aa777.zip |
[pam-curitiba] add curitiba pam config module
Diffstat (limited to 'server/modules/pam-curitiba/etc/pam.d')
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/common-account | 28 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/common-auth | 30 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/common-password | 37 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/common-session | 39 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/common-session-noninteractive | 33 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/kdm | 10 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/kdm-np | 11 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/login | 109 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/other | 16 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/passwd | 6 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/sshd | 41 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/vmware-authd | 6 | ||||
-rw-r--r-- | server/modules/pam-curitiba/etc/pam.d/xdm | 6 |
13 files changed, 372 insertions, 0 deletions
diff --git a/server/modules/pam-curitiba/etc/pam.d/common-account b/server/modules/pam-curitiba/etc/pam.d/common-account new file mode 100644 index 00000000..6342fa6a --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/common-account @@ -0,0 +1,28 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +#account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +account required pam_krb5.so minimum_uid=1000 +# end of pam-auth-update config +#session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 diff --git a/server/modules/pam-curitiba/etc/pam.d/common-auth b/server/modules/pam-curitiba/etc/pam.d/common-auth new file mode 100644 index 00000000..70a9140a --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/common-auth @@ -0,0 +1,30 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 +auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass +#auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass +# here's the fallback if no module succeeds +auth requisite pam_deny.so +auth optional pam_script.so expose=1 +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +#auth optional pam_ecryptfs.so unwrap +#auth optional pam_cap.so +# end of pam-auth-update config diff --git a/server/modules/pam-curitiba/etc/pam.d/common-password b/server/modules/pam-curitiba/etc/pam.d/common-password new file mode 100644 index 00000000..58732951 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/common-password @@ -0,0 +1,37 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=2 default=ignore] pam_krb5.so minimum_uid=1000 +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 +#password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +#password optional pam_gnome_keyring.so +#password optional pam_ecryptfs.so +# end of pam-auth-update config diff --git a/server/modules/pam-curitiba/etc/pam.d/common-session b/server/modules/pam-curitiba/etc/pam.d/common-session new file mode 100644 index 00000000..2dfaa5cf --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/common-session @@ -0,0 +1,39 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +session required pam_systemd.so +session optional pam_ck_connector.so nox11 +session optional pam_env.so readenv=1 +session optional pam_env.so readenv=1 envfile=/etc/default/locale +session optional pam_krb5.so minimum_uid=1000 +session required pam_unix.so +#session optional pam_winbind.so +session sufficient pam_script.so +session optional pam_mkhomedir.so skel=/etc/skel umask=0022 +#session optional pam_ecryptfs.so unwrap +# end of pam-auth-update config diff --git a/server/modules/pam-curitiba/etc/pam.d/common-session-noninteractive b/server/modules/pam-curitiba/etc/pam.d/common-session-noninteractive new file mode 100644 index 00000000..e96d66ee --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/common-session-noninteractive @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# The pam_umask module will set the umask according to the system default in +# /etc/login.defs and user settings, solving the problem of different +# umask settings with different shells, display managers, remote sessions etc. +# See "man pam_umask". +session optional pam_umask.so +# and here are more per-package modules (the "Additional" block) +session optional pam_krb5.so minimum_uid=1000 +session required pam_unix.so +#session optional pam_winbind.so +#session optional pam_ecryptfs.so unwrap +# end of pam-auth-update config diff --git a/server/modules/pam-curitiba/etc/pam.d/kdm b/server/modules/pam-curitiba/etc/pam.d/kdm new file mode 100644 index 00000000..e6a4ec9b --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/kdm @@ -0,0 +1,10 @@ +# +# /etc/pam.d/kdm - specify the PAM behaviour of kdm +# +auth required pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +auth include common-auth +account include common-account +password include common-password +session include common-session diff --git a/server/modules/pam-curitiba/etc/pam.d/kdm-np b/server/modules/pam-curitiba/etc/pam.d/kdm-np new file mode 100644 index 00000000..dc10e5b5 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/kdm-np @@ -0,0 +1,11 @@ +# +# /etc/pam.d/kdm-np - specify the PAM behaviour of kdm for passwordless logins +# +auth required pam_nologin.so +auth required pam_env.so readenv=1 +auth required pam_env.so readenv=1 envfile=/etc/default/locale +session required pam_limits.so +account include common-account +password include common-password +session include common-session +auth required pam_permit.so diff --git a/server/modules/pam-curitiba/etc/pam.d/login b/server/modules/pam-curitiba/etc/pam.d/login new file mode 100644 index 00000000..0df79279 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/login @@ -0,0 +1,109 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +auth include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +#auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +#session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the message of the day upon succesful login. +# (Replaces the `MOTD_FILE' option in login.defs) +# This includes a dynamically generated part from /run/motd.dynamic +# and a static (admin-editable) part from /etc/motd. +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +#session optional pam_mail.so standard + +# Standard Un*x account and session +account include common-account +session include common-session +password include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/server/modules/pam-curitiba/etc/pam.d/other b/server/modules/pam-curitiba/etc/pam.d/other new file mode 100644 index 00000000..59d776c9 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/other @@ -0,0 +1,16 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session diff --git a/server/modules/pam-curitiba/etc/pam.d/passwd b/server/modules/pam-curitiba/etc/pam.d/passwd new file mode 100644 index 00000000..32eaa3c6 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/passwd @@ -0,0 +1,6 @@ +# +# The PAM configuration file for the Shadow `passwd' service +# + +password include common-password + diff --git a/server/modules/pam-curitiba/etc/pam.d/sshd b/server/modules/pam-curitiba/etc/pam.d/sshd new file mode 100644 index 00000000..8954d639 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/sshd @@ -0,0 +1,41 @@ +# PAM configuration for the Secure Shell service + +# Read environment variables from /etc/environment and +# /etc/security/pam_env.conf. +auth required pam_env.so # [1] +# In Debian 4.0 (etch), locale-related environment variables were moved to +# /etc/default/locale, so read that as well. +auth required pam_env.so envfile=/etc/default/locale + +# Standard Un*x authentication. +auth include common-auth + +# Disallow non-root logins when /etc/nologin exists. +account required pam_nologin.so + +# Uncomment and edit /etc/security/access.conf if you need to set complex +# access limits that are hard to express in sshd_config. +# account required pam_access.so + +# Standard Un*x authorization. +account include common-account + +# Standard Un*x session setup and teardown. +session include common-session + +# Print the message of the day upon successful login. +session optional pam_motd.so # [1] + +# TODO do we need this? +# Print the status of the user's mailbox upon successful login. +#session optional pam_mail.so standard noenv # [1] + +# TODO do we need this? +# Set up user limits from /etc/security/limits.conf. +#session required pam_limits.so + +# Set up SELinux capabilities (need modified pam) +# session required pam_selinux.so multiple + +# Standard Un*x password updating. +password include common-password diff --git a/server/modules/pam-curitiba/etc/pam.d/vmware-authd b/server/modules/pam-curitiba/etc/pam.d/vmware-authd new file mode 100644 index 00000000..1f9b60f9 --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/vmware-authd @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password +session include common-session + diff --git a/server/modules/pam-curitiba/etc/pam.d/xdm b/server/modules/pam-curitiba/etc/pam.d/xdm new file mode 100644 index 00000000..d21651db --- /dev/null +++ b/server/modules/pam-curitiba/etc/pam.d/xdm @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include common-auth +account include common-account +password include common-password +session required pam_loginuid.so +session include common-session |