Diffstat (limited to 'remote/modules/pam/data')
-rw-r--r--remote/modules/pam/data/etc/gssapi_mech.conf21
-rw-r--r--remote/modules/pam/data/etc/idmapd.conf12
-rw-r--r--remote/modules/pam/data/etc/krb5.conf28
-rwxr-xr-xremote/modules/pam/data/etc/pam-script/pam_script_ses_close5
-rwxr-xr-xremote/modules/pam/data/etc/pam-script/pam_script_ses_open21
-rw-r--r--remote/modules/pam/data/etc/pam.d/common-account1
-rw-r--r--remote/modules/pam/data/etc/pam.d/common-auth3
-rw-r--r--remote/modules/pam/data/etc/pam.d/common-session6
l---------remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service1
l---------remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service1
-rw-r--r--remote/modules/pam/data/etc/systemd/system/rpc-gssd.service7
-rw-r--r--remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service7
-rw-r--r--remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount7
l---------remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close1
l---------remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open1
15 files changed, 119 insertions, 3 deletions
diff --git a/remote/modules/pam/data/etc/gssapi_mech.conf b/remote/modules/pam/data/etc/gssapi_mech.conf
new file mode 100644
index 00000000..ac41f5fd
--- /dev/null
+++ b/remote/modules/pam/data/etc/gssapi_mech.conf
@@ -0,0 +1,21 @@
+# Example /etc/gssapi_mech.conf file
+#
+# GSSAPI Mechanism Definitions
+#
+# This configuration file determines which GSS-API mechanisms
+# the gssd code should use
+#
+# NOTE:
+# The initiaiization function "mechglue_internal_krb5_init"
+# is used for the MIT krb5 gssapi mechanism. This special
+# function name indicates that an internal function should
+# be used to determine the entry points for the MIT gssapi
+# mechanism funtions.
+#
+# library initialization function
+# ================================ ==========================
+# The MIT K5 gssapi library, use special function for initialization.
+libgssapi_krb5.so.2 mechglue_internal_krb5_init
+#
+# The SPKM3 gssapi library function. Use the function spkm3_gss_initialize.
+# /usr/local/gss_mechs/spkm/spkm3/libgssapi_spkm3.so spkm3_gss_initialize
diff --git a/remote/modules/pam/data/etc/idmapd.conf b/remote/modules/pam/data/etc/idmapd.conf
new file mode 100644
index 00000000..2253cf0d
--- /dev/null
+++ b/remote/modules/pam/data/etc/idmapd.conf
@@ -0,0 +1,12 @@
+[General]
+
+Verbosity = 0
+Pipefs-Directory = /run/rpc_pipefs
+# set your own domain here, if id differs from FQDN minus hostname
+Domain = uni-freiburg.de
+# localdomain
+
+[Mapping]
+
+Nobody-User = nobody
+Nobody-Group = nogroup
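Review bot: The `# localdomain` line directly below `Domain = uni-freiburg.de` reads as a leftover alternative value rather than an explanation and will puzzle the next editor. Either drop it or make it an explicit commented-out alternative under the existing comment, e.g. `# Domain = localdomain`, so the intent is clear.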
diff --git a/remote/modules/pam/data/etc/krb5.conf b/remote/modules/pam/data/etc/krb5.conf
new file mode 100644
index 00000000..6fd49243
--- /dev/null
+++ b/remote/modules/pam/data/etc/krb5.conf
@@ -0,0 +1,28 @@
+# file copied from configuration package (rootfs/etc/krb5.conf)
+#########################################################################
+[libdefaults]
+ noaddresses = false
+ clockskew = 300
+ default_realm = PUBLIC.ADS.UNI-FREIBURG.DE
+ forwardable = true
+ minimum_uid = 1000
+ proxiable = false
+ renew_lifetime = 30d
+ retain_after_close = false
+ ticket_lifetime = 3d
+ use_shmem = sshd
+ allow_weak_crypto=true
+#########################################################################
+[realms]
+ PUBLIC.ADS.UNI-FREIBURG.DE = {
+ kdc = kerberos.uni-freiburg.de
+ default_domain = uni-freiburg.de
+ admin_server = kerberos.uni-freiburg.de
+ }
+#########################################################################
+[domain_realm]
+ uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE
+ .uni-freiburg.de = PUBLIC.ADS.UNI-FREIBURG.DE
+##########################################################################
+[appdefaults]
+#########################################################################
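Review bot: `allow_weak_crypto=true` under `[libdefaults]` re-enables the legacy weak enctypes (single-DES and similar) for every ticket and keytab on the host; MIT krb5 turns this off by default, and it should only be set if the KDC still issues such keys, in which case the reason belongs in a comment above the line. If it is needed, write it in the file's own ` key = value` style as ` allow_weak_crypto = true` with a note naming the service that still requires it; otherwise remove the line. The header says the file is copied from the rootfs package, so the same question applies to the source copy.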
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_close b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
new file mode 100755
index 00000000..48e778e2
--- /dev/null
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "[$PAM_TYPE] Closing session for $PAM_USER"
+
+umount /home/$PAM_USER
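Review bot: `umount /home/$PAM_USER` leaves `$PAM_USER` unquoted and unmounts unconditionally, so closing one session pulls the home directory out from under any other open session of the same user, since pam_script runs this on every session close. At minimum quote the path and skip when nothing is mounted there: `mountpoint -q "/home/$PAM_USER" && umount "/home/$PAM_USER"`. If concurrent logins of one user are expected, the script also needs to check for remaining active sessions of that user (e.g. via `loginctl list-sessions`) before unmounting.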
diff --git a/remote/modules/pam/data/etc/pam-script/pam_script_ses_open b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
new file mode 100755
index 00000000..86386267
--- /dev/null
+++ b/remote/modules/pam/data/etc/pam-script/pam_script_ses_open
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
+
+echo "[$PAM_TYPE] Opening session for $PAM_USER"
+echo "[$PAM_TYPE] Mounting home directory for $PAM_USER"
+
+# generate keytab
+sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab
+chmod 600 /etc/krb5.keytab
+
+# determine fileserver and share for home directories
+ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver > /tmp/ldapsearch."$PAM_USER"
+
+FILESERVER=$(cat /tmp/ldapsearch.$PAM_USER | grep rufFileserver | cut -d" " -f2)
+VOLUME=$(cat /tmp/ldapsearch.$PAM_USER | grep homeDirectory | cut -d" " -f2)
+
+# now we can mount the home directory
+mkdir -p /home/$PAM_USER
+mount -t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy,sec=krb5p "$FILESERVER":"$VOLUME" /home/"$PAM_USER" \
+ || echo "[$PAM_TYPE] Failed to mount home directory for $PAM_USER"
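Review bot: `ldapsearch … > /tmp/ldapsearch."$PAM_USER"` writes a predictably named file into the world-writable /tmp as root on every login and never removes it; the lookup result should go into a shell variable instead of a temp file. The keytab is likewise written with `> /etc/krb5.keytab` under the default umask and only `chmod 600` afterwards, and a failed `sslconnect` leaves an empty keytab in place, so create it under `umask 077` at a temporary name and `mv` it over the old one only on success. Quoting of `$PAM_USER` is inconsistent (quoted on the ldapsearch and mount lines, unquoted in the two `cat` lines and in `mkdir -p /home/$PAM_USER`), and an empty lookup currently falls through to a mount of `:` rather than a clear message. The script also runs for every session, including local accounts that `minimum_uid=1000` excludes elsewhere in this commit; a uid check near the top would presumably be wanted, but it is not part of the excerpt below.
```shell
# … unchanged: PATH export and the two session messages …

# generate keytab: created 0600 from the start, old keytab replaced only on success
(umask 077; sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab.tmp) \
    && mv -f /etc/krb5.keytab.tmp /etc/krb5.keytab

# determine fileserver and share for home directories (no temp file in /tmp)
LDAP_RESULT=$(ldapsearch -x -LLL uid="$PAM_USER" homeDirectory rufFileserver)
FILESERVER=$(printf '%s\n' "$LDAP_RESULT" | awk '$1 == "rufFileserver:" { print $2 }')
VOLUME=$(printf '%s\n' "$LDAP_RESULT" | awk '$1 == "homeDirectory:" { print $2 }')
if [ -z "$FILESERVER" ] || [ -z "$VOLUME" ]; then
    echo "[$PAM_TYPE] No fileserver/home directory found for $PAM_USER"
    exit 0
fi

# … unchanged: mkdir (quote it as mkdir -p "/home/$PAM_USER") and the mount …
```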
diff --git a/remote/modules/pam/data/etc/pam.d/common-account b/remote/modules/pam/data/etc/pam.d/common-account
index 3a5d5a14..26055551 100644
--- a/remote/modules/pam/data/etc/pam.d/common-account
+++ b/remote/modules/pam/data/etc/pam.d/common-account
@@ -23,4 +23,5 @@ account requisite pam_deny.so
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
+account required pam_krb5.so
# end of pam-auth-update config
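Review bot: The added `account required pam_krb5.so` line carries no `minimum_uid=1000`, unlike the pam_krb5 lines this commit adds to common-auth and common-session, so the Kerberos account check is applied to system accounts that the other phases deliberately exclude. Make it `account required pam_krb5.so minimum_uid=1000` for consistency. Whether pam_krb5's account phase returns ignore for users who did not authenticate through it should be confirmed against the installed pam-krb5 version, because with `required` any other result blocks every local login at the account stage.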
diff --git a/remote/modules/pam/data/etc/pam.d/common-auth b/remote/modules/pam/data/etc/pam.d/common-auth
index 1fa577e7..088ed13f 100644
--- a/remote/modules/pam/data/etc/pam.d/common-auth
+++ b/remote/modules/pam/data/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth [success=2 default=ignore] pam_unix.so
+auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=2 default=ignore] pam_unix.so try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
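Review bot: The two new Primary-block lines say nothing about where their jump counts land; `success=3` on pam_krb5 has to skip pam_unix, pam_ldap and pam_deny to reach the pam_permit line, which sits outside this hunk, so any later insertion in between silently breaks the chain. A comment above the block such as `# pam_krb5 first; on success skip unix, ldap and deny (3 lines) to reach pam_permit` would make that dependency visible. Since pam_krb5 now prompts first and pam_unix reuses the password via `try_first_pass`, a KDC outage seems to cost only a timeout before the local fallback, which looks intended but is worth stating in the same comment.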
diff --git a/remote/modules/pam/data/etc/pam.d/common-session b/remote/modules/pam/data/etc/pam.d/common-session
index c5813892..e3180dd4 100644
--- a/remote/modules/pam/data/etc/pam.d/common-session
+++ b/remote/modules/pam/data/etc/pam.d/common-session
@@ -26,8 +26,10 @@ session required pam_permit.so
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
-session [success=1] pam_unix.so
-session [success=ok] pam_ldap.so
+session [success=3] pam_unix.so
+session [success=2] pam_krb5.so minimum_uid=1000
+session [success=1] pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+session optional pam_script.so
session required pam_systemd.so kill-session-processes=1
# end of pam-auth-update config
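Review bot: The new jump count `session [success=3] pam_unix.so` skips pam_krb5, pam_ldap and pam_mkhomedir whenever pam_unix's session call succeeds, which in practice is every login, so the freshly added `session [success=2] pam_krb5.so minimum_uid=1000` line and the existing pam_mkhomedir line are likely never reached. If pam_krb5's session phase is meant to run (presumably to set up the credential cache that the `sec=krb5p` mount in pam_script_ses_open relies on), it has to come before pam_unix or pam_unix's count has to drop to `success=1`. If skipping pam_mkhomedir is intentional because the script creates the directory itself, a comment above the block should say so.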
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
new file mode 120000
index 00000000..194aba77
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-gssd.service
@@ -0,0 +1 @@
+../rpc-gssd.service \ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
new file mode 120000
index 00000000..66a28252
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/getty.target.wants/rpc-idmapd.service
@@ -0,0 +1 @@
+../rpc-idmapd.service \ No newline at end of file
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
new file mode 100644
index 00000000..6623428d
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-gssd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFS rpcsec_gss daemon
+Requires=run-rpc_pipefs.mount
+After=run-rpc_pipefs.mount
+
+[Service]
+ExecStart=/usr/sbin/rpc.gssd -f -vvv
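Review bot: `ExecStart=/usr/sbin/rpc.gssd -f -vvv` starts the daemon at its highest verbosity, which is a troubleshooting setting and will write a log entry for every context negotiation on a host where this runs for each login. `ExecStart=/usr/sbin/rpc.gssd -f` is the normal form; raise verbosity only while debugging. The missing `[Install]` section is consistent with the unit being symlinked into getty.target.wants directly in this commit, but a one-line comment noting that would save the next reader from looking for it.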
diff --git a/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
new file mode 100644
index 00000000..c4da93e7
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/rpc-idmapd.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=NFSv4 ID-name mapping daemon
+Requires=network.target run-rpc_pipefs.mount
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/rpc.idmapd -f
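Review bot: `Requires=network.target run-rpc_pipefs.mount` pulls the pipefs mount in, but `After=network.target` does not order rpc.idmapd after it, and Requires= alone carries no ordering, so the daemon can be started before /run/rpc_pipefs is mounted. Change it to `After=network.target run-rpc_pipefs.mount`, which is what rpc-gssd.service in this same commit already does with its Requires=/After= pair.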
diff --git a/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
new file mode 100644
index 00000000..692adce8
--- /dev/null
+++ b/remote/modules/pam/data/etc/systemd/system/run-rpc_pipefs.mount
@@ -0,0 +1,7 @@
+[Unit]
+Description=Pipefs RPC filesystem
+
+[Mount]
+What=rpc_pipefs
+Where=/run/rpc_pipefs
+Type=rpc_pipefs
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
new file mode 120000
index 00000000..a12002a7
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_close \ No newline at end of file
diff --git a/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
new file mode 120000
index 00000000..783d5605
--- /dev/null
+++ b/remote/modules/pam/data/usr/share/libpam-script/pam_script_ses_open
@@ -0,0 +1 @@
+/etc/pam-script/pam_script_ses_open \ No newline at end of file