coren has submitted this change and it was merged. Change subject: Labs: switch PAM handling to use pam-auth-update ......................................................................
Labs: switch PAM handling to use pam-auth-update This avoids having local modifications in /etc/pam.d that do not play nice with the distro-provided config (and prevents distro-specific breaking). Rather than modify the pam.d config directly we add a wikimedia-labs specific configuration in /usr/share/pam-configs/ which is then merged properly by pam-auth-update. This changeset also includes a script that reverts manual (or puppet-mediated) changes that were done to /etc/pam.d, by reverting them to the package or freshly generated versions. This is intended to be invoked (once) by a salt run on all instances to clean up remnants of the previous way of doing things. Bug: T85910 Change-Id: I1cf70b11c494ed010f14a3734b514dde36f6cf74 --- A modules/ldap/files/cleanup-pam-config D modules/ldap/files/common-account D modules/ldap/files/common-auth D modules/ldap/files/common-password D modules/ldap/files/common-session D modules/ldap/files/common-session-noninteractive D modules/ldap/files/sshd A modules/ldap/files/wikimedia-labs-pam M modules/ldap/manifests/client/pam.pp 9 files changed, 71 insertions(+), 123 deletions(-) Approvals: coren: Looks good to me, approved Faidon Liambotis: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/modules/ldap/files/cleanup-pam-config b/modules/ldap/files/cleanup-pam-config new file mode 100644 index 0000000..5da5429 --- /dev/null +++ b/modules/ldap/files/cleanup-pam-config 
@@ -0,0 +1,43 @@ +#! /bin/bash + +## This script axes the current pam configuration from +## /etc/pam.d/sshd and /etc/pam.d/common-* and forces it +## to be recreated (from the package for the former, and +## from /usr/share/pam-configs/ for the latter). +## +## The whole thing paranoidly: +## a) keeps backups; +## b) rolls back at the first sign of trouble; and +## c) won't even start if a backup is present + +if ! cd /etc/pam.d; then + echo "Unable to cd to /etc/pam.d" >&2 + exit 1 +fi + +# iff ./sshd exists and ./sshd.orig does not, move the former +# to the latter and force dpkg to reinstall missing config +# files (via apt-get). This restarts the sshd master daemon, +# and returns ./sshd.orig to ./sshd if apt-get reports issues. +# +# If all went well, ./sshd has the stock config and ./sshd.orig +# has a backup of the previous one. +mv -n sshd sshd.orig && ( + apt-get -o Dpkg::Options::="--force-confmiss" install --reinstall openssh-server || + mv -f sshd.orig sshd +) + +# For ./common-* we make copies instead of moving the +# configuration files around to avoid there ever being a point +# where only /part/ of the configuration is present. Once +# all the files have been copied, /then/ we remove the +# originals and regenerate configuration. +for i in common-{account,auth,password,session,session-noninteractive}; do + cp -np $i $i.orig || exit 1 +done +rm common-{account,auth,password,session,session-noninteractive} && ( + pam-auth-update --package --force || + for i in common-{account,auth,password,session,session-noninteractive}; do + mv -f $i.orig $i + done +) diff --git a/modules/ldap/files/common-account b/modules/ldap/files/common-account deleted file mode 100644 index ee55340..0000000 --- a/modules/ldap/files/common-account +++ /dev/null 
@@ -1,11 +0,0 @@ -# here are the per-package modules (the "Primary" block) -account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so -account [success=1 default=ignore] pam_ldap.so -# here's the fallback if no module succeeds -account requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -account required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config diff --git a/modules/ldap/files/common-auth b/modules/ldap/files/common-auth deleted file mode 100644 index 27a9721..0000000 --- a/modules/ldap/files/common-auth +++ /dev/null @@ -1,13 +0,0 @@ -# here are the per-package modules (the "Primary" block) -auth [success=2 default=ignore] pam_unix.so nullok_secure -auth [success=1 default=ignore] pam_ldap.so use_first_pass -# here's the fallback if no module succeeds -auth requisite pam_deny.so -# limit access to specific users -auth required pam_access.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -auth required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config diff --git a/modules/ldap/files/common-password b/modules/ldap/files/common-password deleted file mode 100644 index f9f2c3c..0000000 --- a/modules/ldap/files/common-password +++ /dev/null 
@@ -1,11 +0,0 @@ -# here are the per-package modules (the "Primary" block) -password [success=1 default=ignore] pam_unix.so obscure sha512 -#password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass -# here's the fallback if no module succeeds -password requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -password required pam_permit.so -# and here are more per-package modules (the "Additional" block) -# end of pam-auth-update config diff --git a/modules/ldap/files/common-session b/modules/ldap/files/common-session deleted file mode 100644 index 3b9d702..0000000 --- a/modules/ldap/files/common-session +++ /dev/null @@ -1,13 +0,0 @@ -# here are the per-package modules (the "Primary" block) -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# and here are more per-package modules (the "Additional" block) -session required pam_unix.so -session required pam_mkhomedir.so umask=0077 -session optional pam_ldap.so -# end of pam-auth-update config diff --git a/modules/ldap/files/common-session-noninteractive b/modules/ldap/files/common-session-noninteractive deleted file mode 100644 index 2eadc15..0000000 --- a/modules/ldap/files/common-session-noninteractive +++ /dev/null 
@@ -1,12 +0,0 @@ -# here are the per-package modules (the "Primary" block) -session [default=1] pam_permit.so -# here's the fallback if no module succeeds -session requisite pam_deny.so -# prime the stack with a positive return value if there isn't one already; -# this avoids us returning an error just because nothing sets a success code -# since the modules above will each just jump around -session required pam_permit.so -# and here are more per-package modules (the "Additional" block) -session required pam_unix.so -session optional pam_ldap.so -# end of pam-auth-update config diff --git a/modules/ldap/files/sshd b/modules/ldap/files/sshd deleted file mode 100644 index 97ae78a..0000000 --- a/modules/ldap/files/sshd +++ /dev/null 
@@ -1,39 +0,0 @@ -# PAM configuration for the Secure Shell service - -# Read environment variables from /etc/environment and -# /etc/security/pam_env.conf. -auth required pam_env.so # [1] -# In Debian 4.0 (etch), locale-related environment variables were moved to -# /etc/default/locale, so read that as well. -auth required pam_env.so envfile=/etc/default/locale - -# Standard Un*x authentication. -@include common-auth - -# Disallow non-root logins when /etc/nologin exists. -account required pam_nologin.so - -# Uncomment and edit /etc/security/access.conf if you need to set complex -# access limits that are hard to express in sshd_config. -account required pam_access.so - -# Standard Un*x authorization. -@include common-account - -# Standard Un*x session setup and teardown. -@include common-session - -# Print the message of the day upon successful login. -session optional pam_motd.so # [1] - -# Print the status of the user's mailbox upon successful login. -session optional pam_mail.so standard noenv # [1] - -# Set up user limits from /etc/security/limits.conf. -session required pam_limits.so - -# Set up SELinux capabilities (need modified pam) -# session required pam_selinux.so multiple - -# Standard Un*x password updating. -@include common-password diff --git a/modules/ldap/files/wikimedia-labs-pam b/modules/ldap/files/wikimedia-labs-pam new file mode 100644 index 0000000..e34e611 --- /dev/null +++ b/modules/ldap/files/wikimedia-labs-pam @@ -0,0 +1,9 @@ +Name: Wikimedia Labs-specific PAM settings +Default: yes +Priority: 200 +Session-Type: Additional +Session: + [success=ok new_authtok_reqd=ok default=ignore] pam_mkhomedir.so umask=0077 +Account-Type: Primary +Account: + [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_access.so diff --git a/modules/ldap/manifests/client/pam.pp b/modules/ldap/manifests/client/pam.pp index b5e9677..8b1bdb9 100644 --- a/modules/ldap/manifests/client/pam.pp +++ b/modules/ldap/manifests/client/pam.pp 
@@ -1,35 +1,30 @@ class ldap::client::pam($ldapconfig) { + package { 'libpam-ldapd': - ensure => latest, + ensure => present, } - File { - owner => 'root', - group => 'root', - mode => '0444', + exec { 'pam-auth-update': + command => '/usr/sbin/pam-auth-update --package', + refreshonly => true, + require => Package['libpam-ldapd'], } - file { '/etc/pam.d/common-auth': - source => 'puppet:///modules/ldap/common-auth', + file { '/usr/share/pam-configs/wikimedia-labs-pam': + ensure => present, + source => 'puppet:///modules/ldap/wikimedia-labs-pam', + notify => Exec['pam-auth-update'], + owner => 'root', + group => 'root', + mode => '0444', } - file { '/etc/pam.d/sshd': - source => 'puppet:///modules/ldap/sshd', + file { '/usr/local/sbin/cleanup-pam-config': + ensure => present, + source => 'puppet:///modules/ldap/cleanup-pam-config', + owner => 'root', + group => 'root', + mode => '0555', } - file { '/etc/pam.d/common-account': - source => 'puppet:///modules/ldap/common-account', - } - - file { '/etc/pam.d/common-password': - source => 'puppet:///modules/ldap/common-password', - } - - file { '/etc/pam.d/common-session': - source => 'puppet:///modules/ldap/common-session', - } - - file { '/etc/pam.d/common-session-noninteractive': - source => 'puppet:///modules/ldap/common-session-noninteractive', - } } -- To view, visit https://gerrit.wikimedia.org/r/255555 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1cf70b11c494ed010f14a3734b514dde36f6cf74 Gerrit-PatchSet: 7 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: coren <mpellet...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Chasemp <r...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org> Gerrit-Reviewer: coren <mpellet...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ 
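Review bot: in cleanup-pam-config, guarantee (c) from the header comment, "won't even start if a backup is present", is not actually implemented: `mv -n sshd sshd.orig` and `cp -np $i $i.orig` exit 0 when they skip because the destination already exists (GNU coreutils of this vintage does not treat a skipped no-clobber copy as a failure), so on a host that already carries sshd.orig or common-*.orig the script proceeds, and the rollback branches `mv -f sshd.orig sshd` / `mv -f $i.orig $i` would then restore whatever stale backup was lying around rather than the configuration that was just removed. Add an explicit guard before anything is touched, e.g. `for f in sshd common-{account,auth,password,session,session-noninteractive}; do [ -e "$f.orig" ] && { echo "$f.orig already exists, refusing to run" >&2; exit 1; }; done`, and consider `set -u` so that the `rm common-{...}` cannot run with an unset or empty loop variable if the list is ever factored into a variable.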
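Review bot: the removed common-password kept pam_ldap deliberately disabled (`#password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass`), but the replacement profile wikimedia-labs-pam carries no Password-Type section, so after this change the password stack is whatever pam-auth-update assembles from the distro profiles installed alongside libpam-ldapd, and any pam_ldap password line contributed there will now be live. A second profile cannot subtract lines that another profile adds, so if excluding LDAP from password changes was intentional the commit message should say that the behaviour change is accepted, or the profile should be given a Password-Type entry that documents the intended stack.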
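Review bot: the removed common-session ran `session required pam_mkhomedir.so umask=0077`, while the Session line in the new profile uses `[success=ok new_authtok_reqd=ok default=ignore]`, which is the equivalent of `optional`: a failure to create the home directory no longer fails the session, so the login is let through instead of being refused. If the previous `required` semantics are wanted, `default=bad` gives them. Separately, the removed common-session-noninteractive had no pam_mkhomedir line, whereas a profile's Session block is merged into both common-session and common-session-noninteractive unless the profile sets `Session-Interactive-Only: yes`; either add that field or note in the profile that home-directory creation for non-interactive sessions (cron, sudo) is now intended.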
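Review bot: placing pam_access in `Account-Type: Primary` at `Priority: 200` changes when it runs. pam-auth-update orders Primary entries by descending Priority and rewrites the unix profile's pam_unix line to jump to the end of the Primary block on success (the deleted common-account shows exactly that rewrite: `account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so`), so if the unix profile sorts ahead of this entry, pam_access is skipped for every account that pam_unix accepts, i.e. local /etc/passwd users would bypass /etc/security/access.conf. The removed files enforced it unconditionally (`auth required pam_access.so` in common-auth and `account required pam_access.so` in sshd); `Account-Type: Additional` with the same `default=bad` control reproduces that, because the Additional block runs after pam_permit for every account regardless of which Primary module matched. The `ignore=ignore` token is a no-op and can be dropped.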
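Review bot: in pam.pp the refresh exec runs `/usr/sbin/pam-auth-update --package` without `--force`, and in that mode pam-auth-update leaves alone any /etc/pam.d/common-* file it detects as locally modified, which is precisely the state every existing instance is in until someone runs the new /usr/local/sbin/cleanup-pam-config (the cleanup script itself has to pass `--force` for that reason, and the commit message defers running it to a one-off salt run). Until then the notify is effectively a no-op and the new profile is present in /usr/share/pam-configs but not in the live stack, and nothing in the manifest records that ordering. Either document the requirement next to the exec, or let puppet run the cleanup once (an exec with a `creates` guard on a marker file, ordered `before => Exec['pam-auth-update']`). Minor: the file resource for /usr/share/pam-configs/wikimedia-labs-pam has no `require`; the directory comes with libpam-runtime, which libpam-ldapd pulls in, so `require => Package['libpam-ldapd']` would make the dependency explicit rather than relying on catalog ordering.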
MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits