coren has submitted this change and it was merged.

Change subject: Labs: switch PAM handling to use pam-auth-update
......................................................................


Labs: switch PAM handling to use pam-auth-update

This avoids having local modifications in /etc/pam.d that do
not play nice with the distro-provided config (and prevents
distro-specific breaking).  Rather than modify the pam.d
config directly we add a wikimedia-labs specific configuration
in /usr/share/pam-configs/ which is then merged properly
by pam-auth-update.

This changeset also includes a script that reverts manual
(or puppet-mediated) changes that were done to /etc/pam.d,
by reverting them to the package or freshly generated
versions.  This is intended to be invoked (once) by a salt
run on all instances to clean up remnants of the previous
way of doing things.

Bug: T85910
Change-Id: I1cf70b11c494ed010f14a3734b514dde36f6cf74
---
A modules/ldap/files/cleanup-pam-config
D modules/ldap/files/common-account
D modules/ldap/files/common-auth
D modules/ldap/files/common-password
D modules/ldap/files/common-session
D modules/ldap/files/common-session-noninteractive
D modules/ldap/files/sshd
A modules/ldap/files/wikimedia-labs-pam
M modules/ldap/manifests/client/pam.pp
9 files changed, 71 insertions(+), 123 deletions(-)

Approvals:
  coren: Looks good to me, approved
  Faidon Liambotis: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/ldap/files/cleanup-pam-config 
b/modules/ldap/files/cleanup-pam-config
new file mode 100644
index 0000000..5da5429
--- /dev/null
+++ b/modules/ldap/files/cleanup-pam-config
@@ -0,0 +1,43 @@
+#! /bin/bash
+
+## This script axes the current pam configuration from
+## /etc/pam.d/sshd and /etc/pam.d/common-* and forces it
+## to be recreated (from the package for the former, and
+## from /usr/share/pam-configs/ for the latter).
+##
+## The whole thing paranoidly:
+##  a) keeps backups;
+##  b) rolls back at the first sign of trouble; and
+##  c) won't even start if a backup is present
+
+if ! cd /etc/pam.d; then
+    echo "Unable to cd to /etc/pam.d" >&2
+    exit 1
+fi
+
+# iff ./sshd exists and ./sshd.orig does not, move the former
+# to the latter and force dpkg to reinstall missing config
+# files (via apt-get).  This restarts the sshd master daemon,
+# and returns ./sshd.orig to ./sshd if apt-get reports issues.
+#
+# If all went well, ./sshd has the stock config and ./sshd.orig
+# has a backup of the previous one.
+mv -n sshd sshd.orig && (
+    apt-get -o Dpkg::Options::="--force-confmiss" install --reinstall 
openssh-server ||
+    mv -f sshd.orig sshd
+)
+
+# For ./common-* we make copies instead of moving the
+# configuration files around to avoid there ever being a point
+# where only /part/ of the configuration is present. Once
+# all the files have been copied, /then/ we remove the
+# originals and regenerate configuration.
+for i in common-{account,auth,password,session,session-noninteractive}; do
+    cp -np $i $i.orig || exit 1
+done
+rm common-{account,auth,password,session,session-noninteractive} && (
+    pam-auth-update --package --force ||
+    for i in common-{account,auth,password,session,session-noninteractive}; do
+        mv -f $i.orig $i
+    done
+)
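Review bot: The "won't even start if a backup is present" guarantee (item c in the header) is not actually enforced by `mv -n sshd sshd.orig && (` or by `cp -np $i $i.orig || exit 1`: GNU `mv -n` and `cp -n` (at least through coreutils 8.x) exit 0 when they decline to overwrite an existing destination, so on a second run with `sshd.orig` already present the `mv` is a silent no-op, `apt-get --reinstall` runs anyway, and a failure there makes `mv -f sshd.orig sshd` overwrite the live file with the stale backup; likewise the `cp -np` loop never hits `exit 1`, after which `rm common-{...}` deletes the live files with only the stale `.orig` copies behind them. Add an explicit pre-check before touching anything, e.g. `for f in sshd common-{account,auth,password,session,session-noninteractive}; do [ -e "$f.orig" ] && { echo "$f.orig exists, refusing to run" >&2; exit 1; }; done`, so the rollback paths only ever restore backups this run created.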
diff --git a/modules/ldap/files/common-account 
b/modules/ldap/files/common-account
deleted file mode 100644
index ee55340..0000000
--- a/modules/ldap/files/common-account
+++ /dev/null
@@ -1,11 +0,0 @@
-# here are the per-package modules (the "Primary" block)
-account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
-account [success=1 default=ignore]      pam_ldap.so
-# here's the fallback if no module succeeds
-account requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-account required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
diff --git a/modules/ldap/files/common-auth b/modules/ldap/files/common-auth
deleted file mode 100644
index 27a9721..0000000
--- a/modules/ldap/files/common-auth
+++ /dev/null
@@ -1,13 +0,0 @@
-# here are the per-package modules (the "Primary" block)
-auth    [success=2 default=ignore]      pam_unix.so nullok_secure
-auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
-# here's the fallback if no module succeeds
-auth    requisite                       pam_deny.so
-# limit access to specific users
-auth    required                        pam_access.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth    required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
diff --git a/modules/ldap/files/common-password 
b/modules/ldap/files/common-password
deleted file mode 100644
index f9f2c3c..0000000
--- a/modules/ldap/files/common-password
+++ /dev/null
@@ -1,11 +0,0 @@
-# here are the per-package modules (the "Primary" block)
-password        [success=1 default=ignore]      pam_unix.so obscure sha512
-#password        [success=1 user_unknown=ignore default=die]     pam_ldap.so 
try_first_pass
-# here's the fallback if no module succeeds
-password        requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password        required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config
diff --git a/modules/ldap/files/common-session 
b/modules/ldap/files/common-session
deleted file mode 100644
index 3b9d702..0000000
--- a/modules/ldap/files/common-session
+++ /dev/null
@@ -1,13 +0,0 @@
-# here are the per-package modules (the "Primary" block)
-session [default=1]                     pam_permit.so
-# here's the fallback if no module succeeds
-session requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session required                        pam_unix.so
-session required                        pam_mkhomedir.so umask=0077
-session optional                        pam_ldap.so
-# end of pam-auth-update config
diff --git a/modules/ldap/files/common-session-noninteractive 
b/modules/ldap/files/common-session-noninteractive
deleted file mode 100644
index 2eadc15..0000000
--- a/modules/ldap/files/common-session-noninteractive
+++ /dev/null
@@ -1,12 +0,0 @@
-# here are the per-package modules (the "Primary" block)
-session [default=1]                     pam_permit.so
-# here's the fallback if no module succeeds
-session requisite                       pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session required                        pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session required        pam_unix.so
-session optional                        pam_ldap.so
-# end of pam-auth-update config
diff --git a/modules/ldap/files/sshd b/modules/ldap/files/sshd
deleted file mode 100644
index 97ae78a..0000000
--- a/modules/ldap/files/sshd
+++ /dev/null
@@ -1,39 +0,0 @@
-# PAM configuration for the Secure Shell service
-
-# Read environment variables from /etc/environment and
-# /etc/security/pam_env.conf.
-auth       required     pam_env.so # [1]
-# In Debian 4.0 (etch), locale-related environment variables were moved to
-# /etc/default/locale, so read that as well.
-auth       required     pam_env.so envfile=/etc/default/locale
-
-# Standard Un*x authentication.
-@include common-auth
-
-# Disallow non-root logins when /etc/nologin exists.
-account    required     pam_nologin.so
-
-# Uncomment and edit /etc/security/access.conf if you need to set complex
-# access limits that are hard to express in sshd_config.
-account  required     pam_access.so
-
-# Standard Un*x authorization.
-@include common-account
-
-# Standard Un*x session setup and teardown.
-@include common-session
-
-# Print the message of the day upon successful login.
-session    optional     pam_motd.so # [1]
-
-# Print the status of the user's mailbox upon successful login.
-session    optional     pam_mail.so standard noenv # [1]
-
-# Set up user limits from /etc/security/limits.conf.
-session    required     pam_limits.so
-
-# Set up SELinux capabilities (need modified pam)
-# session  required     pam_selinux.so multiple
-
-# Standard Un*x password updating.
-@include common-password
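Review bot: Dropping the managed sshd file also drops its uncommented `account  required     pam_access.so` line (the comment above it in the deleted file shows the package copy ships it commented out), so once cleanup-pam-config reinstalls the package copy, access.conf enforcement for ssh logins rests solely on the new pam-configs profile. Confirm on a test instance that a deny rule in /etc/security/access.conf still blocks an ssh login before the salt run, and mention this dependency in the commit message.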
diff --git a/modules/ldap/files/wikimedia-labs-pam 
b/modules/ldap/files/wikimedia-labs-pam
new file mode 100644
index 0000000..e34e611
--- /dev/null
+++ b/modules/ldap/files/wikimedia-labs-pam
@@ -0,0 +1,9 @@
+Name: Wikimedia Labs-specific PAM settings
+Default: yes
+Priority: 200
+Session-Type: Additional
+Session:
+    [success=ok new_authtok_reqd=ok default=ignore] pam_mkhomedir.so umask=0077
+Account-Type: Primary
+Account:
+    [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_access.so
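Review bot: Check where this `pam_access.so` entry lands relative to `pam_unix.so` in the generated common-account. The deleted common-account shows the unix entry as `account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so`, i.e. a successful pam_unix jumps over every later Primary module; pam-auth-update orders Primary entries by Priority, so if the stock unix profile's Priority is above 200 this entry sorts after it and every account pam_unix resolves (root and any other local user) never reaches pam_access, while LDAP users do. If access.conf is meant to apply to everyone, either set Priority above the unix profile's or make this an Additional account entry (the deleted sshd file's `account  required     pam_access.so` had that effect). Separately, the session entry uses `default=ignore`, so a failing pam_mkhomedir no longer aborts the session the way the deleted `session required                        pam_mkhomedir.so umask=0077` did; worth a line in the commit message if that is deliberate.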
diff --git a/modules/ldap/manifests/client/pam.pp 
b/modules/ldap/manifests/client/pam.pp
index b5e9677..8b1bdb9 100644
--- a/modules/ldap/manifests/client/pam.pp
+++ b/modules/ldap/manifests/client/pam.pp
@@ -1,35 +1,30 @@
 class ldap::client::pam($ldapconfig) {
+
     package { 'libpam-ldapd':
-        ensure => latest,
+        ensure => present,
     }
 
-    File {
-        owner => 'root',
-        group => 'root',
-        mode  => '0444',
+    exec { 'pam-auth-update':
+        command     => '/usr/sbin/pam-auth-update --package',
+        refreshonly => true,
+        require     => Package['libpam-ldapd'],
     }
 
-    file { '/etc/pam.d/common-auth':
-            source => 'puppet:///modules/ldap/common-auth',
+    file { '/usr/share/pam-configs/wikimedia-labs-pam':
+        ensure => present,
+        source => 'puppet:///modules/ldap/wikimedia-labs-pam',
+        notify => Exec['pam-auth-update'],
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0444',
     }
 
-    file { '/etc/pam.d/sshd':
-            source => 'puppet:///modules/ldap/sshd',
+    file { '/usr/local/sbin/cleanup-pam-config':
+        ensure => present,
+        source => 'puppet:///modules/ldap/cleanup-pam-config',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0555',
     }
 
-    file { '/etc/pam.d/common-account':
-            source => 'puppet:///modules/ldap/common-account',
-    }
-
-    file { '/etc/pam.d/common-password':
-            source => 'puppet:///modules/ldap/common-password',
-    }
-
-    file { '/etc/pam.d/common-session':
-            source => 'puppet:///modules/ldap/common-session',
-    }
-
-    file { '/etc/pam.d/common-session-noninteractive':
-            source => 'puppet:///modules/ldap/common-session-noninteractive',
-    }
 }
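Review bot: The `ensure => latest` to `ensure => present` change on `libpam-ldapd` is unrelated to the pam-auth-update switch and is not mentioned in the commit message; it stops puppet from pulling package upgrades on every run, so call it out in the message or split it into its own change. Minor: `exec { 'pam-auth-update': ... refreshonly => true }` is only ever notified by the profile file, so puppet does not repair a damaged /etc/pam.d/common-* on its own; that matches the one-off cleanup described in the message, but since nothing in the manifest invokes /usr/local/sbin/cleanup-pam-config, a comment on that file resource saying it is run once via salt would save the next reader a search.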

-- 
To view, visit https://gerrit.wikimedia.org/r/255555
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I1cf70b11c494ed010f14a3734b514dde36f6cf74
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: coren <mpellet...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Chasemp <r...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: coren <mpellet...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
