[gentoo-commits] proj/pambase:master commit in: templates/
commit: f6e52e5b96c20426687bc8041b171c9b788d7910 Author: Sam James gentoo org> AuthorDate: Sun Jan 28 08:14:35 2024 + Commit: Sam James gentoo org> CommitDate: Sun Jan 28 08:14:35 2024 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f6e52e5b system-auth.tpl: fix sssd's pam_deny Closes: https://bugs.gentoo.org/922918 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 4065e89..9a274a4 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -31,7 +31,7 @@ auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }} auth optionalpam_cap.so {% endif %} {% if sssd %} -auth sufficient pam_deny.so +auth requiredpam_deny.so {% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }}
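Review bot: The `auth required pam_deny.so` line inside `{% if sssd %}` is what makes the sssd auth stack fail closed, but nothing in the template says why the control flag matters. PAM ignores a failing `sufficient` module, so the previous form could never deny anything; I would record that next to the line, e.g. `{# terminal deny: must be 'required', a failing 'sufficient' module is ignored #}`. The hunk also shows `pam_cap.so` sitting between the `sufficient pam_sss.so` line (in the `@@` header) and this deny, so it appears to be reached only when pam_sss did not succeed; worth confirming that is intended.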
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: c2060f499d483e11ba4524283c2d95a6a8beb8dc Author: Christopher Byrne gmail com> AuthorDate: Sun Sep 3 16:32:19 2023 + Commit: Sam James gentoo org> CommitDate: Fri Jan 19 05:31:42 2024 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c2060f49 Add sssd support Bug: https://bugs.gentoo.org/726050 Closes: https://github.com/gentoo/pambase/issues/1 Signed-off-by: Christopher Byrne gmail.com> Closes: https://github.com/gentoo/pambase/pull/17 Signed-off-by: Sam James gentoo.org> pambase.py | 7 ++- templates/system-auth.tpl| 38 -- templates/system-session.tpl | 4 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/pambase.py b/pambase.py index 3875e89..ceec8cb 100755 --- a/pambase.py +++ b/pambase.py @@ -19,6 +19,7 @@ def main(): parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') +parser.add_argument('--sssd', action="store_true", help='enable sssd.so module') parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module') parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') @@ -41,7 +42,8 @@ def process_args(args): "unix_authtok", "unix_extended_encryption", "likeauth", -"nullok" +"nullok", +"local_users_only" ] # create a blank dictionary @@ -62,6 +64,9 @@ def process_args(args): if args.krb5: output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip() +if args.sssd: +output["local_users_only"] = "local_users_only" + if args.yescrypt: output["unix_extended_encryption"] = "yescrypt shadow" elif args.sha512: diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 9b078f3..4065e89 100644 
--- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -7,34 +7,55 @@ auth sufficient pam_ssh.so auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if sssd %} +auth [default=1 ignore=ignore success=ok]pam_usertype.so isregular +auth [default=3 ignore=ignore success=ok]pam_localuser.so +{% endif %} + auth requisite pam_faillock.so preauth + {% if homed %} auth[success=2 default=ignore] pam_systemd_home.so {% endif %} + +{% if sssd %} +authsufficientpam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} +{% else %} auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% endif %} auth [default=die] pam_faillock.so authfail - +{% if sssd %} +auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }} +{% endif %} {% if caps %} auth optionalpam_cap.so {% endif %} - +{% if sssd %} +auth sufficient pam_deny.so +{% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} {% if homed %} -account [success=1 default=ignore] pam_systemd_home.so +account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so +{% if sssd %} +accountsufficient pam_localuser.so +accountsufficient pam_usertype.so issystem +account[default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }} +accountrequiredpam_permit.so +{% endif %} {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf {% endif %} {% if pwquality %} -passwordrequiredpam_pwquality.so +passwordrequiredpam_pwquality.so {{ local_users_only|default('', true ) }} {% endif %} {% if pwhistory %} 
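Review bot: The fixed jump counts in the new sssd block, `[default=1 ...] pam_usertype.so isregular` and `[default=3 ...] pam_localuser.so`, do not account for the optional `pam_systemd_home.so` line further down in this hunk. Without `homed`, `default=3` skips faillock preauth, pam_unix and faillock authfail and lands on `pam_sss.so`; with `homed` the same count appears to land on `pam_faillock.so authfail`, whose `[default=die]` would end the stack before pam_sss is tried. The `success={{ 4 if homed else 3 }}` jump on the pam_krb5 line has the mirror problem, because the two sssd lines are now inserted below it without the count changing. I would make the count conditional, e.g. `auth [default={{ 4 if homed else 3 }} ignore=ignore success=ok] pam_localuser.so`, and re-derive the krb5 jump for the sssd case. The non-local path also jumps past `pam_faillock.so preauth`, so lockout is presumably not enforced for sssd users; confirm that is intended.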
@@ -50,9 +71,14 @@ password[success=1 default=ignore] pam_systemd_home.so {% endif %} {% if passwdqc or pwquality %} -password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ unix_authtok|default('', true) }}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: ce3e0c4f0648ce44cb239be043a85468b29c4b13 Author: Michael Jones users noreply github com> AuthorDate: Sat Aug 6 05:41:29 2022 + Commit: Sam James gentoo org> CommitDate: Sat Aug 13 18:28:30 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ce3e0c4f other.tpl: Fix whitespace Closes: https://github.com/gentoo/pambase/pull/14 Signed-off-by: Sam James gentoo.org> templates/other.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/other.tpl b/templates/other.tpl index f3b7198..9544f8e 100644 --- a/templates/other.tpl +++ b/templates/other.tpl @@ -1,4 +1,4 @@ auth requiredpam_deny.so accountrequiredpam_deny.so -password requiredpam_deny.so -sessionrequiredpam_deny.so +password requiredpam_deny.so +sessionrequiredpam_deny.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: f039f4766ce2b7cfc0ddec806805a4144534c99b Author: Michael Jones jonesmz com> AuthorDate: Sat Aug 6 06:06:06 2022 + Commit: Sam James gentoo org> CommitDate: Sat Aug 13 18:28:46 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f039f476 system-login.tpl: Fix whitespace Closes: https://github.com/gentoo/pambase/pull/16 Signed-off-by: Sam James gentoo.org> templates/system-login.tpl | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index b4b74cf..0269296 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -4,11 +4,11 @@ auth include system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so -account requiredpam_time.so +accountrequiredpam_time.so accountinclude system-auth password include system-auth -session optionalpam_loginuid.so +sessionoptionalpam_loginuid.so {% if selinux %} sessionrequiredpam_selinux.so close {% endif %} @@ -32,9 +32,9 @@ session optionalpam_mail.so {% endif %} {% if systemd %} --sessionoptionalpam_systemd.so +-session optionalpam_systemd.so {% endif %} {% if elogind %} --sessionoptionalpam_elogind.so +-session optionalpam_elogind.so {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 2bb5c1846ca7a3222b8ff071d4bc3e63da68d3f1 Author: Michael Jones users noreply github com> AuthorDate: Sat Aug 6 05:40:20 2022 + Commit: Sam James gentoo org> CommitDate: Sat Aug 13 18:28:11 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2bb5c184 login.tpl: Fix unnecessary space character Closes: https://github.com/gentoo/pambase/pull/13 Signed-off-by: Sam James gentoo.org> templates/login.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/login.tpl b/templates/login.tpl index 23e262a..cb85249 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -5,5 +5,5 @@ authrequiredpam_securetty.so auth include system-local-login accountinclude system-local-login password include system-local-login -sessionoptionalpam_lastlog.so {{ debug|default('', true) }} +sessionoptionalpam_lastlog.so {{ debug|default('', true) }} sessioninclude system-local-login
[gentoo-commits] proj/pambase:master commit in: templates/
commit: dacde6da43a9c87f896b842946b514cd49db5dd3 Author: Alexandra Parker gmail com> AuthorDate: Sat Feb 12 21:30:29 2022 + Commit: Sam James gentoo org> CommitDate: Mon Feb 14 16:51:51 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dacde6da homed: add before pam_unix - --homed inserts pam_systemd_home before pam_unix - --homed --krb5 does that and adjusts krb5's jump to 4 modules Signed-off-by: Alexandra Parker gmail.com> Closes: https://bugs.gentoo.org/808993 Closes: https://github.com/gentoo/pambase/pull/9 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 62344ff..9739b6f 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -4,16 +4,14 @@ auth sufficient pam_ssh.so {% endif %} {% if krb5 %} -auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} +auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth {% if homed %} -auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass -auth[success=1 default=ignore] pam_systemd_home.so -{% else %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=2 default=ignore] pam_systemd_home.so {% endif %} +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail {% if caps %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: c3471f99454e8d086e133beaaf28b129fb22fc40 Author: Sam James gentoo org> AuthorDate: Tue Feb 2 15:50:25 2021 + Commit: Sam James gentoo org> CommitDate: Tue Feb 2 15:50:25 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c3471f99 templates/system-auth.tpl: fix try_first_pass typo Closes: https://github.com/gentoo/pambase/issues/6 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 1adee05..62344ff 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -12,7 +12,7 @@ auth requisite pam_faillock.so preauth auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth[success=1 default=ignore] pam_systemd_home.so {% else %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass {% endif %} auth [default=die] pam_faillock.so authfail
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: fbbc2d49c860857b2fe4b2a6cdb967b0867261c9 Author: Mikle KOlyada gentoo org> AuthorDate: Sat Jan 30 19:50:12 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:37:17 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=fbbc2d49 systemd-auth: add systemd-homed support Signed-off-by: Mikle KOlyada gentoo.org> Closes: https://github.com/gentoo/pambase/pull/5 Signed-off-by: Sam James gentoo.org> pambase.py | 1 + templates/system-auth.tpl| 18 -- templates/system-session.tpl | 4 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/pambase.py b/pambase.py index 278d578..c078156 100755 --- a/pambase.py +++ b/pambase.py @@ -14,6 +14,7 @@ def main(): parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') +parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 01a29db..1adee05 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -8,16 +8,26 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth -auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% if homed %} +auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=1 default=ignore] pam_systemd_home.so +{% else %} +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas +{% endif %} auth [default=die] pam_faillock.so authfail {% if caps %} --auth optionalpam_cap.so +auth optionalpam_cap.so {% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} + +{% if homed %} +account [success=1 default=ignore] pam_systemd_home.so +{% endif %} + accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so @@ -37,6 +47,10 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +password[success=1 default=ignore] pam_systemd_home.so +{% endif %} + {% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 2a7024b..536db49 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -8,4 +8,8 @@ session optionalpam_mktemp.so session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +session [success=1 default=ignore] pam_systemd_home.so +{% endif %} + sessionrequiredpam_unix.so {{ debug|default('', true) }}
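Review bot: The `{% else %}` branch of the first system-auth hunk passes `try_first_pas` to pam_unix.so, a misspelling of `try_first_pass`, so without `--homed` the option is presumably not honoured. The same hunk also turns `-auth optional pam_cap.so` into `auth optional pam_cap.so`; dropping the leading `-` changes how a missing pam_cap.so is handled and is not mentioned in the commit message, so if it is intended it deserves its own line there. The branch should end in `{{ debug|default('', true) }} try_first_pass`. The identical hunk in commit 5a545eb1 further down this page has both problems.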
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 93165fa671e7c6fe41a09302f3c00a140dd6ec9b Author: Sam James gentoo org> AuthorDate: Sun Jan 31 21:36:48 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:37:12 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93165fa6 Revert "systemd-auth: add systemd-homed support" This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f. Auto-merged on a reverted commit. Signed-off-by: Sam James gentoo.org> pambase.py | 1 - templates/system-auth.tpl| 18 ++ templates/system-session.tpl | 4 3 files changed, 2 insertions(+), 21 deletions(-) diff --git a/pambase.py b/pambase.py index c078156..278d578 100755 --- a/pambase.py +++ b/pambase.py @@ -14,7 +14,6 @@ def main(): parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') -parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 1adee05..01a29db 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -8,26 +8,16 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth -{% if homed %} -auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass -auth[success=1 default=ignore] pam_systemd_home.so -{% else %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas -{% endif %} +auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail {% if caps %} -auth optionalpam_cap.so +-auth optionalpam_cap.so {% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} - -{% if homed %} -account [success=1 default=ignore] pam_systemd_home.so -{% endif %} - accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so @@ -47,10 +37,6 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -{% if homed %} -password[success=1 default=ignore] pam_systemd_home.so -{% endif %} - {% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 536db49..2a7024b 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -8,8 +8,4 @@ session optionalpam_mktemp.so session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -{% if homed %} -session [success=1 default=ignore] pam_systemd_home.so -{% endif %} - sessionrequiredpam_unix.so {{ debug|default('', true) }}
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 2c873cb38ef20d7eb83b5e4aee723c34d64bde3d Author: Sam James gentoo org> AuthorDate: Sun Jan 31 21:36:41 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:37:04 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2c873cb3 Revert "Add systemd-homed support" This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a. Unintentionally had this staged still. Signed-off-by: Sam James gentoo.org> pambase.py | 1 - templates/system-auth.tpl| 6 -- templates/system-session.tpl | 4 3 files changed, 11 deletions(-) diff --git a/pambase.py b/pambase.py index b306ca4..c078156 100755 --- a/pambase.py +++ b/pambase.py @@ -9,7 +9,6 @@ def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module') -parser.add_argument('--homed', action="store_true", help='enable pam_systemd_homed.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 174aacf..1adee05 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -2,9 +2,6 @@ authrequiredpam_env.so {{ debug|default('', true) }} {% if pam_ssh %} auth sufficient pam_ssh.so {% endif %} -{% if homed %} --auth sufficient pam_systemd_home.so -{% endif %} {% if krb5 %} auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} 
@@ -23,9 +20,6 @@ auth [default=die] pam_faillock.so authfail auth optionalpam_cap.so {% endif %} -{% if homed %} --account sufficient pam_systemd_home.so -{% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 48653d4..536db49 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -4,10 +4,6 @@ sessionrequiredpam_env.so {{ debug|default('', true) }} sessionoptionalpam_mktemp.so {% endif %} -{% if homed %} --session optionalpam_systemd_home.so -{% endif %} - {%if krb5 %} session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 5a545eb14a1220af1ba8031f3669471e77edbc2f Author: Mikle KOlyada gentoo org> AuthorDate: Sat Jan 30 19:50:12 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:36:01 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=5a545eb1 systemd-auth: add systemd-homed support Signed-off-by: Mikle KOlyada gentoo.org> Closes: https://github.com/gentoo/pambase/pull/5 Signed-off-by: Sam James gentoo.org> pambase.py | 1 + templates/system-auth.tpl| 18 -- templates/system-session.tpl | 4 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/pambase.py b/pambase.py index eb3d4fe..b306ca4 100755 --- a/pambase.py +++ b/pambase.py @@ -15,6 +15,7 @@ def main(): parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') +parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 53557dc..174aacf 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -11,11 +11,16 @@ auth[success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth -auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% if homed %} +auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=1 default=ignore] pam_systemd_home.so +{% else %} +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas +{% endif %} auth [default=die] pam_faillock.so authfail {% if caps %} --auth optionalpam_cap.so +auth optionalpam_cap.so {% endif %} {% if homed %} @@ -24,6 +29,11 @@ auth [default=die] pam_faillock.so authfail {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} + +{% if homed %} +account [success=1 default=ignore] pam_systemd_home.so +{% endif %} + accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so @@ -43,6 +53,10 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +password[success=1 default=ignore] pam_systemd_home.so +{% endif %} + {% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 3dd1d70..48653d4 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -12,4 +12,8 @@ session optionalpam_mktemp.so session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +session [success=1 default=ignore] pam_systemd_home.so +{% endif %} + sessionrequiredpam_unix.so {{ debug|default('', true) }}
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 639b45ccb986de7314372a4a841e6f04c536c49a Author: Sam James gentoo org> AuthorDate: Fri Jan 29 03:46:42 2021 + Commit: Sam James gentoo org> CommitDate: Fri Jan 29 03:46:42 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=639b45cc Add systemd-homed support Bug: https://bugs.gentoo.org/767784 Signed-off-by: Sam James gentoo.org> pambase.py | 1 + templates/system-auth.tpl| 6 ++ templates/system-session.tpl | 4 3 files changed, 11 insertions(+) diff --git a/pambase.py b/pambase.py index 278d578..eb3d4fe 100755 --- a/pambase.py +++ b/pambase.py @@ -9,6 +9,7 @@ def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module') +parser.add_argument('--homed', action="store_true", help='enable pam_systemd_homed.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 01a29db..53557dc 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -2,6 +2,9 @@ authrequiredpam_env.so {{ debug|default('', true) }} {% if pam_ssh %} auth sufficient pam_ssh.so {% endif %} +{% if homed %} +-auth sufficient pam_systemd_home.so +{% endif %} {% if krb5 %} auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} @@ -15,6 +18,9 @@ auth [default=die] pam_faillock.so authfail -auth optionalpam_cap.so {% endif %} +{% if homed %} +-account sufficient pam_systemd_home.so +{% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} 
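Review bot: `-auth sufficient pam_systemd_home.so` is inserted ahead of the pam_krb5 line and therefore, going by the other hunks on this page, ahead of `pam_faillock.so preauth`, so a successful pam_systemd_home authentication appears to return from the stack before the lockout check is consulted. The `-account sufficient pam_systemd_home.so` line added in the second hunk likewise returns before the `account required` pam_unix.so and pam_faillock.so lines that follow the krb5 block. If homed users are meant to be subject to faillock and the pam_unix account checks, the module needs to sit after the preauth line and use a jump such as `[success=2 default=ignore]` rather than `sufficient`.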
diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 2a7024b..3dd1d70 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -4,6 +4,10 @@ sessionrequiredpam_env.so {{ debug|default('', true) }} sessionoptionalpam_mktemp.so {% endif %} +{% if homed %} +-session optionalpam_systemd_home.so +{% endif %} + {%if krb5 %} session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: ee4f6b1a6b402ebdf3c5763d934f1aaa6b32e633 Author: Mikle KOlyada gentoo org> AuthorDate: Sun Dec 20 17:52:38 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Dec 20 17:52:38 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ee4f6b1a system-login: add pam_time.so Signed-off-by: Mikle KOlyada gentoo.org> templates/system-login.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 0c60bb6..b4b74cf 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -4,6 +4,7 @@ authinclude system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so +account requiredpam_time.so accountinclude system-auth password include system-auth
[gentoo-commits] proj/pambase:master commit in: templates/
commit: b725e39af14b57b69a256818bc1c98f98122c6a1 Author: Mikle KOlyada gentoo org> AuthorDate: Sat Dec 19 22:30:15 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sat Dec 19 22:30:15 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b725e39a strip pam_permit.so from system-auth Signed-off-by: Mikle KOlyada gentoo.org> templates/system-auth.tpl| 4 templates/system-session.tpl | 2 -- 2 files changed, 6 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 19e08fa..01a29db 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -10,7 +10,6 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} auth requisite pam_faillock.so preauth auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail -auth optionalpam_permit.so {% if caps %} -auth optionalpam_cap.so @@ -21,7 +20,6 @@ account [success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so -account optionalpam_permit.so {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf @@ -45,8 +43,6 @@ password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) } passwordrequiredpam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% endif %} -password optionalpam_permit.so - {% if pam_ssh %} sessionoptionalpam_ssh.so {% endif %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index ce3afa5..2a7024b 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -9,5 +9,3 @@ session [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} sessionrequiredpam_unix.so {{ debug|default('', true) }} - -sessionoptionalpam_permit.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 3f36e2c3de28b3cde25a27d05e49d354e098c368 Author: Sam James gentoo org> AuthorDate: Tue Nov 3 07:19:16 2020 + Commit: Sam James gentoo org> CommitDate: Tue Nov 3 07:19:16 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3f36e2c3 templates/system-auth.tpl: shift cap to be with other auth Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 4ff78e4..19e08fa 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -12,6 +12,10 @@ auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ d auth [default=die] pam_faillock.so authfail auth optionalpam_permit.so +{% if caps %} +-auth optionalpam_cap.so +{% endif %} + {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} @@ -47,8 +51,4 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so {% endif %} -{% if caps %} --auth optionalpam_cap.so -{% endif %} - {% include "templates/system-session.tpl" %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: daeb59effa26ace52bf699229a1bc22afe8808fd Author: Sam James gentoo org> AuthorDate: Mon Nov 2 23:38:12 2020 + Commit: Sam James gentoo org> CommitDate: Mon Nov 2 23:39:38 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=daeb59ef templates/system-auth.tpl: fix pam_cap realm This fixes the pam_cap realm which can only be auth. This is a regression from old pre-rewrite pambase. It was however exposed by the fixing of an incorrect module name (pam_libcap -> pam_cap) not long ago. Bug: https://bugs.gentoo.org/751946 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 6964e05..2f2fe76 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -48,7 +48,7 @@ session optionalpam_ssh.so {% endif %} {% if libcap %} --sessionoptionalpam_cap.so +-auth optionalpam_cap.so {% endif %} {% include "templates/system-session.tpl" %}
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 94a9b5f76fc8fa1a3c6c34c5baa3fb25825e1dc2 Author: Sam James gentoo org> AuthorDate: Mon Nov 2 23:40:50 2020 + Commit: Sam James gentoo org> CommitDate: Mon Nov 2 23:40:50 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=94a9b5f7 pambase.py: rename --libcap -> --caps Signed-off-by: Sam James gentoo.org> pambase.py| 2 +- templates/system-auth.tpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pambase.py b/pambase.py index de5dddb..278d578 100755 --- a/pambase.py +++ b/pambase.py @@ -8,7 +8,7 @@ import pathlib def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') -parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') +parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 2f2fe76..4ff78e4 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -47,7 +47,7 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so {% endif %} -{% if libcap %} +{% if caps %} -auth optionalpam_cap.so {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: de5f97873c345b69c44df5a9d06fcd69ee6c5ccf Author: Mikle Kolyada gentoo org> AuthorDate: Wed Oct 28 19:24:04 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Oct 28 19:24:04 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=de5f9787 fix number of jumps when pam_krb5 used Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 2 +- templates/system-login.tpl | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 6edba8d..6964e05 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -4,7 +4,7 @@ authsufficient pam_ssh.so {% endif %} {% if krb5 %} -auth [success=4 default=ignore] pam_krb5.so {{ krb5_params }} +auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 6a0d544..0c60bb6 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -5,7 +5,6 @@ authinclude system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth -account requiredpam_faillock.so password include system-auth session optionalpam_loginuid.so
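Review bot: The jump count in `[success=3 default=ignore]` on the auth pam_krb5 line depends on how many auth lines follow it, and nothing in the template records which line the jump is meant to land on. I would add a template comment directly above it, for example `{# success=N must land on the auth pam_permit line; recount whenever an auth module is added or removed below #}`. The account and password pam_krb5 lines in this file appear to carry the same coupling and would benefit from the same comment.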
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 74b99b4462138ed6b496725b2499fb5d17ad9371 Author: Mikle Kolyada gentoo org> AuthorDate: Wed Oct 28 16:07:21 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Oct 28 16:13:35 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=74b99b44 Do not use use_authtok if no passwd module was stacked Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 5 + 1 file changed, 5 insertions(+) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 2ffd7ea..6edba8d 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -35,7 +35,12 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +{% else %} +passwordrequiredpam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +{% endif %} + password optionalpam_permit.so {% if pam_ssh %}
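Review bot: The new condition `{% if passwdqc or pwquality %}` leaves out `pwhistory`, whose line (visible in the hunk header) still passes `use_authtok` unconditionally. With only pwhistory enabled, that required module has no earlier password module to take the new token from, which is the same situation this commit fixes for pam_unix, so I would expect password changes to fail there; worth testing. One way to close it is to emit `use_authtok` on the pwhistory line only under the same condition and to widen the pam_unix condition to `passwdqc or pwquality or pwhistory`. The pwhistory line itself comes from the 46e6f29b hunk further down the page.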
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 99919c4b2b59af27e7ad1daa6fbe8c614a8463c0 Author: Sam James gentoo org> AuthorDate: Mon Oct 26 08:32:29 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 26 22:48:06 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=99919c4b templates/system-auth.tpl: skip pam_unix with krb5 Before this change, success on pam_krb5 would result in jumping one line (over pam_permit) back into pam_unix. Incidentally, we did the later stanza correctly. This was a regression from old pambase. Bug: https://bugs.gentoo.org/748405 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 8b61701..668303f 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -4,20 +4,20 @@ auth sufficient pam_ssh.so {% endif %} {% if krb5 %} -auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} +auth [success=4 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -auth optionalpam_permit.so auth requisite pam_faillock.so preauth auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail +auth optionalpam_permit.so {% if krb5 %} -account[success=1 default=ignore] pam_krb5.so {{ krb5_params }} +account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} -accountoptionalpam_permit.so account requiredpam_faillock.so +account optionalpam_permit.so {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf
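Review bot: `[success=4 default=ignore]` on the auth pam_krb5 line skips one module more than the account stack's equivalent: four auth modules follow it in this hunk (faillock preauth, pam_unix, faillock authfail, pam_permit), so the jump passes pam_permit too, while the account line's `success=2` lands on its pam_permit. If landing on pam_permit is the intent in both stacks, the auth line should read `auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}`. With this layout a successful Kerberos login also bypasses `pam_faillock.so preauth`, so a faillock lockout does not gate it; worth confirming that is intended.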
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 473b931a56c9387cc6a1e1eddef2260fc9f3896f Author: Sam James gentoo org> AuthorDate: Mon Oct 26 08:33:23 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 26 21:14:00 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=473b931a templates/system-login.tpl: always need faillock Fixes: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 -- templates/system-login.tpl | 2 -- 2 files changed, 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index faf18ee..8b61701 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -17,9 +17,7 @@ account [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} accountoptionalpam_permit.so -{% if not minimal %} account requiredpam_faillock.so -{% endif %} {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 889c2d7..6a0d544 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -5,9 +5,7 @@ authinclude system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth -{% if not minimal %} account requiredpam_faillock.so -{% endif %} password include system-auth session optionalpam_loginuid.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 47a7d6f7477ac279b271babd970d2b4b6839fdb5 Author: Sam James gentoo org> AuthorDate: Mon Oct 26 21:15:18 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 26 22:48:39 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=47a7d6f7 templates/system-auth.tpl: fix libcap module name Bug: https://bugs.gentoo.org/750524 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 668303f..2ffd7ea 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -43,7 +43,7 @@ session optionalpam_ssh.so {% endif %} {% if libcap %} --sessionoptionalpam_libcap.so +-sessionoptionalpam_cap.so {% endif %} {% include "templates/system-session.tpl" %}
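Review bot: The corrected line still places pam_cap in the `session` stack, but pam_cap is an auth-type module and provides no session hooks. While the name was wrong, the leading `-` made the missing module a silent no-op; now that the name resolves, the module is loaded for a type it does not implement, which presumably yields a logged error and no capabilities being set. The line should move to the auth realm in the same change: `-auth optional pam_cap.so`.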
[gentoo-commits] proj/pambase:master commit in: templates/
commit: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c Author: Sam James gentoo org> AuthorDate: Tue Oct 20 02:32:28 2020 + Commit: Sam James gentoo org> CommitDate: Tue Oct 20 02:38:20 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=eb138196 templates/system-auth.tpl: use faillock in minimal case Bug: https://bugs.gentoo.org/748405 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index bc28468..faf18ee 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -7,13 +7,10 @@ auth sufficient pam_ssh.so auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so -{% if not minimal %} -auth requiredpam_faillock.so preauth -auth sufficient pam_unix.so nullok try_first_pass +auth requisite pam_faillock.so preauth +auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail -{% endif %} {% if krb5 %} account[success=1 default=ignore] pam_krb5.so {{ krb5_params }}
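Review bot: Removing `auth required pam_unix.so …` from between the pam_krb5 line and `auth optional pam_permit.so` changes what the unchanged `[success=1 default=ignore] pam_krb5.so` line skips. It used to jump over pam_unix; it now jumps over pam_permit and falls into `pam_faillock.so preauth` and the new pam_unix line, so a user who has already passed Kerberos is sent through the local password check and, on failure there, into `[default=die]`. The krb5 jump count and the position of pam_permit need to change together with this edit, for example by moving `auth optional pam_permit.so` below the authfail line and raising the count so the jump lands on it.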
[gentoo-commits] proj/pambase:master commit in: templates/
commit: e0835e729bcf04f501d4610cf3925ec41b37c5f5 Author: Sam James gentoo org> AuthorDate: Mon Oct 12 17:30:18 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 17:30:18 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e0835e72 templates/system-auth.tpl: drop superfluous conf param on faillock pam_faillock defaults to /etc/security/faillock.conf anyway. Closes: https://bugs.gentoo.org/747967 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 557da9b..bc28468 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -10,7 +10,7 @@ auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so {% if not minimal %} -auth requiredpam_faillock.so preauth conf=/etc/security/faillock.conf +auth requiredpam_faillock.so preauth auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: abca630446236ddf83c7686ca8742b305bf8a050 Author: Sam James gentoo org> AuthorDate: Mon Oct 12 15:30:28 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 15:30:28 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=abca6304 templates/system-login.tpl: remove duplicate block already in system-auth Do it right this time! Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 5 + templates/system-login.tpl | 6 -- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 11319d6..557da9b 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -9,6 +9,11 @@ auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so +{% if not minimal %} +auth requiredpam_faillock.so preauth conf=/etc/security/faillock.conf +auth sufficient pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail +{% endif %} {% if krb5 %} account[success=1 default=ignore] pam_krb5.so {{ krb5_params }} diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 25843f5..889c2d7 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -2,12 +2,6 @@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth -{% if not minimal %} -authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf -authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail -{% endif %} - accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth
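Review bot: The added `auth sufficient pam_unix.so nullok try_first_pass` hard-codes `nullok`, while the `auth required pam_unix.so` context line above takes it from `{{ nullok|default('', true) }}`, so this module call permits empty passwords regardless of the `--nullok` switch. I would write it as `auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass`, which also keeps the two pam_unix calls in the stack consistent. The same literal appears in the system-login.tpl lines of the b54edff3 hunk further down the page.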
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 949722adbb7187b68f392164865a964610221604 Author: Sam James gentoo org> AuthorDate: Sun Oct 11 20:48:41 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 14:32:12 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=949722ad templates/system-session.tpl: include pam_krb5.so module name Signed-off-by: Sam James gentoo.org> templates/system-session.tpl | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 1538429..ce3afa5 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -5,12 +5,9 @@ sessionoptionalpam_mktemp.so {% endif %} {%if krb5 %} -session[success=1 default=ignore] {{ krb5_params }} +session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} sessionrequiredpam_unix.so {{ debug|default('', true) }} -{%if krb5 %} -session [success=1 default=ignore] {{ krb5_params }} -{% endif %} sessionoptionalpam_permit.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 37a3f41da6fa3136c46c9d76a18ad36f4f680303 Author: Sam James gentoo org> AuthorDate: Sun Oct 11 20:57:19 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 14:32:12 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=37a3f41d templates/system-login.tpl: move systemd, elogind blocks here Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 templates/system-login.tpl | 8 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 46fc131..f8484f1 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -47,14 +47,6 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so {% endif %} -{% if systemd %} --sessionoptionalpam_systemd.so -{% endif %} - -{% if elogind %} --sessionoptionalpam_elogind.so -{% endif %} - {% if libcap %} -sessionoptionalpam_libcap.so {% endif %} diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 99801a1..889c2d7 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -32,3 +32,11 @@ session optionalpam_motd.so motd=/etc/motd {% if not minimal %} sessionoptionalpam_mail.so {% endif %} + +{% if systemd %} +-sessionoptionalpam_systemd.so +{% endif %} + +{% if elogind %} +-sessionoptionalpam_elogind.so +{% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: da499cca70c5e77c851c5f75440df188fe2eeabe Author: Sam James gentoo org> AuthorDate: Sun Oct 11 20:55:39 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 14:32:12 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=da499cca templates/system-login.tpl: remove duplicate block from system-auth Bug: https://bugs.gentoo.org/747868 Signed-off-by: Sam James gentoo.org> templates/system-login.tpl | 5 - 1 file changed, 5 deletions(-) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index d51481b..99801a1 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -1,11 +1,6 @@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth -{% if not minimal %} -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 -authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -{% endif %} accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: b54edff3a6724bba19fd803042909cc448d169fd Author: Mikle Kolyada gentoo org> AuthorDate: Sat Oct 10 15:35:39 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sat Oct 10 15:37:14 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b54edff3 switch pam_faillock.so to its config file Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 4 ++-- templates/system-login.tpl | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 46fc131..1bb53ae 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -10,9 +10,9 @@ auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so {% if not minimal %} -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf authsufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +auth[default=die] pam_faillock.so authfail {% endif %} {% if krb5 %} diff --git a/templates/system-login.tpl b/templates/system-login.tpl index d51481b..bb4f093 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -2,9 +2,9 @@ authrequiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth {% if not minimal %} -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +auth[default=die] pam_faillock.so authfail {% endif %} accountrequiredpam_access.so {{ debug|default('', true) }}
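Review bot: Moving the faillock options out of the template drops `silent` and `audit` as well as the explicit `deny=3 unlock_time=600` from both the preauth and authfail lines, and the commit changes only the two templates, so the effective lockout policy now rests on whatever /etc/security/faillock.conf contains on the target system. Without `silent` the preauth call may tell the user that the account is locked, and without `audit` unknown user names are presumably no longer logged; both should be confirmed as set in the shipped faillock.conf. Also, only the preauth line passes `conf=`; giving authfail the same argument (or neither) would make it obvious that both calls read the same file.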
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 46e6f29b1f9b7edd9541382fddd9b0837900e649 Author: Mikle Kolyada gentoo org> AuthorDate: Sun Sep 13 09:59:15 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Sep 13 10:00:50 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=46e6f29b system-auth: introduce pam_pwhistory Signed-off-by: Mikle Kolyada gentoo.org> pambase.py| 1 + templates/system-auth.tpl | 4 2 files changed, 5 insertions(+) diff --git a/pambase.py b/pambase.py index 83ee97c..de5dddb 100755 --- a/pambase.py +++ b/pambase.py @@ -10,6 +10,7 @@ def main(): parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') +parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 0381e66..46fc131 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -32,6 +32,10 @@ password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf passwordrequiredpam_pwquality.so {% endif %} +{% if pwhistory %} +passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 +{% endif %} + {% if krb5 %} password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 1b7c7f7678a6402a0b0aec80b3883fd98516be4e Author: Mikle Kolyada gentoo org> AuthorDate: Wed Sep 9 16:32:10 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Sep 9 16:32:10 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1b7c7f76 system-auth: switch password modules to configs * pam_passwdqc.so can by managed by the /etc/security/passwdqc.conf * pam_pwquality.so can be managed by the /etc/security/pwquality.conf Both allow users to create their own password polices without touching files in the /etc/pam.d directory Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 69cc472..0381e66 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -25,11 +25,11 @@ account requiredpam_faillock.so {% endif %} {% if passwdqc %} -password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 +password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf {% endif %} {% if pwquality %} -passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root +passwordrequiredpam_pwquality.so {% endif %} {% if krb5 %}
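Review bot: The `pam_pwquality.so` line now carries no arguments, so `enforce_for_root` and `retry=3` from the removed line apply only if /etc/security/pwquality.conf sets them, and this commit does not touch that file. Dropping `enforce_for_root` from the stack is the change I would check first, since without it root's password changes are not held to the policy. For `pam_passwdqc.so config=/etc/security/passwdqc.conf`, confirm that the package installs that file; I would expect the module to fail, and as `required` to block password changes, if it is missing.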
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: ed4f15348fa950b02016154790bb6d180cccf5f9 Author: Mikle Kolyada gentoo org> AuthorDate: Mon Aug 17 07:30:39 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Mon Aug 17 07:30:39 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ed4f1534 make pam_gnome_keyring optional Signed-off-by: Mikle Kolyada gentoo.org> pambase.py | 143 ++- templates/passwd.tpl | 5 +- 2 files changed, 76 insertions(+), 72 deletions(-) diff --git a/pambase.py b/pambase.py index 07e458d..83ee97c 100755 --- a/pambase.py +++ b/pambase.py 
@@ -6,96 +6,97 @@ import pathlib def main(): - parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') - parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') - parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') - parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') - parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') - parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') - parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') - parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') - parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') - parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') - parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') - parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') - parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack') - parser.add_argument('--debug', action="store_true", help='enable debug for selected modules') - parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module') - - parsed_args = parser.parse_args() - processed = process_args(parsed_args) - - parse_templates(processed) +parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') +parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') +parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') +parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') +parser.add_argument('--pwquality', action="store_true", 
help='enable pam_pwquality.so module') +parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') +parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') +parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') +parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') +parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') +parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') +parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') +parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') +parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack') +parser.add_argument('--debug', action="store_true", help='enable debug for selected modules') +parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module') + +parsed_args = parser.parse_args() +processed = process_args(parsed_args) + +parse_templates(processed) def process_args(args): - # make sure that output directory exists - pathlib.Path("stack").mkdir(parents=True, exist_ok=True) +# make sure that output directory exists +pathlib.Path("stack").mkdir(parents=True, exist_ok=True) - blank_variables = [ - "krb5_authtok", - "unix_authtok", - "unix_extended_encryption", - "likeauth", - "nullok" - ] +blank_variables = [ +"krb5_authtok", +"unix_authtok", +"unix_extended_encryption", +"likeauth", +"nullok" +] - # create a blank dictionary - # then add in our parsed args - output = dict.fromkeys(blank_variables, "") - output.update(vars(args)) +# create a blank dictionary +# then add in our parsed args +output = dict.fromkeys(blank_variables, "") +output.update(vars(args)) - # unconditional variables -
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 1e2706575348150992737c5415df36f6517b20fe Author: Mikle Kolyada gentoo org> AuthorDate: Sat Aug 15 08:44:57 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sat Aug 15 08:50:19 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1e270657 Add pam_pwquality.so support Signed-off-by: Mikle Kolyada gentoo.org> pambase.py| 1 + templates/system-auth.tpl | 4 2 files changed, 5 insertions(+) diff --git a/pambase.py b/pambase.py index d021b81..07e458d 100755 --- a/pambase.py +++ b/pambase.py @@ -9,6 +9,7 @@ def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') + parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 298e45c..69cc472 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -28,6 +28,10 @@ account requiredpam_faillock.so password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 {% endif %} +{% if pwquality %} +passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root +{% endif %} + {% if krb5 %} password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
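Review bot: `lcredit=2 ucredit=2 dcredit=2 ocredit=2` on the added pam_pwquality line are positive values, which pam_pwquality treats as length credits rather than as required character counts, so combined with `minlen=8` they allow a mixed-class password to be shorter than eight characters instead of demanding more of it. If the intent is to require characters from each class, the values need to be negative, e.g. `lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1`; if the intent is a plain eight-character minimum, set them to 0. Note also that this line has no `use_authtok`, so enabling it together with passwdqc would presumably prompt for the new password twice.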
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: ca96d2bc6bbcf860d12b9d610509c155029fe3cc Author: Sam James gentoo org> AuthorDate: Thu Aug 6 22:46:40 2020 + Commit: Sam James gentoo org> CommitDate: Thu Aug 6 22:46:40 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ca96d2bc pambase.py: rename system-service -> system-services Some of e.g. OpenRC's installed pam files assume 'system-services': ./supervise-daemon:2:session include system-services ./start-stop-daemon:2:session include system-services Signed-off-by: Sam James gentoo.org> pambase.py| 2 +- templates/{system-service.tpl => system-services.tpl} | 0 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/pambase.py b/pambase.py index 8f04870..d021b81 100755 --- a/pambase.py +++ b/pambase.py @@ -78,7 +78,7 @@ def parse_templates(processed_args): "su", "system-auth", "system-login", - "system-service" + "system-services" ] for template_name in templates: diff --git a/templates/system-service.tpl b/templates/system-services.tpl similarity index 100% rename from templates/system-service.tpl rename to templates/system-services.tpl
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 4e5e41c2e5607a298f30f679aa7ba8c4994033e3 Author: Sam James gentoo org> AuthorDate: Wed Aug 5 06:10:02 2020 + Commit: Sam James gentoo org> CommitDate: Wed Aug 5 06:10:16 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=4e5e41c2 templates/*: remove unnecessary strips Now obsolete as of 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c. Signed-off-by: Sam James gentoo.org> templates/login.tpl | 4 ++-- templates/system-auth.tpl| 44 ++-- templates/system-login.tpl | 28 ++-- templates/system-session.tpl | 12 ++-- 4 files changed, 44 insertions(+), 44 deletions(-) diff --git a/templates/login.tpl b/templates/login.tpl index 7476cb7..23e262a 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -1,6 +1,6 @@ -{% if securetty -%} +{% if securetty %} auth requiredpam_securetty.so -{% endif -%} +{% endif %} auth include system-local-login accountinclude system-local-login diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index e8a6d91..298e45c 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -1,54 +1,54 @@ auth requiredpam_env.so {{ debug|default('', true) }} -{% if pam_ssh -%} +{% if pam_ssh %} auth sufficient pam_ssh.so -{% endif -%} +{% endif %} -{% if krb5 -%} +{% if krb5 %} auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} -{% endif -%} +{% endif %} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so -{% if not minimal -%} +{% if not minimal %} authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 authsufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -{% endif -%} +{% endif %} -{% if krb5 -%} +{% if krb5 %} account[success=1 default=ignore] pam_krb5.so {{ krb5_params }} -{% endif -%} +{% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} accountoptionalpam_permit.so -{% if not minimal -%} +{% if not minimal %} account requiredpam_faillock.so -{% endif -%} +{% endif %} -{% if passwdqc -%} +{% if passwdqc %} password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 -{% endif -%} +{% endif %} -{% if krb5 -%} +{% if krb5 %} password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} -{% endif -%} +{% endif %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} password optionalpam_permit.so -{%- if pam_ssh %} +{% if pam_ssh %} sessionoptionalpam_ssh.so -{% endif -%} +{% endif %} -{% if systemd -%} +{% if systemd %} -sessionoptionalpam_systemd.so -{% endif -%} +{% endif %} -{% if elogind -%} +{% if elogind %} -sessionoptionalpam_elogind.so -{% endif -%} +{% endif %} -{% if libcap -%} +{% if libcap %} -sessionoptionalpam_libcap.so -{% endif -%} +{% endif %} {% include "templates/system-session.tpl" %} 
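Review bot: In the auth section of the new template, `pam_faillock.so preauth` sits inside the `{% if not minimal %}` block that follows the unconditional `auth required pam_unix.so` line. The password is therefore evaluated before the lockout state is consulted, and `pam_unix.so` runs a second time inside the block. The usual pam_faillock layout puts preauth ahead of the password module and authfail directly after it, so for the non-minimal case I would restructure the section so that a single `pam_unix.so` check sits between the two faillock calls. This commit only changes Jinja whitespace control, so the ordering predates it and could be tracked separately. A template comment such as `{# faillock: preauth before pam_unix, authfail after it #}` would record the intended order.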
diff --git a/templates/system-login.tpl b/templates/system-login.tpl index d8df530..d51481b 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -1,39 +1,39 @@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth -{% if not minimal -%} +{% if not minimal %} authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 authsufficient pam_unix.so nullok try_first_pass auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -{% endif -%} +{% endif %} accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth -{% if not minimal -%} +{% if not minimal %} account requiredpam_faillock.so -{% endif -%} +{% endif %} password include system-auth session optionalpam_loginuid.so -{% if selinux -%} +{% if selinux %} sessionrequiredpam_selinux.so close -{% endif -%} +{% endif %} sessionrequiredpam_env.so envfile=/etc/profile.env {{ debug|default('', true) }} -{% if not minimal -%} +{% if not minimal %} sessionoptionalpam_lastlog.so silent {{
[gentoo-commits] proj/pambase:master commit in: templates/
commit: acd1f9046c8d79ba5e232043131f6c9842d357e7 Author: Mikle Kolyada gentoo org> AuthorDate: Tue Aug 4 13:35:41 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Aug 4 13:35:41 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=acd1f904 fix pam_ssh formatting Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 13f5c0d..e8a6d91 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -35,7 +35,7 @@ password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} password optionalpam_permit.so -{%- if pam_ssh -%} +{%- if pam_ssh %} sessionoptionalpam_ssh.so {% endif -%}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 7f7b677eca0487d304e114714890feadae06b9a2 Author: Mikle Kolyada gentoo org> AuthorDate: Tue Aug 4 12:41:04 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Aug 4 12:41:04 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7f7b677e fix a typo in logic Signed-off-by: Mikle Kolyada gentoo.org> templates/system-login.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 2f404bc..d8df530 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -21,7 +21,7 @@ session requiredpam_selinux.so close {% endif -%} sessionrequiredpam_env.so envfile=/etc/profile.env {{ debug|default('', true) }} -{% if not miniaml -%} +{% if not minimal -%} sessionoptionalpam_lastlog.so silent {{ debug|default('', true) }} {% endif -%} sessioninclude system-auth
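Review bot: The misspelled `miniaml` rendered without any error, which suggests the Jinja environment in pambase.py uses the default undefined type, so `not miniaml` was simply true and the `pam_lastlog.so` line was emitted even when minimal was requested. The rename fixes this one line, but the same kind of typo in a condition guarding `pam_faillock.so` or `pam_securetty.so` would silently change the generated authentication stack. Consider creating the environment with `undefined=jinja2.StrictUndefined`, provided every flag is always present in the dictionary passed to the templates (the `default('', true)` filters already tolerate missing values); pambase.py is not part of this hunk, so that needs checking there.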
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c Author: Mikle Kolyada gentoo org> AuthorDate: Tue Aug 4 11:20:43 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Aug 4 11:20:43 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4 New pambase era pambase was simplified and rewritten in python Signed-off-by: Mikle Kolyada gentoo.org> .gitignore | 12 +-- LICENSE| 23 ++ Makefile | 96 -- README | 8 -- basic-conf | 52 linux-pam-conf | 26 -- login.in | 10 --- other.in | 4 - pambase.py | 95 + su.in | 11 --- system-auth.in | 57 - system-login.in| 58 - system-session.inc | 25 -- templates/login.tpl| 9 ++ templates/other.tpl| 4 + passwd.in => templates/passwd.tpl | 4 +- templates/su.tpl | 8 ++ templates/system-auth.tpl | 54 .../system-local-login.tpl | 0 templates/system-login.tpl | 39 + .../system-remote-login.tpl| 0 system-services.in => templates/system-service.tpl | 6 +- templates/system-session.tpl | 16 23 files changed, 252 insertions(+), 365 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@ -# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work -# properly. -CPP=cpp - -# The pam.d file to create -PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other - -# command for git (the DVCS); set this to "true" to ignore GIT support -# (i.e.: in the ebuild) -GIT=git - -PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION) - -ifeq "$(PASSWDQC)" "yes" -PAMFLAGS += -DHAVE_PASSWDQC=1 -endif - -ifeq "$(CONSOLEKIT)" "yes" -PAMFLAGS += -DHAVE_CONSOLEKIT=1 -endif - -ifeq "$(SYSTEMD)" "yes" -PAMFLAGS += -DHAVE_SYSTEMD=1 -endif - -ifeq "$(ELOGIND)" "yes" -PAMFLAGS += -DHAVE_ELOGIND=1 -endif - -ifeq "$(GNOME_KEYRING)" "yes" -PAMFLAGS += -DHAVE_GNOME_KEYRING=1 -endif - -ifeq "$(SECURETTY)" "yes" -PAMFLAGS += -DHAVE_SECURETTY=1 -endif - -ifeq "$(SELINUX)" "yes" -PAMFLAGS += -DHAVE_SELINUX=1 -endif - -ifeq "$(MKTEMP)" "yes" -PAMFLAGS += -DHAVE_MKTEMP=1 -endif - -ifeq "$(PAM_SSH)" "yes" -PAMFLAGS += -DHAVE_PAM_SSH=1 -endif - -ifeq "$(KRB5)" "yes" -PAMFLAGS += -DHAVE_KRB5=1 -endif - -ifeq "$(NULLOK)" "yes" -PAMFLAGS += -DWANT_NULLOK=1 -endif - -ifeq "$(SHA512)" "yes" -PAMFLAGS += -DWANT_SHA512=1 -endif - -ifeq "$(DEBUG)" "yes" -PAMFLAGS += -DDEBUG=debug -endif - -ifeq "$(MINIMAL)" "yes" -PAMFLAGS += -DMINIMAL -endif - -ifeq "$(LIBCAP)" "yes" -PAMFLAGS +=