[gentoo-commits] proj/pambase:master commit in: templates/

2024-01-28 Thread Sam James
commit: f6e52e5b96c20426687bc8041b171c9b788d7910
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 28 08:14:35 2024 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 28 08:14:35 2024 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f6e52e5b

system-auth.tpl: fix sssd's pam_deny

Closes: https://bugs.gentoo.org/922918
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 4065e89..9a274a4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -31,7 +31,7 @@ auth  sufficient  pam_sss.so forward_pass {{ 
debug|default('', true) }}
 auth   optionalpam_cap.so
 {% endif %}
 {% if sssd %}
-auth   sufficient  pam_deny.so
+auth   requiredpam_deny.so
 {% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
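Review bot: The closing `pam_deny.so` line in the `{% if sssd %}` block has no comment marking it as the fail-closed end of the sssd auth path, which is the reason its control flag matters. PAM ignores the failure of a `sufficient` module, so the line as previously written could never fail the stack; only `required` or `requisite` can. I would add a template comment above it, for example `{# fail closed: reached only when no earlier sufficient module succeeded; must stay required #}`, so a later edit does not weaken it again. A check on the rendered `--sssd` output that asserts this line's control flag would catch a regression.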



[gentoo-commits] proj/pambase:master commit in: templates/, /

2024-01-18 Thread Sam James
commit: c2060f499d483e11ba4524283c2d95a6a8beb8dc
Author: Christopher Byrne  gmail  com>
AuthorDate: Sun Sep  3 16:32:19 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Fri Jan 19 05:31:42 2024 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c2060f49

Add sssd support

Bug: https://bugs.gentoo.org/726050
Closes: https://github.com/gentoo/pambase/issues/1
Signed-off-by: Christopher Byrne  gmail.com>
Closes: https://github.com/gentoo/pambase/pull/17
Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  7 ++-
 templates/system-auth.tpl| 38 --
 templates/system-session.tpl |  4 
 3 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/pambase.py b/pambase.py
index 3875e89..ceec8cb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -19,6 +19,7 @@ def main():
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
 parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
+parser.add_argument('--sssd', action="store_true", help='enable sssd.so 
module')
 parser.add_argument('--yescrypt', action="store_true", help='enable 
yescrypt option for pam_unix.so module')
 parser.add_argument('--sha512', action="store_true", help='enable sha512 
option for pam_unix.so module')
 parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
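Review bot: The help text for `--sssd` names `sssd.so`, but the templates changed in this commit load `pam_sss.so` (together with `pam_usertype.so` and `pam_localuser.so`), and the neighbouring options all name the real module file. Someone checking which PAM module a flag pulls into the auth stack will look for a file that is not there; suggest `help='enable pam_sss.so module'`. main() starts and ends outside this hunk.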
@@ -41,7 +42,8 @@ def process_args(args):
 "unix_authtok",
 "unix_extended_encryption",
 "likeauth",
-"nullok"
+"nullok",
+"local_users_only"
 ]
 
 # create a blank dictionary
@@ -62,6 +64,9 @@ def process_args(args):
 if args.krb5:
 output["krb5_params"] = "{0} ignore_root 
try_first_pass".format("debug").strip()
 
+if args.sssd:
+output["local_users_only"] = "local_users_only"
+
 if args.yescrypt:
 output["unix_extended_encryption"] = "yescrypt shadow"
 elif args.sha512:

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 9b078f3..4065e89 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -7,34 +7,55 @@ auth  sufficient  pam_ssh.so
 auth   [success={{ 4 if homed else 3 }} default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if sssd %}
+auth   [default=1 ignore=ignore success=ok]pam_usertype.so 
isregular
+auth   [default=3 ignore=ignore success=ok]pam_localuser.so
+{% endif %}
+
 auth   requisite   pam_faillock.so preauth
+
 {% if homed %}
 auth[success=2 default=ignore]  pam_systemd_home.so
 {% endif %}
+
+{% if sssd %}
+authsufficientpam_unix.so {{ nullok|default('', true) }} {{ 
debug|default('', true) }}
+{% else %}
 auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad]  
pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} 
try_first_pass
+{% endif %}
 auth   [default=die]   pam_faillock.so authfail
-
+{% if sssd %}
+auth   sufficient  pam_sss.so forward_pass {{ debug|default('', 
true) }}
+{% endif %}
 {% if caps %}
 auth   optionalpam_cap.so
 {% endif %}
-
+{% if sssd %}
+auth   sufficient  pam_deny.so
+{% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 {% if homed %}
-account [success=1 default=ignore]  pam_systemd_home.so
+account [success={{ 2 if sssd else 1 }} default=ignore]  
pam_systemd_home.so
 {% endif %}
 
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
+{% if sssd %}
+accountsufficient  pam_localuser.so
+accountsufficient  pam_usertype.so issystem
+account[default=bad success=ok user_unknown=ignore] pam_sss.so 
{{ debug|default('', true) }}
+accountrequiredpam_permit.so
+{% endif %}
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
 {% endif %}
 
 {% if pwquality %}
-passwordrequiredpam_pwquality.so
+passwordrequiredpam_pwquality.so {{ 
local_users_only|default('', true ) }}
 {% endif %}
 
 {% if pwhistory %}
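Review bot: The new `pam_localuser.so` line hard-codes `default=3`, which only reaches `pam_sss.so` when `homed` is off. With `--sssd --homed` the `pam_systemd_home.so` line adds a fourth module to skip, so a non-local user lands on `pam_faillock.so authfail` with `[default=die]` and is rejected, with the failure apparently also counted by faillock. The count should follow the same pattern the krb5 line already uses: `auth [default={{ 4 if homed else 3 }} ignore=ignore success=ok] pam_localuser.so`. The krb5 jump `success={{ 4 if homed else 3 }}` also looks unadjusted for the two sssd lines inserted after it, so with `--krb5 --sssd` it would land two modules early; whether that combination is meant to be supported is not visible here. A short `{# jump targets: ... #}` comment next to each numeric jump would make these counts reviewable.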
@@ -50,9 +71,14 @@ password[success=1 default=ignore]  
pam_systemd_home.so
 {% endif %}
 
 {% if passwdqc or pwquality %}
-password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password   {{ 'sufficient' if sssd else 'required' }}  pam_unix.so 
try_first_pass {{ unix_authtok|default('', true) }} 

[gentoo-commits] proj/pambase:master commit in: templates/

2022-08-13 Thread Sam James
commit: ce3e0c4f0648ce44cb239be043a85468b29c4b13
Author: Michael Jones  users  noreply  github  
com>
AuthorDate: Sat Aug  6 05:41:29 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Aug 13 18:28:30 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ce3e0c4f

other.tpl: Fix whitespace

Closes: https://github.com/gentoo/pambase/pull/14
Signed-off-by: Sam James  gentoo.org>

 templates/other.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/other.tpl b/templates/other.tpl
index f3b7198..9544f8e 100644
--- a/templates/other.tpl
+++ b/templates/other.tpl
@@ -1,4 +1,4 @@
 auth   requiredpam_deny.so
 accountrequiredpam_deny.so
-password   requiredpam_deny.so
-sessionrequiredpam_deny.so
+password   requiredpam_deny.so
+sessionrequiredpam_deny.so



[gentoo-commits] proj/pambase:master commit in: templates/

2022-08-13 Thread Sam James
commit: f039f4766ce2b7cfc0ddec806805a4144534c99b
Author: Michael Jones  jonesmz  com>
AuthorDate: Sat Aug  6 06:06:06 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Aug 13 18:28:46 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f039f476

system-login.tpl: Fix whitespace

Closes: https://github.com/gentoo/pambase/pull/16
Signed-off-by: Sam James  gentoo.org>

 templates/system-login.tpl | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index b4b74cf..0269296 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -4,11 +4,11 @@ auth  include system-auth
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
-account requiredpam_time.so
+accountrequiredpam_time.so
 accountinclude system-auth
 
 password   include system-auth
-session optionalpam_loginuid.so
+sessionoptionalpam_loginuid.so
 {% if selinux %}
 sessionrequiredpam_selinux.so close
 {% endif %}
@@ -32,9 +32,9 @@ session   optionalpam_mail.so
 {% endif %}
 
 {% if systemd %}
--sessionoptionalpam_systemd.so
+-session   optionalpam_systemd.so
 {% endif %}
 
 {% if elogind %}
--sessionoptionalpam_elogind.so
+-session   optionalpam_elogind.so
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2022-08-13 Thread Sam James
commit: 2bb5c1846ca7a3222b8ff071d4bc3e63da68d3f1
Author: Michael Jones  users  noreply  github  
com>
AuthorDate: Sat Aug  6 05:40:20 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Aug 13 18:28:11 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2bb5c184

login.tpl: Fix unnecessary space character

Closes: https://github.com/gentoo/pambase/pull/13
Signed-off-by: Sam James  gentoo.org>

 templates/login.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/login.tpl b/templates/login.tpl
index 23e262a..cb85249 100644
--- a/templates/login.tpl
+++ b/templates/login.tpl
@@ -5,5 +5,5 @@ authrequiredpam_securetty.so
 auth   include system-local-login
 accountinclude system-local-login
 password   include system-local-login
-sessionoptionalpam_lastlog.so {{ debug|default('', 
true) }}
+sessionoptionalpam_lastlog.so {{ debug|default('', 
true) }}
 sessioninclude system-local-login



[gentoo-commits] proj/pambase:master commit in: templates/

2022-02-14 Thread Sam James
commit: dacde6da43a9c87f896b842946b514cd49db5dd3
Author: Alexandra Parker  gmail  com>
AuthorDate: Sat Feb 12 21:30:29 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Feb 14 16:51:51 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dacde6da

homed: add before pam_unix

- --homed inserts pam_systemd_home before pam_unix

- --homed --krb5 does that and adjusts krb5's jump to 4 modules

Signed-off-by: Alexandra Parker  gmail.com>
Closes: https://bugs.gentoo.org/808993
Closes: https://github.com/gentoo/pambase/pull/9
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 62344ff..9739b6f 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,16 +4,14 @@ auth  sufficient  pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
+auth   [success={{ 4 if homed else 3 }} default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
 {% if homed %}
-auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
-auth[success=1 default=ignore]  pam_systemd_home.so
-{% else %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=2 default=ignore]  pam_systemd_home.so
 {% endif %}
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}



[gentoo-commits] proj/pambase:master commit in: templates/

2021-02-02 Thread Sam James
commit: c3471f99454e8d086e133beaaf28b129fb22fc40
Author: Sam James  gentoo  org>
AuthorDate: Tue Feb  2 15:50:25 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Feb  2 15:50:25 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c3471f99

templates/system-auth.tpl: fix try_first_pass typo

Closes: https://github.com/gentoo/pambase/issues/6
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 1adee05..62344ff 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -12,7 +12,7 @@ auth  requisite   pam_faillock.so preauth
 auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth[success=1 default=ignore]  pam_systemd_home.so
 {% else %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 {% endif %}
 auth   [default=die]   pam_faillock.so authfail
 



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: fbbc2d49c860857b2fe4b2a6cdb967b0867261c9
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sat Jan 30 19:50:12 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:37:17 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=fbbc2d49

systemd-auth: add systemd-homed support

Signed-off-by: Mikle KOlyada  gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  1 +
 templates/system-auth.tpl| 18 --
 templates/system-session.tpl |  4 
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index 278d578..c078156 100755
--- a/pambase.py
+++ b/pambase.py
@@ -14,6 +14,7 @@ def main():
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
+parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_home.so module')
 parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 01a29db..1adee05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -8,16 +8,26 @@ auth  [success=3 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
-auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=1 default=ignore]  pam_systemd_home.so
+{% else %}
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
--auth  optionalpam_cap.so
+auth   optionalpam_cap.so
 {% endif %}
 
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
+
+{% if homed %}
+account [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
 
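Review bot: With `homed` set, the krb5 line shown in the hunk header still jumps `success=3`, but there are now three modules (`pam_faillock.so preauth`, `pam_unix.so`, `pam_systemd_home.so`) ahead of `pam_faillock.so authfail`. A successful Kerberos login therefore lands on the `[default=die]` line and is rejected, probably also recording a faillock failure; the jump needs to be `success={{ 4 if homed else 3 }}`. Separately, the `{% else %}` branch passes `try_first_pas` to `pam_unix.so`, so the non-homed configuration loses `try_first_pass`. The hunk also drops the leading `-` from the `pam_cap.so` line without saying so in the commit message; a missing module is then logged as an error instead of skipped silently. The same hunk appears again in the 5a545eb1 section of this page.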
@@ -37,6 +47,10 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if homed %}
+password[success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 {% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 2a7024b..536db49 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -8,4 +8,8 @@ session optionalpam_mktemp.so
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
+{% if homed %}
+session [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: 93165fa671e7c6fe41a09302f3c00a140dd6ec9b
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 31 21:36:48 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:37:12 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93165fa6

Revert "systemd-auth: add systemd-homed support"

This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f.
Auto-merged on a reverted commit.

Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  1 -
 templates/system-auth.tpl| 18 ++
 templates/system-session.tpl |  4 
 3 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/pambase.py b/pambase.py
index c078156..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -14,7 +14,6 @@ def main():
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
-parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_home.so module')
 parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 1adee05..01a29db 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -8,26 +8,16 @@ auth  [success=3 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
-{% if homed %}
-auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
-auth[success=1 default=ignore]  pam_systemd_home.so
-{% else %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
-{% endif %}
+auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
-auth   optionalpam_cap.so
+-auth  optionalpam_cap.so
 {% endif %}
 
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
-
-{% if homed %}
-account [success=1 default=ignore]  pam_systemd_home.so
-{% endif %}
-
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
 
@@ -47,10 +37,6 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-{% if homed %}
-password[success=1 default=ignore]  pam_systemd_home.so
-{% endif %}
-
 {% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 536db49..2a7024b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -8,8 +8,4 @@ session optionalpam_mktemp.so
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
-{% if homed %}
-session [success=1 default=ignore]  pam_systemd_home.so
-{% endif %}
-
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: 2c873cb38ef20d7eb83b5e4aee723c34d64bde3d
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 31 21:36:41 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:37:04 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2c873cb3

Revert "Add systemd-homed support"

This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a.
Unintentionally had this staged still.

Signed-off-by: Sam James  gentoo.org>

 pambase.py   | 1 -
 templates/system-auth.tpl| 6 --
 templates/system-session.tpl | 4 
 3 files changed, 11 deletions(-)

diff --git a/pambase.py b/pambase.py
index b306ca4..c078156 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,7 +9,6 @@ def main():
 parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
 parser.add_argument('--caps', action="store_true", help='enable pam_cap.so 
module')
-parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_homed.so module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
 parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 174aacf..1adee05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -2,9 +2,6 @@ authrequiredpam_env.so {{ debug|default('', 
true) }}
 {% if pam_ssh %}
 auth   sufficient  pam_ssh.so
 {% endif %}
-{% if homed %}
--auth  sufficient  pam_systemd_home.so
-{% endif %}
 
 {% if krb5 %}
 auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
@@ -23,9 +20,6 @@ auth  [default=die]   pam_faillock.so authfail
 auth   optionalpam_cap.so
 {% endif %}
 
-{% if homed %}
--account   sufficient  pam_systemd_home.so
-{% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 48653d4..536db49 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -4,10 +4,6 @@ sessionrequiredpam_env.so {{ 
debug|default('', true) }}
 sessionoptionalpam_mktemp.so
 {% endif %}
 
-{% if homed %}
--session   optionalpam_systemd_home.so
-{% endif %}
-
 {%if krb5 %}
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: /, templates/

2021-01-31 Thread Sam James
commit: 5a545eb14a1220af1ba8031f3669471e77edbc2f
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sat Jan 30 19:50:12 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:36:01 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=5a545eb1

systemd-auth: add systemd-homed support

Signed-off-by: Mikle KOlyada  gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  1 +
 templates/system-auth.tpl| 18 --
 templates/system-session.tpl |  4 
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index eb3d4fe..b306ca4 100755
--- a/pambase.py
+++ b/pambase.py
@@ -15,6 +15,7 @@ def main():
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
+parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_home.so module')
 parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 53557dc..174aacf 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -11,11 +11,16 @@ auth[success=3 default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
-auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=1 default=ignore]  pam_systemd_home.so
+{% else %}
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
--auth  optionalpam_cap.so
+auth   optionalpam_cap.so
 {% endif %}
 
 {% if homed %}
@@ -24,6 +29,11 @@ auth [default=die]   pam_faillock.so authfail
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
+
+{% if homed %}
+account [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
 
@@ -43,6 +53,10 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if homed %}
+password[success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 {% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 3dd1d70..48653d4 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -12,4 +12,8 @@ session   optionalpam_mktemp.so
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
+{% if homed %}
+session [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: 639b45ccb986de7314372a4a841e6f04c536c49a
Author: Sam James  gentoo  org>
AuthorDate: Fri Jan 29 03:46:42 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Fri Jan 29 03:46:42 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=639b45cc

Add systemd-homed support

Bug: https://bugs.gentoo.org/767784
Signed-off-by: Sam James  gentoo.org>

 pambase.py   | 1 +
 templates/system-auth.tpl| 6 ++
 templates/system-session.tpl | 4 
 3 files changed, 11 insertions(+)

diff --git a/pambase.py b/pambase.py
index 278d578..eb3d4fe 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,6 +9,7 @@ def main():
 parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
 parser.add_argument('--caps', action="store_true", help='enable pam_cap.so 
module')
+parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_homed.so module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
 parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 01a29db..53557dc 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -2,6 +2,9 @@ authrequiredpam_env.so {{ debug|default('', 
true) }}
 {% if pam_ssh %}
 auth   sufficient  pam_ssh.so
 {% endif %}
+{% if homed %}
+-auth  sufficient  pam_systemd_home.so
+{% endif %}
 
 {% if krb5 %}
 auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
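Review bot: Placing `-auth sufficient pam_systemd_home.so` above the krb5 line means a successful homed login returns before the faillock lines are reached; going by the second hunk's header, those lines come later in the file. An account that faillock has locked could then still authenticate through pam_systemd_home. The second hunk has the same shape: `-account sufficient pam_systemd_home.so` sits ahead of the remaining account modules, so on success any `required` account checks below it are skipped. If the bypass is intended it should be stated in a template comment; otherwise move the homed line below `pam_faillock.so preauth` and use a numeric jump such as `[success=N default=ignore]` rather than `sufficient`, with N counted to land just past the `authfail` line.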
@@ -15,6 +18,9 @@ auth  [default=die]   pam_faillock.so authfail
 -auth  optionalpam_cap.so
 {% endif %}
 
+{% if homed %}
+-account   sufficient  pam_systemd_home.so
+{% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 2a7024b..3dd1d70 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -4,6 +4,10 @@ sessionrequiredpam_env.so {{ 
debug|default('', true) }}
 sessionoptionalpam_mktemp.so
 {% endif %}
 
+{% if homed %}
+-session   optionalpam_systemd_home.so
+{% endif %}
+
 {%if krb5 %}
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-12-20 Thread Mikle Kolyada
commit: ee4f6b1a6b402ebdf3c5763d934f1aaa6b32e633
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sun Dec 20 17:52:38 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sun Dec 20 17:52:38 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ee4f6b1a

system-login: add pam_time.so

Signed-off-by: Mikle KOlyada  gentoo.org>

 templates/system-login.tpl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 0c60bb6..b4b74cf 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -4,6 +4,7 @@ authinclude system-auth
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
+account requiredpam_time.so
 accountinclude system-auth
 
 password   include system-auth



[gentoo-commits] proj/pambase:master commit in: templates/

2020-12-19 Thread Mikle Kolyada
commit: b725e39af14b57b69a256818bc1c98f98122c6a1
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sat Dec 19 22:30:15 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sat Dec 19 22:30:15 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b725e39a

strip pam_permit.so from system-auth

Signed-off-by: Mikle KOlyada  gentoo.org>

 templates/system-auth.tpl| 4 
 templates/system-session.tpl | 2 --
 2 files changed, 6 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 19e08fa..01a29db 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -10,7 +10,6 @@ auth  [success=3 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 auth   requisite   pam_faillock.so preauth
 auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
-auth   optionalpam_permit.so
 
 {% if caps %}
 -auth  optionalpam_cap.so
@@ -21,7 +20,6 @@ account   [success=2 default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
-account optionalpam_permit.so
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
@@ -45,8 +43,6 @@ password  requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }
 passwordrequiredpam_unix.so try_first_pass {{ 
nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ 
debug|default('', true) }}
 {% endif %}
 
-password   optionalpam_permit.so
-
 {% if pam_ssh %}
 sessionoptionalpam_ssh.so
 {% endif %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index ce3afa5..2a7024b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -9,5 +9,3 @@ session [success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}
-
-sessionoptionalpam_permit.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-11-02 Thread Sam James
commit: 3f36e2c3de28b3cde25a27d05e49d354e098c368
Author: Sam James  gentoo  org>
AuthorDate: Tue Nov  3 07:19:16 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Nov  3 07:19:16 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3f36e2c3

templates/system-auth.tpl: shift cap to be with other auth

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 4ff78e4..19e08fa 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -12,6 +12,10 @@ auth [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ d
 auth   [default=die]   pam_faillock.so authfail
 auth   optionalpam_permit.so
 
+{% if caps %}
+-auth  optionalpam_cap.so
+{% endif %}
+
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
@@ -47,8 +51,4 @@ password  optionalpam_permit.so
 sessionoptionalpam_ssh.so
 {% endif %}
 
-{% if caps %}
--auth  optionalpam_cap.so
-{% endif %}
-
 {% include "templates/system-session.tpl" %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-11-02 Thread Sam James
commit: daeb59effa26ace52bf699229a1bc22afe8808fd
Author: Sam James  gentoo  org>
AuthorDate: Mon Nov  2 23:38:12 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov  2 23:39:38 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=daeb59ef

templates/system-auth.tpl: fix pam_cap realm

This fixes the pam_cap realm which can only
be auth. This is a regression from old pre-rewrite
pambase.

It was however exposed by the fixing of an incorrect
module name (pam_libcap -> pam_cap) not long ago.

Bug: https://bugs.gentoo.org/751946
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 6964e05..2f2fe76 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -48,7 +48,7 @@ session   optionalpam_ssh.so
 {% endif %}
 
 {% if libcap %}
--sessionoptionalpam_cap.so
+-auth  optionalpam_cap.so
 {% endif %}
 
 {% include "templates/system-session.tpl" %}



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-11-02 Thread Sam James
commit: 94a9b5f76fc8fa1a3c6c34c5baa3fb25825e1dc2
Author: Sam James  gentoo  org>
AuthorDate: Mon Nov  2 23:40:50 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov  2 23:40:50 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=94a9b5f7

pambase.py: rename --libcap -> --caps

Signed-off-by: Sam James  gentoo.org>

 pambase.py| 2 +-
 templates/system-auth.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index de5dddb..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -8,7 +8,7 @@ import pathlib
 def main():
 parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
-parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
+parser.add_argument('--caps', action="store_true", help='enable pam_cap.so 
module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
 parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 2f2fe76..4ff78e4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -47,7 +47,7 @@ password  optionalpam_permit.so
 sessionoptionalpam_ssh.so
 {% endif %}
 
-{% if libcap %}
+{% if caps %}
 -auth  optionalpam_cap.so
 {% endif %}
 



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-28 Thread Mikle Kolyada
commit: de5f97873c345b69c44df5a9d06fcd69ee6c5ccf
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Oct 28 19:24:04 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Oct 28 19:24:04 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=de5f9787

fix number of jumps when pam_krb5 used

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl  | 2 +-
 templates/system-login.tpl | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 6edba8d..6964e05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,7 +4,7 @@ authsufficient  pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth   [success=4 default=ignore]  pam_krb5.so {{ krb5_params }}
+auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
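Review bot: A Kerberos success on this line jumps over `auth requisite pam_faillock.so preauth`, so a local faillock lockout is never consulted for a krb5 login; that should be confirmed as intended, and it also applies to the `success=4` version in the 99919c4b hunk further down this page. The count is positional and nothing in the template says which lines it skips, so a later insertion in that run silently moves the landing line. I would add a comment directly above the krb5 line, `# success=3 skips faillock preauth, pam_unix and faillock authfail`. Most of the skipped lines lie outside this hunk; the list is taken from the 99919c4b hunk.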

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 6a0d544..0c60bb6 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -5,7 +5,6 @@ authinclude system-auth
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth
-account requiredpam_faillock.so
 
 password   include system-auth
 session optionalpam_loginuid.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-28 Thread Mikle Kolyada
commit: 74b99b4462138ed6b496725b2499fb5d17ad9371
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Oct 28 16:07:21 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Oct 28 16:13:35 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=74b99b44

Do not use use_authtok if no passwd module was stacked

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl | 5 +
 1 file changed, 5 insertions(+)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 2ffd7ea..6edba8d 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -35,7 +35,12 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+{% else %}
+passwordrequiredpam_unix.so try_first_pass {{ 
nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ 
debug|default('', true) }}
+{% endif %}
+
 password   optionalpam_permit.so
 
 {% if pam_ssh %}
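Review bot: The new condition `{% if passwdqc or pwquality %}` leaves out `pwhistory`, although the hunk header shows `pam_pwhistory.so use_authtok` in the same password stack; with only pwhistory enabled the else branch is taken while pam_pwhistory still expects a token from an earlier module. The two branches also repeat the whole pam_unix line and differ only in `{{ unix_authtok|default('', true) }}`, which already renders empty when the variable is unset. Deciding the value where `unix_authtok` is assigned (not visible here, presumably pambase.py) would keep a single pam_unix line in the template and one place to get the rule right.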



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-26 Thread Sam James
commit: 99919c4b2b59af27e7ad1daa6fbe8c614a8463c0
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 26 08:32:29 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 26 22:48:06 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=99919c4b

templates/system-auth.tpl: skip pam_unix with krb5

Before this change, success on pam_krb5 would result in jumping
one line (over pam_permit) back into pam_unix.

Incidentally, we did the later stanza correctly. This was a regression
from old pambase.

Bug: https://bugs.gentoo.org/748405
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 8b61701..668303f 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,20 +4,20 @@ auth  sufficient  pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth[success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
+auth   [success=4 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-auth   optionalpam_permit.so
 auth   requisite   pam_faillock.so preauth
 auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
+auth   optionalpam_permit.so
 
 {% if krb5 %}
-account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
+account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
-accountoptionalpam_permit.so
 account requiredpam_faillock.so
+account optionalpam_permit.so
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
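Review bot: `[success=4 default=ignore]` on the auth krb5 line counts one line too many: the lines that follow it in this hunk are `pam_faillock.so preauth`, `pam_unix.so`, `pam_faillock.so authfail` and `pam_permit.so`, so a Kerberos success skips the `pam_permit.so` landing line as well as the three it is meant to bypass. `auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}` matches the layout, and the de5f9787 commit on this page makes that change. In the account stack `success=2` now skips `account required pam_faillock.so` together with pam_unix; confirm that skipping the account-phase faillock for Kerberos users is intended.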



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-26 Thread Sam James
commit: 473b931a56c9387cc6a1e1eddef2260fc9f3896f
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 26 08:33:23 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 26 21:14:00 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=473b931a

templates/system-login.tpl: always need faillock

Fixes: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 2 --
 templates/system-login.tpl | 2 --
 2 files changed, 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index faf18ee..8b61701 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -17,9 +17,7 @@ account   [success=1 default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 accountoptionalpam_permit.so
-{% if not minimal %}
 account requiredpam_faillock.so
-{% endif %}
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 889c2d7..6a0d544 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -5,9 +5,7 @@ authinclude system-auth
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth
-{% if not minimal %}
 account requiredpam_faillock.so
-{% endif %}
 
 password   include system-auth
 session optionalpam_loginuid.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-26 Thread Sam James
commit: 47a7d6f7477ac279b271babd970d2b4b6839fdb5
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 26 21:15:18 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 26 22:48:39 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=47a7d6f7

templates/system-auth.tpl: fix libcap module name

Bug: https://bugs.gentoo.org/750524
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 668303f..2ffd7ea 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -43,7 +43,7 @@ session   optionalpam_ssh.so
 {% endif %}
 
 {% if libcap %}
--sessionoptionalpam_libcap.so
+-sessionoptionalpam_cap.so
 {% endif %}
 
 {% include "templates/system-session.tpl" %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-19 Thread Sam James
commit: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c
Author: Sam James  gentoo  org>
AuthorDate: Tue Oct 20 02:32:28 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Oct 20 02:38:20 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=eb138196

templates/system-auth.tpl: use faillock in minimal case

Bug: https://bugs.gentoo.org/748405
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index bc28468..faf18ee 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -7,13 +7,10 @@ auth  sufficient  pam_ssh.so
 auth[success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
-{% if not minimal %}
-auth   requiredpam_faillock.so preauth
-auth   sufficient  pam_unix.so nullok try_first_pass
+auth   requisite   pam_faillock.so preauth
+auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
-{% endif %}
 
 {% if krb5 %}
 account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
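Review bot: Removing the `auth required pam_unix.so` line without touching the krb5 line above it changes where `[success=1 default=ignore]` lands: it used to skip pam_unix, and now skips only `auth optional pam_permit.so` and falls into `pam_faillock.so preauth` and `pam_unix.so`. A user who authenticated with Kerberos is then still put through the local password check. The krb5 count has to cover the new preauth/pam_unix/authfail run, for example with `pam_permit.so` moved below `authfail` and the krb5 line set to `[success=3 default=ignore]`. The 99919c4b and de5f9787 commits on this page address this later.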



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: e0835e729bcf04f501d4610cf3925ec41b37c5f5
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 12 17:30:18 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 17:30:18 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e0835e72

templates/system-auth.tpl: drop superfluous conf param on faillock

pam_faillock defaults to /etc/security/faillock.conf anyway.

Closes: https://bugs.gentoo.org/747967
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 557da9b..bc28468 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -10,7 +10,7 @@ auth[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
 {% if not minimal %}
-auth   requiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
+auth   requiredpam_faillock.so preauth
 auth   sufficient  pam_unix.so nullok try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: abca630446236ddf83c7686ca8742b305bf8a050
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 12 15:30:28 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 15:30:28 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=abca6304

templates/system-login.tpl: remove duplicate block already in system-auth

Do it right this time!

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 5 +
 templates/system-login.tpl | 6 --
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 11319d6..557da9b 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -9,6 +9,11 @@ auth[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
+{% if not minimal %}
+auth   requiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
+auth   sufficient  pam_unix.so nullok try_first_pass
+auth   [default=die]   pam_faillock.so authfail
+{% endif %}
 
 {% if krb5 %}
 account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
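Review bot: The added `auth sufficient pam_unix.so nullok try_first_pass` hard-codes `nullok`, while the `auth required pam_unix.so` line shown above it takes the option from `{{ nullok|default('', true) }}`, so the second pam_unix call permits empty passwords regardless of what was requested. The `required` line should still fail such a login when nullok is off, but the setting should not depend on that line staying in place. `auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass` keeps it under the caller's control. The stack also runs pam_unix once before `pam_faillock.so preauth` and once after it, so the lockout check follows the first password verification; that order is worth a second look.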

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 25843f5..889c2d7 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -2,12 +2,6 @@ auth   requiredpam_shells.so {{ 
debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
 
-{% if not minimal %}
-authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
-authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail
-{% endif %}
-
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: 949722adbb7187b68f392164865a964610221604
Author: Sam James  gentoo  org>
AuthorDate: Sun Oct 11 20:48:41 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 14:32:12 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=949722ad

templates/system-session.tpl: include pam_krb5.so module name

Signed-off-by: Sam James  gentoo.org>

 templates/system-session.tpl | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 1538429..ce3afa5 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -5,12 +5,9 @@ sessionoptionalpam_mktemp.so
 {% endif %}
 
 {%if krb5 %}
-session[success=1 default=ignore] {{ krb5_params }}
+session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}
-{%if krb5 %}
-session [success=1 default=ignore] {{ krb5_params }}
-{% endif %}
 
 sessionoptionalpam_permit.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: 37a3f41da6fa3136c46c9d76a18ad36f4f680303
Author: Sam James  gentoo  org>
AuthorDate: Sun Oct 11 20:57:19 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 14:32:12 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=37a3f41d

templates/system-login.tpl: move systemd, elogind blocks here

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 8 
 templates/system-login.tpl | 8 
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 46fc131..f8484f1 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -47,14 +47,6 @@ password optionalpam_permit.so
 sessionoptionalpam_ssh.so
 {% endif %}
 
-{% if systemd %}
--sessionoptionalpam_systemd.so
-{% endif %}
-
-{% if elogind %}
--sessionoptionalpam_elogind.so
-{% endif %}
-
 {% if libcap %}
 -sessionoptionalpam_libcap.so
 {% endif %}

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 99801a1..889c2d7 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -32,3 +32,11 @@ session  optionalpam_motd.so 
motd=/etc/motd
 {% if not minimal %}
 sessionoptionalpam_mail.so
 {% endif %}
+
+{% if systemd %}
+-sessionoptionalpam_systemd.so
+{% endif %}
+
+{% if elogind %}
+-sessionoptionalpam_elogind.so
+{% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: da499cca70c5e77c851c5f75440df188fe2eeabe
Author: Sam James  gentoo  org>
AuthorDate: Sun Oct 11 20:55:39 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 14:32:12 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=da499cca

templates/system-login.tpl: remove duplicate block from system-auth

Bug: https://bugs.gentoo.org/747868
Signed-off-by: Sam James  gentoo.org>

 templates/system-login.tpl | 5 -
 1 file changed, 5 deletions(-)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index d51481b..99801a1 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -1,11 +1,6 @@
 auth   requiredpam_shells.so {{ debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
-{% if not minimal %}
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
-authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-{% endif %}
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-10 Thread Mikle Kolyada
commit: b54edff3a6724bba19fd803042909cc448d169fd
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sat Oct 10 15:35:39 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sat Oct 10 15:37:14 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b54edff3

switch pam_faillock.so to its config file

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl  | 4 ++--
 templates/system-login.tpl | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 46fc131..1bb53ae 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -10,9 +10,9 @@ auth[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
 {% if not minimal %}
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
 authsufficient  pam_unix.so {{ nullok|default('', true) }} 
try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+auth[default=die]   pam_faillock.so authfail
 {% endif %}
 
 {% if krb5 %}
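Review bot: Replacing the inline options with `conf=/etc/security/faillock.conf` drops `silent`, `audit`, `deny=3` and `unlock_time=600` from the template, so the effective lockout policy now depends entirely on a file this commit neither shows nor installs. If that file leaves `silent` unset, the preauth line would presumably tell the user that the account is locked, and without `audit` failed attempts for unknown user names are not logged. The same replacement is made in the system-login.tpl hunk of this commit. I would record the expectation in a template comment, e.g. `# lockout policy (deny, unlock_time, silent, audit) lives in /etc/security/faillock.conf`.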

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index d51481b..bb4f093 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -2,9 +2,9 @@ authrequiredpam_shells.so {{ 
debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
 {% if not minimal %}
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
 authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+auth[default=die]   pam_faillock.so authfail
 {% endif %}
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-09-13 Thread Mikle Kolyada
commit: 46e6f29b1f9b7edd9541382fddd9b0837900e649
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sun Sep 13 09:59:15 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sun Sep 13 10:00:50 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=46e6f29b

system-auth: introduce pam_pwhistory

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py| 1 +
 templates/system-auth.tpl | 4 
 2 files changed, 5 insertions(+)

diff --git a/pambase.py b/pambase.py
index 83ee97c..de5dddb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -10,6 +10,7 @@ def main():
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
 parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
+parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 0381e66..46fc131 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -32,6 +32,10 @@ password requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
 passwordrequiredpam_pwquality.so
 {% endif %}
 
+{% if pwhistory %}
+passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3
+{% endif %}
+
 {% if krb5 %}
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
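Review bot: `pam_pwhistory.so use_authtok` is emitted whenever `pwhistory` is set, but `use_authtok` makes the module take the new password from an earlier module in the password stack. With neither the passwdqc nor the pwquality block enabled there is no such module before it in the lines shown, and the password change would presumably fail. `retry=3` has no effect on a module that does not prompt. I would make the option conditional, e.g. `password required pam_pwhistory.so {% if passwdqc or pwquality %}use_authtok{% endif %} remember=5`, and consider `enforce_for_root` if root's password changes should be covered by the history check.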



[gentoo-commits] proj/pambase:master commit in: templates/

2020-09-09 Thread Mikle Kolyada
commit: 1b7c7f7678a6402a0b0aec80b3883fd98516be4e
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Sep  9 16:32:10 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Sep  9 16:32:10 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1b7c7f76

system-auth: switch password modules to configs

* pam_passwdqc.so can be managed by the /etc/security/passwdqc.conf
* pam_pwquality.so can be managed by the /etc/security/pwquality.conf

Both allow users to create their own password policies without touching
files in the /etc/pam.d directory

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 69cc472..0381e66 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -25,11 +25,11 @@ account requiredpam_faillock.so
 {% endif %}
 
 {% if passwdqc %}
-password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
+password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
 {% endif %}
 
 {% if pwquality %}
-passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 
ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root
+passwordrequiredpam_pwquality.so
 {% endif %}
 
 {% if krb5 %}
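Review bot: The pwquality line loses `enforce_for_root` along with the length and credit settings, and the passwdqc line loses `min=8,8,8,8,8`, so the password policy is now whatever `/etc/security/pwquality.conf` and `/etc/security/passwdqc.conf` contain on the target system; neither file is part of this commit. Unless the packaged defaults carry equivalent values, the policy becomes weaker for existing installs and root's password changes are no longer bound by pwquality. If `passwdqc.conf` is absent, `config=` presumably makes pam_passwdqc fail rather than fall back to defaults, which would block password changes. I would list the expected config contents in the commit message or ship the files with the package.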



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-08-17 Thread Mikle Kolyada
commit: ed4f15348fa950b02016154790bb6d180cccf5f9
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Mon Aug 17 07:30:39 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Mon Aug 17 07:30:39 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ed4f1534

make pam_gnome_keyring optional

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py   | 143 ++-
 templates/passwd.tpl |   5 +-
 2 files changed, 76 insertions(+), 72 deletions(-)

diff --git a/pambase.py b/pambase.py
index 07e458d..83ee97c 100755
--- a/pambase.py
+++ b/pambase.py
@@ -6,96 +6,97 @@ import pathlib
 
 
 def main():
-   parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
-   parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
-   parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
-   parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
-   parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
-   parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
-   parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
-   parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
-   parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
-   parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
-   parser.add_argument('--sha512', action="store_true", help='enable 
sha512 option for pam_unix.so module')
-   parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
-   parser.add_argument('--minimal', action="store_true", help='install 
minimalistic PAM stack')
-   parser.add_argument('--debug', action="store_true", help='enable debug 
for selected modules')
-   parser.add_argument('--nullok', action="store_true", help='enable 
nullok option for pam_unix.so module')
-
-   parsed_args = parser.parse_args()
-   processed = process_args(parsed_args)
-
-   parse_templates(processed)
+parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
+parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
+parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
+parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
+parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
+parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
+parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
+parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
+parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
+parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
+parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
+parser.add_argument('--sha512', action="store_true", help='enable sha512 
option for pam_unix.so module')
+parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
+parser.add_argument('--minimal', action="store_true", help='install 
minimalistic PAM stack')
+parser.add_argument('--debug', action="store_true", help='enable debug for 
selected modules')
+parser.add_argument('--nullok', action="store_true", help='enable nullok 
option for pam_unix.so module')
+
+parsed_args = parser.parse_args()
+processed = process_args(parsed_args)
+
+parse_templates(processed)
 
 
 def process_args(args):
-   # make sure that output directory exists
-   pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+# make sure that output directory exists
+pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
 
-   blank_variables = [
-   "krb5_authtok",
-   "unix_authtok",
-   "unix_extended_encryption",
-   "likeauth",
-   "nullok"
-   ]
+blank_variables = [
+"krb5_authtok",
+"unix_authtok",
+"unix_extended_encryption",
+"likeauth",
+"nullok"
+]
 
-   # create a blank dictionary
-   # then add in our parsed args
-   output = dict.fromkeys(blank_variables, "")
-   output.update(vars(args))
+# create a blank dictionary
+# then add in our parsed args
+output = dict.fromkeys(blank_variables, "")
+output.update(vars(args))
 
-   # unconditional variables
- 

[gentoo-commits] proj/pambase:master commit in: templates/, /

2020-08-15 Thread Mikle Kolyada
commit: 1e2706575348150992737c5415df36f6517b20fe
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sat Aug 15 08:44:57 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sat Aug 15 08:50:19 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1e270657

Add pam_pwquality.so support

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py| 1 +
 templates/system-auth.tpl | 4 
 2 files changed, 5 insertions(+)

diff --git a/pambase.py b/pambase.py
index d021b81..07e458d 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,6 +9,7 @@ def main():
parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
+   parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 298e45c..69cc472 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -28,6 +28,10 @@ account requiredpam_faillock.so
 password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
 {% endif %}
 
+{% if pwquality %}
+passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 
ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root
+{% endif %}
+
 {% if krb5 %}
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
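Review bot: The positive values in `lcredit=2 ucredit=2 dcredit=2 ocredit=2` are credits, not requirements: in pam_pwquality a positive N lets characters of that class count extra toward `minlen`, so a mixed-class password shorter than 8 characters can satisfy `minlen=8`. If the intent was to require at least two characters of each class, the values need to be negative, `lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2`. Nothing visible in the template keeps `passwdqc` and `pwquality` from being enabled together, in which case both `required` modules are stacked; it is worth deciding whether that combination is supported.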



[gentoo-commits] proj/pambase:master commit in: templates/, /

2020-08-06 Thread Sam James
commit: ca96d2bc6bbcf860d12b9d610509c155029fe3cc
Author: Sam James  gentoo  org>
AuthorDate: Thu Aug  6 22:46:40 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Thu Aug  6 22:46:40 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ca96d2bc

pambase.py: rename system-service -> system-services

Some of e.g. OpenRC's installed pam files assume 'system-services':
./supervise-daemon:2:session include system-services
./start-stop-daemon:2:session include system-services

Signed-off-by: Sam James  gentoo.org>

 pambase.py| 2 +-
 templates/{system-service.tpl => system-services.tpl} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/pambase.py b/pambase.py
index 8f04870..d021b81 100755
--- a/pambase.py
+++ b/pambase.py
@@ -78,7 +78,7 @@ def parse_templates(processed_args):
"su",
"system-auth",
"system-login",
-   "system-service"
+   "system-services"
]
 
for template_name in templates:

diff --git a/templates/system-service.tpl b/templates/system-services.tpl
similarity index 100%
rename from templates/system-service.tpl
rename to templates/system-services.tpl



[gentoo-commits] proj/pambase:master commit in: templates/

2020-08-05 Thread Sam James
commit: 4e5e41c2e5607a298f30f679aa7ba8c4994033e3
Author: Sam James  gentoo  org>
AuthorDate: Wed Aug  5 06:10:02 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Aug  5 06:10:16 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=4e5e41c2

templates/*: remove unnecessary strips

Now obsolete as of 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c.

Signed-off-by: Sam James  gentoo.org>

 templates/login.tpl  |  4 ++--
 templates/system-auth.tpl| 44 ++--
 templates/system-login.tpl   | 28 ++--
 templates/system-session.tpl | 12 ++--
 4 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/templates/login.tpl b/templates/login.tpl
index 7476cb7..23e262a 100644
--- a/templates/login.tpl
+++ b/templates/login.tpl
@@ -1,6 +1,6 @@
-{% if securetty -%}
+{% if securetty %}
 auth   requiredpam_securetty.so
-{% endif -%}
+{% endif %}
 
 auth   include system-local-login
 accountinclude system-local-login

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index e8a6d91..298e45c 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -1,54 +1,54 @@
 auth   requiredpam_env.so {{ debug|default('', true) }}
-{% if pam_ssh -%}
+{% if pam_ssh %}
 auth   sufficient  pam_ssh.so
-{% endif -%}
+{% endif %}
 
-{% if krb5 -%}
+{% if krb5 %}
 auth[success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
-{% endif -%}
+{% endif %}
 
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
-{% if not minimal -%}
+{% if not minimal %}
 authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
 authsufficient  pam_unix.so {{ nullok|default('', true) }} 
try_first_pass
 auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-{% endif -%}
+{% endif %}
 
-{% if krb5 -%}
+{% if krb5 %}
 account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
-{% endif -%}
+{% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 accountoptionalpam_permit.so
-{% if not minimal -%}
+{% if not minimal %}
 account requiredpam_faillock.so
-{% endif -%}
+{% endif %}
 
-{% if passwdqc -%}
+{% if passwdqc %}
 password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
-{% endif -%}
+{% endif %}
 
-{% if krb5 -%}
+{% if krb5 %}
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
-{% endif -%}
+{% endif %}
 
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 password   optionalpam_permit.so
 
-{%- if pam_ssh %}
+{% if pam_ssh %}
 sessionoptionalpam_ssh.so
-{% endif -%}
+{% endif %}
 
-{% if systemd -%}
+{% if systemd %}
 -sessionoptionalpam_systemd.so
-{% endif -%}
+{% endif %}
 
-{% if elogind -%}
+{% if elogind %}
 -sessionoptionalpam_elogind.so
-{% endif -%}
+{% endif %}
 
-{% if libcap -%}
+{% if libcap %}
 -sessionoptionalpam_libcap.so
-{% endif -%}
+{% endif %}
 
 {% include "templates/system-session.tpl" %}
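Review bot: In the `auth` section of system-auth.tpl, `pam_faillock.so preauth` sits after the `required pam_unix.so` line, so when `minimal` is unset the password is checked once before the lockout test and then again by the `sufficient pam_unix.so` line. The pam_faillock documentation puts `preauth` ahead of the password module, so I would move `auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600` above the first pam_unix entry and keep a single pam_unix line. The `[success=1 default=ignore]` jump on pam_krb5 skips only that first pam_unix line, so a Kerberos-authenticated login probably still reaches the second pam_unix and `authfail`; that path is worth testing. The system-login.tpl hunk below repeats the same three lines after `include system-auth` and hard-codes `nullok` on its pam_unix line instead of using `{{ nullok|default('', true) }}`, which would accept empty passwords even when the nullok option is off.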

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index d8df530..d51481b 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -1,39 +1,39 @@
 auth   requiredpam_shells.so {{ debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
-{% if not minimal -%}
+{% if not minimal %}
 authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
 authsufficient  pam_unix.so nullok try_first_pass
 auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-{% endif -%}
+{% endif %}
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth
-{% if not minimal -%}
+{% if not minimal %}
 account requiredpam_faillock.so
-{% endif -%}
+{% endif %}
 
 password   include system-auth
 session optionalpam_loginuid.so
-{% if selinux -%}
+{% if selinux %}
 sessionrequiredpam_selinux.so close
-{% endif -%}
+{% endif %}
 
 sessionrequiredpam_env.so envfile=/etc/profile.env {{ 
debug|default('', true) }}
-{% if not minimal -%}
+{% if not minimal %}
 sessionoptionalpam_lastlog.so silent {{ 

[gentoo-commits] proj/pambase:master commit in: templates/

2020-08-04 Thread Mikle Kolyada
commit: acd1f9046c8d79ba5e232043131f6c9842d357e7
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Aug  4 13:35:41 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Aug  4 13:35:41 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=acd1f904

fix pam_ssh formatting

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 13f5c0d..e8a6d91 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -35,7 +35,7 @@ password  [success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 password   optionalpam_permit.so
 
-{%- if pam_ssh -%}
+{%- if pam_ssh %}
 sessionoptionalpam_ssh.so
 {% endif -%}
 



[gentoo-commits] proj/pambase:master commit in: templates/

2020-08-04 Thread Mikle Kolyada
commit: 7f7b677eca0487d304e114714890feadae06b9a2
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Aug  4 12:41:04 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Aug  4 12:41:04 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7f7b677e

fix a typo in logic

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-login.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 2f404bc..d8df530 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -21,7 +21,7 @@ session   requiredpam_selinux.so close
 {% endif -%}
 
 sessionrequiredpam_env.so envfile=/etc/profile.env {{ 
debug|default('', true) }}
-{% if not miniaml -%}
+{% if not minimal -%}
 sessionoptionalpam_lastlog.so silent {{ 
debug|default('', true) }}
 {% endif -%}
 sessioninclude system-auth
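Review bot: A misspelled flag such as the old `miniaml` on the `{% if not ... -%}` line should fail template rendering rather than silently evaluate as undefined. The old condition apparently rendered without error, which suggests undefined names are treated as false, so `not miniaml` was always true and the pam_lastlog line was emitted even for minimal builds. Because these templates generate the PAM stack, a typo of this kind changes the login policy without any warning. If pambase.py does not already do so, creating the Jinja environment with `undefined=StrictUndefined` would catch it at build time. The environment setup is outside this hunk, so confirm against pambase.py first.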



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-08-04 Thread Mikle Kolyada
commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Aug  4 11:20:43 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Aug  4 11:20:43 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4

New pambase era

pambase was simplified and rewritten in python

Signed-off-by: Mikle Kolyada  gentoo.org>

 .gitignore | 12 +--
 LICENSE| 23 ++
 Makefile   | 96 --
 README |  8 --
 basic-conf | 52 
 linux-pam-conf | 26 --
 login.in   | 10 ---
 other.in   |  4 -
 pambase.py | 95 +
 su.in  | 11 ---
 system-auth.in | 57 -
 system-login.in| 58 -
 system-session.inc | 25 --
 templates/login.tpl|  9 ++
 templates/other.tpl|  4 +
 passwd.in => templates/passwd.tpl  |  4 +-
 templates/su.tpl   |  8 ++
 templates/system-auth.tpl  | 54 
 .../system-local-login.tpl |  0
 templates/system-login.tpl | 39 +
 .../system-remote-login.tpl|  0
 system-services.in => templates/system-service.tpl |  6 +-
 templates/system-session.tpl   | 16 
 23 files changed, 252 insertions(+), 365 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login 
system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf 
-DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS +=