From c2060f499d483e11ba4524283c2d95a6a8beb8dc Mon Sep 17 00:00:00 2001 From: Christopher Byrne Date: Sun, 3 Sep 2023 11:32:19 -0500 Subject: Add sssd support Bug: https://bugs.gentoo.org/726050 Closes: https://github.com/gentoo/pambase/issues/1 Signed-off-by: Christopher Byrne Closes: https://github.com/gentoo/pambase/pull/17 Signed-off-by: Sam James --- pambase.py | 7 ++++++- templates/system-auth.tpl | 38 ++++++++++++++++++++++++++++++++------ templates/system-session.tpl | 4 ++++ 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/pambase.py b/pambase.py index 3875e89..ceec8cb 100755 --- a/pambase.py +++ b/pambase.py @@ -19,6 +19,7 @@ def main(): parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') + parser.add_argument('--sssd', action="store_true", help='enable sssd.so module') parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module') parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') @@ -41,7 +42,8 @@ def process_args(args): "unix_authtok", "unix_extended_encryption", "likeauth", - "nullok" + "nullok", + "local_users_only" ] # create a blank dictionary @@ -62,6 +64,9 @@ def process_args(args): if args.krb5: output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip() + if args.sssd: + output["local_users_only"] = "local_users_only" + if args.yescrypt: output["unix_extended_encryption"] = "yescrypt shadow" elif args.sha512: diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 9b078f3..4065e89 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -7,34 +7,55 @@ auth sufficient pam_ssh.so auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if sssd %} +auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular +auth [default=3 ignore=ignore success=ok] pam_localuser.so +{% endif %} + auth requisite pam_faillock.so preauth + {% if homed %} auth [success=2 default=ignore] pam_systemd_home.so {% endif %} + +{% if sssd %} +auth sufficient pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} +{% else %} auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% endif %} auth [default=die] pam_faillock.so authfail - +{% if sssd %} +auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }} +{% endif %} {% if caps %} auth optional pam_cap.so {% endif %} - +{% if sssd %} +auth sufficient pam_deny.so +{% endif %} {% if krb5 %} account [success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} {% if homed %} -account [success=1 default=ignore] pam_systemd_home.so +account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so {% endif %} account required pam_unix.so {{ debug|default('', true) }} account required pam_faillock.so +{% if sssd %} +account sufficient pam_localuser.so +account sufficient pam_usertype.so issystem +account [default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }} +account required pam_permit.so +{% endif %} {% if passwdqc %} password required pam_passwdqc.so config=/etc/security/passwdqc.conf {% endif %} {% if pwquality %} -password required pam_pwquality.so +password required pam_pwquality.so {{ local_users_only|default('', true ) }} {% endif %} {% if pwhistory %} @@ -50,9 +71,14 @@ password [success=1 default=ignore] pam_systemd_home.so {% endif %} {% if passwdqc or pwquality %} -password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} -password required pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +{% endif %} + +{% if sssd %} +password sufficient pam_sss.so use_authtok +password required pam_deny.so {% endif %} {% if pam_ssh %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 536db49..4c5585b 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -13,3 +13,7 @@ session [success=1 default=ignore] pam_systemd_home.so {% endif %} session required pam_unix.so {{ debug|default('', true) }} + +{% if sssd %} +session optional pam_sss.so {{ debug|default('', true) }} +{% endif %} -- cgit v1.2.3-65-gdbad