-rw-r--r-- | .gitignore | 12 | ||||
-rw-r--r-- | LICENSE | 23 | ||||
-rw-r--r-- | Makefile | 96 | ||||
-rw-r--r-- | README | 8 | ||||
-rw-r--r-- | basic-conf | 52 | ||||
-rw-r--r-- | linux-pam-conf | 26 | ||||
-rw-r--r-- | login.in | 10 | ||||
-rw-r--r-- | other.in | 4 | ||||
-rwxr-xr-x | pambase.py | 95 | ||||
-rw-r--r-- | su.in | 11 | ||||
-rw-r--r-- | system-auth.in | 57 | ||||
-rw-r--r-- | system-login.in | 58 | ||||
-rw-r--r-- | system-session.inc | 25 | ||||
-rw-r--r-- | templates/login.tpl | 9 | ||||
-rw-r--r-- | templates/other.tpl | 4 | ||||
-rw-r--r-- | templates/passwd.tpl (renamed from passwd.in) | 4 | ||||
-rw-r--r-- | templates/su.tpl | 8 | ||||
-rw-r--r-- | templates/system-auth.tpl | 54 | ||||
-rw-r--r-- | templates/system-local-login.tpl (renamed from system-local-login.in) | 0 | ||||
-rw-r--r-- | templates/system-login.tpl | 39 | ||||
-rw-r--r-- | templates/system-remote-login.tpl (renamed from system-remote-login.in) | 0 | ||||
-rw-r--r-- | templates/system-service.tpl (renamed from system-services.in) | 6 | ||||
-rw-r--r-- | templates/system-session.tpl | 16 |
23 files changed, 252 insertions, 365 deletions
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..0000000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
-	install -d "$(DESTDIR)/etc/pam.d"
-	install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
-	$(GIT) tag $(PACKAGE)-$(VERSION)
-	$(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
-	$(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
-	sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
-	rm -f $(PAMD) *~
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.
diff --git a/basic-conf b/basic-conf
deleted file mode 100644
index 7b1bf00..0000000
--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
- fine-tune the Kerberos handling so that it works out of hte box on
- most desktop systems.
-
- What this control operation does is ignore failures and errors from
- Kerberos (falling back on local pam_unix auth), but if it's good,
- it'll skip over the following module (pam_unix) with an accepted
- status.
-
- IMPORTANT! Make sure that the only thing that comes right after
- pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]
diff --git a/linux-pam-conf b/linux-pam-conf
deleted file mode 100644
index 962b2eb..0000000
--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS 1
-#define HAVE_ENV 1
-#define HAVE_ACCESS 1
-#define HAVE_SHELLS 1
-#define HAVE_LOGINUID 1
-
-#define SUPPORT_UNIX_SESSION 1
-#define SUPPORT_NOLOGIN_ACCOUNT 1
-#define SUPPORT_NOLOGIN_AUTH 1
-
-#if !MINIMAL
-# define HAVE_MOTD 1
-# define HAVE_MAIL 1
-# define HAVE_LASTLOG 1
-# define HAVE_FAILLOCK 1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN
diff --git a/login.in b/login.in
deleted file mode 100644
index 5067bc7..0000000
--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth required pam_securetty.so
-#endif
-auth include system-local-login
-
-account include system-local-login
-password include system-local-login
-
-session optional pam_lastlog.so DEBUG
-session include system-local-login
diff --git a/other.in b/other.in
deleted file mode 100644
index d8cb1fe..0000000
--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth required pam_deny.so
-account required pam_deny.so
-password required pam_deny.so
-session required pam_deny.so
diff --git a/pambase.py b/pambase.py
new file mode 100755
index 0000000..1ebafbe
--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+    parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+    parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+    parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+    parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+    parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+    parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+    parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+    parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+    parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+    parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+    parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+    parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+    parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+    parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+    parsed_args = parser.parse_args()
+    processed = process_args(parsed_args)
+
+    parse_templates(processed)
+
+
+def process_args(args):
+    # make sure that output directory exists
+    pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+    blank_variables = [
+        "krb5_authtok",
+        "unix_authtok",
+        "unix_extended_encryption",
+        "likeauth",
+        "nullok"
+    ]
+
+    # create a blank dictionary
+    # then add in our parsed args
+    output = dict.fromkeys(blank_variables, "")
+    output.update(vars(args))
+
+    # unconditional variables
+    output["likeauth"] = "likeauth"
+    output["unix_authtok"] = "use_authtok"
+
+    if args.debug:
+        output["debug"] = "debug"
+
+    if args.nullok:
+        output["nullok"] = "nullok"
+
+    if args.krb5:
+        output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+    if args.sha512:
+        output["unix_extended_encryption"] = "sha512 shadow"
+    else:
+        output["unix_extended_encryption"] = "md5 shadow"
+
+    return output
+
+
+def parse_templates(processed_args):
+    load = FileSystemLoader('')
+    env = Environment(loader=load)
+
+    templates = [
+        "login",
+        "other",
+        "passwd",
+        "system-local-login",
+        "system-remote-login",
+        "su",
+        "system-auth",
+        "system-login",
+        "system-service"
+    ]
+
+    for template_name in templates:
+        template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+        with open('stack/{0}'.format(template_name), "w+") as output:
+            rendered_template = template.render(processed_args)
+
+            if rendered_template:
+                output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+    main()
@@ -1,11 +0,0 @@
-auth sufficient pam_rootok.so
-auth required pam_wheel.so use_uid
-auth include system-auth
-
-account include system-auth
-
-password include system-auth
-
-session include system-auth
-session required pam_env.so
-session optional pam_xauth.so
diff --git a/system-auth.in b/system-auth.in
deleted file mode 100644
index 9ae09e4..0000000
--- a/system-auth.in
+++ /dev/null
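Review bot: `output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()` formats the literal string `"debug"`, so every rendered pam_krb5 line carries `debug` whether or not `--debug` was passed, whereas the removed basic-conf only expanded DEBUG when the user asked for it. In the same function `output["unix_authtok"] = "use_authtok"` is set under the "unconditional variables" comment, but the removed basic-conf comment says use_authtok is only appropriate when pam_passwdqc or pam_krb5 runs first to supply a token; with neither enabled, pam_unix's password phase is told to reuse a token that nothing has set, which I would expect to break a plain `passwd` run (worth confirming against pam_unix before merging). I would change the two lines to `output["krb5_params"] = ("debug " if args.debug else "") + "ignore_root try_first_pass"` and `output["unix_authtok"] = "use_authtok" if (args.krb5 or args.passwdqc) else ""`. In parse_templates, `Environment(loader=load)` renders any undefined name as an empty string, which hides template typos; importing `StrictUndefined` from jinja2 and passing `undefined=StrictUndefined` would turn them into build errors. The `"md5 shadow"` fallback also keeps MD5-crypt as the default hash when `--sha512` is not given; that is inherited from linux-pam-conf, but this build script is the natural place to flip the default to sha512.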
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth required pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth sufficient pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-auth required pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth optional pam_permit.so
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-account required pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account optional pam_permit.so
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password required pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-password required pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password optional pam_permit.so
-
-#if HAVE_PAM_SSH
-session optional pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session optional pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session optional pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth optional pam_cap.so
-#endif
-#include "system-session.inc"
diff --git a/system-login.in b/system-login.in
deleted file mode 100644
index ee03613..0000000
--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth required pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth required pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth include system-auth
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account required pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account required pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account required pam_nologin.so DEBUG_NOLOGIN
-#endif
-account include system-auth
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-password include system-auth
-
-#if HAVE_LOGINUID
-session optional pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session required pam_selinux.so close
-#endif
-#if HAVE_ENV
-session required pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session optional pam_lastlog.so silent DEBUG
-#endif
-session include system-auth
-#if HAVE_CONSOLEKIT
-session optional pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session required pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session optional pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session optional pam_mail.so
-#endif
diff --git a/system-session.inc b/system-session.inc
deleted file mode 100644
index 2ba6964..0000000
--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session required pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session required pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session optional pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
- to not support it for whatever reason, still execute pam_krb5, with
- sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-# endif
-session required pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session sufficient pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session optional pam_permit.so
diff --git a/templates/login.tpl b/templates/login.tpl
new file mode 100644
index 0000000..7476cb7
--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth required pam_securetty.so
+{% endif -%}
+
+auth include system-local-login
+account include system-local-login
+password include system-local-login
+session optional pam_lastlog.so {{ debug|default('', true) }}
+session include system-local-login
diff --git a/templates/other.tpl b/templates/other.tpl
new file mode 100644
index 0000000..f3b7198
--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
diff --git a/passwd.in b/templates/passwd.tpl
index 248bb7c..5f4f739 100644
--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
 auth sufficient pam_rootok.so
 auth include system-auth
-
 account include system-auth
-
 password include system-auth
--password optional pam_gnome_keyring.so UNIX_AUTHTOK
+-password optional pam_gnome_keyring.so {{ unix_authtok }}
diff --git a/templates/su.tpl b/templates/su.tpl
new file mode 100644
index 0000000..a36b633
--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth sufficient pam_rootok.so
+auth required pam_wheel.so use_uid
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_env.so
+session optional pam_xauth.so
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
new file mode 100644
index 0000000..13f5c0d
--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth required pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth sufficient pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth required pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth optional pam_permit.so
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account required pam_unix.so {{ debug|default('', true) }}
+account optional pam_permit.so
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password required pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password optional pam_permit.so
+
+{%- if pam_ssh -%}
+session optional pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session optional pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session optional pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session optional pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}
diff --git a/system-local-login.in b/templates/system-local-login.tpl
index 2f415ed..2f415ed 100644
--- a/system-local-login.in
+++ b/templates/system-local-login.tpl
diff --git a/templates/system-login.tpl b/templates/system-login.tpl
new file mode 100644
index 0000000..2f404bc
--- /dev/null
+++ b/templates/system-login.tpl
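Review bot: The `{%- if pam_ssh -%}` tag that opens the session block is the only tag in these templates with a leading dash, and that dash strips the newline ending `password optional pam_permit.so`; every following `{% endif -%}` then strips the blank line after it, so with none of pam_ssh/systemd/elogind/libcap enabled the rendered file runs `password optional pam_permit.so` straight into the first line of the included system-session.tpl on a single line — Linux-PAM cannot read that as two entries and the pam_limits entry is lost with it (traced from Jinja's `-` whitespace control; confirm by rendering with no flags). Changing it to `{% if pam_ssh -%}` like the sibling blocks keeps the line break. Separately, the libcap block emits `-session optional pam_libcap.so`, but the removed system-auth.in used `auth optional pam_cap.so`, which is the module name libcap installs and the phase it works in; with the `-` prefix the misnamed module fails to load silently, so `--libcap` quietly stops assigning capabilities. I would restore `auth optional pam_cap.so` for that block.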
@@ -0,0 +1,39 @@
+auth required pam_shells.so {{ debug|default('', true) }}
+auth required pam_nologin.so
+auth include system-auth
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account required pam_access.so {{ debug|default('', true) }}
+account required pam_nologin.so
+account include system-auth
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+password include system-auth
+session optional pam_loginuid.so
+{% if selinux -%}
+session required pam_selinux.so close
+{% endif -%}
+
+session required pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session optional pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session include system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session required pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_mail.so
+{% endif -%}
diff --git a/system-remote-login.in b/templates/system-remote-login.tpl
index 2f415ed..2f415ed 100644
--- a/system-remote-login.in
+++ b/templates/system-remote-login.tpl
diff --git a/system-services.in b/templates/system-service.tpl
index 989267f..cbfab6f 100644
--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
 auth sufficient pam_permit.so
-
 account include system-auth
-
-#if HAVE_LOGINUID
 session optional pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
new file mode 100644
index 0000000..f2622a8
--- /dev/null
+++ b/templates/system-session.tpl
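Review bot: `{% if not miniaml -%}` around the pam_lastlog line is a typo for `minimal`; Jinja's default Undefined is falsy, so `not miniaml` is always true and pam_lastlog is rendered even with `--minimal`, where the removed system-login.in kept HAVE_LASTLOG off under MINIMAL. The fix is `{% if not minimal -%}`. The two trailing `{% if not minimal -%}` blocks for pam_motd and pam_mail test the same condition back to back and could be one block. A slip like `miniaml` would have been a build error had pambase.py created its Environment with `undefined=StrictUndefined`.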
@@ -0,0 +1,16 @@
+session required pam_limits.so {{ debug|default('', true) }}
+session required pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session optional pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session required pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session optional pam_permit.so
|
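Review bot: Both krb5 lines, `session [success=1 default=ignore] {{ krb5_params }}`, omit the module name — the removed system-session.inc had `session KRB5_CONTROL pam_krb5.so KRB5_PARAMS` — so with `--krb5` the rendered entry is `session [success=1 default=ignore] debug ignore_root try_first_pass` and Linux-PAM will try to load a module called `debug`. The block is also emitted twice, before and after `session required pam_unix.so`, where the old file had it once; the basic-conf comment on KRB5_CONTROL says the `success=1` skip is only safe when pam_unix is the one module that follows, and the second copy would instead skip the closing `session optional pam_permit.so` on Kerberos success. I would keep a single `session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}` ahead of pam_unix and delete the second block.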