[wheezy] On met à jour les fichiers de pam.d, et on bugfix groups.xml en attendant une amélioration

This commit is contained in:
Pierre-Elliott Bécue 2013-04-19 16:49:19 +02:00
parent cdec12422b
commit ceaf481894
5 changed files with 110 additions and 13 deletions


@ -515,6 +515,7 @@
<Group name="backup-client"/> <Group name="backup-client"/>
<Group name="rsyslog-client"/> <Group name="rsyslog-client"/>
<Group name="iscsi"/> <Group name="iscsi"/>
<Group name="nslcd"/>
<Bundle name="apt"/> <Bundle name="apt"/>
<Bundle name="apt-keys"/> <Bundle name="apt-keys"/>
@ -538,6 +539,7 @@
<Group name="backup-client"/> <Group name="backup-client"/>
<Group name="rsyslog-client"/> <Group name="rsyslog-client"/>
<Group name="iscsi"/> <Group name="iscsi"/>
<Group name="nslcd"/>
<Bundle name="apt"/> <Bundle name="apt"/>
<Bundle name="apt-keys"/> <Bundle name="apt-keys"/>


@ -3,13 +3,36 @@
include("pam") include("pam")
header(""" header("""
/etc/pam.d/common-account - authorization settings common to all services /etc/pam.d/common-account - authorization settings common to all services
This file is included from other service-specific PAM config files, This file is included from other service-specific PAM config files,
and should contain a list of the authorization modules that define and should contain a list of the authorization modules that define
the central access policy for use on the system. The default is to the central access policy for use on the system. The default is to
only deny service to users whose accounts are expired in /etc/shadow. only deny service to users whose accounts are expired in /etc/shadow.
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""") """)
print "account sufficient %s" % pam_module if not has('wheezy'):
print "account required pam_unix.so use_first_pass" print "session required pam_unix.so use_first_pass"
print "session sufficient %s" %pam_module
else:
@# here are the per-package modules (the "Primary" block)
@account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass
@# here's the fallback if no module succeeds
@account requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@account required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
if has("ldap"):
print "account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] %s minimum_uid=1000" % pam_module
@# end of pam-auth-update config
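Review bot: The non-wheezy branch on the new side, `print "session required pam_unix.so use_first_pass"` followed by `print "session sufficient %s" %pam_module`, writes `session` entries into /etc/pam.d/common-account, whereas the removed lines wrote `account sufficient %s` and then `account required pam_unix.so use_first_pass`; both the module type and the order of the two modules changed, so a pre-wheezy host ends up with a common-account containing no account-management lines at all. The commit message describes a wheezy update, so the pre-wheezy output was presumably meant to stay as it was: under `if not has('wheezy'):` restore `print "account sufficient %s" % pam_module` and `print "account required pam_unix.so use_first_pass"`. In the wheezy branch, `use_first_pass` on `@account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass` is an auth/password option with no meaning for account management; the Debian pam-auth-update stanza these comments are copied from uses plain `pam_unix.so` there.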


@ -10,7 +10,28 @@ and should contain a list of the authentication modules that define
the central authentication scheme for use on the system the central authentication scheme for use on the system
(e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
traditional Unix authentication mechanisms. traditional Unix authentication mechanisms.
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""") """)
print "auth sufficient %s" % pam_module if not has('wheezy'):
print "auth required pam_unix.so nullok_secure use_first_pass" print "auth sufficient %s" % pam_module
print "auth required pam_unix.so nullok_secure use_first_pass"
else:
@# here are the per-package modules (the "Primary" block)
@auth [success=2 default=ignore] pam_unix.so nullok_secure use_first_pass
if has('ldap'):
print "auth [success=1 default=ignore] %s minimum_uid=1000" % pam_module
@# here's the fallback if no module succeeds
@auth requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@auth required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
@# end of pam-auth-update config
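Review bot: In the wheezy branch, `@auth [success=2 default=ignore] pam_unix.so nullok_secure use_first_pass` makes pam_unix the first module of the auth stack while forbidding it to prompt: with `use_first_pass` pam_unix only consumes a password an earlier module left in PAM_AUTHTOK and fails otherwise, so unless the calling application pre-sets the token, pam_unix can never succeed and local users fall through to the LDAP line and then to pam_deny. The removed code had the roles the other way round (the `%s` module prompted first, pam_unix used `use_first_pass` second), and the pam-auth-update layout puts the option on the second primary module: `@auth [success=2 default=ignore] pam_unix.so nullok_secure` followed by `print "auth [success=1 default=ignore] %s minimum_uid=1000 use_first_pass" % pam_module`. Separately, `success=2` is hard-coded while the second primary line is only printed under `if has('ldap'):`; without LDAP the jump skips both pam_deny and pam_permit and runs off the end of the stack, which Linux-PAM (as far as I recall) logs as a bad jump and fails, so the jump width should follow the condition, e.g. `print "auth [success=%d default=ignore] pam_unix.so nullok_secure" % (2 if has('ldap') else 1)`.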


@ -6,8 +6,24 @@ header("""
/etc/pam.d/common-password - password-related modules common to all services /etc/pam.d/common-password - password-related modules common to all services
This file is included from other service-specific PAM config files, This file is included from other service-specific PAM config files,
and should contain a list of modules that define the services to be and should contain a list of modules that define the services to be
used to change user passwords. The default is pam_unix used to change user passwords. The default is pam_unix.
Explanation of pam_unix options:
The "sha512" option enables salted SHA512 passwords. Without this option,
the default is Unix crypt. Prior releases used the option "md5".
The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
login.defs.
See the pam_unix manpage for other options.
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""") """)
@# The "nullok" option allows users to change an empty password, else @# The "nullok" option allows users to change an empty password, else
@ -19,12 +35,25 @@ used to change user passwords. The default is pam_unix
@# login.defs. Also the "min" and "max" options enforce the length of the @# login.defs. Also the "min" and "max" options enforce the length of the
@# new password. @# new password.
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
@# Alternate strength checking for password. Note that this @# Alternate strength checking for password. Note that this
@# requires the libpam-cracklib package to be installed. @# requires the libpam-cracklib package to be installed.
@# You will need to comment out the password line above and @# You will need to comment out the password line above and
@# uncomment the next two in order to use this. @# uncomment the next two in order to use this.
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH') @# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
if not has('wheezy'):
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
else:
@# here are the per-package modules (the "Primary" block)
@password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
@# here's the fallback if no module succeeds
@password requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@password required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
@# end of pam-auth-update config
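Review bot: `@password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass` passes both `sha512` and `md5`; pam_unix picks a single hash algorithm from its options and in the pam_unix versions I know `md5` takes precedence over `sha512` (newer releases make the options mutually exclusive, last one winning), so new passwords would still be hashed with salted MD5 despite the header text this commit adds explaining that `sha512` is the point — drop `md5` from that line, as the Debian stanza (`pam_unix.so obscure sha512`) does. On the following line `ignore_unkown_user` is misspelled (the non-wheezy branch two lines above spells it `ignore_unknown_user`); pam_ldap does not recognise the misspelt option, so it is logged and not applied — `print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unknown_user md5 try_first_pass" % pam_module`. Unlike the auth, account and session templates in this commit, this LDAP line is emitted regardless of `has('ldap')`; if that is unintentional, guard it with `if has('ldap'):` and reduce pam_unix's jump to `success=1` in the non-LDAP case so it still lands on pam_permit.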


@ -8,9 +8,31 @@ header("""
This file is included from other service-specific PAM config files, This file is included from other service-specific PAM config files,
and should contain a list of modules that define tasks to be performed and should contain a list of modules that define tasks to be performed
at the start and end of sessions of *any* kind (both interactive and at the start and end of sessions of *any* kind (both interactive and
non-interactive). The default is pam_unix. non-interactive).
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""") """)
print "session sufficient %s" % pam_module if not has('wheezy'):
print "session required pam_unix.so" print "session sufficient %s" % pam_module
print "session required pam_mkhomedir.so" print "session required pam_unix.so"
print "session required pam_mkhomedir.so"
else:
@# here are the per-package modules (the "Primary" block)
@session [default=1] pam_permit.so
@# here's the fallback if no module succeeds
@session requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@session required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
@session required pam_unix.so
if has('ldap'):
print "session [success=ok default=ignore] %s minimum_uid=1000" % pam_module
@# end of pam-auth-update config
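Review bot: The wheezy branch no longer emits `pam_mkhomedir.so`, which the non-wheezy branch still prints (`print "session required pam_mkhomedir.so"`) and which nothing else in this commit relocates, so LDAP users logging into a wheezy host for the first time would get no home directory. Unless mkhomedir is now provided by another bundle, add `@session required pam_mkhomedir.so` right after `@session required pam_unix.so` in the Additional block, which is where Debian's mkhomedir profile places it. It would also help readers of the generated file to say why `@session [default=1] pam_permit.so` opens the Primary block, e.g. `# pam_permit with default=1 jumps over pam_deny: session setup has no primary module here, the real work is in the Additional block`, since the copied pam-auth-update comments do not explain it.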