crans/crans_bcfg2
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[wheezy] On met à jour les fichiers de pam.d, et on bugfix groups.xml en attendant une amélioration

Browse source
This commit is contained in:
Pierre-Elliott Bécue 2013-04-19 16:49:19 +02:00
parent cdec12422b
commit ceaf481894
5 changed files with 110 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Metadata/groups.xml
View file

@ -515,6 +515,7 @@
<Group name="backup-client"/>
<Group name="rsyslog-client"/>
<Group name="iscsi"/>
<Group name="nslcd"/>
<Bundle name="apt"/>
<Bundle name="apt-keys"/>
@ -538,6 +539,7 @@
<Group name="backup-client"/>
<Group name="rsyslog-client"/>
<Group name="iscsi"/>
<Group name="nslcd"/>
<Bundle name="apt"/>
<Bundle name="apt-keys"/>

27
Python/etc/pam.d/common-account
View file

@ -3,13 +3,36 @@
include("pam")
header("""
/etc/pam.d/common-account - authorization settings common to all services
This file is included from other service-specific PAM config files,
and should contain a list of the authorization modules that define
the central access policy for use on the system. The default is to
only deny service to users whose accounts are expired in /etc/shadow.
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""")
print "account sufficient %s" % pam_module
print "account required pam_unix.so use_first_pass"
if not has('wheezy'):
print "session required pam_unix.so use_first_pass"
print "session sufficient %s" %pam_module
else:
@# here are the per-package modules (the "Primary" block)
@account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so use_first_pass
@# here's the fallback if no module succeeds
@account requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@account required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
if has("ldap"):
print "account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] %s minimum_uid=1000" % pam_module
@# end of pam-auth-update config

25
Python/etc/pam.d/common-auth
View file

@ -10,7 +10,28 @@ and should contain a list of the authentication modules that define
the central authentication scheme for use on the system
(e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
traditional Unix authentication mechanisms.
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""")
print "auth sufficient %s" % pam_module
print "auth required pam_unix.so nullok_secure use_first_pass"
if not has('wheezy'):
print "auth sufficient %s" % pam_module
print "auth required pam_unix.so nullok_secure use_first_pass"
else:
@# here are the per-package modules (the "Primary" block)
@auth [success=2 default=ignore] pam_unix.so nullok_secure use_first_pass
if has('ldap'):
print "auth [success=1 default=ignore] %s minimum_uid=1000" % pam_module
@# here's the fallback if no module succeeds
@auth requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@auth required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
@# end of pam-auth-update config

37
Python/etc/pam.d/common-password
View file

@ -7,7 +7,23 @@ header("""
This file is included from other service-specific PAM config files,
and should contain a list of modules that define the services to be
used to change user passwords. The default is pam_unix
used to change user passwords. The default is pam_unix.
Explanation of pam_unix options:
The "sha512" option enables salted SHA512 passwords. Without this option,
the default is Unix crypt. Prior releases used the option "md5".
The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
login.defs.
See the pam_unix manpage for other options.
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""")
@# The "nullok" option allows users to change an empty password, else
@ -19,12 +35,25 @@ used to change user passwords. The default is pam_unix
@# login.defs. Also the "min" and "max" options enforce the length of the
@# new password.
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
@# Alternate strength checking for password. Note that this
@# requires the libpam-cracklib package to be installed.
@# You will need to comment out the password line above and
@# uncomment the next two in order to use this.
@# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
if not has('wheezy'):
print "password sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
print "password required pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
else:
@# here are the per-package modules (the "Primary" block)
@password [success=2 default=ignore] pam_unix.so nullok obscure sha512 min=4 max=8 md5 try_first_pass
print "password [success=1 default=ignore] %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
@# here's the fallback if no module succeeds
@password requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@password required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
@# end of pam-auth-update config

30
Python/etc/pam.d/common-session
View file

@ -8,9 +8,31 @@ header("""
This file is included from other service-specific PAM config files,
and should contain a list of modules that define tasks to be performed
at the start and end of sessions of *any* kind (both interactive and
non-interactive). The default is pam_unix.
non-interactive).
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any
local modules either before or after the default block, and use
pam-auth-update to manage selection of other modules. See
pam-auth-update(8) for details.
""")
print "session sufficient %s" % pam_module
print "session required pam_unix.so"
print "session required pam_mkhomedir.so"
if not has('wheezy'):
print "session sufficient %s" % pam_module
print "session required pam_unix.so"
print "session required pam_mkhomedir.so"
else:
@# here are the per-package modules (the "Primary" block)
@session [default=1] pam_permit.so
@# here's the fallback if no module succeeds
@session requisite pam_deny.so
@# prime the stack with a positive return value if there isn't one already;
@# this avoids us returning an error just because nothing sets a success code
@# since the modules above will each just jump around
@session required pam_permit.so
@# and here are more per-package modules (the "Additional" block)
@session required pam_unix.so
if has('ldap'):
print "session [success=ok default=ignore] %s minimum_uid=1000" % pam_module
@# end of pam-auth-update config