[gnome-build-meta/abderrahim/gnome-boot] add pam config



commit a2d3c6879cf22fbafb538b88c813f874de9374c4
Author: Abderrahim Kitouni <akitouni gnome org>
Date:   Fri May 3 23:01:16 2019 +0100

    add pam config

 elements/vm/desktop-vm.bst              |  2 ++
 elements/vm/linux-pam-config.bst        | 23 +++++++++++++++++++++++
 files/linux-pam-config/config-util      |  7 +++++++
 files/linux-pam-config/fingerprint-auth | 16 ++++++++++++++++
 files/linux-pam-config/other            |  4 ++++
 files/linux-pam-config/password-auth    | 15 +++++++++++++++
 files/linux-pam-config/postlogin        |  4 ++++
 files/linux-pam-config/smartcard-auth   | 16 ++++++++++++++++
 files/linux-pam-config/system-auth      | 15 +++++++++++++++
 9 files changed, 102 insertions(+)
---
diff --git a/elements/vm/desktop-vm.bst b/elements/vm/desktop-vm.bst
index c9f27eee..078de78d 100644
--- a/elements/vm/desktop-vm.bst
+++ b/elements/vm/desktop-vm.bst
@@ -34,6 +34,8 @@ depends:
 - filename: vm/systemd-firstboot-integration.bst
   junction: freedesktop-sdk.bst
   type: build
+- filename: vm/linux-pam-config.bst
+  type: build
 
 # And add GNOME core on top !
 - filename: sdk.bst
diff --git a/elements/vm/linux-pam-config.bst b/elements/vm/linux-pam-config.bst
new file mode 100644
index 00000000..f81e9987
--- /dev/null
+++ b/elements/vm/linux-pam-config.bst
@@ -0,0 +1,23 @@
+kind: manual
+sources:
+- kind: local
+  path: files/linux-pam-config
+  directory: linux-pam-config
+depends:
+- filename: bootstrap-import.bst
+  junction: freedesktop-sdk.bst
+  type: build
+
+variables:
+  pamconfdir: "%{sysconfdir}/pam.d"
+
+config:
+  install-commands:
+  - mkdir -p %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/other %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/system-auth %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/password-auth %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/fingerprint-auth %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/smartcard-auth %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/config-util %{install-root}%{pamconfdir}
+  - install -m 644 linux-pam-config/postlogin %{install-root}%{pamconfdir}
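Review bot: The stacks installed by these `install-commands` reference `pam_pwquality.so`, `pam_fprintd.so` and `pam_pkcs11.so`, but the element only build-depends on `bootstrap-import.bst`, and nothing visible in this commit guarantees those modules end up in the image. A module that cannot be loaded counts as a failure, so the `password requisite pam_pwquality.so` line in system-auth and password-auth would presumably make every password change fail if libpwquality is absent. I would add a comment above `sources:` naming the elements expected to provide each module, such as `# Requires pam_pwquality, pam_fprintd and pam_pkcs11 in the final image`, or drop the stacks whose modules are not shipped.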
diff --git a/files/linux-pam-config/config-util b/files/linux-pam-config/config-util
new file mode 100644
index 00000000..2e35e396
--- /dev/null
+++ b/files/linux-pam-config/config-util
@@ -0,0 +1,7 @@
+auth           sufficient      pam_rootok.so
+auth           sufficient      pam_timestamp.so
+auth           include         system-auth
+account                required        pam_permit.so
+session                required        pam_permit.so
+session                optional        pam_xauth.so
+session                optional        pam_timestamp.so
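Review bot: config-util has no header comment saying which services are meant to include it, and its policy is deliberately weak. Auth succeeds without a password for root via `pam_rootok.so` or inside the `pam_timestamp.so` window, and `account required pam_permit.so` skips the expiry checks that `pam_unix.so` performs in the other stacks. A first-line comment such as `# For local privileged configuration tools only; never include from login or network-facing services` would keep a later service file from pulling it in by mistake. That intended scope is inferred from the module choice, so please confirm it.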
diff --git a/files/linux-pam-config/fingerprint-auth b/files/linux-pam-config/fingerprint-auth
new file mode 100644
index 00000000..ca152fba
--- /dev/null
+++ b/files/linux-pam-config/fingerprint-auth
@@ -0,0 +1,16 @@
+auth        required      pam_env.so
+auth        sufficient    pam_fprintd.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
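Review bot: The `uid < 500` test in the account stack uses an old system-account boundary, and many current distributions start regular users at 1000, so check it against this image's `login.defs`. As written, the `pam_localuser.so` and `pam_succeed_if.so` lines and the closing `pam_permit.so` cannot change the result that `account required pam_unix.so` already decided, because no other module sits between them. Either remove the three lines or add a comment such as `# placeholder: a network account module would go before pam_permit.so`. The same four account lines appear in smartcard-auth.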
diff --git a/files/linux-pam-config/other b/files/linux-pam-config/other
new file mode 100644
index 00000000..8059b66a
--- /dev/null
+++ b/files/linux-pam-config/other
@@ -0,0 +1,4 @@
+auth     required       pam_deny.so
+account  required       pam_deny.so
+password required       pam_deny.so
+session  required       pam_deny.so
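Review bot: The deny-all fallback refuses unconfigured services silently, so nothing is logged when a service without its own file in pam.d attempts authentication. Putting `pam_warn.so` ahead of each deny, for example `auth required pam_warn.so` before `auth required pam_deny.so`, logs the service, user and remote host to syslog. That makes a missing or misnamed service file visible during bring-up and gives detection a signal later.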
diff --git a/files/linux-pam-config/password-auth b/files/linux-pam-config/password-auth
new file mode 100644
index 00000000..2657624d
--- /dev/null
+++ b/files/linux-pam-config/password-auth
@@ -0,0 +1,15 @@
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
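Review bot: `nullok` on `auth sufficient pam_unix.so try_first_pass nullok` lets any account with an empty password field authenticate with no password, and every service that includes password-auth inherits that. This includes remote ones if they are added to the image later. If first boot always sets a password, the auth line can be `auth        sufficient    pam_unix.so try_first_pass`, with `nullok` kept only on the `password` line if setting an initial password needs it. If blank passwords are intended for this VM image, a comment saying so would help. The same line is in system-auth.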
diff --git a/files/linux-pam-config/postlogin b/files/linux-pam-config/postlogin
new file mode 100644
index 00000000..f71e4ebf
--- /dev/null
+++ b/files/linux-pam-config/postlogin
@@ -0,0 +1,4 @@
+session optional                   pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1]                pam_lastlog.so nowtmp showfailed
+session optional                   pam_lastlog.so silent noupdate showfailed
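Review bot: The two jump counts in postlogin are hard to follow without a comment, and an off-by-one after a later edit would silently change which `pam_lastlog.so` line runs. For services that are not `gdm*` or `su*`, `success=1` skips the first lastlog line and the `silent noupdate` one runs. For `gdm*` and `su*` the first lastlog line runs and `default=1` skips the second. I would add a comment above the `pam_succeed_if.so` line stating that, plus a reminder that inserting a line between the three entries requires adjusting the jump values.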
diff --git a/files/linux-pam-config/smartcard-auth b/files/linux-pam-config/smartcard-auth
new file mode 100644
index 00000000..f0843beb
--- /dev/null
+++ b/files/linux-pam-config/smartcard-auth
@@ -0,0 +1,16 @@
+auth        required      pam_env.so
+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    optional      pam_pkcs11.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
diff --git a/files/linux-pam-config/system-auth b/files/linux-pam-config/system-auth
new file mode 100644
index 00000000..2657624d
--- /dev/null
+++ b/files/linux-pam-config/system-auth
@@ -0,0 +1,15 @@
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
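Review bot: system-auth is added with the same blob id as password-auth (`2657624d`), so the image carries two byte-identical copies of the main authentication policy. Two copies drift apart easily: a later hardening change applied to one file leaves the other path weaker, with nothing to flag it. A header comment in each file would help, for instance `# Keep in sync with password-auth unless local and remote policy must differ`. Alternatively, install one as a symlink to the other until they need to diverge.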

