[gnome-build-meta/abderrahim/gnome-boot] add pam config
- From: Abderrahim Kitouni <akitouni src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-build-meta/abderrahim/gnome-boot] add pam config
- Date: Fri, 3 May 2019 22:01:41 +0000 (UTC)
commit a2d3c6879cf22fbafb538b88c813f874de9374c4
Author: Abderrahim Kitouni <akitouni gnome org>
Date: Fri May 3 23:01:16 2019 +0100
add pam config
elements/vm/desktop-vm.bst | 2 ++
elements/vm/linux-pam-config.bst | 23 +++++++++++++++++++++++
files/linux-pam-config/config-util | 7 +++++++
files/linux-pam-config/fingerprint-auth | 16 ++++++++++++++++
files/linux-pam-config/other | 4 ++++
files/linux-pam-config/password-auth | 15 +++++++++++++++
files/linux-pam-config/postlogin | 4 ++++
files/linux-pam-config/smartcard-auth | 16 ++++++++++++++++
files/linux-pam-config/system-auth | 15 +++++++++++++++
9 files changed, 102 insertions(+)
---
diff --git a/elements/vm/desktop-vm.bst b/elements/vm/desktop-vm.bst
index c9f27eee..078de78d 100644
--- a/elements/vm/desktop-vm.bst
+++ b/elements/vm/desktop-vm.bst
@@ -34,6 +34,8 @@ depends:
- filename: vm/systemd-firstboot-integration.bst
junction: freedesktop-sdk.bst
type: build
+- filename: vm/linux-pam-config.bst
+ type: build
# And add GNOME core on top !
- filename: sdk.bst
diff --git a/elements/vm/linux-pam-config.bst b/elements/vm/linux-pam-config.bst
new file mode 100644
index 00000000..f81e9987
--- /dev/null
+++ b/elements/vm/linux-pam-config.bst
@@ -0,0 +1,23 @@
+kind: manual
+sources:
+- kind: local
+ path: files/linux-pam-config
+ directory: linux-pam-config
+depends:
+- filename: bootstrap-import.bst
+ junction: freedesktop-sdk.bst
+ type: build
+
+variables:
+ pamconfdir: "%{sysconfdir}/pam.d"
+
+config:
+ install-commands:
+ - mkdir -p %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/other %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/system-auth %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/password-auth %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/fingerprint-auth %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/smartcard-auth %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/config-util %{install-root}%{pamconfdir}
+ - install -m 644 linux-pam-config/postlogin %{install-root}%{pamconfdir}
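Review bot: Nothing in this element ensures that the modules named by the installed stacks exist in the image. Its only dependency is a build-time `bootstrap-import.bst`, while the files installed here reference `pam_pwquality.so`, `pam_fprintd.so` and `pam_pkcs11.so`. A module that cannot be loaded counts as a failure for its line, so `password requisite pam_pwquality.so` in system-auth and password-auth would reject every password change if libpwquality is not shipped. Whether these modules are shipped is not visible from this hunk. If any is not, declare the providing element as a dependency here or drop the corresponding stack, and add a comment above `install-commands:` saying where the files were derived from.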
diff --git a/files/linux-pam-config/config-util b/files/linux-pam-config/config-util
new file mode 100644
index 00000000..2e35e396
--- /dev/null
+++ b/files/linux-pam-config/config-util
@@ -0,0 +1,7 @@
+auth sufficient pam_rootok.so
+auth sufficient pam_timestamp.so
+auth include system-auth
+account required pam_permit.so
+session required pam_permit.so
+session optional pam_xauth.so
+session optional pam_timestamp.so
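Review bot: The account phase here is `account required pam_permit.so`, so a service that includes config-util never runs the expiry and lock checks that the other stacks get from `account required pam_unix.so`. Together with `auth sufficient pam_timestamp.so`, a recently authenticated user passes without a password and without an account check. If that is intended for the helper tools that use this file, a header comment naming them would make it reviewable. Otherwise `account include system-auth` keeps the checks consistent with the rest of the set.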
diff --git a/files/linux-pam-config/fingerprint-auth b/files/linux-pam-config/fingerprint-auth
new file mode 100644
index 00000000..ca152fba
--- /dev/null
+++ b/files/linux-pam-config/fingerprint-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
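Review bot: The two `account sufficient` lines (`pam_localuser.so` and `pam_succeed_if.so uid < 500 quiet`) have no effect in this stack, because the only line after them is `account required pam_permit.so`; the result is decided by `pam_unix.so` alone. They look like leftovers from a template that had a network-account module between them and `pam_permit.so`, and can be removed. If they are kept for a future module, `uid < 500` should be checked against the image's system-UID boundary, which is commonly 1000 on current distributions; that value is not visible here. smartcard-auth carries the same three lines.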
diff --git a/files/linux-pam-config/other b/files/linux-pam-config/other
new file mode 100644
index 00000000..8059b66a
--- /dev/null
+++ b/files/linux-pam-config/other
@@ -0,0 +1,4 @@
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
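Review bot: The fallback stack denies everything but records nothing, so a service that reaches `other` because it has no file of its own fails silently. Putting `auth required pam_warn.so` before `auth required pam_deny.so` (and likewise for the other three types) logs the service, user and remote host to syslog. That makes both misconfigured packages and probing of unconfigured services visible.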
diff --git a/files/linux-pam-config/password-auth b/files/linux-pam-config/password-auth
new file mode 100644
index 00000000..2657624d
--- /dev/null
+++ b/files/linux-pam-config/password-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
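Review bot: `nullok` on `auth sufficient pam_unix.so try_first_pass nullok` lets any account with an empty password field authenticate without a password. On Fedora-style layouts, password-auth is the stack that network-facing services include. If empty passwords are only wanted for local first-boot login, keep `nullok` in system-auth and use `auth sufficient pam_unix.so try_first_pass` here; a comment stating why it is present would help either way. system-auth is added with the same blob (2657624d), so the same question applies to that file.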
diff --git a/files/linux-pam-config/postlogin b/files/linux-pam-config/postlogin
new file mode 100644
index 00000000..f71e4ebf
--- /dev/null
+++ b/files/linux-pam-config/postlogin
@@ -0,0 +1,4 @@
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog.so nowtmp showfailed
+session optional pam_lastlog.so silent noupdate showfailed
diff --git a/files/linux-pam-config/smartcard-auth b/files/linux-pam-config/smartcard-auth
new file mode 100644
index 00000000..f0843beb
--- /dev/null
+++ b/files/linux-pam-config/smartcard-auth
@@ -0,0 +1,16 @@
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/files/linux-pam-config/system-auth b/files/linux-pam-config/system-auth
new file mode 100644
index 00000000..2657624d
--- /dev/null
+++ b/files/linux-pam-config/system-auth
@@ -0,0 +1,15 @@
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so