Attachment 869482 Details for Bug 726050 – Add sssd support

[patch] Add sssd support

0001-Add-sssd-support.patch (text/plain), 5.34 KB, created by Christopher Byrne on 2023-09-03 16:46:03 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Christopher Byrne

Created: 2023-09-03 16:46:03 UTC

Size: 5.34 KB

patch

obsolete

>From 91ad9c3f8f9e13ada4449c5eca0ccb181ca0fe1a Mon Sep 17 00:00:00 2001
>From: Christopher Byrne <salah.coronya@gmail.com>
>Date: Sun, 3 Sep 2023 11:32:19 -0500
>Subject: [PATCH] Add sssd support
>
>Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
>---
> pambase.py                   |  7 ++++++-
> templates/system-auth.tpl    | 38 ++++++++++++++++++++++++++++++------
> templates/system-session.tpl |  4 ++++
> 3 files changed, 42 insertions(+), 7 deletions(-)
>
>diff --git a/pambase.py b/pambase.py
>index 3875e89..ceec8cb 100755
>--- a/pambase.py
>+++ b/pambase.py
>@@ -19,6 +19,7 @@ def main():
>     parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
>     parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
>     parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
>+    parser.add_argument('--sssd', action="store_true", help='enable sssd.so module')
>     parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module')
>     parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
>     parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
>@@ -41,7 +42,8 @@ def process_args(args):
>         "unix_authtok",
>         "unix_extended_encryption",
>         "likeauth",
>-        "nullok"
>+        "nullok",
>+        "local_users_only"
>     ]
> 
>     # create a blank dictionary
>@@ -62,6 +64,9 @@ def process_args(args):
>     if args.krb5:
>         output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
> 
>+    if args.sssd:
>+        output["local_users_only"] = "local_users_only"
>+
>     if args.yescrypt:
>         output["unix_extended_encryption"] = "yescrypt shadow"
>     elif args.sha512:
>diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
>index 9739b6f..570d968 100644
>--- a/templates/system-auth.tpl
>+++ b/templates/system-auth.tpl
>@@ -7,34 +7,55 @@ auth		sufficient	pam_ssh.so
> auth		[success={{ 4 if homed else 3 }} default=ignore]      pam_krb5.so {{ krb5_params }}
> {% endif %}
> 
>+{% if sssd %}
>+auth		[default=1 ignore=ignore success=ok]	pam_usertype.so isregular
>+auth		[default=3 ignore=ignore success=ok]	pam_localuser.so
>+{% endif %}
>+
> auth		requisite	pam_faillock.so preauth
>+
> {% if homed %}
> auth            [success=2 default=ignore]      pam_systemd_home.so
> {% endif %}
>+
>+{% if sssd %}
>+auth            sufficient    pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }}
>+{% else %}
> auth            [success=1 default=ignore]      pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
>+{% endif %}
> auth		[default=die]	pam_faillock.so authfail
>-
>+{% if sssd %}
>+auth		sufficient	pam_sss.so forward_pass {{ debug|default('', true) }}
>+{% endif %}
> {% if caps %}
> auth		optional	pam_cap.so
> {% endif %}
>-
>+{% if sssd %}
>+auth		sufficient	pam_deny.so
>+{% endif %}
> {% if krb5 %}
> account		[success=2 default=ignore]	pam_krb5.so {{ krb5_params }}
> {% endif %}
> 
> {% if homed %}
>-account         [success=1 default=ignore]      pam_systemd_home.so
>+account         [success={{ 2 if sssd else 1 }} default=ignore]      pam_systemd_home.so
> {% endif %}
> 
> account		required	pam_unix.so {{ debug|default('', true) }}
> account         required        pam_faillock.so
>+{% if sssd %}
>+account		sufficient	pam_localuser.so
>+account		sufficient	pam_usertype.so issystem
>+account		[default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }}
>+account		required	pam_permit.so
>+{% endif %}
> 
> {% if passwdqc %}
> password	required	pam_passwdqc.so config=/etc/security/passwdqc.conf
> {% endif %}
> 
> {% if pwquality %}
>-password        required        pam_pwquality.so
>+password        required        pam_pwquality.so {{ local_users_only|default('', true ) }}
> {% endif %}
> 
> {% if pwhistory %}
>@@ -50,9 +71,14 @@ password        [success=1 default=ignore]      pam_systemd_home.so
> {% endif %}
> 
> {% if passwdqc or pwquality %}
>-password	required	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
>+password	{{ 'sufficient' if sssd else 'required' }}	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
> {% else %}
>-password        required        pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
>+password        {{ 'sufficient' if sssd else 'required' }}        pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
>+{% endif %}
>+
>+{% if sssd %}
>+password	sufficient	pam_sss.so use_authtok
>+password	required	pam_deny.so
> {% endif %}
> 
> {% if pam_ssh %}
>diff --git a/templates/system-session.tpl b/templates/system-session.tpl
>index 536db49..4c5585b 100644
>--- a/templates/system-session.tpl
>+++ b/templates/system-session.tpl
>@@ -13,3 +13,7 @@ session         [success=1 default=ignore]      pam_systemd_home.so
> {% endif %}
> 
> session		required	pam_unix.so {{ debug|default('', true) }}
>+
>+{% if sssd %}
>+session		optional	pam_sss.so {{ debug|default('', true) }}
>+{% endif %}
>-- 
>2.41.0
>

Actions: View | Diff

Attachments on bug 726050: 869482 | 882661