From 4789c3f482e87c9fcf28460de292f9a15ac960bc Mon Sep 17 00:00:00 2001 From: Matthijs Date: Tue, 16 Aug 2011 19:49:12 +0000 Subject: [PATCH 01/16] nullmailer: Add configuration. These files were created by debconf. --- etc/nullmailer/adminaddr | 0 etc/nullmailer/remotes | 1 + 2 files changed, 1 insertion(+) create mode 100644 etc/nullmailer/adminaddr create mode 100644 etc/nullmailer/remotes diff --git a/etc/nullmailer/adminaddr b/etc/nullmailer/adminaddr new file mode 100644 index 0000000..e69de29 diff --git a/etc/nullmailer/remotes b/etc/nullmailer/remotes new file mode 100644 index 0000000..990078e --- /dev/null +++ b/etc/nullmailer/remotes @@ -0,0 +1 @@ +mail.local -- 2.30.2 From 321fc6824f703276588b60e29b90f59b538107db Mon Sep 17 00:00:00 2001 From: Matthijs Date: Tue, 16 Aug 2011 21:53:28 +0200 Subject: [PATCH 02/16] rsyslog: Add default configuration Also includes the logrotate config for rsyslog. --- etc/logrotate.d/rsyslog | 37 +++++++++++++ etc/rsyslog.conf | 116 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 153 insertions(+) create mode 100644 etc/logrotate.d/rsyslog create mode 100644 etc/rsyslog.conf diff --git a/etc/logrotate.d/rsyslog b/etc/logrotate.d/rsyslog new file mode 100644 index 0000000..9ce5a44 --- /dev/null +++ b/etc/logrotate.d/rsyslog @@ -0,0 +1,37 @@ +/var/log/syslog +{ + rotate 7 + daily + missingok + notifempty + delaycompress + compress + postrotate + invoke-rc.d rsyslog reload > /dev/null + endscript +} + +/var/log/mail.info +/var/log/mail.warn +/var/log/mail.err +/var/log/mail.log +/var/log/daemon.log +/var/log/kern.log +/var/log/auth.log +/var/log/user.log +/var/log/lpr.log +/var/log/cron.log +/var/log/debug +/var/log/messages +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog reload > /dev/null + endscript +} diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf new file mode 100644 index 0000000..2a7f9f9 --- /dev/null +++ b/etc/rsyslog.conf 
@@ -0,0 +1,116 @@ +# /etc/rsyslog.conf Configuration file for rsyslog. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging +$ModLoad imklog # provides kernel logging support (previously done by rklogd) +#$ModLoad immark # provides --MARK-- message capability + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Set the default permissions for all log files. +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + + +############### +#### RULES #### +############### + +# +# First some standard log files. Log by facility. +# +auth,authpriv.* /var/log/auth.log +*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +daemon.* -/var/log/daemon.log +kern.* -/var/log/kern.log +lpr.* -/var/log/lpr.log +mail.* -/var/log/mail.log +user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +# +# Logging for INN news system. +# +news.crit /var/log/news/news.crit +news.err /var/log/news/news.err +news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. 
+# +*.=debug;\ + auth,authpriv.none;\ + news.none;mail.none -/var/log/debug +*.=info;*.=notice;*.=warn;\ + auth,authpriv.none;\ + cron,daemon.none;\ + mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg * + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +daemon.*;mail.*;\ + news.err;\ + *.=debug;*.=info;\ + *.=notice;*.=warn |/dev/xconsole -- 2.30.2 From 865bbbf744cea26bdc94ce5932fa30ff74d46dee Mon Sep 17 00:00:00 2001 From: Matthijs Date: Tue, 16 Aug 2011 22:10:05 +0200 Subject: [PATCH 03/16] rsyslog: Update configuration. This adds the rsyslog configuration taken from drsnuggles, nearly verbatim. This splits out the syslog messages into different files, keeps a work queue and contains configuration to send log messages to a central server (still disabled). --- etc/rsyslog.conf | 134 ++++++++++++++++++++++------------------------- 1 file changed, 62 insertions(+), 72 deletions(-) diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf index 2a7f9f9..5dfd304 100644 --- a/etc/rsyslog.conf +++ b/etc/rsyslog.conf 
@@ -9,17 +9,8 @@ ################# $ModLoad imuxsock # provides support for local system logging -$ModLoad imklog # provides kernel logging support (previously done by rklogd) -#$ModLoad immark # provides --MARK-- message capability - -# provides UDP syslog reception -#$ModLoad imudp -#$UDPServerRun 514 - -# provides TCP syslog reception -#$ModLoad imtcp -#$InputTCPServerRun 514 - +$ModLoad immark # provides --MARK-- message capability +$MarkMessagePeriod 900 # mark messages appear every 15 Minutes ########################### #### GLOBAL DIRECTIVES #### 
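Review bot: Dropping `$ModLoad imklog` means kernel ring-buffer messages (OOM kills, segfaults, netfilter log lines) are no longer captured by this rsyslog instance, and neither the hunk nor the commit message says why. If this host is a container whose kernel log is handled by the host, as the "log vserver" wording in the next hunk suggests, record that next to the module list, e.g. `# imklog intentionally not loaded: kernel messages are handled by the host kernel's syslog`. If that is not the case the line should be restored, since auth and debug logs without kernel context make incident reconstruction harder.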
@@ -45,72 +36,71 @@ $Umask 0022 # $IncludeConfig /etc/rsyslog.d/*.conf +# Store any queues here. This directory is not created automatically, so it +# must already exist! +$WorkDirectory /var/spool/rsyslog + +# Use a (disk-assisted) main queue +# Use a linked list for queueing +$MainMsgQueueType LinkedList +# Name to use for the queue file +$MainMsgQueueFileName main +# save in-memory data if rsyslog shuts down +$MainMsgQueueSaveOnShutdown on + +####################### +#### Local logging #### +####################### + +# +# Log each facility into its own log +auth,authpriv.* /var/log/rsyslog/auth.log +cron.* -/var/log/rsyslog/user.log +daemon.* -/var/log/rsyslog/daemon.log +kern.* -/var/log/rsyslog/kern.log +lpr.* -/var/log/rsyslog/lpr.log +mail.* -/var/log/rsyslog/mail.log +user.* -/var/log/rsyslog/user.log +local0,local1,local2,\ + local3,local4,local5,\ + local6,local7.* -/var/log/rsyslog/local.log + +# Omitted facilities: syslog, news, uucp, ftp + +# All logs end up in syslog as weel as the corresponding facility log above +# (except for auth, mail which only end up in the facility log for privacy +# reasons and debug which only ends up in the debug log below to prevent +# flooding). +*.*;\ + *.!=debug;\ + auth,authpriv.none;\ + mail.none -/var/log/rsyslog/syslog -############### -#### RULES #### -############### - -# -# First some standard log files. Log by facility. -# -auth,authpriv.* /var/log/auth.log -*.*;auth,authpriv.none -/var/log/syslog -#cron.* /var/log/cron.log -daemon.* -/var/log/daemon.log -kern.* -/var/log/kern.log -lpr.* -/var/log/lpr.log -mail.* -/var/log/mail.log -user.* -/var/log/user.log - -# -# Logging for the mail system. Split it up so that -# it is easy to write scripts to parse these files. -# -mail.info -/var/log/mail.info -mail.warn -/var/log/mail.warn -mail.err /var/log/mail.err - -# -# Logging for INN news system. 
-# -news.crit /var/log/news/news.crit -news.err /var/log/news/news.err -news.notice -/var/log/news/news.notice - -# -# Some "catch-all" log files. -# +# Debug entries end up in debug.log as well as the corresponding facility log +# above (except for auth and mail, which only end up in the facility logs for +# privacy reasons). *.=debug;\ auth,authpriv.none;\ - news.none;mail.none -/var/log/debug -*.=info;*.=notice;*.=warn;\ - auth,authpriv.none;\ - cron,daemon.none;\ - mail,news.none -/var/log/messages - + news.none;mail.none -/var/log/rsyslog/debug.log # # Emergencies are sent to everybody logged in. # *.emerg * -# -# I like to have messages displayed on the console, but only on a virtual -# console I usually leave idle. -# -#daemon,mail.*;\ -# news.=crit;news.=err;news.=notice;\ -# *.=debug;*.=info;\ -# *.=notice;*.=warn /dev/tty8 - -# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, -# you must invoke `xconsole' with the `-file' option: -# -# $ xconsole -file /dev/xconsole [...] -# -# NOTE: adjust the list below, or you'll go crazy if you have a reasonably -# busy site.. -# -daemon.*;mail.*;\ - news.err;\ - *.=debug;*.=info;\ - *.=notice;*.=warn |/dev/xconsole +######################## +#### Remote logging #### +######################## + +# Send all log entries to the log vserver, but queue them in memory as well as +# on disk if needed. +# Use a linked list for queueing +$ActionQueueType LinkedList +# Name to use for the queue file +$ActionQueueFileName remote +# infinite retries on insert failure +$ActionResumeRetryCount -1 +# save in-memory data if rsyslog shuts down +$ActionQueueSaveOnShutdown on +# Disabled for now +#*.* @@log.local;RSYSLOG_SyslogProtocol23Format + -- 2.30.2 From 70a4c658c606c743501f5e720688df7b7bd77c9e Mon Sep 17 00:00:00 2001 
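Review bot: `cron.* -/var/log/rsyslog/user.log` routes the cron facility into user.log, which looks like a copy-paste slip for `cron.* -/var/log/rsyslog/cron.log`; as written cron and user entries are interleaved in one file and no cron.log exists. The new paths under /var/log/rsyslog/ also no longer match etc/logrotate.d/rsyslog from patch 02, which still rotates /var/log/syslog, /var/log/auth.log and the other old names, so auth.log, syslog, debug.log and local.log in the new directory will grow without bound until that file is updated (it also has no stanza for local.log or debug.log at all). `$WorkDirectory /var/spool/rsyslog` will hold queued copies of auth and mail messages whenever an output blocks, so the comment that it "must already exist" should also say it must be root-owned and not group- or world-readable, matching `$FileCreateMode 0640` for the log files themselves.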
From: root Date: Thu, 22 Sep 2011 22:21:34 +0200 Subject: [PATCH 04/16] nss: Add default nsswitch.conf. --- etc/nsswitch.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/nsswitch.conf diff --git a/etc/nsswitch.conf b/etc/nsswitch.conf new file mode 100644 index 0000000..6886def --- /dev/null +++ b/etc/nsswitch.conf @@ -0,0 +1,19 @@ +# /etc/nsswitch.conf +# +# Example configuration of GNU Name Service Switch functionality. +# If you have the `glibc-doc-reference' and `info' packages installed, try: +# `info libc "Name Service Switch"' for information about this file. + +passwd: compat +group: compat +shadow: compat + +hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis -- 2.30.2 From 3268a4c3db16f4c587c204021d9e3dfb42372471 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 3 Oct 2011 18:13:57 +0200 Subject: [PATCH 05/16] nslcd: Add working configuration files. This adds the configuration files neede to talk to the LDAP server running at "ldap.local", using the NSS schema. --- etc/nslcd.conf | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 etc/nslcd.conf diff --git a/etc/nslcd.conf b/etc/nslcd.conf new file mode 100644 index 0000000..15e1bf4 --- /dev/null +++ b/etc/nslcd.conf 
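Review bot: `hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4` resolves any `.local` name over multicast DNS before unicast DNS, and this series relies on exactly such names for its infrastructure: mail.local (patch 01), ldap.local (patch 05) and log.local (patches 03 and 16). Unless those names are pinned in /etc/hosts (which `files` would answer first), any host on the local link can answer the mDNS query and impersonate the mail relay, the LDAP server that supplies passwd and shadow data, or the log collector. Either add the three names to /etc/hosts, or drop the mdns4 modules on this server and resolve them from a trusted resolver, and state which applies in a comment, e.g. `# mail.local, ldap.local and log.local must be in /etc/hosts; mDNS answers are not trusted for them`.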
@@ -0,0 +1,29 @@ +# /etc/nslcd.conf +# nslcd configuration file. See nslcd.conf(5) +# for details. + +# The user and group nslcd should run as. +uid nslcd +gid nslcd + +# The location at which the LDAP server(s) should be reachable. +uri ldap://ldap.local + +# The search base that will be used for all queries. +base passwd ou=Persons,dc=tika,dc=stderr,dc=nl +base shadow ou=Persons,dc=tika,dc=stderr,dc=nl +base group ou=Groups,dc=tika,dc=stderr,dc=nl + +filter passwd (objectClass=maroesjaSystemIdentity) +filter shadow (objectClass=maroesjaSystemIdentity) +filter group (objectClass=maroesjaSystemGroup) + +# Note that this uses maroesjaSystemLoginIdentity instead of +# maroesjaSystemIdentity above. This is important, since maroesjaSystemIdenties +# should show up in NSS, but should not be allowed to authenticate. They'll +# probably miss other attributes too, like host or uidNumber, but this makes +# sure they can never login. +pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))) + +# This is needed with nss-pam-ldapd before 0.8.4 +#map group uniqueMember member -- 2.30.2 From 7002986cc9f43f45fe8ddc3bd8733261aeb5ffc9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Mon, 3 Oct 2011 18:16:47 +0200 Subject: [PATCH 06/16] nss: Use libnss-ldapd for user and group lookups. --- etc/nsswitch.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/nsswitch.conf b/etc/nsswitch.conf index 6886def..f431ccc 100644 --- a/etc/nsswitch.conf +++ b/etc/nsswitch.conf @@ -4,9 +4,9 @@ # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. -passwd: compat -group: compat -shadow: compat +passwd: compat ldap +group: compat ldap +shadow: compat ldap hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 networks: files -- 2.30.2 From e49d2e87d702e4ef87d018bbc71c10448d4dc3b4 Mon Sep 17 00:00:00 2001 
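Review bot: `uri ldap://ldap.local` is cleartext LDAP, and with `base shadow` configured nslcd will fetch shadow data (including password hashes, if the directory returns userPassword) and perform user password binds over that connection. Switch to `ldaps://` or add `ssl start_tls` together with `tls_reqcert demand` and `tls_cacertfile <path to the CA certificate>` so the server is authenticated as well as encrypted. No `binddn` is set, so every lookup is an anonymous bind; that only works if the directory grants anonymous read on these attributes, which is worth stating in a comment next to `uri`. In `pam_authz_search` the `(host=\\*)` term is meant to match a literal `*` value; confirm how nslcd unescapes `\\*` before the filter reaches the server, because an unescaped `(host=*)` is a presence test that would authorise any entry carrying a host attribute on every machine.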
From: Matthijs Kooijman Date: Tue, 28 Feb 2012 12:18:30 +0100 Subject: [PATCH 07/16] nslcd: Update configuration for 0.7.x. We previously upgraded to the 0.8.4 testing version, to fix a segfault. It now seems that this segfault no longer occurs in 0.7.15+squeeze1, so we downgraded again. This needs a small configuration change, since 0.8.4 uses the "member" attribute instead of "uniqueMember". --- etc/nslcd.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/nslcd.conf b/etc/nslcd.conf index 15e1bf4..afaccd6 100644 --- a/etc/nslcd.conf +++ b/etc/nslcd.conf @@ -26,4 +26,4 @@ filter group (objectClass=maroesjaSystemGroup) pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*))) # This is needed with nss-pam-ldapd before 0.8.4 -#map group uniqueMember member +map group uniqueMember member -- 2.30.2 From f0a96880c0310f312ad7c08653178cdeedf69c6d Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 28 Feb 2012 19:13:03 +0100 Subject: [PATCH 08/16] nslcd: Set rootpwmoddn so root can change ldap passwords. --- etc/nslcd.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/nslcd.conf b/etc/nslcd.conf index afaccd6..19c3cfb 100644 --- a/etc/nslcd.conf +++ b/etc/nslcd.conf @@ -27,3 +27,7 @@ pam_authz_search (&(objectClass=maroesjaSystemLoginIdentity)(uid=$username)(|(ho # This is needed with nss-pam-ldapd before 0.8.4 map group uniqueMember member + +# When root wants to change the password of an LDAP user, do a bind as this +# user (the password will be prompted) +rootpwmoddn cn=admin,dc=tika,dc=stderr,dc=nl -- 2.30.2 From db893de87844a32d12a67bc1077af3d89ba002c3 Mon Sep 17 00:00:00 2001 
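Review bot: `rootpwmoddn cn=admin,dc=tika,dc=stderr,dc=nl` makes every root-initiated password change for an LDAP user bind as the directory administrator, so a routine helpdesk action carries write access to the whole tree. A dedicated DN whose ACL only permits writing userPassword under ou=Persons would be the least-privilege choice; if the admin DN is kept on purpose, say why in the comment. The password is prompted rather than stored (`rootpwmodpw` is not set), which is the right call and worth keeping.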
From: Matthijs Kooijman Date: Tue, 28 Feb 2012 19:23:40 +0100 Subject: [PATCH 09/16] pam: Add complete configuration. This configuration mixes local users and ldap users. This is a completely custom configuration, so the Debian's default configuration (managed with pam-auth-update) is completely removed. --- etc/pam.d/atd | 7 +++++++ etc/pam.d/common-account | 17 +++++++++++++++++ etc/pam.d/common-auth | 11 +++++++++++ etc/pam.d/common-ldap | 37 +++++++++++++++++++++++++++++++++++++ etc/pam.d/common-password | 9 +++++++++ etc/pam.d/common-session | 18 ++++++++++++++++++ etc/pam.d/cron | 11 +++++++++++ etc/pam.d/login | 19 +++++++++++++++++++ etc/pam.d/other | 13 +++++++++++++ etc/pam.d/passwd | 5 +++++ etc/pam.d/sshd | 18 ++++++++++++++++++ etc/pam.d/su | 9 +++++++++ etc/pam.d/sudo | 7 +++++++ 13 files changed, 181 insertions(+) create mode 100644 etc/pam.d/atd create mode 100644 etc/pam.d/common-account create mode 100644 etc/pam.d/common-auth create mode 100644 etc/pam.d/common-ldap create mode 100644 etc/pam.d/common-password create mode 100644 etc/pam.d/common-session create mode 100644 etc/pam.d/cron create mode 100644 etc/pam.d/login create mode 100644 etc/pam.d/other create mode 100644 etc/pam.d/passwd create mode 100644 etc/pam.d/sshd create mode 100644 etc/pam.d/su create mode 100644 etc/pam.d/sudo diff --git a/etc/pam.d/atd b/etc/pam.d/atd new file mode 100644 index 0000000..311e440 --- /dev/null +++ b/etc/pam.d/atd @@ -0,0 +1,7 @@ +# +# The PAM configuration file for the at daemon +# + +@include common-auth +@include common-account +@include common-session diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account new file mode 100644 index 0000000..cc1157f --- /dev/null +++ b/etc/pam.d/common-account 
@@ -0,0 +1,17 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files. + +# pam_unix does general checks based on NSS info, so it also works for both +# local and ldap users. +account required pam_unix.so + +# pam_ldap does additional checks (in particular checking the host ldap +# attribute). Passing minimum_uid makes it work only for non-local users +# (checking this based on the uid is not really elegant, but there is no +# perfect way to do this anyway). We pass ignore_unknown_user to make the +# module return 'ignore' instead of 'user_unknown' for local users, which gets +# handled by 'required' properly (without having to specify a verbose custom +# thing). +account required pam_ldap.so ignore_unknown_user minimum_uid=1000 diff --git a/etc/pam.d/common-auth b/etc/pam.d/common-auth new file mode 100644 index 0000000..d034284 --- /dev/null +++ b/etc/pam.d/common-auth @@ -0,0 +1,11 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files. + +# Allow both local and ldap logins. +auth sufficient pam_unix.so nullok_secure + +auth sufficient pam_ldap.so use_first_pass + +auth required pam_deny.so diff --git a/etc/pam.d/common-ldap b/etc/pam.d/common-ldap new file mode 100644 index 0000000..3ba453b --- /dev/null +++ b/etc/pam.d/common-ldap 
@@ -0,0 +1,37 @@ +# /etc/pam.d/common-ldap - settings for ldap +# +# This file setups up auth for ldap users, but account, session and password +# for all users. +# +# This file is included from other service-specific PAM config files and +# contains the modules needed to get ldap users for all four sections. + + +# Do authentication for LDAP users +auth required pam_ldap.so + +# pam_unix does general checks based on NSS info, so it also works for ldap +# users. +account required pam_unix.so + +# pam_ldap does additional checks (in particular checking the host ldap +# attribute) but needs to be ignored when it does not know about a user. +account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \ + pam_ldap.so + + +password sufficient pam_unix.so obscure sha512 +password sufficient pam_ldap.so +password required pam_deny.so + +# Set resource limits from /etc/security/limits.conf +session required pam_limits.so + +# Write logins to syslog +session required pam_unix.so + +# Tell pam_ldap about sessions as well, though it does not currently do +# anything. +session required pam_ldap.so + +#session required pam_mkhomedir.so skel=/etc/skel umask=0022 diff --git a/etc/pam.d/common-password b/etc/pam.d/common-password new file mode 100644 index 0000000..078093e --- /dev/null +++ b/etc/pam.d/common-password @@ -0,0 +1,9 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files. + + +# Use pam_unix for local users, pam_ldap otherwise. +password sufficient pam_unix.so obscure sha512 debug +password required pam_ldap.so debug diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session new file mode 100644 index 0000000..8f4eaa6 --- /dev/null +++ b/etc/pam.d/common-session 
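Review bot: etc/pam.d/common-ldap is not `@include`d by any of the thirteen files this commit creates (they all pull in common-auth, common-account, common-session and common-password), so it is dead configuration that duplicates the live stacks with different semantics: `auth required pam_ldap.so` here versus `sufficient` in common-auth, and a pam_ldap account line without `minimum_uid`. A stale copy like this is easy to include by mistake later and then changes who may log in; either remove the file or put `# UNUSED: superseded by common-auth/account/password/session; kept for reference only` at its top.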
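Review bot: Both lines carry `debug` (`password sufficient pam_unix.so obscure sha512 debug` and `password required pam_ldap.so debug`), which makes the modules log details of every password change to syslog; that is useful while bringing the stack up but should be dropped before this is the production configuration. Separately, with pam_unix `sufficient`, an LDAP user's change falls through to pam_ldap, which will likely prompt for the new password a second time unless it is told to reuse the token; `password required pam_ldap.so use_authtok try_first_pass` is the usual form. A short comment stating that pam_unix handles local users and pam_ldap everyone else is already there and fits the Debian style of the other files.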
@@ -0,0 +1,18 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files. + +session required pam_limits.so + +# Write logins to syslog +session required pam_unix.so + +# Tell pam_ldap about sessions as well, though it does not currently do +# anything. +session required pam_ldap.so + +# Load locale variables +session required pam_env.so envfile=/etc/default/locale + +#session required pam_mkhomedir.so skel=/etc/skel umask=0022 diff --git a/etc/pam.d/cron b/etc/pam.d/cron new file mode 100644 index 0000000..9df4905 --- /dev/null +++ b/etc/pam.d/cron @@ -0,0 +1,11 @@ +# +# The PAM configuration file for the cron daemon +# + +# cron uses pam_set_cred so it needs a working auth section. It does not do +# any other real authentication. +@include common-auth + +@include common-account + +@include common-session diff --git a/etc/pam.d/login b/etc/pam.d/login new file mode 100644 index 0000000..7f15a0f --- /dev/null +++ b/etc/pam.d/login @@ -0,0 +1,19 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Standard Un*x authentication. +@include common-auth + +# Standard Un*x authorization. +@include common-account + +# Standard Un*x session setup and teardown. +@include common-session + +# Print the message of the day upon successful login. +session optional pam_motd.so # [1] + +# Standard Un*x password updating (not sure if login actually uses this, but +# well...) +@include common-password diff --git a/etc/pam.d/other b/etc/pam.d/other new file mode 100644 index 0000000..804cc35 --- /dev/null +++ b/etc/pam.d/other 
@@ -0,0 +1,13 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +# if /etc/pam.d/cron specifies no session modules but cron calls +# pam_open_session, the session module out of /etc/pam.d/other is #used. +# +# We deny any pam calls not explicitely allowed elsewhere. + +auth required pam_deny.so +account required pam_deny.so +session required pam_deny.so +password required pam_deny.so diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd new file mode 100644 index 0000000..3cd4c3b --- /dev/null +++ b/etc/pam.d/passwd @@ -0,0 +1,5 @@ +# +# The PAM configuration file for the Shadow `passwd' service +# + +@include common-password diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd new file mode 100644 index 0000000..adf7c8a --- /dev/null +++ b/etc/pam.d/sshd @@ -0,0 +1,18 @@ +# PAM configuration for the Secure Shell service + +# Standard Un*x authentication. +@include common-auth + +# Standard Un*x authorization. +@include common-account + +# Standard Un*x session setup and teardown. +@include common-session + +# Print the message of the day upon successful login. +session optional pam_motd.so +session required pam_permit.so + +# Standard Un*x password updating (not sure if OpenSSH actually uses this, but +# well...) +@include common-password diff --git a/etc/pam.d/su b/etc/pam.d/su new file mode 100644 index 0000000..3d936f8 --- /dev/null +++ b/etc/pam.d/su @@ -0,0 +1,9 @@ +# +# The PAM configuration file for the Shadow `su' service +# + +# This allows (only) root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +@include common-account +@include common-session diff --git a/etc/pam.d/sudo b/etc/pam.d/sudo new file mode 100644 index 0000000..5ad980b --- /dev/null +++ b/etc/pam.d/sudo @@ -0,0 +1,7 @@ +# +# The PAM configuration file for the sudo service +# + +@include common-auth +@include common-account +@include common-session -- 2.30.2 
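Review bot: etc/pam.d/su has `auth sufficient pam_rootok.so` as its only auth module, so for any non-root caller the stack ends with no success and Linux-PAM fails it (the `other` fallback is not consulted because the auth section is not empty). That is a safe default, but the comment "root to su without passwords (normal operation)" implies other operation is possible, so make the intent explicit instead of relying on the implicit failure: add `auth required pam_deny.so` after pam_rootok with `# Non-root users may not su at all`, or `@include common-auth` if password-based su is actually wanted.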
From a3799c2363d102e5c9938889c7cf5f2e25d0bde9 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Tue, 28 Feb 2012 21:39:10 +0100 Subject: [PATCH 10/16] apt: Add wheezy mirror to sources.list This is needed now for git, possibly for other stuff in the future as well. The default release is already configured to squeeze in apt. --- etc/apt/sources.list | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/apt/sources.list b/etc/apt/sources.list index 726f39b..da21af2 100644 --- a/etc/apt/sources.list +++ b/etc/apt/sources.list @@ -1,3 +1,4 @@ deb http://cdn.debian.net/debian squeeze main +deb http://cdn.debian.net/debian wheezy main deb http://apt.stderr.nl stderr main -- 2.30.2 From cf038970495d0447a4f83d14915b10516bec8f9c Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 11:32:10 +0100 Subject: [PATCH 11/16] pam: Enable pam_mkhomedir for sshd and login. Note that we don't enable pam_mkhomedir in common-session, since there might be users (using the maroesjaSystemIdentity objectclass) that cannot login and do not need a regular homedir. --- etc/pam.d/common-session | 2 -- etc/pam.d/login | 2 ++ etc/pam.d/sshd | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session index 8f4eaa6..be1fadd 100644 --- a/etc/pam.d/common-session +++ b/etc/pam.d/common-session @@ -14,5 +14,3 @@ session required pam_ldap.so # Load locale variables session required pam_env.so envfile=/etc/default/locale - -#session required pam_mkhomedir.so skel=/etc/skel umask=0022 diff --git a/etc/pam.d/login b/etc/pam.d/login index 7f15a0f..cc6c2f0 100644 --- a/etc/pam.d/login +++ b/etc/pam.d/login @@ -13,6 +13,8 @@ # Print the message of the day upon successful login. session optional pam_motd.so # [1] +# Create a homedir for the user, if there is none yet. +session optional pam_mkhomedir.so # Standard Un*x password updating (not sure if login actually uses this, but # well...) 
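Review bot: `session optional pam_mkhomedir.so` is added without options here and in the etc/pam.d/sshd hunk of this same patch, so home directories created on first login get pam_mkhomedir's default umask of 0022 and are world-readable and world-searchable; the line this replaces in common-session at least spelled that choice out (`umask=0022`). For LDAP users created on first login prefer `session optional pam_mkhomedir.so umask=0077` (or 0027 if group access is needed) and say so in the comment. `optional` also means a failed directory creation does not stop the login, which is a reasonable choice but deserves a word in the comment as well.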
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd index adf7c8a..ecb400c 100644 --- a/etc/pam.d/sshd +++ b/etc/pam.d/sshd @@ -11,7 +11,8 @@ # Print the message of the day upon successful login. session optional pam_motd.so -session required pam_permit.so +# Create a homedir for the user, if there is none yet. +session optional pam_mkhomedir.so # Standard Un*x password updating (not sure if OpenSSH actually uses this, but # well...) -- 2.30.2 From 25579b8cec73aa2504740530db6f4baa6bd987e2 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 13:05:00 +0100 Subject: [PATCH 12/16] bash: Enable colored prompts by default --- etc/bash.bashrc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/bash.bashrc b/etc/bash.bashrc index aa84d91..169413a 100644 --- a/etc/bash.bashrc +++ b/etc/bash.bashrc @@ -28,6 +28,12 @@ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' # ;; #esac +# Enable colored prompts by default (note that unlike what the name suggests, +# this actually doesn't force anything, but triggers a color-detection snippet +# in ~/.bashrc). Users can override this value (or just throw out the snippet +# or customize the prompt) in their ~/.bashrc as well. +force_color_prompt=yes + # enable bash completion in interactive shells if [ -f /etc/bash_completion ] && ! shopt -oq posix; then . /etc/bash_completion -- 2.30.2 From 2194ef7a81f664d6f4f71cde7696c9cddbcd6ee1 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 14:29:18 +0100 Subject: [PATCH 13/16] pam: Use minimum_uid=2000 instead of 1000 LDAP users now use uids starting at 2000, to prevent confusion with the users in the host and to potentially allow local users to be created in the containers as well, if it's ever needed. --- etc/pam.d/common-account | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account index cc1157f..5f349fb 100644 --- a/etc/pam.d/common-account +++ b/etc/pam.d/common-account 
@@ -14,4 +14,4 @@ account required pam_unix.so # module return 'ignore' instead of 'user_unknown' for local users, which gets # handled by 'required' properly (without having to specify a verbose custom # thing). -account required pam_ldap.so ignore_unknown_user minimum_uid=1000 +account required pam_ldap.so ignore_unknown_user minimum_uid=2000 -- 2.30.2 From 100cfffe232a905c37f4ca068ed3ba4f39874ce3 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 15:03:37 +0100 Subject: [PATCH 14/16] system: Set nameserver to use Google DNS --- etc/resolv.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 etc/resolv.conf diff --git a/etc/resolv.conf b/etc/resolv.conf new file mode 100644 index 0000000..cae093a --- /dev/null +++ b/etc/resolv.conf @@ -0,0 +1 @@ +nameserver 8.8.8.8 -- 2.30.2 From a83cd79035ac2a16bb255228730eb12024367705 Mon Sep 17 00:00:00 2001 From: Matthijs Kooijman Date: Wed, 29 Feb 2012 15:23:17 +0100 Subject: [PATCH 15/16] bash: Don't enable extended completion twice. It is already enabled in /etc/profile.d/bash_completion.sh, so don't bother doing it again in /etc/bash.bashrc. --- etc/bash.bashrc | 5 ----- 1 file changed, 5 deletions(-) diff --git a/etc/bash.bashrc b/etc/bash.bashrc index 169413a..0834c29 100644 --- a/etc/bash.bashrc +++ b/etc/bash.bashrc @@ -34,11 +34,6 @@ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' # or customize the prompt) in their ~/.bashrc as well. force_color_prompt=yes -# enable bash completion in interactive shells -if [ -f /etc/bash_completion ] && ! shopt -oq posix; then - . /etc/bash_completion -fi - # if the command-not-found package is installed, use it if [ -x /usr/lib/command-not-found -o -x /usr/share/command-not-found ]; then function command_not_found_handle { -- 2.30.2 From 24ff3eb2f8428c458cb3670ed442a802f61e1c13 Mon Sep 17 00:00:00 2001 
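Review bot: `minimum_uid=2000` only tells pam_ldap to skip its account checks for uids below 2000; nothing in the NSS configuration stops the directory from returning an entry with a lower uidNumber, and such an entry would be treated as local here and skip the host attribute check in this stack while still authenticating through pam_ldap in common-auth. The exposure is bounded by `pam_authz_search` in etc/nslcd.conf if, as that file's comment assumes, nslcd evaluates it at authentication time, but the dependency should be written down: `# Relies on all LDAP uidNumbers being >= 2000; the host check that does not depend on this is pam_authz_search in nslcd.conf`. The threshold also has to stay in sync with whatever allocates uids in the directory, which this commit changes from 1000 to 2000 without a pointer to that allocator.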
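Review bot: `nameserver 8.8.8.8` hands every lookup to a single public resolver over plaintext UDP with no fallback entry, and it cannot answer for mail.local, ldap.local and log.local, which this series uses for the mail relay, directory and log collector; under the nsswitch.conf from patch 04 those names therefore come from /etc/hosts or from multicast DNS. If a local or network resolver exists it should be listed first, and the file should carry a comment recording where the `.local` names are expected to resolve from. Since the file is now tracked in this repository, also note whether anything (dhclient, resolvconf) rewrites it at boot; otherwise the committed value is misleading.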
From: Matthijs Kooijman
Date: Wed, 29 Feb 2012 16:57:55 +0100
Subject: [PATCH 16/16] rsyslog: Enable remote logging

---
 etc/rsyslog.conf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/etc/rsyslog.conf b/etc/rsyslog.conf
index 5dfd304..cc838db 100644
--- a/etc/rsyslog.conf
+++ b/etc/rsyslog.conf
@@ -101,6 +101,5 @@ $ActionQueueFileName remote
 $ActionResumeRetryCount -1
 # save in-memory data if rsyslog shuts down
 $ActionQueueSaveOnShutdown on
-# Disabled for now
-#*.* @@log.local;RSYSLOG_SyslogProtocol23Format
+*.* @@log.local;RSYSLOG_SyslogProtocol23Format
 
-- 
2.30.2
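Review bot: `*.* @@log.local;RSYSLOG_SyslogProtocol23Format` ships every message, including the auth and mail facilities that the local rules deliberately keep out of syslog "for privacy reasons", over plain TCP with no transport security, so usernames, login failures and mail envelope data cross the network in clear and the collector is not authenticated. If log.local is reached over anything but a trusted segment, enable TLS for this action (`$DefaultNetstreamDriver gtls`, `$ActionSendStreamDriverMode 1`, `$ActionSendStreamDriverAuthMode x509/name` with the CA file and permitted peer configured) or at least exclude those facilities with `auth,authpriv.none;mail.none` as the local rules do. With `$ActionResumeRetryCount -1` and no `$ActionQueueMaxDiskSpace`, an unreachable log.local lets the disk queue in /var/spool/rsyslog grow until the filesystem fills; set a cap and document it. The `$ActionQueue*` directives this line depends on begin above the hunk.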