From db893de87844a32d12a67bc1077af3d89ba002c3 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Tue, 28 Feb 2012 19:23:40 +0100
Subject: [PATCH] pam: Add complete configuration.

This configuration mixes local users and ldap users. This is a completely custom configuration, so the Debian's default configuration (managed with pam-auth-update) is completely removed.

---
 etc/pam.d/atd | 7 +++++++
 etc/pam.d/common-account | 17 +++++++++++++++++
 etc/pam.d/common-auth | 11 +++++++++++
 etc/pam.d/common-ldap | 37 +++++++++++++++++++++++++++++++++++++
 etc/pam.d/common-password | 9 +++++++++
 etc/pam.d/common-session | 18 ++++++++++++++++++
 etc/pam.d/cron | 11 +++++++++++
 etc/pam.d/login | 19 +++++++++++++++++++
 etc/pam.d/other | 13 +++++++++++++
 etc/pam.d/passwd | 5 +++++
 etc/pam.d/sshd | 18 ++++++++++++++++++
 etc/pam.d/su | 9 +++++++++
 etc/pam.d/sudo | 7 +++++++
 13 files changed, 181 insertions(+)
 create mode 100644 etc/pam.d/atd
 create mode 100644 etc/pam.d/common-account
 create mode 100644 etc/pam.d/common-auth
 create mode 100644 etc/pam.d/common-ldap
 create mode 100644 etc/pam.d/common-password
 create mode 100644 etc/pam.d/common-session
 create mode 100644 etc/pam.d/cron
 create mode 100644 etc/pam.d/login
 create mode 100644 etc/pam.d/other
 create mode 100644 etc/pam.d/passwd
 create mode 100644 etc/pam.d/sshd
 create mode 100644 etc/pam.d/su
 create mode 100644 etc/pam.d/sudo

diff --git a/etc/pam.d/atd b/etc/pam.d/atd
new file mode 100644
index 0000000..311e440
--- /dev/null
+++ b/etc/pam.d/atd
@@ -0,0 +1,7 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+@include common-auth
+@include common-account
+@include common-session
diff --git a/etc/pam.d/common-account b/etc/pam.d/common-account
new file mode 100644
index 0000000..cc1157f
--- /dev/null
+++ b/etc/pam.d/common-account
@@ -0,0 +1,17 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# pam_unix does general checks based on NSS info, so it also works for both
+# local and ldap users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute). Passing minimum_uid makes it work only for non-local users
+# (checking this based on the uid is not really elegant, but there is no
+# perfect way to do this anyway). We pass ignore_unknown_user to make the
+# module return 'ignore' instead of 'user_unknown' for local users, which gets
+# handled by 'required' properly (without having to specify a verbose custom
+# thing).
+account required pam_ldap.so ignore_unknown_user minimum_uid=1000
diff --git a/etc/pam.d/common-auth b/etc/pam.d/common-auth
new file mode 100644
index 0000000..d034284
--- /dev/null
+++ b/etc/pam.d/common-auth
@@ -0,0 +1,11 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+# Allow both local and ldap logins.
+auth sufficient pam_unix.so nullok_secure
+
+auth sufficient pam_ldap.so use_first_pass
+
+auth required pam_deny.so
diff --git a/etc/pam.d/common-ldap b/etc/pam.d/common-ldap
new file mode 100644
index 0000000..3ba453b
--- /dev/null
+++ b/etc/pam.d/common-ldap
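Review bot: The comment above the pam_ldap line says `minimum_uid` makes the module "work only for non-local users", but `minimum_uid=1000` only skips accounts with a uid below 1000; local accounts with uid 1000 and up (the usual first human user on Debian) still go through pam_ldap and rely solely on `ignore_unknown_user`. Because that line is `required`, an unreachable LDAP server presumably makes pam_ldap return PAM_AUTHINFO_UNAVAIL rather than ignore for those users, so the account check fails and local users above the threshold are locked out of every service that includes this file, cron and atd jobs included. If that is the intended fail-closed behaviour it should be stated in the comment; otherwise PADL pam_ldap's `ignore_authinfo_unavail` option returns ignore in that case: `account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail minimum_uid=1000`. Either way the comment should say that minimum_uid only excludes system accounts, not local users in general.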
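Review bot: `auth sufficient pam_ldap.so use_first_pass` assumes pam_unix has already collected a password; if pam_unix returns without prompting (for instance for a user it cannot find, depending on how it is built), pam_ldap has no token to reuse and fails instead of asking, so `try_first_pass` is the more robust option: `auth sufficient pam_ldap.so try_first_pass`. It is also worth a comment that, with pam_unix `sufficient`, a wrong password for a purely local account does not end the stack: the same secret is then handed to pam_ldap and may be used in a bind against the LDAP server if a directory entry with that name exists, which the next maintainer is unlikely to expect. The closing `auth required pam_deny.so` keeps the stack fail-closed, which is right for a hand-written configuration.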
@@ -0,0 +1,37 @@
+# /etc/pam.d/common-ldap - settings for ldap
+#
+# This file setups up auth for ldap users, but account, session and password
+# for all users.
+#
+# This file is included from other service-specific PAM config files and
+# contains the modules needed to get ldap users for all four sections.
+
+
+# Do authentication for LDAP users
+auth required pam_ldap.so
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so
+
+
+password sufficient pam_unix.so obscure sha512
+password sufficient pam_ldap.so
+password required pam_deny.so
+
+# Set resource limits from /etc/security/limits.conf
+session required pam_limits.so
+
+# Write logins to syslog
+session required pam_unix.so
+
+# Tell pam_ldap about sessions as well, though it does not currently do
+# anything.
+session required pam_ldap.so
+
+#session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam.d/common-password b/etc/pam.d/common-password
new file mode 100644
index 0000000..078093e
--- /dev/null
+++ b/etc/pam.d/common-password
@@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+
+# Use pam_unix for local users, pam_ldap otherwise.
+password sufficient pam_unix.so obscure sha512 debug
+password required pam_ldap.so debug
diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session
new file mode 100644
index 0000000..8f4eaa6
--- /dev/null
+++ b/etc/pam.d/common-session
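Review bot: No service file in this patch (`atd`, `cron`, `login`, `other`, `passwd`, `sshd`, `su`, `sudo`) includes `common-ldap`; all of them pull in `common-auth`, `common-account`, `common-session` and `common-password` instead, so this file is dead configuration that nothing loads. It also disagrees with those files in ways that will mislead whoever reads it later: its account stack uses a `[success=ok … user_unknown=ignore default=bad]` pam_ldap line with no `minimum_uid`, its password stack ends in `pam_deny` whereas `common-password` ends in `required pam_ldap.so`, and its auth line is `required` rather than `sufficient`. Either drop the file from the commit or give it a header such as `# Not included by any service; kept as an unused alternative only` so it is not mistaken for live policy. The header typo `setups up` should read `sets up`.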
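Review bot: Both lines carry `debug`, which makes pam_unix and pam_ldap log verbosely to syslog on every password change; that is a troubleshooting setting and should not ship as the permanent configuration, so I would drop it: `password sufficient pam_unix.so obscure sha512` and `password required pam_ldap.so`. Separately, `pam_ldap.so` is given neither `use_authtok` nor `try_first_pass`, so if pam_unix has already asked an LDAP user for the current password before returning user-unknown (this depends on what NSS reports for such a user and on the unix_chkpwd path, so please confirm), the user is prompted a second time by pam_ldap. Whichever way that turns out, the comment `Use pam_unix for local users, pam_ldap otherwise` should mention that it is pam_unix being `sufficient` that keeps local users away from the `required` pam_ldap line.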
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files.
+
+session required pam_limits.so
+
+# Write logins to syslog
+session required pam_unix.so
+
+# Tell pam_ldap about sessions as well, though it does not currently do
+# anything.
+session required pam_ldap.so
+
+# Load locale variables
+session required pam_env.so envfile=/etc/default/locale
+
+#session required pam_mkhomedir.so skel=/etc/skel umask=0022
diff --git a/etc/pam.d/cron b/etc/pam.d/cron
new file mode 100644
index 0000000..9df4905
--- /dev/null
+++ b/etc/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+# cron uses pam_set_cred so it needs a working auth section. It does not do
+# any other real authentication.
+@include common-auth
+
+@include common-account
+
+@include common-session
diff --git a/etc/pam.d/login b/etc/pam.d/login
new file mode 100644
index 0000000..7f15a0f
--- /dev/null
+++ b/etc/pam.d/login
@@ -0,0 +1,19 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Standard Un*x password updating (not sure if login actually uses this, but
+# well...)
+@include common-password
diff --git a/etc/pam.d/other b/etc/pam.d/other
new file mode 100644
index 0000000..804cc35
--- /dev/null
+++ b/etc/pam.d/other
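Review bot: The commented-out `#session required pam_mkhomedir.so skel=/etc/skel umask=0022` is left in without any explanation; in a configuration built for LDAP users, whose home directories are not necessarily created on the local machine, a reader cannot tell whether it was switched off deliberately or just never finished. Either enable it on purpose or replace the dead line with a one-line comment stating why it is off and where home directories come from instead. The same unexplained line also appears at the end of the common-ldap hunk above.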
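Review bot: The login stack contains neither `pam_securetty` nor `pam_nologin`, so a root login is accepted on any tty and `/etc/nologin` is not honoured; both are part of the stock Debian login service this patch replaces, and dropping them loosens console hardening without the commit message saying so. If that is intentional it belongs in a comment in the file; otherwise add, before `@include common-auth`, the two lines `auth requisite pam_securetty.so` and `auth requisite pam_nologin.so` (the same `pam_nologin` gap exists in the account stack of the sshd hunk below). The `# [1]` after `session optional pam_motd.so` points at a footnote that does not exist in this file; either drop the marker or add the note it refers to.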
@@ -0,0 +1,13 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+# if /etc/pam.d/cron specifies no session modules but cron calls
+# pam_open_session, the session module out of /etc/pam.d/other is #used.
+#
+# We deny any pam calls not explicitely allowed elsewhere.
+
+auth required pam_deny.so
+account required pam_deny.so
+session required pam_deny.so
+password required pam_deny.so
diff --git a/etc/pam.d/passwd b/etc/pam.d/passwd
new file mode 100644
index 0000000..3cd4c3b
--- /dev/null
+++ b/etc/pam.d/passwd
@@ -0,0 +1,5 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
new file mode 100644
index 0000000..adf7c8a
--- /dev/null
+++ b/etc/pam.d/sshd
@@ -0,0 +1,18 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Standard Un*x authorization.
+@include common-account
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so
+session required pam_permit.so
+
+# Standard Un*x password updating (not sure if OpenSSH actually uses this, but
+# well...)
+@include common-password
diff --git a/etc/pam.d/su b/etc/pam.d/su
new file mode 100644
index 0000000..3d936f8
--- /dev/null
+++ b/etc/pam.d/su
@@ -0,0 +1,9 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows (only) root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+@include common-account
+@include common-session
diff --git a/etc/pam.d/sudo b/etc/pam.d/sudo
new file mode 100644
index 0000000..5ad980b
--- /dev/null
+++ b/etc/pam.d/sudo
@@ -0,0 +1,7 @@
+#
+# The PAM configuration file for the sudo service
+#
+
+@include common-auth
+@include common-account
+@include common-session
-- 
2.30.2
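Review bot: The header comment has two typos that will be copied forward, since this is the fallback file everyone consults first: `the session module out of /etc/pam.d/other is #used.` has a stray `#` and should read `is used.`, and `explicitely` should be `explicitly`. The deny-all stack itself is the correct default for a hand-written configuration: any service without its own file, and any section a service file omits (for example `su`, which defines no `password` stack), lands here and is refused.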
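Review bot: `session required pam_permit.so` after the motd line is a no-op: pam_permit always succeeds and a `required` success cannot override a failure already recorded by the `required` modules pulled in from `common-session`, so the line only adds noise and should be removed. The file otherwise mirrors the Debian sshd service but has no `account required pam_nologin.so` and no `session required pam_loginuid.so`; without the former `/etc/nologin` does not block SSH logins, and without the latter the audit login uid is presumably left unset for SSH sessions (relevant when auditd is in use). If those were dropped on purpose, a comment saying so would spare the next reader a diff against the Debian defaults.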
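Review bot: The auth stack of `su` consists of `auth sufficient pam_rootok.so` alone and does not include `common-auth`, so for any caller other than root pam_rootok fails, nothing further runs, and as far as I can tell Linux-PAM's fail-closed default then denies the request; as written, non-root users cannot `su` at all, not even with the target user's password. The comment `This allows (only) root to su without passwords (normal operation)` suggests the usual behaviour was intended, which needs `@include common-auth` after the pam_rootok line. If restricting `su` to root really is the goal, the comment should say so explicitly so nobody "fixes" it later; the missing password stack is fine either way, because pam_chauthtok through `su` falls to `other` and is denied.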