

Merge pull request #111 from foonix/pam-cracklib-options
PAM options and fixes
chris-rock committed Apr 29, 2016
2 parents a781dc9 + dd77928 commit ff9dbcd
Showing 3 changed files with 39 additions and 41 deletions.
12 changes: 11 additions & 1 deletion attributes/default.rb
Expand Up @@ -24,6 +24,15 @@
default['packages']['pam_ccreds'] = 'pam_ccreds'
default['packages']['pam_passwdqc'] = 'pam_passwdqc'
default['packages']['pam_cracklib'] = 'pam_cracklib'
default['packages']['pam_pwquality'] = 'libpwquality'

if platform_version.to_f < 7
default['auth']['pam']['passwdqc']['enable'] = true
default['auth']['pam']['pwquality']['enable'] = false
else
default['auth']['pam']['passwdqc']['enable'] = false
default['auth']['pam']['pwquality']['enable'] = true
end

when 'debian'
default['packages']['pam_ccreds'] = 'libpam-ccreds'
Expand Down Expand Up @@ -59,8 +68,9 @@
default['auth']['lockout_time'] = 600 # 10min
default['auth']['timeout'] = 60
default['auth']['allow_homeless'] = false
default['auth']['pam']['passwdqc']['enable'] = true
default['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
default['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
default['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
default['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
default['auth']['uid_min'] = 1000
default['auth']['gid_min'] = 1000
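Review bot: Dropping the global `default['auth']['pam']['passwdqc']['enable'] = true` in the second hunk leaves that key unset for any branch of the enclosing platform `case` that does not assign it; the new version-dependent assignments in the first hunk sit only in the branch above `when 'debian'`. Because the template tests `<% if node['auth']['pam']['passwdqc']['enable'] %>`, a nil value silently selects the `pam_cracklib.so` fallback on those platforms, which may or may not be intended. If it is intended, a comment such as `# passwdqc/pwquality enable flags are set per platform family above` at the removal site would make that explicit; otherwise restore a global default for both `enable` keys. The enclosing `case` statement starts outside the hunk.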
64 changes: 25 additions & 39 deletions recipes/pam.rb
Expand Up @@ -99,52 +99,38 @@
# therefore we edit /etc/pam.d/system-auth-ac/
# @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify

if node['auth']['pam']['passwdqc']['enable']
if node['platform_version'].to_f < 7
# remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7
package 'pam-cracklib' do
package_name node['packages']['pam_cracklib']
action :remove
end

# get the package for strong password checking
package 'pam-passwdqc' do
package_name node['packages']['pam_passwdqc']
end

# deactivate passwdqc
else

# make sure the package is not on the system,
# if this feature is not wanted
package 'pam-passwdqc' do
package_name node['packages']['pam_passwdqc']
action :remove
end
if node['platform_version'].to_f < 7
# remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7
package 'pam-cracklib' do
package_name node['packages']['pam_cracklib']
action node['auth']['pam']['passwdqc']['enable'] ? :remove : :nothing
end
else

# In RH-family distros > 7, 'pam_pwquality' contains both pam_cracklib and pam_passwdqc
package 'pam-passwdqc' do
package_name node['packages']['pam_passwdqc']
action node['auth']['pam']['passwdqc']['enable'] ? :install : :remove
end
else
# In RH-family distros > 7, 'pam_pwquality' obsoletes both pam_cracklib and pam_passwdqc
# See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
package 'pam_pwquality' do
package_name node['packages']['pam_pwquality']
end
# run the standard config
end

# configure passwdqc and tally via central system-auth confic:
template '/etc/pam.d/system-auth-ac' do
source 'rhel_system_auth.erb'
mode 0640
owner 'root'
group 'root'
end
# configure passwdqc and tally via central system-auth confic:
template '/etc/pam.d/system-auth-ac' do
source 'rhel_system_auth.erb'
mode 0640
owner 'root'
group 'root'
end

# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template '/etc/libuser.conf' do
source 'rhel_libuser.conf.erb'
mode 0640
owner 'root'
group 'root'
end
# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template '/etc/libuser.conf' do
source 'rhel_libuser.conf.erb'
mode 0640
owner 'root'
group 'root'
end
end
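Review bot: The `else` branch installs `pam_pwquality` unconditionally, whereas the `< 7` branch honours `node['auth']['pam']['passwdqc']['enable']` for install/remove, so `pwquality.enable = false` on a 7.x node still installs the package, and nothing in this hunk installs `pam_passwdqc` if an override enables it there even though the template would then emit a `pam_passwdqc.so` line. Mirroring the passwdqc resource, e.g. `action node['auth']['pam']['pwquality']['enable'] ? :install : :nothing`, keeps package state and attribute state aligned. The comment `# In RH-family distros > 7` describes the else arm of a `< 7` test, so it should read `>= 7`. The surrounding `if`/`else` chain begins outside the hunk.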
4 changes: 3 additions & 1 deletion templates/default/rhel_system_auth.erb
Expand Up @@ -22,8 +22,10 @@ account required pam_permit.so

<% if node['auth']['pam']['passwdqc']['enable'] %>
password requisite pam_passwdqc.so <%= node['auth']['pam']['passwdqc']['options'] %>
<% elsif node['auth']['pam']['pwquality']['enable'] %>
password requisite pam_pwquality.so <%= node['auth']['pam']['pwquality']['options'] %>
<% else %>
password requisite pam_cracklib.so try_first_pass retry=3 type=
password requisite pam_cracklib.so <%= node['auth']['pam']['cracklib']['options'] %>
<% end %>

# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
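Review bot: The new `if`/`elsif`/`else` chain makes `passwdqc` win silently when both `enable` flags are true, and the recipe in this commit only manages the `pam_passwdqc` package in its `< 7` branch, so an override enabling both on a 7.x node would render a module line for a package that was never installed. A short ERB comment at the top of the block, e.g. `<%# precedence: passwdqc, then pwquality, then cracklib; keep in sync with recipes/pam.rb %>`, documents the ordering for the next editor. The `password` stack continues outside the hunk.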
