From f3e11a216d17fd1c7b57faf8179c15c08b373603 Mon Sep 17 00:00:00 2001
From: Jason McNew
Date: Thu, 10 Mar 2016 16:49:08 -0800
Subject: [PATCH 1/2] Add options attribute for pam_cracklib

---
 attributes/default.rb | 1 +
 templates/default/rhel_system_auth.erb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 175383ee..324d979b 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -61,6 +61,7 @@
 default['auth']['allow_homeless'] = false
 default['auth']['pam']['passwdqc']['enable'] = true
 default['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
+default['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
 default['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
 default['auth']['uid_min'] = 1000
 default['auth']['gid_min'] = 1000
diff --git a/templates/default/rhel_system_auth.erb b/templates/default/rhel_system_auth.erb
index b0b24f9b..64775309 100644
--- a/templates/default/rhel_system_auth.erb
+++ b/templates/default/rhel_system_auth.erb
@@ -23,7 +23,7 @@ account required pam_permit.so
 <% if node['auth']['pam']['passwdqc']['enable'] %>
 password requisite pam_passwdqc.so <%= node['auth']['pam']['passwdqc']['options'] %>
 <% else %>
-password requisite pam_cracklib.so try_first_pass retry=3 type=
+password requisite pam_cracklib.so <%= node['auth']['pam']['cracklib']['options'] %>
 <% end %>
 
 # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512

From dd77928f3d78414f9b0e7e4a759ba7d040c834c8 Mon Sep 17 00:00:00 2001
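Review bot: The new `default['auth']['pam']['cracklib']['options']` string is interpolated verbatim onto the `password requisite pam_cracklib.so` line of rhel_system_auth.erb (second hunk of this patch), but nothing at the assignment says so, and the trailing `type=` carries an empty value that an operator overriding the attribute will likely copy without knowing why. A one-line comment above it would help, e.g. `# Space-separated pam_cracklib(8) options, rendered verbatim into /etc/pam.d/system-auth-ac`. The default only sets retry behaviour, so any length or complexity thresholds presumably come from the module's own defaults unless added here; saying that in the same comment would make the security posture of the default explicit.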
From: Jason McNew
Date: Mon, 14 Mar 2016 14:44:13 -0700
Subject: [PATCH 2/2] Fix multiple issues with PAM configuration

- Fixed templates not being applied if pam_passwdqc is enabled.
- Install correct package for pam_pwquality in centos 7.
- Add a flag to turn on/off pam_pwquality in rhel7 and set defaults appropriately based on platform_version
- Add an attribute to set options to pam_pwquality.
- Fall back to pam_cracklib on all patforms if neither pam_pwquality nor pam_passwdqc are enabled.
- Don't attempt to install pam_cracklib (It comes with the pam package on rhel 5, 6, & 7)
---
 attributes/default.rb | 11 ++++-
 recipes/pam.rb | 64 ++++++++++----------------
 templates/default/rhel_system_auth.erb | 2 +
 3 files changed, 37 insertions(+), 40 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 324d979b..35b5629f 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -24,6 +24,15 @@
 default['packages']['pam_ccreds'] = 'pam_ccreds'
 default['packages']['pam_passwdqc'] = 'pam_passwdqc'
 default['packages']['pam_cracklib'] = 'pam_cracklib'
+ default['packages']['pam_pwquality'] = 'libpwquality'
+
+ if platform_version.to_f < 7
+ default['auth']['pam']['passwdqc']['enable'] = true
+ default['auth']['pam']['pwquality']['enable'] = false
+ else
+ default['auth']['pam']['passwdqc']['enable'] = false
+ default['auth']['pam']['pwquality']['enable'] = true
+ end
 
 when 'debian'
 default['packages']['pam_ccreds'] = 'libpam-ccreds'
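Review bot: `if platform_version.to_f < 7` calls `platform_version` as a bare method, while recipes/pam.rb tests the very same condition as `node['platform_version'].to_f < 7` (the @@ -99,52 hunk below); unless that bare helper is provided to attribute files on every Chef version this cookbook supports, attribute loading would raise NameError, so I would write it the same way as the recipe, `if node['platform_version'].to_f < 7`. The new `if` sits inside a `when` branch of a `case` that begins above the hunk (presumably the rhel family, given the `pam_ccreds` package name and the `when 'debian'` that follows), and the next hunk removes the global `passwdqc.enable = true`, so both enables are now nil for every other family and the template's `else` branch (pam_cracklib) is what they get. That is apparently intended per the commit message, but it deserves a comment next to the block, e.g. `# Only set for this family; elsewhere both enables are nil and the template falls back to pam_cracklib`.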
@@ -59,9 +68,9 @@
 default['auth']['lockout_time'] = 600 # 10min
 default['auth']['timeout'] = 60
 default['auth']['allow_homeless'] = false
-default['auth']['pam']['passwdqc']['enable'] = true
 default['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
 default['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
+default['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
 default['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
 default['auth']['uid_min'] = 1000
 default['auth']['gid_min'] = 1000
diff --git a/recipes/pam.rb b/recipes/pam.rb
index daebef43..4b8a69d7 100644
--- a/recipes/pam.rb
+++ b/recipes/pam.rb
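Review bot: The new `pwquality.options` default is a copy of the cracklib string, `'try_first_pass retry=3 type='`, which configures only retries and an empty prompt type; no minimum length, credit or dictionary settings are set by the cookbook, so the effective password policy on 7+ presumably comes from pam_pwquality's own defaults (normally /etc/security/pwquality.conf) rather than from these attributes. Since this line is where an operator would look for the policy, a comment stating that would prevent a false sense of enforcement, e.g. `# pam_pwquality(8) options rendered verbatim; strength thresholds are not set here and come from the module defaults`. The same comment would fit the cracklib line directly above it.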
@@ -99,52 +99,38 @@
 # therefore we edit /etc/pam.d/system-auth-ac/
 # @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify
 
- if node['auth']['pam']['passwdqc']['enable']
- if node['platform_version'].to_f < 7
- # remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7
- package 'pam-cracklib' do
- package_name node['packages']['pam_cracklib']
- action :remove
- end
-
- # get the package for strong password checking
- package 'pam-passwdqc' do
- package_name node['packages']['pam_passwdqc']
- end
-
- # deactivate passwdqc
- else
-
- # make sure the package is not on the system,
- # if this feature is not wanted
- package 'pam-passwdqc' do
- package_name node['packages']['pam_passwdqc']
- action :remove
- end
+ if node['platform_version'].to_f < 7
+ # remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7
+ package 'pam-cracklib' do
+ package_name node['packages']['pam_cracklib']
+ action node['auth']['pam']['passwdqc']['enable'] ? :remove : :nothing
 end
- else
- # In RH-family distros > 7, 'pam_pwquality' contains both pam_cracklib and pam_passwdqc
+ package 'pam-passwdqc' do
+ package_name node['packages']['pam_passwdqc']
+ action node['auth']['pam']['passwdqc']['enable'] ? :install : :remove
+ end
+ else
+ # In RH-family distros > 7, 'pam_pwquality' obsoletes both pam_cracklib and pam_passwdqc
 # See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
 package 'pam_pwquality' do
 package_name node['packages']['pam_pwquality']
 end
- # run the standard config
+ end
 
- # configure passwdqc and tally via central system-auth confic:
- template '/etc/pam.d/system-auth-ac' do
- source 'rhel_system_auth.erb'
- mode 0640
- owner 'root'
- group 'root'
- end
+ # configure passwdqc and tally via central system-auth confic:
+ template '/etc/pam.d/system-auth-ac' do
+ source 'rhel_system_auth.erb'
+ mode 0640
+ owner 'root'
+ group 'root'
+ end
 
- # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
- template '/etc/libuser.conf' do
- source 'rhel_libuser.conf.erb'
- mode 0640
- owner 'root'
- group 'root'
- end
+ # NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
+ template '/etc/libuser.conf' do
+ source 'rhel_libuser.conf.erb'
+ mode 0640
+ owner 'root'
+ group 'root'
 end
 end
 
diff --git a/templates/default/rhel_system_auth.erb b/templates/default/rhel_system_auth.erb
index 64775309..1e665758 100644
--- a/templates/default/rhel_system_auth.erb
+++ b/templates/default/rhel_system_auth.erb
@@ -22,6 +22,8 @@ account required pam_permit.so
 
 <% if node['auth']['pam']['passwdqc']['enable'] %>
 password requisite pam_passwdqc.so <%= node['auth']['pam']['passwdqc']['options'] %>
+<% elsif node['auth']['pam']['pwquality']['enable'] %>
+password requisite pam_pwquality.so <%= node['auth']['pam']['pwquality']['options'] %>
 <% else %>
 password requisite pam_cracklib.so <%= node['auth']['pam']['cracklib']['options'] %>
 <% end %>
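Review bot: The recipe installs `pam_passwdqc` only inside the `< 7` branch and `pam_pwquality` only in its `else`, but rhel_system_auth.erb (the last hunk of this commit) picks the module purely from `node['auth']['pam']['passwdqc']['enable']` and `['pwquality']['enable']`, with no version test; an operator who enables passwdqc on 7+ or pwquality on 6 therefore gets a `password requisite` line naming a module whose package this recipe never installed, and a `requisite` entry for a missing module would be expected to make every password change fail. Either repeat the version test in the template or, simpler, install whichever module is enabled in both branches, e.g. move `package 'pam_pwquality'` out of the `else` and give it `action node['auth']['pam']['pwquality']['enable'] ? :install : :nothing`, mirroring the passwdqc resource. A smaller point: `pam-cracklib` now gets `:nothing` unless passwdqc is enabled, which matches the commit message, but the comment above it still reads as an unconditional removal; `# removed only while passwdqc is enabled, since the two do not coexist before 7` would describe the new behaviour. The block that encloses the new `if` begins above the hunk.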