Pam options and fixes #111

Merged
merged 2 commits into from
Apr 29, 2016
12 changes: 11 additions & 1 deletion attributes/default.rb
Expand Up @@ -24,6 +24,15 @@
default['packages']['pam_ccreds'] = 'pam_ccreds'
default['packages']['pam_passwdqc'] = 'pam_passwdqc'
default['packages']['pam_cracklib'] = 'pam_cracklib'
default['packages']['pam_pwquality'] = 'libpwquality'

if platform_version.to_f < 7
default['auth']['pam']['passwdqc']['enable'] = true
default['auth']['pam']['pwquality']['enable'] = false
else
default['auth']['pam']['passwdqc']['enable'] = false
default['auth']['pam']['pwquality']['enable'] = true
end

when 'debian'
default['packages']['pam_ccreds'] = 'libpam-ccreds'
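Review bot: the version threshold `platform_version.to_f < 7` introduced here is the same test the recipe repeats as `node['platform_version'].to_f < 7` in recipes/pam.rb, so the passwdqc-versus-pwquality decision for the rhel family now lives in two places that can drift apart. Since these attributes already encode the outcome, consider having the recipe branch on `node['auth']['pam']['passwdqc']['enable']` and `node['auth']['pam']['pwquality']['enable']` wherever it does not strictly need the version itself, or put the comparison in one helper that both files call.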
Expand Down Expand Up @@ -59,8 +68,9 @@
default['auth']['lockout_time'] = 600 # 10min
default['auth']['timeout'] = 60
default['auth']['allow_homeless'] = false
default['auth']['pam']['passwdqc']['enable'] = true
default['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
default['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
default['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
default['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
default['auth']['uid_min'] = 1000
default['auth']['gid_min'] = 1000
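Review bot: deleting the platform-independent `default['auth']['pam']['passwdqc']['enable'] = true` means any arm of the platform `case` that does not set the flag itself (the `when 'debian'` arm appears as context in the previous hunk, and nothing in this change shows it setting either flag) now gets `nil` for both `passwdqc.enable` and `pwquality.enable`, and the template falls through to its pam_cracklib line. If passwdqc is meant to stay on for non-rhel platforms, keep a baseline before the `case`, e.g. `default['auth']['pam']['passwdqc']['enable'] = true` and `default['auth']['pam']['pwquality']['enable'] = false`, so the rhel arm overrides it instead of being the only place the keys are defined.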
64 changes: 25 additions & 39 deletions recipes/pam.rb
Expand Up @@ -99,52 +99,38 @@
# therefore we edit /etc/pam.d/system-auth-ac/
# @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify

if node['auth']['pam']['passwdqc']['enable']
if node['platform_version'].to_f < 7
# remove pam_cracklib, because it does not play nice wiht passwdqc in versions less than 7
package 'pam-cracklib' do
package_name node['packages']['pam_cracklib']
action :remove
end

# get the package for strong password checking
package 'pam-passwdqc' do
package_name node['packages']['pam_passwdqc']
end

# deactivate passwdqc
else

# make sure the package is not on the system,
# if this feature is not wanted
package 'pam-passwdqc' do
package_name node['packages']['pam_passwdqc']
action :remove
end
if node['platform_version'].to_f < 7
# remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7
package 'pam-cracklib' do
package_name node['packages']['pam_cracklib']
action node['auth']['pam']['passwdqc']['enable'] ? :remove : :nothing
end
else

# In RH-family distros > 7, 'pam_pwquality' contains both pam_cracklib and pam_passwdqc
package 'pam-passwdqc' do
package_name node['packages']['pam_passwdqc']
action node['auth']['pam']['passwdqc']['enable'] ? :install : :remove
end
else
# In RH-family distros > 7, 'pam_pwquality' obsoletes both pam_cracklib and pam_passwdqc
# See https://linux.web.cern.ch/linux/rhel/releasenotes/RELEASE-NOTES-7.0-x86_64/
package 'pam_pwquality' do
package_name node['packages']['pam_pwquality']
end
# run the standard config
end

# configure passwdqc and tally via central system-auth confic:
template '/etc/pam.d/system-auth-ac' do
source 'rhel_system_auth.erb'
mode 0640
owner 'root'
group 'root'
end
# configure passwdqc and tally via central system-auth confic:
template '/etc/pam.d/system-auth-ac' do
source 'rhel_system_auth.erb'
mode 0640
owner 'root'
group 'root'
end

# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template '/etc/libuser.conf' do
source 'rhel_libuser.conf.erb'
mode 0640
owner 'root'
group 'root'
end
# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
template '/etc/libuser.conf' do
source 'rhel_libuser.conf.erb'
mode 0640
owner 'root'
group 'root'
end
end
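Review bot: in the new `< 7` branch the `pam-cracklib` resource gets `action :nothing` when passwdqc is disabled, so nothing ensures pam_cracklib is present for the template's `pam_cracklib.so` fallback; on a node where this cookbook earlier removed the package (passwdqc enabled) and the attribute is later flipped to false, the regenerated system-auth-ac references a module that is no longer installed, and because the line is `requisite` every password change then fails. Using `:install` instead of `:nothing` makes the attribute reversible. Related: the `else` (>= 7) branch installs only `pam_pwquality` and never consults `node['auth']['pam']['passwdqc']['enable']`, while the template checks that flag first, so an operator who enables passwdqc on RHEL 7 ends up with a `pam_passwdqc.so` line and no package behind it; either install `pam_passwdqc` in that branch when the flag is set, or have the template honour the flag only below version 7.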
4 changes: 3 additions & 1 deletion templates/default/rhel_system_auth.erb
Expand Up @@ -22,8 +22,10 @@ account required pam_permit.so

<% if node['auth']['pam']['passwdqc']['enable'] %>
password requisite pam_passwdqc.so <%= node['auth']['pam']['passwdqc']['options'] %>
<% elsif node['auth']['pam']['pwquality']['enable'] %>
password requisite pam_pwquality.so <%= node['auth']['pam']['pwquality']['options'] %>
<% else %>
password requisite pam_cracklib.so try_first_pass retry=3 type=
password requisite pam_cracklib.so <%= node['auth']['pam']['cracklib']['options'] %>
<% end %>

# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
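Review bot: the new `<% elsif %>` / `<% else %>` arms mean that setting both `passwdqc.enable` and `pwquality.enable` to false does not turn off password-quality checking but silently falls back to `pam_cracklib.so` with `node['auth']['pam']['cracklib']['options']`, and neither that precedence (passwdqc, then pwquality, then cracklib) nor the new `cracklib.options` and `pwquality.options` attributes are documented in this change. Add a short note to the README, or a comment above the `<% if %>` here, so operators know which module ends up in the password stack for a given attribute combination.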