Migrate pam-config package to Debian

Modified pam-config package to add support to Debian packaging.

Test Plan:

PASS: Package installed and ISO built sucessfully
PASS: Package files were copied with right permissions

Story: 2009256
Task: 43544

Signed-off-by: Yan Kabuki <Yan.HiroakiKabuki@windriver.com>
Change-Id: I1bc1704f795a9ca477aee479c83074bbbdf10a42

pam-config/debian/deb_folder/changelog

@@ -0,0 +1,5 @@
+pam-config (1.0-1) unstable; urgency=medium
+
+  * Initial release.
+
+  -- Yan Kabuki <Yan.HiroakiKabuki@windriver.com>  Thu, 6 Oct 2021 15:09:43 -0400

pam-config/debian/deb_folder/control

@@ -0,0 +1,14 @@
+Source: pam-config
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers <starlingx-discuss@lists.starlingx.io>
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.4.1
+Homepage: https://www.starlingx.io
+
+Package: pam-config
+Architecture: any
+Pre-Depends: puppet, openssh-client, openssh-server
+Depends: ${misc:Depends}, libpam-runtime
+Description: Config file named pam-config
+ StarlingX PAM configuration files

pam-config/debian/deb_folder/copyright

@@ -0,0 +1,27 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: pam-config
+Source: https://opendev.org/starlingx/config-files
+
+Files: *
+Copyright: (c) 2013-2021 Wind River Systems, Inc
+License: Apache-2
+
+Files: debian/*
+Copyright: 2021 Wind River Systems, Inc
+License: Apache-2
+
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+    https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.

pam-config/debian/deb_folder/pam-config.install

@@ -0,0 +1,8 @@
+common-auth /etc/pam.d
+common-password /etc/pam.d
+common-session /etc/pam.d
+common-session-noninteractive /etc/pam.d
+common-account /etc/pam.d
+
+system-auth.pamd /usr/share/starlingx
+sshd.pam /usr/share/starlingx

pam-config/debian/deb_folder/postinst

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+cp /usr/share/starlingx/system-auth.pamd /etc/pam.d/system-auth
+cp /usr/share/starlingx/sshd.pam /etc/pam.d/sshd
+
+#DEBHELPER#

pam-config/debian/deb_folder/postrm

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+dpkg-divert --remove --package pam-config --rename \
+    /etc/pam.d/common-auth
+
+dpkg-divert --remove --package pam-config --rename \
+    /etc/pam.d/common-password
+
+dpkg-divert --remove --package pam-config --rename \
+    /etc/pam.d/common-session
+
+dpkg-divert --remove --package pam-config --rename \
+    /etc/pam.d/common-session-noninteractive
+
+dpkg-divert --remove --package pam-config --rename \
+    /etc/pam.d/common-account
+
+#DEBHELPER#

pam-config/debian/deb_folder/preinst

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+dpkg-divert --add --package pam-config --rename \
+    --divert /etc/pam.d/common-auth.old \
+    /etc/pam.d/common-auth
+
+dpkg-divert --add --package pam-config --rename \
+    --divert /etc/pam.d/common-password.old \
+    /etc/pam.d/common-password
+
+dpkg-divert --add --package pam-config --rename \
+    --divert /etc/pam.d/common-session.old \
+    /etc/pam.d/common-session
+
+dpkg-divert --add --package pam-config --rename \
+    --divert /etc/pam.d/common-session-noninteractive.old \
+    /etc/pam.d/common-session-noninteractive
+
+dpkg-divert --add --package pam-config --rename \
+    --divert /etc/pam.d/common-account.old \
+    /etc/pam.d/common-account
+
+#DEBHELPER#

pam-config/debian/deb_folder/rules

@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+%:
+	dh $@

pam-config/debian/deb_folder/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

pam-config/debian/meta_data.yaml

@@ -0,0 +1,7 @@
+---
+debname: pam-config
+debver: 1.0-1
+src_path: source-debian
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true

pam-config/source-debian/common-account

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account     required                                            pam_faillock.so
+account     [success=2 new_authtok_reqd=done default=ignore]    pam_unix.so
+account     [success=1 new_authtok_reqd=done default=ignore]    pam_ldap.so
+# here's the fallback if no module succeeds
+account     requisite                                           pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account     required                                            pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

pam-config/source-debian/common-auth

@@ -0,0 +1,22 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+# auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+# auth  sufficient                      pam_ldap.so use_first_pass
+auth    required                        pam_faillock.so deny=5 unlock_time=300 audit
+auth    [success=2 default=ignore]      pam_unix.so nullok_secure
+auth    [success=1 default=ignore]      pam_ldap.so use_first_pass debug
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)

pam-config/source-debian/common-password

@@ -0,0 +1,36 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+
+################## Titanium Cloud Password Rules #######################
+## Enforce a password containing atleast 1 lower case, 1 upper case,   #
+## 1 digit and 1 special character. Such a password will have a        #
+## minimum length of 7 characters. A user may not re-use the last most #
+## recent password and every password must differ from its previous    #
+## one by atleast 3 characters                                         #
+##  - Added enforce_for_root for pam_pwquality.so                      #
+########################################################################
+
+password    required                        pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
+password    required                        pam_pwhistory.so use_authtok enforce_for_root remember=3 retry=3 debug
+
+password    sufficient                      pam_unix.so sha512 use_authtok debug
+password    [success=done authtok_err=die perm_denied=die default=ignore]  pam_ldap.so use_authtok debug
+
+# If we got this far then its clearly a DENY
+password    requisite                       pam_deny.so

pam-config/source-debian/common-session

@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session     [default=1]     pam_permit.so
+# here's the fallback if no module succeeds
+session     requisite       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session     required        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session     [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so
+session     [success=ok new_authtok_reqd=done default=bad]      pam_ldap.so
+session     required        pam_mkhomedir.so umask=0022 skel=/etc/skel

pam-config/source-debian/common-session-noninteractive

@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session     [default=1]     pam_permit.so
+# here's the fallback if no module succeeds
+session     requisite       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session     required        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session     [success=1 new_authtok_reqd=done default=ignore]    pam_unix.so
+session     [success=ok new_authtok_reqd=done default=bad]      pam_ldap.so

pam-config/source-debian/sshd.pam

@@ -0,0 +1,24 @@
+# WRSM-1.0
+
+auth       include      common-auth
+account    required     pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account    include      common-account
+password   include      common-password
+session    optional     pam_keyinit.so force revoke
+session    include      common-session
+session    required     pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

pam-config/source-debian/system-auth.pamd

@@ -0,0 +1,31 @@
+#%PAM-1.0
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     required      pam_permit.so
+
+################# StarlingX Cloud Password Rules #######################
+# Enforce a password containing atleast 1 lower case, 1 upper case,   #
+# 1 digit and 1 special character. Such a password will have a        #
+# minimum length of 7 characters. A user may not re-use the last most #
+# recent password and every password must differ from its previous    #
+# one by atleast 3 characters                                         # 
+# - Added enforce_for_root for pam_pwquality.so             #
+#######################################################################
+
+password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
+password    requisite     pam_pwhistory.so use_authtok enforce_for_root remember=2
+
+password    [success=2 default=ignore]      pam_unix.so sha512 shadow try_first_pass use_authtok
+password    [success=1 default=ignore]      pam_ldap.so use_authtok
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so