diff --git a/pam-config/debian/deb_folder/changelog b/pam-config/debian/deb_folder/changelog
new file mode 100644
index 0000000..66a31da
--- /dev/null
+++ b/pam-config/debian/deb_folder/changelog
@@ -0,0 +1,5 @@
+pam-config (1.0-1) unstable; urgency=medium
+
+ * Initial release.
+
+ -- Yan Kabuki Thu, 6 Oct 2021 15:09:43 -0400
diff --git a/pam-config/debian/deb_folder/control b/pam-config/debian/deb_folder/control
new file mode 100644
index 0000000..0d4ffc9
--- /dev/null
+++ b/pam-config/debian/deb_folder/control
@@ -0,0 +1,14 @@
+Source: pam-config
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.4.1
+Homepage: https://www.starlingx.io
+
+Package: pam-config
+Architecture: any
+Pre-Depends: puppet, openssh-client, openssh-server
+Depends: ${misc:Depends}, libpam-runtime
+Description: Config file named pam-config
+ StarlingX PAM configuration files
diff --git a/pam-config/debian/deb_folder/copyright b/pam-config/debian/deb_folder/copyright
new file mode 100644
index 0000000..b9646d8
--- /dev/null
+++ b/pam-config/debian/deb_folder/copyright
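Review bot: `Pre-Depends: puppet, openssh-client, openssh-server` in the control hunk is stronger than this package needs: Pre-Depends exists for things the preinst itself requires, and the preinst here only calls dpkg-divert, which is part of dpkg. Presumably the intent is that openssh-server's stock `/etc/pam.d/sshd` already exists when postinst overwrites it, which plain `Depends:` guarantees at configure time; puppet has no visible role in any maintainer script. A package that ships only configuration files should also be `Architecture: all` rather than `any`. Suggest `Architecture: all` and `Depends: ${misc:Depends}, libpam-runtime, openssh-server`, adding puppet back only if a later change actually uses it.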
@@ -0,0 +1,27 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: pam-config
+Source: https://opendev.org/starlingx/config-files
+
+Files: *
+Copyright: (c) 2013-2021 Wind River Systems, Inc
+License: Apache-2
+
+Files: debian/*
+Copyright: 2021 Wind River Systems, Inc
+License: Apache-2
+
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+ https://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian-based systems the full text of the Apache version 2.0 license
+ can be found in `/usr/share/common-licenses/Apache-2.0'.
diff --git a/pam-config/debian/deb_folder/pam-config.install b/pam-config/debian/deb_folder/pam-config.install
new file mode 100644
index 0000000..0e0bbd5
--- /dev/null
+++ b/pam-config/debian/deb_folder/pam-config.install
@@ -0,0 +1,8 @@
+common-auth /etc/pam.d
+common-password /etc/pam.d
+common-session /etc/pam.d
+common-session-noninteractive /etc/pam.d
+common-account /etc/pam.d
+
+system-auth.pamd /usr/share/starlingx
+sshd.pam /usr/share/starlingx
diff --git a/pam-config/debian/deb_folder/postinst b/pam-config/debian/deb_folder/postinst
new file mode 100644
index 0000000..d850010
--- /dev/null
+++ b/pam-config/debian/deb_folder/postinst
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+cp /usr/share/starlingx/system-auth.pamd /etc/pam.d/system-auth
+cp /usr/share/starlingx/sshd.pam /etc/pam.d/sshd
+
+#DEBHELPER#
diff --git a/pam-config/debian/deb_folder/postrm b/pam-config/debian/deb_folder/postrm
new file mode 100644
index 0000000..4d43e0e
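Review bot: The two `cp` lines in postinst overwrite `/etc/pam.d/sshd`, a conffile owned by openssh-server, with none of the dpkg-divert protection that preinst gives the common-* files, and they run on every configure call (upgrades included), so any local edit to either file is silently clobbered. The next openssh-server upgrade that ships a changed `sshd` PAM file will then see a locally modified conffile and either prompt or, under `--force-confnew`, reinstate the stock stack, dropping whatever policy StarlingX relies on there. Consider diverting `/etc/pam.d/sshd` in preinst exactly like common-auth and shipping the file under its final name (`sshd /etc/pam.d` in pam-config.install) so dpkg tracks it as this package's conffile; `system-auth` can likewise be installed directly instead of copied. At minimum, wrap the copies in `if [ "$1" = configure ]; then … fi` so they do not fire on abort-upgrade/abort-remove.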
--- /dev/null
+++ b/pam-config/debian/deb_folder/postrm
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+dpkg-divert --remove --package pam-config --rename \
+ /etc/pam.d/common-auth
+
+dpkg-divert --remove --package pam-config --rename \
+ /etc/pam.d/common-password
+
+dpkg-divert --remove --package pam-config --rename \
+ /etc/pam.d/common-session
+
+dpkg-divert --remove --package pam-config --rename \
+ /etc/pam.d/common-session-noninteractive
+
+dpkg-divert --remove --package pam-config --rename \
+ /etc/pam.d/common-account
+
+#DEBHELPER#
diff --git a/pam-config/debian/deb_folder/preinst b/pam-config/debian/deb_folder/preinst
new file mode 100644
index 0000000..e226d71
--- /dev/null
+++ b/pam-config/debian/deb_folder/preinst
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+dpkg-divert --add --package pam-config --rename \
+ --divert /etc/pam.d/common-auth.old \
+ /etc/pam.d/common-auth
+
+dpkg-divert --add --package pam-config --rename \
+ --divert /etc/pam.d/common-password.old \
+ /etc/pam.d/common-password
+
+dpkg-divert --add --package pam-config --rename \
+ --divert /etc/pam.d/common-session.old \
+ /etc/pam.d/common-session
+
+dpkg-divert --add --package pam-config --rename \
+ --divert /etc/pam.d/common-session-noninteractive.old \
+ /etc/pam.d/common-session-noninteractive
+
+dpkg-divert --add --package pam-config --rename \
+ --divert /etc/pam.d/common-account.old \
+ /etc/pam.d/common-account
+
+#DEBHELPER#
diff --git a/pam-config/debian/deb_folder/rules b/pam-config/debian/deb_folder/rules
new file mode 100644
index 0000000..422c817
--- /dev/null
+++ b/pam-config/debian/deb_folder/rules
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+%:
+ dh $@
diff --git a/pam-config/debian/deb_folder/source/format b/pam-config/debian/deb_folder/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/pam-config/debian/deb_folder/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
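Review bot: postrm removes all five diversions unconditionally, but dpkg also invokes postrm with `upgrade`, `failed-upgrade` and `abort-*` arguments, so an in-place upgrade of pam-config (the old postrm runs after the new preinst) leaves the package installed with no diversion in place, and the next libpam-runtime update can then replace common-auth with the stock stack without anyone noticing. The `--rename` is a second hazard: pam-config's own common-* files are conffiles that survive `remove`, so renaming `common-auth.old` back onto a still-present `common-auth` is a collision dpkg-divert may refuse, which under `set -e` aborts the removal — worth testing on a throwaway VM. Follow the dpkg-divert(8) pattern and wrap the block in `if [ "$1" = remove ] || [ "$1" = abort-install ] || [ "$1" = disappear ]; then … fi`, or defer the un-divert to `purge` once the conffiles are gone.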
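Review bot: The diversions added in preinst only redirect what dpkg unpacks; `pam-auth-update`, which libpam-runtime and every PAM module package call from their postinst, writes `/etc/pam.d/common-*` directly and does not consult dpkg-divert. Installing or upgrading libpam-ldap, libpam-systemd or similar could therefore rewrite common-auth and drop the pam_faillock line, unless pam-auth-update flags the file as locally modified and refuses — that behaviour should be verified with a test install before relying on it. The block should also be guarded with `if [ "$1" = install ] || [ "$1" = upgrade ]; then … fi` as dpkg-divert(8) recommends. A short comment explaining why divert-and-replace was chosen over shipping a profile in /usr/share/pam-configs — the mechanism these files' own headers say manages them — would help the next maintainer.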
diff --git a/pam-config/debian/meta_data.yaml b/pam-config/debian/meta_data.yaml
new file mode 100644
index 0000000..c71e7e1
--- /dev/null
+++ b/pam-config/debian/meta_data.yaml
@@ -0,0 +1,7 @@
+---
+debname: pam-config
+debver: 1.0-1
+src_path: source-debian
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
diff --git a/pam-config/source-debian/common-account b/pam-config/source-debian/common-account
new file mode 100755
index 0000000..2f1dfa8
--- /dev/null
+++ b/pam-config/source-debian/common-account
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account required pam_faillock.so
+account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
+account [success=1 new_authtok_reqd=done default=ignore] pam_ldap.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/pam-config/source-debian/common-auth b/pam-config/source-debian/common-auth
new file mode 100755
index 0000000..f767901
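Review bot: `account required pam_faillock.so` parses its own option list, and none is given, so this line runs with pam_faillock's built-in defaults (or /etc/security/faillock.conf) rather than the `deny=5 unlock_time=300` configured on the auth line in common-auth; as I read pam_faillock(8) the account phase still checks the tally before resetting it, so the two phases can disagree about whether a user is locked. Put the policy in /etc/security/faillock.conf, which both phases read, or repeat the options here: `account required pam_faillock.so deny=5 unlock_time=300 audit`. Separately, the file is added with mode 100755; PAM configuration has no reason to be executable and should be 0644, as sshd.pam in this same change already is.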
--- /dev/null
+++ b/pam-config/source-debian/common-auth
@@ -0,0 +1,22 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+# auth [success=1 default=ignore] pam_unix.so nullok_secure
+# auth sufficient pam_ldap.so use_first_pass
+auth required pam_faillock.so deny=5 unlock_time=300 audit
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_ldap.so use_first_pass debug
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/pam-config/source-debian/common-password b/pam-config/source-debian/common-password
new file mode 100755
index 0000000..fe290b3
--- /dev/null
+++ b/pam-config/source-debian/common-password
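Review bot: The lockout never engages: the single `auth required pam_faillock.so deny=5 unlock_time=300 audit` line sits before pam_unix/pam_ldap with no `preauth` or `authfail` keyword, so as I read pam_faillock(8) it acts as preauth (refuse if already locked) and nothing later in the stack records a failed attempt — a wrong password falls through pam_unix and pam_ldap (both `default=ignore`) straight to pam_deny with the tally untouched. The usual shape is a `preauth` line before the credential modules and a `[default=die] … authfail` line after them, with the success jumps bumped by one so a successful pam_unix or pam_ldap still lands on pam_permit rather than on the new line. `debug` on the pam_ldap line should also not ship in a production auth stack; it only adds noise to syslog.
```conf
# here are the per-package modules (the "Primary" block)
auth required pam_faillock.so preauth deny=5 unlock_time=300 audit
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=ignore] pam_ldap.so use_first_pass
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=300 audit
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# … unchanged: pam_permit.so and the "Additional" block …
```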
@@ -0,0 +1,36 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+
+################## Titanium Cloud Password Rules #######################
+## Enforce a password containing atleast 1 lower case, 1 upper case, #
+## 1 digit and 1 special character. Such a password will have a #
+## minimum length of 7 characters. A user may not re-use the last most #
+## recent password and every password must differ from its previous #
+## one by atleast 3 characters #
+## - Added enforce_for_root for pam_pwquality.so #
+########################################################################
+
+password required pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
+password required pam_pwhistory.so use_authtok enforce_for_root remember=3 retry=3 debug
+
+password sufficient pam_unix.so sha512 use_authtok debug
+password [success=done authtok_err=die perm_denied=die default=ignore] pam_ldap.so use_authtok debug
+
+# If we got this far then its clearly a DENY
+password requisite pam_deny.so
diff --git a/pam-config/source-debian/common-session b/pam-config/source-debian/common-session
new file mode 100755
index 0000000..9ce31c4
--- /dev/null
+++ b/pam-config/source-debian/common-session
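Review bot: Every module in the password stack carries `debug`, which in a shipped configuration sends per-attempt detail from pam_pwquality, pam_pwhistory, pam_unix and pam_ldap to syslog on every password change; drop it from all four lines before release. The `required` control on pam_pwquality also lets the stack continue into pam_pwhistory and pam_unix after a rejected password, whereas the stock Debian file and this change's own system-auth.pamd use `requisite` to stop right there: `password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root`. Note too that `remember=3` here and `remember=2` in system-auth.pamd sit under word-for-word identical policy comments, so one of the two files does not implement the rule it documents.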
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+session [success=ok new_authtok_reqd=done default=bad] pam_ldap.so
+session required pam_mkhomedir.so umask=0022 skel=/etc/skel
diff --git a/pam-config/source-debian/common-session-noninteractive b/pam-config/source-debian/common-session-noninteractive
new file mode 100755
index 0000000..239055e
--- /dev/null
+++ b/pam-config/source-debian/common-session-noninteractive
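Review bot: `pam_mkhomedir.so umask=0022` on the last line creates every new home directory world-readable (0755), so any local or LDAP user can read any other user's files unless something later tightens the mode; for a stack that bothers with lockout and password-history policy, `umask=0077` (or 0027 if group access is wanted) is the safer default: `session required pam_mkhomedir.so umask=0077 skel=/etc/skel`. If the permissive mode is deliberate for StarlingX, a one-line comment above it saying so would keep the next reviewer from raising it again.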
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+session [success=ok new_authtok_reqd=done default=bad] pam_ldap.so
diff --git a/pam-config/source-debian/sshd.pam b/pam-config/source-debian/sshd.pam
new file mode 100644
index 0000000..3d6ce0a
--- /dev/null
+++ b/pam-config/source-debian/sshd.pam
@@ -0,0 +1,24 @@
+# WRSM-1.0
+
+auth include common-auth
+account required pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session required pam_loginuid.so
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
diff --git a/pam-config/source-debian/system-auth.pamd b/pam-config/source-debian/system-auth.pamd
new file mode 100755
index 0000000..7f25e71
--- /dev/null
+++ b/pam-config/source-debian/system-auth.pamd
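Review bot: The session stack has no pam_limits, so /etc/security/limits.conf (maxlogins, nproc, core limits) is not applied to SSH logins even though system-auth.pamd in this same change enforces it; add `session required pam_limits.so` after the `session include common-session` line. `session required pam_loginuid.so` is also placed after the common-session include, while Debian's stock sshd file puts it before, so that the audit loginuid is set before anything in common-session opens the session — move it directly under the `pam_selinux.so close` line. Minor: the file opens with `# WRSM-1.0` where system-auth.pamd uses the conventional `#%PAM-1.0` header.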
@@ -0,0 +1,31 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account required pam_permit.so
+
+################# StarlingX Cloud Password Rules #######################
+# Enforce a password containing atleast 1 lower case, 1 upper case, #
+# 1 digit and 1 special character. Such a password will have a #
+# minimum length of 7 characters. A user may not re-use the last most #
+# recent password and every password must differ from its previous #
+# one by atleast 3 characters #
+# - Added enforce_for_root for pam_pwquality.so #
+#######################################################################
+
+password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
+password requisite pam_pwhistory.so use_authtok enforce_for_root remember=2
+
+password [success=2 default=ignore] pam_unix.so sha512 shadow try_first_pass use_authtok
+password [success=1 default=ignore] pam_ldap.so use_authtok
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
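Review bot: The auth stack here (`pam_env` → `pam_unix sufficient` → `pam_succeed_if` → `pam_deny`) has neither pam_faillock nor pam_ldap, so any service that includes system-auth instead of common-auth gets no lockout and cannot authenticate LDAP users, although the password stack a few lines below does consult pam_ldap. If that split is intentional it deserves a comment at the top of the file; otherwise add `auth required pam_faillock.so preauth deny=5 unlock_time=300 audit` before pam_unix and `auth required pam_faillock.so authfail deny=5 unlock_time=300 audit` directly after it, which is the layout this file appears modelled on. `remember=2` on pam_pwhistory also disagrees with `remember=3` in common-password under identical policy comments, and the `debug` on the pam_pwquality line should not ship.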