From 7ed998436c39ff922f285fd73d87f0336973218f Mon Sep 17 00:00:00 2001 
From: David-John Willis Date: Wed, 18 Nov 2009 14:01:30 +0000 Subject: libpam-base-files: Start to add default config files for libpam * This will start to get Linux-PAM into a usable state. Default config files derived from Debian with tweaks. Some are not needed and will be dropped later and some should really be packaged elsewhere. * Also update libpam_1.0.2 to depend on this package and the meta package with auth systems as it is not a lot of use without them (it works but can't do anything). * Add 1.1.0 and tweaks to 1.0.2. * Update all the pam.d base config files to support the suggested upstream layout not patches legacy layouts used but some Linux distros. * Use the proper include layouts * Still package some 'suggested' files for common services that do not pack there own pam.d files (TODO: move these to the package recipies not this one). --- recipes/pam/libpam-base-files/pam.d/atd | 10 +++++++ recipes/pam/libpam-base-files/pam.d/common-account | 25 ++++++++++++++++ recipes/pam/libpam-base-files/pam.d/common-auth | 18 ++++++++++++ .../pam/libpam-base-files/pam.d/common-password | 27 ++++++++++++++++++ recipes/pam/libpam-base-files/pam.d/common-session | 20 +++++++++++++ .../pam.d/common-session-noninteractive | 19 +++++++++++++ recipes/pam/libpam-base-files/pam.d/cron | 11 ++++++++ recipes/pam/libpam-base-files/pam.d/cups | 3 ++ recipes/pam/libpam-base-files/pam.d/cvs | 12 ++++++++ recipes/pam/libpam-base-files/pam.d/libcupsys2 | 3 ++ recipes/pam/libpam-base-files/pam.d/other | 27 ++++++++++++++++++ recipes/pam/libpam-base-files/pam.d/polkit | 6 ++++ recipes/pam/libpam-base-files/pam.d/polkit-1 | 6 ++++ recipes/pam/libpam-base-files/pam.d/ppp | 8 ++++++ recipes/pam/libpam-base-files/pam.d/sesman | 6 ++++ recipes/pam/libpam-base-files/pam.d/sshd | 33 ++++++++++++++++++++++ 16 files changed, 234 insertions(+) create mode 100644 recipes/pam/libpam-base-files/pam.d/atd create mode 100644 recipes/pam/libpam-base-files/pam.d/common-account create mode 100644 
recipes/pam/libpam-base-files/pam.d/common-auth
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-password
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-session
create mode 100644 recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
create mode 100644 recipes/pam/libpam-base-files/pam.d/cron
create mode 100644 recipes/pam/libpam-base-files/pam.d/cups
create mode 100644 recipes/pam/libpam-base-files/pam.d/cvs
create mode 100644 recipes/pam/libpam-base-files/pam.d/libcupsys2
create mode 100644 recipes/pam/libpam-base-files/pam.d/other
create mode 100644 recipes/pam/libpam-base-files/pam.d/polkit
create mode 100644 recipes/pam/libpam-base-files/pam.d/polkit-1
create mode 100644 recipes/pam/libpam-base-files/pam.d/ppp
create mode 100644 recipes/pam/libpam-base-files/pam.d/sesman
create mode 100644 recipes/pam/libpam-base-files/pam.d/sshd
(limited to 'recipes/pam/libpam-base-files/pam.d')
diff --git a/recipes/pam/libpam-base-files/pam.d/atd b/recipes/pam/libpam-base-files/pam.d/atd
new file mode 100644
index 0000000000..17ffb134d3
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/atd
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+auth required pam_env.so
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_limits.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/common-account b/recipes/pam/libpam-base-files/pam.d/common-account
new file mode 100644
index 0000000000..316b17337b
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/recipes/pam/libpam-base-files/pam.d/common-auth b/recipes/pam/libpam-base-files/pam.d/common-auth
new file mode 100644
index 0000000000..460b69f198
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-auth
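Review bot: The header paragraph tells the administrator that this file "is managed by pam-auth-update" and points at pam-auth-update(8), but that is a Debian tool and nothing in this commit ships it (the diffstat is pam.d files only), so the advice cannot be followed on this image and will send people looking for a command that does not exist. Suggest replacing that paragraph with a note that the Primary/Additional blocks are edited by hand here, e.g. `# NOTE: pam-auth-update is not available in this distribution; edit the` / `# "Primary" and "Additional" blocks below by hand.` The trailing `# end of pam-auth-update config` marker refers to the same absent tooling and could go with it.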
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
diff --git a/recipes/pam/libpam-base-files/pam.d/common-password b/recipes/pam/libpam-base-files/pam.d/common-password
new file mode 100644
index 0000000000..bc98f199b9
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-password
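Review bot: `nullok_secure` on the pam_unix line is, as far as I know, a Debian-specific patch to pam_unix (empty passwords are accepted only on ttys listed in /etc/securetty); upstream Linux-PAM 1.0.x/1.1.0 only knows `nullok`. If the libpam recipe here builds unpatched upstream, pam_unix logs the option as unrecognised and ignores it, so empty-password accounts are refused outright — safe, but not what this Debian-derived file implies, and worth stating since common-auth is pulled in by sshd and every other service in this commit. Either drop the option and document that empty passwords are rejected, or keep it with a comment such as `# nullok_secure needs Debian's pam_unix patch; on upstream Linux-PAM it is ignored and empty passwords are always refused`. Do not replace it with plain `nullok`, which would permit empty-password logins over the network.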
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+password optional pam_gnome_keyring.so
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session b/recipes/pam/libpam-base-files/pam.d/common-session
new file mode 100644
index 0000000000..2123967d15
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session
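Review bot: The Additional block ends with `password optional pam_gnome_keyring.so`, a module this package does not ship and that is unlikely to exist on a headless image; as I read libpam's handling of modules it cannot dlopen, that logs an error on every password change and, because the entry is `optional`, the failure is then ignored, so the line is mostly noise. The commit message itself says service-specific entries should live with their owning package, and this one belongs with gnome-keyring. Suggest dropping it from the base file, or at minimum adding above it `# pam_gnome_keyring.so is only present when gnome-keyring is installed; a missing module logs an error but is ignored (optional)`.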
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_ck_connector.so nox11
diff --git a/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
new file mode 100644
index 0000000000..b110bb2b49
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cron b/recipes/pam/libpam-base-files/pam.d/cron
new file mode 100644
index 0000000000..743c0ed31f
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cron
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+
+auth include common-auth
+session required pam_env.so
+account include common-account
+session include common-session-noninteractive
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
diff --git a/recipes/pam/libpam-base-files/pam.d/cups b/recipes/pam/libpam-base-files/pam.d/cups
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cups
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/cvs b/recipes/pam/libpam-base-files/pam.d/cvs
new file mode 100644
index 0000000000..9627c4f7bf
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/cvs
@@ -0,0 +1,12 @@
+#
+# /etc/pam.d/cvs - specify the PAM behaviour of CVS
+#
+
+# We fall back to the system default in /etc/pam.d/common-*
+
+auth include common-auth
+account include common-account
+
+# We don't use password or session modules at all
+# password include common-password
+# session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/libcupsys2 b/recipes/pam/libpam-base-files/pam.d/libcupsys2
new file mode 100644
index 0000000000..8e7f973a2c
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/libcupsys2
@@ -0,0 +1,3 @@
+auth include common-auth
+account include common-account
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/other b/recipes/pam/libpam-base-files/pam.d/other
new file mode 100644
index 0000000000..6e40cd0c02
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/other
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+#If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). We then
+#fall back to the system default in /etc/pam.d/common-*
+
+auth required pam_warn.so
+auth include common-auth
+
+account required pam_warn.so
+account include common-account
+
+password required pam_warn.so
+password include common-password
+
+session required pam_warn.so
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit b/recipes/pam/libpam-base-files/pam.d/polkit
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit
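Review bot: The `other` fallback still runs the full `common-auth`/`common-account` stacks, so any program that calls PAM with a service name that has no file in pam.d can authenticate users against /etc/shadow, with only a pam_warn syslog line to show for it. That mirrors Debian's default, but for an image whose pam.d files are admittedly still placeholders (per the commit message) a fail-closed fallback is the safer starting point: `auth required pam_warn.so` followed by `auth required pam_deny.so`, and likewise for the account, password and session types, adding a per-service file whenever a service is found to need one. If the permissive fallback is kept on purpose, the header comment should say so and why.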
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/polkit-1 b/recipes/pam/libpam-base-files/pam.d/polkit-1
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/polkit-1
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/ppp b/recipes/pam/libpam-base-files/pam.d/ppp
new file mode 100644
index 0000000000..aed08fd1b2
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/ppp
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Information for the PPPD process with the 'login' option.
+
+auth required pam_nologin.so
+auth include common-auth
+account include common-account
+session include common-session
+
diff --git a/recipes/pam/libpam-base-files/pam.d/sesman b/recipes/pam/libpam-base-files/pam.d/sesman
new file mode 100644
index 0000000000..836b53d61a
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sesman
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/recipes/pam/libpam-base-files/pam.d/sshd b/recipes/pam/libpam-base-files/pam.d/sshd
new file mode 100644
index 0000000000..c0028ff3cb
--- /dev/null
+++ b/recipes/pam/libpam-base-files/pam.d/sshd
@@ -0,0 +1,33 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+account include common-accountt
+
+# Standard Un*x session setup and teardown.
+session include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Standard Un*x password updating.
+password include common-password
-- cgit 1.2.3-korg
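Review bot: `account include common-accountt` has a typo — the file created in this commit is `common-account` — so the include can never be loaded. As I read libpam's config parser, an include it cannot open is logged as an error and replaced by a handler that fails the stack, so with `UsePAM yes` every sshd login would be refused at the account stage; that fails closed, but it breaks ssh on the image outright. Fix: `account include common-account`. Separately, the `# [1]` markers on the pam_env, pam_motd and pam_mail lines point at a footnote that was not carried over from the Debian file this was derived from; either add the note they refer to or drop the markers.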