* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2020-08-07 2:54 UTC
To: gentoo-commits
commit: ca96d2bc6bbcf860d12b9d610509c155029fe3cc
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Aug 6 22:46:40 2020 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Aug 6 22:46:40 2020 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ca96d2bc
pambase.py: rename system-service -> system-services
Some of e.g. OpenRC's installed pam files assume 'system-services':
./supervise-daemon:2:session include system-services
./start-stop-daemon:2:session include system-services
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 2 +-
templates/{system-service.tpl => system-services.tpl} | 0
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/pambase.py b/pambase.py
index 8f04870..d021b81 100755
--- a/pambase.py
+++ b/pambase.py
@@ -78,7 +78,7 @@ def parse_templates(processed_args):
"su",
"system-auth",
"system-login",
- "system-service"
+ "system-services"
]
for template_name in templates:
diff --git a/templates/system-service.tpl b/templates/system-services.tpl
similarity index 100%
rename from templates/system-service.tpl
rename to templates/system-services.tpl
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Mikle Kolyada @ 2020-08-15 8:50 UTC
To: gentoo-commits
commit: 1e2706575348150992737c5415df36f6517b20fe
Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 15 08:44:57 2020 +0000
Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Sat Aug 15 08:50:19 2020 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1e270657
Add pam_pwquality.so support
Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
pambase.py | 1 +
templates/system-auth.tpl | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/pambase.py b/pambase.py
index d021b81..07e458d 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,6 +9,7 @@ def main():
parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+ parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
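Review bot: `--pwquality` is added next to `--passwdqc` as an independent `store_true` flag, and nothing here stops both from being passed together. templates/system-auth.tpl guards each module with its own `{% if %}` block, so enabling both stacks two `password required` quality checks with different policies. Consider an argparse mutually exclusive group for the two flags, or state in the help text that combining them is intended.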
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 298e45c..69cc472 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -28,6 +28,10 @@ account required pam_faillock.so
password required pam_passwdqc.so min=8,8,8,8,8 retry=3
{% endif %}
+{% if pwquality %}
+password required pam_pwquality.so retry=3 minlen=8 lcredit=2 ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root
+{% endif %}
+
{% if krb5 %}
password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
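Review bot: the positive credit values on the new pam_pwquality.so line (`lcredit=2 ucredit=2 dcredit=2 ocredit=2`) relax `minlen=8` rather than require character classes. In pam_pwquality a value of N >= 0 is the maximum credit that class contributes toward `minlen`, while N < 0 is the minimum number of characters of that class that must be present. If the intent is to require two characters of each class, use negative values (for example `lcredit=-2`); if the intent is a flat eight-character minimum comparable to the `min=8,8,8,8,8` on the passwdqc line above, set the credits to 0.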
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2021-01-31 21:36 UTC
To: gentoo-commits
commit: 639b45ccb986de7314372a4a841e6f04c536c49a
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Jan 29 03:46:42 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jan 29 03:46:42 2021 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=639b45cc
Add systemd-homed support
Bug: https://bugs.gentoo.org/767784
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 1 +
templates/system-auth.tpl | 6 ++++++
templates/system-session.tpl | 4 ++++
3 files changed, 11 insertions(+)
diff --git a/pambase.py b/pambase.py
index 278d578..eb3d4fe 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,6 +9,7 @@ def main():
parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module')
+ parser.add_argument('--homed', action="store_true", help='enable pam_systemd_homed.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
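Review bot: the help string on the added `--homed` line names `pam_systemd_homed.so`, but every template line this commit adds loads `pam_systemd_home.so`. Make the help text match the module name the templates use.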
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 01a29db..53557dc 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -2,6 +2,9 @@ auth required pam_env.so {{ debug|default('', true) }}
{% if pam_ssh %}
auth sufficient pam_ssh.so
{% endif %}
+{% if homed %}
+-auth sufficient pam_systemd_home.so
+{% endif %}
{% if krb5 %}
auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}
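Review bot: `-auth sufficient pam_systemd_home.so` is inserted above the krb5 block, so a success here ends the auth stack before any module below it runs, including the pam_faillock.so lines further down this file (the next hunk header shows `pam_faillock.so authfail`). If lockout is meant to apply to homed-managed accounts too, place this line after the faillock pre-auth check rather than near the top of the stack, and note in the commit message why `sufficient` was chosen over a `[success=N default=ignore]` jump like the neighbouring krb5 line uses.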
@@ -15,6 +18,9 @@ auth [default=die] pam_faillock.so authfail
-auth optional pam_cap.so
{% endif %}
+{% if homed %}
+-account sufficient pam_systemd_home.so
+{% endif %}
{% if krb5 %}
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 2a7024b..3dd1d70 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -4,6 +4,10 @@ session required pam_env.so {{ debug|default('', true) }}
session optional pam_mktemp.so
{% endif %}
+{% if homed %}
+-session optional pam_systemd_home.so
+{% endif %}
+
{%if krb5 %}
session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2021-01-31 21:37 UTC
To: gentoo-commits
commit: 93165fa671e7c6fe41a09302f3c00a140dd6ec9b
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Jan 31 21:36:48 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 21:37:12 2021 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93165fa6
Revert "systemd-auth: add systemd-homed support"
This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f.
Auto-merged on a reverted commit.
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 1 -
templates/system-auth.tpl | 18 ++----------------
templates/system-session.tpl | 4 ----
3 files changed, 2 insertions(+), 21 deletions(-)
diff --git a/pambase.py b/pambase.py
index c078156..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -14,7 +14,6 @@ def main():
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
- parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module')
parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 1adee05..01a29db 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -8,26 +8,16 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
auth requisite pam_faillock.so preauth
-{% if homed %}
-auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
-auth [success=1 default=ignore] pam_systemd_home.so
-{% else %}
-auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
-{% endif %}
+auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
auth [default=die] pam_faillock.so authfail
{% if caps %}
-auth optional pam_cap.so
+-auth optional pam_cap.so
{% endif %}
{% if krb5 %}
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
-
-{% if homed %}
-account [success=1 default=ignore] pam_systemd_home.so
-{% endif %}
-
account required pam_unix.so {{ debug|default('', true) }}
account required pam_faillock.so
@@ -47,10 +37,6 @@ password required pam_pwhistory.so use_authtok remember=5 retry=3
password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
-{% if homed %}
-password [success=1 default=ignore] pam_systemd_home.so
-{% endif %}
-
{% if passwdqc or pwquality %}
password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
{% else %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 536db49..2a7024b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -8,8 +8,4 @@ session optional pam_mktemp.so
session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
-{% if homed %}
-session [success=1 default=ignore] pam_systemd_home.so
-{% endif %}
-
session required pam_unix.so {{ debug|default('', true) }}
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2021-01-31 21:37 UTC
To: gentoo-commits
commit: fbbc2d49c860857b2fe4b2a6cdb967b0867261c9
Author: Mikle KOlyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 30 19:50:12 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 21:37:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=fbbc2d49
systemd-auth: add systemd-homed support
Signed-off-by: Mikle KOlyada <zlogene <AT> gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 1 +
templates/system-auth.tpl | 18 ++++++++++++++++--
templates/system-session.tpl | 4 ++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pambase.py b/pambase.py
index 278d578..c078156 100755
--- a/pambase.py
+++ b/pambase.py
@@ -14,6 +14,7 @@ def main():
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+ parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module')
parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 01a29db..1adee05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -8,16 +8,26 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
auth requisite pam_faillock.so preauth
-auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth [success=1 default=ignore] pam_systemd_home.so
+{% else %}
+auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
auth [default=die] pam_faillock.so authfail
{% if caps %}
--auth optional pam_cap.so
+auth optional pam_cap.so
{% endif %}
{% if krb5 %}
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+
+{% if homed %}
+account [success=1 default=ignore] pam_systemd_home.so
+{% endif %}
+
account required pam_unix.so {{ debug|default('', true) }}
account required pam_faillock.so
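Review bot: the `{% else %}` branch passes `try_first_pas` to pam_unix.so, one `s` short of the `try_first_pass` on the line it replaces, so the non-homed configuration changes behaviour in a commit that is only meant to add homed support. Two further points in the same hunk: with `homed` set, an extra module now sits between the krb5 line in the hunk header (`success=3`) and `pam_faillock.so authfail`, so a krb5 success skips three modules and lands on `authfail [default=die]` unless that count becomes 4 (the account krb5 line with `success=2` needs the same adjustment); and the `-` prefix on `-auth optional pam_cap.so` is dropped, which is unrelated to homed and turns a missing pam_cap.so into a logged load error.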
@@ -37,6 +47,10 @@ password required pam_pwhistory.so use_authtok remember=5 retry=3
password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+{% if homed %}
+password [success=1 default=ignore] pam_systemd_home.so
+{% endif %}
+
{% if passwdqc or pwquality %}
password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
{% else %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 2a7024b..536db49 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -8,4 +8,8 @@ session optional pam_mktemp.so
session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+{% if homed %}
+session [success=1 default=ignore] pam_systemd_home.so
+{% endif %}
+
session required pam_unix.so {{ debug|default('', true) }}
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2021-01-31 21:37 UTC
To: gentoo-commits
commit: 2c873cb38ef20d7eb83b5e4aee723c34d64bde3d
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Jan 31 21:36:41 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 21:37:04 2021 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2c873cb3
Revert "Add systemd-homed support"
This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a.
Unintentionally had this staged still.
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 1 -
templates/system-auth.tpl | 6 ------
templates/system-session.tpl | 4 ----
3 files changed, 11 deletions(-)
diff --git a/pambase.py b/pambase.py
index b306ca4..c078156 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,7 +9,6 @@ def main():
parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module')
- parser.add_argument('--homed', action="store_true", help='enable pam_systemd_homed.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 174aacf..1adee05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -2,9 +2,6 @@ auth required pam_env.so {{ debug|default('', true) }}
{% if pam_ssh %}
auth sufficient pam_ssh.so
{% endif %}
-{% if homed %}
--auth sufficient pam_systemd_home.so
-{% endif %}
{% if krb5 %}
auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}
@@ -23,9 +20,6 @@ auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
{% endif %}
-{% if homed %}
--account sufficient pam_systemd_home.so
-{% endif %}
{% if krb5 %}
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 48653d4..536db49 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -4,10 +4,6 @@ session required pam_env.so {{ debug|default('', true) }}
session optional pam_mktemp.so
{% endif %}
-{% if homed %}
--session optional pam_systemd_home.so
-{% endif %}
-
{%if krb5 %}
session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2024-01-19 5:31 UTC
To: gentoo-commits
commit: c2060f499d483e11ba4524283c2d95a6a8beb8dc
Author: Christopher Byrne <salah.coronya <AT> gmail <DOT> com>
AuthorDate: Sun Sep 3 16:32:19 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jan 19 05:31:42 2024 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c2060f49
Add sssd support
Bug: https://bugs.gentoo.org/726050
Closes: https://github.com/gentoo/pambase/issues/1
Signed-off-by: Christopher Byrne <salah.coronya <AT> gmail.com>
Closes: https://github.com/gentoo/pambase/pull/17
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 7 ++++++-
templates/system-auth.tpl | 38 ++++++++++++++++++++++++++++++++------
templates/system-session.tpl | 4 ++++
3 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/pambase.py b/pambase.py
index 3875e89..ceec8cb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -19,6 +19,7 @@ def main():
parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+ parser.add_argument('--sssd', action="store_true", help='enable sssd.so module')
parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module')
parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
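Review bot: the help string for `--sssd` says `enable sssd.so module`, but the module the templates load is `pam_sss.so`. Use the real module name so the option list stays consistent with the other `pam_*.so` entries.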
@@ -41,7 +42,8 @@ def process_args(args):
"unix_authtok",
"unix_extended_encryption",
"likeauth",
- "nullok"
+ "nullok",
+ "local_users_only"
]
# create a blank dictionary
@@ -62,6 +64,9 @@ def process_args(args):
if args.krb5:
output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+ if args.sssd:
+ output["local_users_only"] = "local_users_only"
+
if args.yescrypt:
output["unix_extended_encryption"] = "yescrypt shadow"
elif args.sha512:
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 9b078f3..4065e89 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -7,34 +7,55 @@ auth sufficient pam_ssh.so
auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+{% if sssd %}
+auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+auth [default=3 ignore=ignore success=ok] pam_localuser.so
+{% endif %}
+
auth requisite pam_faillock.so preauth
+
{% if homed %}
auth [success=2 default=ignore] pam_systemd_home.so
{% endif %}
+
+{% if sssd %}
+auth sufficient pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }}
+{% else %}
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% endif %}
auth [default=die] pam_faillock.so authfail
-
+{% if sssd %}
+auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }}
+{% endif %}
{% if caps %}
auth optional pam_cap.so
{% endif %}
-
+{% if sssd %}
+auth sufficient pam_deny.so
+{% endif %}
{% if krb5 %}
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
{% if homed %}
-account [success=1 default=ignore] pam_systemd_home.so
+account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so
{% endif %}
account required pam_unix.so {{ debug|default('', true) }}
account required pam_faillock.so
+{% if sssd %}
+account sufficient pam_localuser.so
+account sufficient pam_usertype.so issystem
+account [default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }}
+account required pam_permit.so
+{% endif %}
{% if passwdqc %}
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
{% endif %}
{% if pwquality %}
-password required pam_pwquality.so
+password required pam_pwquality.so {{ local_users_only|default('', true ) }}
{% endif %}
{% if pwhistory %}
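Review bot: `auth sufficient pam_deny.so` at the end of the sssd auth block cannot act as a deny. A failing `sufficient` module is ignored and processing continues, so this line never turns the stack result into a failure; the password stack in the next hunk uses `password required pam_deny.so`, and the auth stack should use `required` as well. Also check the jump on `pam_localuser.so`: `default=3` is counted for the stack without homed, and when `homed` is set the extra `pam_systemd_home.so` line makes the jump land on `pam_faillock.so authfail` instead of `pam_sss.so`, so it needs the same `{{ 4 if homed else 3 }}` treatment the krb5 line got.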
@@ -50,9 +71,14 @@ password [success=1 default=ignore] pam_systemd_home.so
{% endif %}
{% if passwdqc or pwquality %}
-password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
{% else %}
-password required pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+{% endif %}
+
+{% if sssd %}
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
{% endif %}
{% if pam_ssh %}
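Review bot: the `success=1` on the pam_systemd_home.so line in the hunk header was not updated for sssd. With both `homed` and `sssd` set, a homed success skips pam_unix.so and falls through to `password sufficient pam_sss.so use_authtok` and then `password required pam_deny.so`, so the change is reported as failed unless pam_sss.so also succeeds. The account stack in this commit already uses `{{ 2 if sssd else 1 }}`; the password stack needs an equivalent adjustment.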
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 536db49..4c5585b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -13,3 +13,7 @@ session [success=1 default=ignore] pam_systemd_home.so
{% endif %}
session required pam_unix.so {{ debug|default('', true) }}
+
+{% if sssd %}
+session optional pam_sss.so {{ debug|default('', true) }}
+{% endif %}
* [gentoo-commits] proj/pambase:master commit in: templates/, /
From: Sam James @ 2025-02-28 2:56 UTC
To: gentoo-commits
commit: 74ffce2c86fa27dcc7597ac3c0697da7d8d0642e
Author: Anna (navi) Figueiredo Gomes <navi <AT> vlhl <DOT> dev>
AuthorDate: Thu Feb 27 13:01:24 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Feb 28 02:56:31 2025 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=74ffce2c
system-login.tpl: add pam_openrc.so
Signed-off-by: Anna (navi) Figueiredo Gomes <navi <AT> vlhl.dev>
Closes: https://github.com/gentoo/pambase/pull/24
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 1 +
templates/system-login.tpl | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/pambase.py b/pambase.py
index b54f270..40625a0 100755
--- a/pambase.py
+++ b/pambase.py
@@ -12,6 +12,7 @@ def main():
parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
+ parser.add_argument('--openrc', action="store_true", help='enable pam_openrc.so module')
parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module')
diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index e2bc1a7..5549673 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -40,3 +40,7 @@ session optional pam_mail.so
{% if elogind %}
-session optional pam_elogind.so
{% endif %}
+
+{% if openrc %}
+-session optional pam_openrc.so
+{% endif %}