* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-08-04 11:29 Mikle Kolyada
From: Mikle Kolyada @ 2020-08-04 11:29 UTC (permalink / raw
  To: gentoo-commits

commit:     405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c
Author:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Tue Aug  4 11:20:43 2020 +0000
Commit:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Tue Aug  4 11:20:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4

New pambase era

pambase was simplified and rewritten in Python

Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>

 .gitignore                                         | 12 +--
 LICENSE                                            | 23 ++++++
 Makefile                                           | 96 ----------------------
 README                                             |  8 --
 basic-conf                                         | 52 ------------
 linux-pam-conf                                     | 26 ------
 login.in                                           | 10 ---
 other.in                                           |  4 -
 pambase.py                                         | 95 +++++++++++++++++++++
 su.in                                              | 11 ---
 system-auth.in                                     | 57 -------------
 system-login.in                                    | 58 -------------
 system-session.inc                                 | 25 ------
 templates/login.tpl                                |  9 ++
 templates/other.tpl                                |  4 +
 passwd.in => templates/passwd.tpl                  |  4 +-
 templates/su.tpl                                   |  8 ++
 templates/system-auth.tpl                          | 54 ++++++++++++
 .../system-local-login.tpl                         |  0
 templates/system-login.tpl                         | 39 +++++++++
 .../system-remote-login.tpl                        |  0
 system-services.in => templates/system-service.tpl |  6 +-
 templates/system-session.tpl                       | 16 ++++
 23 files changed, 252 insertions(+), 365 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..0000000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
-	install -d "$(DESTDIR)/etc/pam.d"
-	install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
-	$(GIT) tag $(PACKAGE)-$(VERSION)
-	$(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
-	$(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
-	sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
-	rm -f $(PAMD) *~

diff --git a/README b/README
deleted file mode 100644
index 20f2e5e..0000000
--- a/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.

diff --git a/basic-conf b/basic-conf
deleted file mode 100644
index 7b1bf00..0000000
--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
-   fine-tune the Kerberos handling so that it works out of hte box on
-   most desktop systems.
-
-   What this control operation does is ignore failures and errors from
-   Kerberos (falling back on local pam_unix auth), but if it's good,
-   it'll skip over the following module (pam_unix) with an accepted
-   status.
-
-   IMPORTANT! Make sure that the only thing that comes right after
-   pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]

diff --git a/linux-pam-conf b/linux-pam-conf
deleted file mode 100644
index 962b2eb..0000000
--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS			1
-#define HAVE_ENV			1
-#define HAVE_ACCESS			1
-#define HAVE_SHELLS			1
-#define HAVE_LOGINUID			1
-
-#define SUPPORT_UNIX_SESSION		1
-#define SUPPORT_NOLOGIN_ACCOUNT		1
-#define SUPPORT_NOLOGIN_AUTH		1
-
-#if !MINIMAL
-# define HAVE_MOTD			1
-# define HAVE_MAIL			1
-# define HAVE_LASTLOG                   1
-# define HAVE_FAILLOCK			1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION	sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION	md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN

diff --git a/login.in b/login.in
deleted file mode 100644
index 5067bc7..0000000
--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth       required	pam_securetty.so
-#endif
-auth       include	system-local-login
-
-account    include	system-local-login
-password   include	system-local-login
-
-session    optional pam_lastlog.so DEBUG
-session    include	system-local-login

diff --git a/other.in b/other.in
deleted file mode 100644
index d8cb1fe..0000000
--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth       required	pam_deny.so
-account    required	pam_deny.so
-password   required	pam_deny.so
-session    required	pam_deny.so

diff --git a/pambase.py b/pambase.py
new file mode 100755
index 0000000..1ebafbe
--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+	parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+	parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+	parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+	parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+	parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+	parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+	parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+	parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+	parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+	parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+	parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+	parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+	parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+	parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+	parsed_args = parser.parse_args()
+	processed = process_args(parsed_args)
+
+	parse_templates(processed)
+
+
+def process_args(args):
+	# make sure that output directory exists
+	pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+	blank_variables = [
+		"krb5_authtok",
+		"unix_authtok",
+		"unix_extended_encryption",
+		"likeauth",
+		"nullok"
+	]
+
+	# create a blank dictionary
+	# then add in our parsed args
+	output = dict.fromkeys(blank_variables, "")
+	output.update(vars(args))
+
+	# unconditional variables
+	output["likeauth"] = "likeauth"
+	output["unix_authtok"] = "use_authtok"
+
+	if args.debug:
+		output["debug"] = "debug"
+
+	if args.nullok:
+		output["nullok"] = "nullok"
+
+	if args.krb5:
+		output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+	if args.sha512:
+		output["unix_extended_encryption"] = "sha512 shadow"
+	else:
+		output["unix_extended_encryption"] = "md5 shadow"
+
+	return output
+
+
+def parse_templates(processed_args):
+	load = FileSystemLoader('')
+	env = Environment(loader=load)
+
+	templates = [
+		"login",
+		"other",
+		"passwd",
+		"system-local-login",
+		"system-remote-login",
+		"su",
+		"system-auth",
+		"system-login",
+		"system-service"
+	]
+
+	for template_name in templates:
+		template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+		with open('stack/{0}'.format(template_name), "w+") as output:
+			rendered_template = template.render(processed_args)
+
+			if rendered_template:
+				output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+	main()
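Review bot: `krb5_params` at L396 is built from the literal string "debug" — `"{0} ignore_root try_first_pass".format("debug")` — so pam_krb5 is always rendered with `debug` whether or not `--debug` was passed, and the trailing `.strip()` only makes sense if that placeholder can be empty; it should be `"{0} ignore_root try_first_pass".format(output.get("debug", "")).strip()`. Separately, `output["unix_authtok"] = "use_authtok"` at L387 is now unconditional, whereas the removed basic-conf only defined UNIX_AUTHTOK as `use_authtok` when pam_krb5 or passwdqc was enabled, with a comment explaining that the option is only meaningful when a preceding module supplies the token; with neither flag set the rendered password stack has no earlier module to provide the new password to pam_unix, so I would expect `passwd` to fail on a plain stack — worth confirming and gating on `args.krb5 or args.passwdqc`. The `krb5_authtok` entry in `blank_variables` (L373) is never set or referenced by any template and can go.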

diff --git a/su.in b/su.in
deleted file mode 100644
index 889ecfe..0000000
--- a/su.in
+++ /dev/null
@@ -1,11 +0,0 @@
-auth       sufficient	pam_rootok.so
-auth       required     pam_wheel.so use_uid
-auth       include		system-auth
-
-account    include		system-auth
-
-password   include		system-auth
-
-session    include		system-auth
-session    required     pam_env.so
-session    optional		pam_xauth.so

diff --git a/system-auth.in b/system-auth.in
deleted file mode 100644
index 9ae09e4..0000000
--- a/system-auth.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth		required	pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth		sufficient	pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-#endif
-auth		required	pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth		optional	pam_permit.so
-
-#if HAVE_FAILLOCK
-auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth            sufficient      pam_unix.so nullok try_first_pass
-auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-#endif
-account		required	pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account		optional	pam_permit.so
-
-#if HAVE_FAILLOCK
-account         required        pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password	required	pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password	KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-#endif
-password	required	pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password	optional	pam_permit.so
-
-#if HAVE_PAM_SSH
-session		optional	pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session        optional        pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session        optional        pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth		optional	pam_cap.so
-#endif
-#include "system-session.inc"

diff --git a/system-login.in b/system-login.in
deleted file mode 100644
index ee03613..0000000
--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth		required	pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth		required	pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth		include		system-auth
-
-#if HAVE_FAILLOCK
-auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth            sufficient      pam_unix.so nullok try_first_pass
-auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account		required	pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account		required	pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account		required	pam_nologin.so DEBUG_NOLOGIN
-#endif
-account		include		system-auth
-
-#if HAVE_FAILLOCK
-account         required        pam_faillock.so
-#endif
-
-password	include		system-auth
-
-#if HAVE_LOGINUID
-session         optional        pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session		required	pam_selinux.so close
-#endif
-#if HAVE_ENV
-session		required	pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session		optional	pam_lastlog.so silent DEBUG
-#endif
-session		include		system-auth
-#if HAVE_CONSOLEKIT
-session		optional	pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session		required	pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session		optional	pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session		optional	pam_mail.so
-#endif

diff --git a/system-session.inc b/system-session.inc
deleted file mode 100644
index 2ba6964..0000000
--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session		required	pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session		required	pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session		optional	pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
-   to not support it for whatever reason, still execute pam_krb5, with
-   sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session		KRB5_CONTROL	pam_krb5.so KRB5_PARAMS
-# endif
-session		required	pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session		sufficient	pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session		optional	pam_permit.so

diff --git a/templates/login.tpl b/templates/login.tpl
new file mode 100644
index 0000000..7476cb7
--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth		required	pam_securetty.so
+{% endif -%}
+
+auth		include		system-local-login
+account		include		system-local-login
+password	include		system-local-login
+session		optional 	pam_lastlog.so {{ debug|default('', true) }}
+session		include		system-local-login

diff --git a/templates/other.tpl b/templates/other.tpl
new file mode 100644
index 0000000..f3b7198
--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth		required	pam_deny.so
+account		required	pam_deny.so
+password   	required	pam_deny.so
+session    	required	pam_deny.so

diff --git a/passwd.in b/templates/passwd.tpl
similarity index 66%
rename from passwd.in
rename to templates/passwd.tpl
index 248bb7c..5f4f739 100644
--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
 auth		sufficient	pam_rootok.so
 auth		include		system-auth
-
 account		include		system-auth
-
 password	include		system-auth
--password	optional	pam_gnome_keyring.so UNIX_AUTHTOK
+-password	optional	pam_gnome_keyring.so {{ unix_authtok }}

diff --git a/templates/su.tpl b/templates/su.tpl
new file mode 100644
index 0000000..a36b633
--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth		sufficient	pam_rootok.so
+auth		required	pam_wheel.so use_uid
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		required	pam_env.so
+session		optional	pam_xauth.so

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
new file mode 100644
index 0000000..13f5c0d
--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth		required	pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth		sufficient	pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth        [success=1 default=ignore]      pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth		required	pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth		optional	pam_permit.so
+{% if not minimal -%}
+auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth            sufficient      pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account		[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account		required	pam_unix.so {{ debug|default('', true) }}
+account		optional	pam_permit.so
+{% if not minimal -%}
+account         required        pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password	required	pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password	[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password	required	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password	optional	pam_permit.so
+
+{%- if pam_ssh -%}
+session		optional	pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session        optional        pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session        optional        pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session        optional        pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}
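Review bot: L729 renders `-session optional pam_libcap.so`, but the module the removed system-auth.in loaded was `auth optional pam_cap.so` (L513) and the script's own help text also names pam_cap; the line is in the wrong stack type under a name I am not aware of, and the leading `-` silences the load failure, so `--libcap` would quietly never apply /etc/security/capability.conf. It should be `auth optional pam_cap.so`, placed with the other auth entries. Also, `{%- if pam_ssh -%}` on L716 strips the whitespace before the tag including the newline, so with `--pam-ssh` the `session optional pam_ssh.so` line is glued onto the end of the `password optional pam_permit.so` line; use `{% if pam_ssh -%}` like every other conditional in this file.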

diff --git a/system-local-login.in b/templates/system-local-login.tpl
similarity index 100%
rename from system-local-login.in
rename to templates/system-local-login.tpl

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
new file mode 100644
index 0000000..2f404bc
--- /dev/null
+++ b/templates/system-login.tpl
@@ -0,0 +1,39 @@
+auth		required	pam_shells.so {{ debug|default('', true) }}
+auth		required	pam_nologin.so
+auth		include		system-auth
+{% if not minimal -%}
+auth            required        pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth            sufficient      pam_unix.so nullok try_first_pass
+auth            [default=die]   pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account		required	pam_access.so {{ debug|default('', true) }}
+account		required	pam_nologin.so
+account		include		system-auth
+{% if not minimal -%}
+account         required        pam_faillock.so
+{% endif -%}
+
+password	include		system-auth
+session         optional        pam_loginuid.so
+{% if selinux -%}
+session		required	pam_selinux.so close
+{% endif -%}
+
+session		required	pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session		optional	pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session		include		system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session		required	pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session		optional	pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session		optional	pam_mail.so
+{% endif -%}
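Review bot: L768 reads `{% if not miniaml -%}`, a typo for `minimal`; Jinja2 treats an undefined name as falsy, so `not miniaml` is always true and the pam_lastlog line is emitted even for a `--minimal` stack, unlike the motd and mail lines below it. It should be `{% if not minimal -%}`. On L750 `nullok` is hard-coded on the `auth sufficient pam_unix.so` line, while the same line in system-auth.tpl (L692) renders `{{ nullok|default('', true) }}`; the effect is bounded today because the `auth required pam_unix.so` line that the included system-auth contributes still rejects empty passwords without `--nullok`, but a hard-coded `nullok` on a `sufficient` entry is an easy way to reopen that path if the stack is ever reordered, so for consistency it should be `auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass`.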

diff --git a/system-remote-login.in b/templates/system-remote-login.tpl
similarity index 100%
rename from system-remote-login.in
rename to templates/system-remote-login.tpl

diff --git a/system-services.in b/templates/system-service.tpl
similarity index 65%
rename from system-services.in
rename to templates/system-service.tpl
index 989267f..cbfab6f 100644
--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
 auth		sufficient	pam_permit.so
-
 account		include		system-auth
-
-#if HAVE_LOGINUID
 session         optional        pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
new file mode 100644
index 0000000..f2622a8
--- /dev/null
+++ b/templates/system-session.tpl
@@ -0,0 +1,16 @@
+session		required	pam_limits.so {{ debug|default('', true) }}
+session		required	pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session		optional	pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session		[success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session		required	pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session         [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session		optional	pam_permit.so
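Review bot: Both krb5 lines, L821 and L826, are missing the module name — they render as `session [success=1 default=ignore] debug ignore_root try_first_pass`, so libpam would try to load a module called `debug`. The removed system-session.inc (L601-L605) had a single `session KRB5_CONTROL pam_krb5.so KRB5_PARAMS` immediately before pam_unix, and the removed basic-conf comment warned that the only entry allowed right after that `[success=1 default=ignore]` line is pam_unix, because success=1 skips exactly one entry; the second copy at L826 would instead skip pam_permit. Keep only the first occurrence as `session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}` and drop L825-L827.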



* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-08-17  7:33 Mikle Kolyada
From: Mikle Kolyada @ 2020-08-17  7:33 UTC (permalink / raw
  To: gentoo-commits

commit:     ed4f15348fa950b02016154790bb6d180cccf5f9
Author:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 17 07:30:39 2020 +0000
Commit:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Mon Aug 17 07:30:39 2020 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ed4f1534

make pam_gnome_keyring optional

Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>

 pambase.py           | 143 ++++++++++++++++++++++++++-------------------------
 templates/passwd.tpl |   5 +-
 2 files changed, 76 insertions(+), 72 deletions(-)

diff --git a/pambase.py b/pambase.py
index 07e458d..83ee97c 100755
--- a/pambase.py
+++ b/pambase.py
@@ -6,96 +6,97 @@ import pathlib
 
 
 def main():
-	parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
-	parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
-	parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
-	parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
-	parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
-	parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
-	parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
-	parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
-	parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
-	parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
-	parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
-	parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
-	parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
-	parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
-	parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
-
-	parsed_args = parser.parse_args()
-	processed = process_args(parsed_args)
-
-	parse_templates(processed)
+    parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+    parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
+    parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+    parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+    parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
+    parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+    parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+    parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+    parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+    parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+    parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+    parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+    parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+    parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+    parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+    parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+    parsed_args = parser.parse_args()
+    processed = process_args(parsed_args)
+
+    parse_templates(processed)
 
 
 def process_args(args):
-	# make sure that output directory exists
-	pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+    # make sure that output directory exists
+    pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
 
-	blank_variables = [
-		"krb5_authtok",
-		"unix_authtok",
-		"unix_extended_encryption",
-		"likeauth",
-		"nullok"
-	]
+    blank_variables = [
+        "krb5_authtok",
+        "unix_authtok",
+        "unix_extended_encryption",
+        "likeauth",
+        "nullok"
+    ]
 
-	# create a blank dictionary
-	# then add in our parsed args
-	output = dict.fromkeys(blank_variables, "")
-	output.update(vars(args))
+    # create a blank dictionary
+    # then add in our parsed args
+    output = dict.fromkeys(blank_variables, "")
+    output.update(vars(args))
 
-	# unconditional variables
-	output["likeauth"] = "likeauth"
-	output["unix_authtok"] = "use_authtok"
+    # unconditional variables
+    output["likeauth"] = "likeauth"
+    output["unix_authtok"] = "use_authtok"
 
-	if args.debug:
-		output["debug"] = "debug"
+    if args.debug:
+        output["debug"] = "debug"
 
-	if args.nullok:
-		output["nullok"] = "nullok"
+    if args.nullok:
+        output["nullok"] = "nullok"
 
-	if args.krb5:
-		output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+    if args.krb5:
+        output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
 
-	if args.sha512:
-		output["unix_extended_encryption"] = "sha512 shadow"
-	else:
-		output["unix_extended_encryption"] = "md5 shadow"
+    if args.sha512:
+        output["unix_extended_encryption"] = "sha512 shadow"
+    else:
+        output["unix_extended_encryption"] = "md5 shadow"
 
-	return output
+    return output
 
 
 def parse_templates(processed_args):
-	load = FileSystemLoader('')
-	env = Environment(loader=load, trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True)
+    load = FileSystemLoader('')
+    env = Environment(loader=load, trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True)
 
-	templates = [
-		"login",
-		"other",
-		"passwd",
-		"system-local-login",
-		"system-remote-login",
-		"su",
-		"system-auth",
-		"system-login",
-		"system-services"
-	]
+    templates = [
+        "login",
+        "other",
+        "passwd",
+        "system-local-login",
+        "system-remote-login",
+        "su",
+        "system-auth",
+        "system-login",
+        "system-services"
+    ]
 
-	for template_name in templates:
-		template = env.get_template('templates/{0}.tpl'.format(template_name))
+    for template_name in templates:
+        template = env.get_template('templates/{0}.tpl'.format(template_name))
 
-		with open('stack/{0}'.format(template_name), "w+") as output:
-			rendered_template = template.render(processed_args)
+        with open('stack/{0}'.format(template_name), "w+") as output:
+            rendered_template = template.render(processed_args)
 
-			# Strip all intermediate lines to not worry about appeasing Jinja
-			lines = rendered_template.split("\n")
-			lines = [line.strip() for line in lines if line]
-			rendered_template = "\n".join(lines)
+            # Strip all intermediate lines to not worry about appeasing Jinja
+            lines = rendered_template.split("\n")
+            lines = [line.strip() for line in lines if line]
+            rendered_template = "\n".join(lines)
 
-			if rendered_template:
-				output.write(rendered_template + "\n")
+            if rendered_template:
+                output.write(rendered_template + "\n")
 
 
 if __name__ == "__main__":
-	main()
+    main()
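Review bot: The only functional change in this hunk, the new `--gnome-keyring` option at L884, is buried in a tab-to-four-space reindentation of every line in the file, which makes the diff unreviewable as a whole, and the commit message ("make pam_gnome_keyring optional") does not mention the reformat; a separate whitespace-only commit would keep review and `git blame` useful. While here, L956 still passes the literal `"debug"` into `krb5_params` rather than the `--debug` value, so pam_krb5 is always rendered with `debug`; `"{0} ignore_root try_first_pass".format(output.get("debug", "")).strip()` would honour the flag.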

diff --git a/templates/passwd.tpl b/templates/passwd.tpl
index 5f4f739..101a5fc 100644
--- a/templates/passwd.tpl
+++ b/templates/passwd.tpl
@@ -2,4 +2,7 @@ auth		sufficient	pam_rootok.so
 auth		include		system-auth
 account		include		system-auth
 password	include		system-auth
--password	optional	pam_gnome_keyring.so {{ unix_authtok }}
+
+{% if gnome_keyring %}
+password	optional	pam_gnome_keyring.so {{ unix_authtok }}
+{% endif %}



* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-09-13 10:01 Mikle Kolyada
From: Mikle Kolyada @ 2020-09-13 10:01 UTC (permalink / raw
  To: gentoo-commits

commit:     46e6f29b1f9b7edd9541382fddd9b0837900e649
Author:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 13 09:59:15 2020 +0000
Commit:     Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Sun Sep 13 10:00:50 2020 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=46e6f29b

system-auth: introduce pam_pwhistory

Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>

 pambase.py                | 1 +
 templates/system-auth.tpl | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/pambase.py b/pambase.py
index 83ee97c..de5dddb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -10,6 +10,7 @@ def main():
     parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
     parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
     parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+    parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
     parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
     parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
     parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 0381e66..46fc131 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -32,6 +32,10 @@ password	required	pam_passwdqc.so config=/etc/security/passwdqc.conf
 password        required        pam_pwquality.so
 {% endif %}
 
+{% if pwhistory %}
+password        required        pam_pwhistory.so use_authtok remember=5 retry=3
+{% endif %}
+
 {% if krb5 %}
 password	[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
 {% endif %}
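Review bot: `use_authtok` on the new pam_pwhistory line tells the module to take the new password from a previously stacked password module instead of prompting, but the only modules above it that would supply one (pam_passwdqc / pam_pwquality, see the hunk header and context) are each behind their own flag; with `--pwhistory` but neither `--passwdqc` nor `--pwquality` I'd expect pam_pwhistory to find no token and, being `required`, to fail every password change. Either make the option conditional, e.g. `password        required        pam_pwhistory.so {{ 'use_authtok' if passwdqc or pwquality }} remember=5 retry=3`, or have pambase.py reject `--pwhistory` without a quality module. With `use_authtok` in effect, `retry=3` is probably moot as well, since the module never prompts. A template comment stating that pam_pwhistory must stay before the pam_unix password line and that pam_unix then reuses the token would keep a later reorder from silently breaking this.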



* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-11-02 23:41 Sam James
From: Sam James @ 2020-11-02 23:41 UTC (permalink / raw
  To: gentoo-commits

commit:     94a9b5f76fc8fa1a3c6c34c5baa3fb25825e1dc2
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Nov  2 23:40:50 2020 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Nov  2 23:40:50 2020 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=94a9b5f7

pambase.py: rename --libcap -> --caps

Signed-off-by: Sam James <sam <AT> gentoo.org>

 pambase.py                | 2 +-
 templates/system-auth.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index de5dddb..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -8,7 +8,7 @@ import pathlib
 def main():
     parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
     parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
-    parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+    parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module')
     parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
     parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
     parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 2f2fe76..4ff78e4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -47,7 +47,7 @@ password	optional	pam_permit.so
 session		optional	pam_ssh.so
 {% endif %}
 
-{% if libcap %}
+{% if caps %}
 -auth		optional	pam_cap.so
 {% endif %}
 



* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2021-01-31 21:36 Sam James
From: Sam James @ 2021-01-31 21:36 UTC (permalink / raw
  To: gentoo-commits

commit:     5a545eb14a1220af1ba8031f3669471e77edbc2f
Author:     Mikle KOlyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 30 19:50:12 2021 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 21:36:01 2021 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=5a545eb1

system-auth: add systemd-homed support

Signed-off-by: Mikle KOlyada <zlogene <AT> gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James <sam <AT> gentoo.org>

 pambase.py                   |  1 +
 templates/system-auth.tpl    | 18 ++++++++++++++++--
 templates/system-session.tpl |  4 ++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index eb3d4fe..b306ca4 100755
--- a/pambase.py
+++ b/pambase.py
@@ -15,6 +15,7 @@ def main():
     parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
     parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
     parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+    parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module')
     parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
     parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
     parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 53557dc..174aacf 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -11,11 +11,16 @@ auth		[success=3 default=ignore]      pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth		requisite	pam_faillock.so preauth
-auth		[success=1 default=ignore]	pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth		[success=2 default=ignore]	pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth            [success=1 default=ignore]      pam_systemd_home.so
+{% else %}
+auth            [success=1 default=ignore]      pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
 auth		[default=die]	pam_faillock.so authfail
 
 {% if caps %}
--auth		optional	pam_cap.so
+auth		optional	pam_cap.so
 {% endif %}
 
 {% if homed %}
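Review bot: The `[success=3 default=ignore]` on the pam_krb5 line shown in this hunk's header was sized for three modules after it (faillock preauth, pam_unix, faillock authfail), but the homed branch inserts pam_systemd_home as a fourth, so with both krb5 and `--homed` enabled a successful Kerberos authentication now jumps onto `auth [default=die] pam_faillock.so authfail`, which as far as I can tell records a failure and ends the stack instead of skipping past it. The krb5 skip count needs to follow the branch, e.g. `auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }}` on the line just above this hunk. Separately, the non-homed pam_unix line spells the option `try_first_pas`; pam_unix logs and ignores unknown options, so it would prompt for the password a second time rather than reuse the token already collected, and the line should read `... {{ debug|default('', true) }} try_first_pass`. A short comment above the auth stack explaining that each `success=N` must equal the number of lines between that module and the `authfail` line would make the next such insertion safer.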
@@ -24,6 +29,11 @@ auth		[default=die]	pam_faillock.so authfail
 {% if krb5 %}
 account		[success=2 default=ignore]	pam_krb5.so {{ krb5_params }}
 {% endif %}
+
+{% if homed %}
+account         [success=1 default=ignore]      pam_systemd_home.so
+{% endif %}
+
 account		required	pam_unix.so {{ debug|default('', true) }}
 account         required        pam_faillock.so
 
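Review bot: The inserted pam_systemd_home account line sits between pam_krb5 and pam_unix, so pam_krb5's `[success=2 default=ignore]` (context line above) now skips pam_systemd_home and pam_unix and lands on `account required pam_faillock.so` when `--homed` is set, while without `--homed` the same count jumps past the faillock line; the account stack for Kerberos users therefore changes depending on an unrelated flag. If that is unintended, let the count track the branch: `account		[success={{ 3 if homed else 2 }} default=ignore]	pam_krb5.so {{ krb5_params }}`. If running the faillock account step for Kerberos users is now wanted, state that in a template comment and apply it to both branches so the two builds agree.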
@@ -43,6 +53,10 @@ password        required        pam_pwhistory.so use_authtok remember=5 retry=3
 password	[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if homed %}
+password        [success=1 default=ignore]      pam_systemd_home.so
+{% endif %}
+
 {% if passwdqc or pwquality %}
 password	required	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}
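Review bot: In the password stack the new pam_systemd_home line also sits between pam_krb5 and pam_unix, so pam_krb5's `[success=1 default=ignore]` (context line above) no longer skips pam_unix when `--homed` is set: after a successful Kerberos password change the stack continues into `password required pam_unix.so`, which would then try to update the local password as well and, being `required`, would likely fail the change for accounts with no local entry. Suggest `password	[success={{ 2 if homed else 1 }} default=ignore]	pam_krb5.so {{ krb5_params }}` so the homed and non-homed builds keep the same control flow. The `{% if passwdqc or pwquality %}` branch that follows continues past the end of this hunk.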

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 3dd1d70..48653d4 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -12,4 +12,8 @@ session		optional	pam_mktemp.so
 session		[success=1 default=ignore]	pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if homed %}
+session         [success=1 default=ignore]      pam_systemd_home.so
+{% endif %}
+
 session		required	pam_unix.so {{ debug|default('', true) }}
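Review bot: pam_krb5's `[success=1 default=ignore]` on the context line above presumably exists to skip the pam_unix session line, but with `--homed` it now skips the inserted pam_systemd_home line instead and pam_unix's session handler runs for Kerberos sessions as well, so the generated file differs in behaviour between the two builds for a reason unrelated to homed. Use `session		[success={{ 2 if homed else 1 }} default=ignore]	pam_krb5.so {{ krb5_params }}` to keep the skip target stable, and add a one-line comment that the count must be bumped whenever a module is inserted between pam_krb5 and pam_unix.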


