* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-08-04 11:29 Mikle Kolyada
0 siblings, 0 replies; 5+ messages in thread
From: Mikle Kolyada @ 2020-08-04 11:29 UTC (permalink / raw
To: gentoo-commits
commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c
Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 4 11:20:43 2020 +0000
Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Tue Aug 4 11:20:43 2020 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4
New pambase era
pambase was simplified and rewritten in python
Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
.gitignore | 12 +--
LICENSE | 23 ++++++
Makefile | 96 ----------------------
README | 8 --
basic-conf | 52 ------------
linux-pam-conf | 26 ------
login.in | 10 ---
other.in | 4 -
pambase.py | 95 +++++++++++++++++++++
su.in | 11 ---
system-auth.in | 57 -------------
system-login.in | 58 -------------
system-session.inc | 25 ------
templates/login.tpl | 9 ++
templates/other.tpl | 4 +
passwd.in => templates/passwd.tpl | 4 +-
templates/su.tpl | 8 ++
templates/system-auth.tpl | 54 ++++++++++++
.../system-local-login.tpl | 0
templates/system-login.tpl | 39 +++++++++
.../system-remote-login.tpl | 0
system-services.in => templates/system-service.tpl | 6 +-
templates/system-session.tpl | 16 ++++
23 files changed, 252 insertions(+), 365 deletions(-)
diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..0000000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DHAVE_LIBCAP=1
-endif
-
-all: $(PAMD)
-
-install: $(PAMD)
- install -d "$(DESTDIR)/etc/pam.d"
- install -m0644 $(PAMD) "$(DESTDIR)/etc/pam.d"
-
-PACKAGE=pambase
-ifeq "$(VERSION)" ""
-VERSION = $(shell date +"%Y%m%d")
-endif
-
-dist: $(PACKAGE)-$(VERSION).tar.xz
-
-$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
- $(GIT) tag $(PACKAGE)-$(VERSION)
- $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz > $@
-
-$(PAMD): %: %.in
- $(CPP) -traditional-cpp -P $(PAMFLAGS) $< -o $@
- sed -i -e '/^$$/d' -e '/^\/\//d' $@
-
-clean:
- rm -f $(PAMD) *~
diff --git a/README b/README
deleted file mode 100644
index 20f2e5e..0000000
--- a/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This repository contains the PAM configuration base for Gentoo Linux
-and Gentoo FreeBSD, this mostly means the system-auth and system-login
-configuration file that provides the basic support for generical
-authentication for services, and console login (on tty or on various
-desktop managers).
-
-The Makefile manages the choice of optional features that will be
-enabled in the final file.
diff --git a/basic-conf b/basic-conf
deleted file mode 100644
index 7b1bf00..0000000
--- a/basic-conf
+++ /dev/null
@@ -1,52 +0,0 @@
-// Only use_authtok (authentication token) when using passwdqc or some other module
-// that checks for passwords, or pam_krb5
-#define AUTHTOK use_authtok
-
-#if HAVE_PASSWDQC
-# define PASSWORD_STRENGTH 1
-#endif
-
-#if HAVE_KRB5 && PASSWORD_STRENGTH
-# define KRB5_AUTHTOK AUTHTOK
-#endif
-
-#if HAVE_KRB5 || PASSWORD_STRENGTH
-# define UNIX_AUTHTOK AUTHTOK
-#else
-# define UNIX_AUTHTOK
-#endif
-
-// Define DEBUG to an empty string unless it was required by the user
-#ifndef DEBUG
-#define DEBUG
-#endif
-
-#ifndef UNIX_EXTENDED_ENCRYPTION
-#define UNIX_EXTENDED_ENCRYPTION
-#endif
-
-#ifndef LIKEAUTH
-#define LIKEAUTH
-#endif
-
-#if WANT_NULLOK
-#define NULLOK nullok
-#else
-#define NULLOK
-#endif
-
-#define KRB5_PARAMS DEBUG ignore_root try_first_pass
-
-/* By using the extended Linux-PAM syntax for this, it is possible to
- fine-tune the Kerberos handling so that it works out of hte box on
- most desktop systems.
-
- What this control operation does is ignore failures and errors from
- Kerberos (falling back on local pam_unix auth), but if it's good,
- it'll skip over the following module (pam_unix) with an accepted
- status.
-
- IMPORTANT! Make sure that the only thing that comes right after
- pam_krb5 with KRB5_CONTROL is pam_unix!
- */
-#define KRB5_CONTROL [success=1 default=ignore]
diff --git a/linux-pam-conf b/linux-pam-conf
deleted file mode 100644
index 962b2eb..0000000
--- a/linux-pam-conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#define HAVE_LIMITS 1
-#define HAVE_ENV 1
-#define HAVE_ACCESS 1
-#define HAVE_SHELLS 1
-#define HAVE_LOGINUID 1
-
-#define SUPPORT_UNIX_SESSION 1
-#define SUPPORT_NOLOGIN_ACCOUNT 1
-#define SUPPORT_NOLOGIN_AUTH 1
-
-#if !MINIMAL
-# define HAVE_MOTD 1
-# define HAVE_MAIL 1
-# define HAVE_LASTLOG 1
-# define HAVE_FAILLOCK 1
-
-#endif
-
-#if WANT_SHA512
-# define UNIX_EXTENDED_ENCRYPTION sha512 shadow
-#else
-# define UNIX_EXTENDED_ENCRYPTION md5 shadow
-#endif
-
-#define LIKEAUTH likeauth
-#define DEBUG_NOLOGIN
diff --git a/login.in b/login.in
deleted file mode 100644
index 5067bc7..0000000
--- a/login.in
+++ /dev/null
@@ -1,10 +0,0 @@
-#if HAVE_SECURETTY
-auth required pam_securetty.so
-#endif
-auth include system-local-login
-
-account include system-local-login
-password include system-local-login
-
-session optional pam_lastlog.so DEBUG
-session include system-local-login
diff --git a/other.in b/other.in
deleted file mode 100644
index d8cb1fe..0000000
--- a/other.in
+++ /dev/null
@@ -1,4 +0,0 @@
-auth required pam_deny.so
-account required pam_deny.so
-password required pam_deny.so
-session required pam_deny.so
diff --git a/pambase.py b/pambase.py
new file mode 100755
index 0000000..1ebafbe
--- /dev/null
+++ b/pambase.py
@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+import argparse
+from jinja2 import Template, Environment, FileSystemLoader
+import pathlib
+
+
+def main():
+ parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+ parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+ parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+ parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+ parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+ parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+ parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+ parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+ parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+ parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+ parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+ parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+ parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+ parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+ parsed_args = parser.parse_args()
+ processed = process_args(parsed_args)
+
+ parse_templates(processed)
+
+
+def process_args(args):
+ # make sure that output directory exists
+ pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+
+ blank_variables = [
+ "krb5_authtok",
+ "unix_authtok",
+ "unix_extended_encryption",
+ "likeauth",
+ "nullok"
+ ]
+
+ # create a blank dictionary
+ # then add in our parsed args
+ output = dict.fromkeys(blank_variables, "")
+ output.update(vars(args))
+
+ # unconditional variables
+ output["likeauth"] = "likeauth"
+ output["unix_authtok"] = "use_authtok"
+
+ if args.debug:
+ output["debug"] = "debug"
+
+ if args.nullok:
+ output["nullok"] = "nullok"
+
+ if args.krb5:
+ output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+
+ if args.sha512:
+ output["unix_extended_encryption"] = "sha512 shadow"
+ else:
+ output["unix_extended_encryption"] = "md5 shadow"
+
+ return output
+
+
+def parse_templates(processed_args):
+ load = FileSystemLoader('')
+ env = Environment(loader=load)
+
+ templates = [
+ "login",
+ "other",
+ "passwd",
+ "system-local-login",
+ "system-remote-login",
+ "su",
+ "system-auth",
+ "system-login",
+ "system-service"
+ ]
+
+ for template_name in templates:
+ template = env.get_template('templates/{0}.tpl'.format(template_name))
+
+ with open('stack/{0}'.format(template_name), "w+") as output:
+ rendered_template = template.render(processed_args)
+
+ if rendered_template:
+ output.write(rendered_template + "\n")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/su.in b/su.in
deleted file mode 100644
index 889ecfe..0000000
--- a/su.in
+++ /dev/null
@@ -1,11 +0,0 @@
-auth sufficient pam_rootok.so
-auth required pam_wheel.so use_uid
-auth include system-auth
-
-account include system-auth
-
-password include system-auth
-
-session include system-auth
-session required pam_env.so
-session optional pam_xauth.so
diff --git a/system-auth.in b/system-auth.in
deleted file mode 100644
index 9ae09e4..0000000
--- a/system-auth.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#if HAVE_ENV
-auth required pam_env.so DEBUG
-#endif
-
-#if HAVE_PAM_SSH
-auth sufficient pam_ssh.so
-#endif
-#if HAVE_KRB5
-auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-auth required pam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-auth optional pam_permit.so
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_KRB5
-account KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-account required pam_unix.so DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-account optional pam_permit.so
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-#if HAVE_PASSWDQC
-password required pam_passwdqc.so min=8,8,8,8,8 retry=3
-#endif
-#if HAVE_KRB5
-password KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-#endif
-password required pam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG
-/* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */
-password optional pam_permit.so
-
-#if HAVE_PAM_SSH
-session optional pam_ssh.so
-#endif
-
-#if HAVE_SYSTEMD
--session optional pam_systemd.so
-#endif
-
-#if HAVE_ELOGIND
--session optional pam_elogind.so
-#endif
-
-#if HAVE_LIBCAP
-auth optional pam_cap.so
-#endif
-#include "system-session.inc"
diff --git a/system-login.in b/system-login.in
deleted file mode 100644
index ee03613..0000000
--- a/system-login.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-#if HAVE_SHELLS
-auth required pam_shells.so DEBUG
-#endif
-#if SUPPORT_NOLOGIN_AUTH
-auth required pam_nologin.so DEBUG_NOLOGIN
-#endif
-auth include system-auth
-
-#if HAVE_FAILLOCK
-auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
-auth sufficient pam_unix.so nullok try_first_pass
-auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
-#endif
-
-#if HAVE_ACCESS
-account required pam_access.so DEBUG
-#endif
-#if HAVE_LOGIN_ACCESS
-account required pam_login_access.so
-#endif
-#if SUPPORT_NOLOGIN_ACCOUNT
-account required pam_nologin.so DEBUG_NOLOGIN
-#endif
-account include system-auth
-
-#if HAVE_FAILLOCK
-account required pam_faillock.so
-#endif
-
-password include system-auth
-
-#if HAVE_LOGINUID
-session optional pam_loginuid.so
-#endif
-#if HAVE_SELINUX
-session required pam_selinux.so close
-#endif
-#if HAVE_ENV
-session required pam_env.so envfile=/etc/profile.env DEBUG
-#endif
-#if HAVE_LASTLOG
-session optional pam_lastlog.so silent DEBUG
-#endif
-session include system-auth
-#if HAVE_CONSOLEKIT
-session optional pam_ck_connector.so nox11
-#endif
-#if HAVE_SELINUX
- # Note: modules that run in the user's context must come after this line.
-session required pam_selinux.so multiple open
-#endif
-#if HAVE_MOTD
-session optional pam_motd.so motd=/etc/motd
-#endif
-#if HAVE_MAIL
-session optional pam_mail.so
-#endif
diff --git a/system-session.inc b/system-session.inc
deleted file mode 100644
index 2ba6964..0000000
--- a/system-session.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-#if HAVE_LIMITS
-session required pam_limits.so DEBUG
-#endif
-#if HAVE_ENV
-session required pam_env.so DEBUG
-#endif
-#if HAVE_MKTEMP
-session optional pam_mktemp.so
-#endif
-
-/* Only Linux-PAM supports session chain for pam_unix; but if it were
- to not support it for whatever reason, still execute pam_krb5, with
- sufficient level instead. */
-#if SUPPORT_UNIX_SESSION
-# if HAVE_KRB5
-session KRB5_CONTROL pam_krb5.so KRB5_PARAMS
-# endif
-session required pam_unix.so DEBUG
-#else
-# if HAVE_KRB5
-session sufficient pam_krb5.so KRB5_PARAMS
-# endif
-#endif
-
-session optional pam_permit.so
diff --git a/templates/login.tpl b/templates/login.tpl
new file mode 100644
index 0000000..7476cb7
--- /dev/null
+++ b/templates/login.tpl
@@ -0,0 +1,9 @@
+{% if securetty -%}
+auth required pam_securetty.so
+{% endif -%}
+
+auth include system-local-login
+account include system-local-login
+password include system-local-login
+session optional pam_lastlog.so {{ debug|default('', true) }}
+session include system-local-login
diff --git a/templates/other.tpl b/templates/other.tpl
new file mode 100644
index 0000000..f3b7198
--- /dev/null
+++ b/templates/other.tpl
@@ -0,0 +1,4 @@
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
diff --git a/passwd.in b/templates/passwd.tpl
similarity index 66%
rename from passwd.in
rename to templates/passwd.tpl
index 248bb7c..5f4f739 100644
--- a/passwd.in
+++ b/templates/passwd.tpl
@@ -1,7 +1,5 @@
auth sufficient pam_rootok.so
auth include system-auth
-
account include system-auth
-
password include system-auth
--password optional pam_gnome_keyring.so UNIX_AUTHTOK
+-password optional pam_gnome_keyring.so {{ unix_authtok }}
diff --git a/templates/su.tpl b/templates/su.tpl
new file mode 100644
index 0000000..a36b633
--- /dev/null
+++ b/templates/su.tpl
@@ -0,0 +1,8 @@
+auth sufficient pam_rootok.so
+auth required pam_wheel.so use_uid
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_env.so
+session optional pam_xauth.so
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
new file mode 100644
index 0000000..13f5c0d
--- /dev/null
+++ b/templates/system-auth.tpl
@@ -0,0 +1,54 @@
+auth required pam_env.so {{ debug|default('', true) }}
+{% if pam_ssh -%}
+auth sufficient pam_ssh.so
+{% endif -%}
+
+{% if krb5 -%}
+auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+auth required pam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }}
+auth optional pam_permit.so
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+{% if krb5 -%}
+account [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+account required pam_unix.so {{ debug|default('', true) }}
+account optional pam_permit.so
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+{% if passwdqc -%}
+password required pam_passwdqc.so min=8,8,8,8,8 retry=3
+{% endif -%}
+
+{% if krb5 -%}
+password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
+{% endif -%}
+
+password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password optional pam_permit.so
+
+{%- if pam_ssh -%}
+session optional pam_ssh.so
+{% endif -%}
+
+{% if systemd -%}
+-session optional pam_systemd.so
+{% endif -%}
+
+{% if elogind -%}
+-session optional pam_elogind.so
+{% endif -%}
+
+{% if libcap -%}
+-session optional pam_libcap.so
+{% endif -%}
+
+{% include "templates/system-session.tpl" %}
diff --git a/system-local-login.in b/templates/system-local-login.tpl
similarity index 100%
rename from system-local-login.in
rename to templates/system-local-login.tpl
diff --git a/templates/system-login.tpl b/templates/system-login.tpl
new file mode 100644
index 0000000..2f404bc
--- /dev/null
+++ b/templates/system-login.tpl
@@ -0,0 +1,39 @@
+auth required pam_shells.so {{ debug|default('', true) }}
+auth required pam_nologin.so
+auth include system-auth
+{% if not minimal -%}
+auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
+auth sufficient pam_unix.so nullok try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
+{% endif -%}
+
+account required pam_access.so {{ debug|default('', true) }}
+account required pam_nologin.so
+account include system-auth
+{% if not minimal -%}
+account required pam_faillock.so
+{% endif -%}
+
+password include system-auth
+session optional pam_loginuid.so
+{% if selinux -%}
+session required pam_selinux.so close
+{% endif -%}
+
+session required pam_env.so envfile=/etc/profile.env {{ debug|default('', true) }}
+{% if not miniaml -%}
+session optional pam_lastlog.so silent {{ debug|default('', true) }}
+{% endif -%}
+session include system-auth
+{% if selinux -%}
+ # Note: modules that run in the user's context must come after this line.
+session required pam_selinux.so multiple open
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_motd.so motd=/etc/motd
+{% endif -%}
+
+{% if not minimal -%}
+session optional pam_mail.so
+{% endif -%}
diff --git a/system-remote-login.in b/templates/system-remote-login.tpl
similarity index 100%
rename from system-remote-login.in
rename to templates/system-remote-login.tpl
diff --git a/system-services.in b/templates/system-service.tpl
similarity index 65%
rename from system-services.in
rename to templates/system-service.tpl
index 989267f..cbfab6f 100644
--- a/system-services.in
+++ b/templates/system-service.tpl
@@ -1,8 +1,4 @@
auth sufficient pam_permit.so
-
account include system-auth
-
-#if HAVE_LOGINUID
session optional pam_loginuid.so
-#endif
-#include "system-session.inc"
+{% include "templates/system-session.tpl" %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
new file mode 100644
index 0000000..f2622a8
--- /dev/null
+++ b/templates/system-session.tpl
@@ -0,0 +1,16 @@
+session required pam_limits.so {{ debug|default('', true) }}
+session required pam_env.so {{ debug|default('', true) }}
+{% if mktemp -%}
+session optional pam_mktemp.so
+{% endif -%}
+
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session required pam_unix.so {{ debug|default('', true) }}
+{%if krb5 -%}
+session [success=1 default=ignore] {{ krb5_params }}
+{% endif -%}
+
+session optional pam_permit.so
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-08-17 7:33 Mikle Kolyada
0 siblings, 0 replies; 5+ messages in thread
From: Mikle Kolyada @ 2020-08-17 7:33 UTC (permalink / raw
To: gentoo-commits
commit: ed4f15348fa950b02016154790bb6d180cccf5f9
Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Mon Aug 17 07:30:39 2020 +0000
Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Mon Aug 17 07:30:39 2020 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ed4f1534
make pam_gnome_keyring optional
Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
pambase.py | 143 ++++++++++++++++++++++++++-------------------------
templates/passwd.tpl | 5 +-
2 files changed, 76 insertions(+), 72 deletions(-)
diff --git a/pambase.py b/pambase.py
index 07e458d..83ee97c 100755
--- a/pambase.py
+++ b/pambase.py
@@ -6,96 +6,97 @@ import pathlib
def main():
- parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
- parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
- parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
- parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
- parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
- parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
- parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
- parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
- parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
- parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
- parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
- parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
- parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
- parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
- parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
-
- parsed_args = parser.parse_args()
- processed = process_args(parsed_args)
-
- parse_templates(processed)
+ parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
+ parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
+ parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+ parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+ parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
+ parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
+ parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+ parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
+ parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
+ parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
+ parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+ parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
+ parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
+ parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack')
+ parser.add_argument('--debug', action="store_true", help='enable debug for selected modules')
+ parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module')
+
+ parsed_args = parser.parse_args()
+ processed = process_args(parsed_args)
+
+ parse_templates(processed)
def process_args(args):
- # make sure that output directory exists
- pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+ # make sure that output directory exists
+ pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
- blank_variables = [
- "krb5_authtok",
- "unix_authtok",
- "unix_extended_encryption",
- "likeauth",
- "nullok"
- ]
+ blank_variables = [
+ "krb5_authtok",
+ "unix_authtok",
+ "unix_extended_encryption",
+ "likeauth",
+ "nullok"
+ ]
- # create a blank dictionary
- # then add in our parsed args
- output = dict.fromkeys(blank_variables, "")
- output.update(vars(args))
+ # create a blank dictionary
+ # then add in our parsed args
+ output = dict.fromkeys(blank_variables, "")
+ output.update(vars(args))
- # unconditional variables
- output["likeauth"] = "likeauth"
- output["unix_authtok"] = "use_authtok"
+ # unconditional variables
+ output["likeauth"] = "likeauth"
+ output["unix_authtok"] = "use_authtok"
- if args.debug:
- output["debug"] = "debug"
+ if args.debug:
+ output["debug"] = "debug"
- if args.nullok:
- output["nullok"] = "nullok"
+ if args.nullok:
+ output["nullok"] = "nullok"
- if args.krb5:
- output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
+ if args.krb5:
+ output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
- if args.sha512:
- output["unix_extended_encryption"] = "sha512 shadow"
- else:
- output["unix_extended_encryption"] = "md5 shadow"
+ if args.sha512:
+ output["unix_extended_encryption"] = "sha512 shadow"
+ else:
+ output["unix_extended_encryption"] = "md5 shadow"
- return output
+ return output
def parse_templates(processed_args):
- load = FileSystemLoader('')
- env = Environment(loader=load, trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True)
+ load = FileSystemLoader('')
+ env = Environment(loader=load, trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True)
- templates = [
- "login",
- "other",
- "passwd",
- "system-local-login",
- "system-remote-login",
- "su",
- "system-auth",
- "system-login",
- "system-services"
- ]
+ templates = [
+ "login",
+ "other",
+ "passwd",
+ "system-local-login",
+ "system-remote-login",
+ "su",
+ "system-auth",
+ "system-login",
+ "system-services"
+ ]
- for template_name in templates:
- template = env.get_template('templates/{0}.tpl'.format(template_name))
+ for template_name in templates:
+ template = env.get_template('templates/{0}.tpl'.format(template_name))
- with open('stack/{0}'.format(template_name), "w+") as output:
- rendered_template = template.render(processed_args)
+ with open('stack/{0}'.format(template_name), "w+") as output:
+ rendered_template = template.render(processed_args)
- # Strip all intermediate lines to not worry about appeasing Jinja
- lines = rendered_template.split("\n")
- lines = [line.strip() for line in lines if line]
- rendered_template = "\n".join(lines)
+ # Strip all intermediate lines to not worry about appeasing Jinja
+ lines = rendered_template.split("\n")
+ lines = [line.strip() for line in lines if line]
+ rendered_template = "\n".join(lines)
- if rendered_template:
- output.write(rendered_template + "\n")
+ if rendered_template:
+ output.write(rendered_template + "\n")
if __name__ == "__main__":
- main()
+ main()
diff --git a/templates/passwd.tpl b/templates/passwd.tpl
index 5f4f739..101a5fc 100644
--- a/templates/passwd.tpl
+++ b/templates/passwd.tpl
@@ -2,4 +2,7 @@ auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
--password optional pam_gnome_keyring.so {{ unix_authtok }}
+
+{% if gnome_keyring %}
+password optional pam_gnome_keyring.so {{ unix_authtok }}
+{% endif %}
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-09-13 10:01 Mikle Kolyada
0 siblings, 0 replies; 5+ messages in thread
From: Mikle Kolyada @ 2020-09-13 10:01 UTC (permalink / raw
To: gentoo-commits
commit: 46e6f29b1f9b7edd9541382fddd9b0837900e649
Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 13 09:59:15 2020 +0000
Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org>
CommitDate: Sun Sep 13 10:00:50 2020 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=46e6f29b
system-auth: introduce pam_pwhistory
Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org>
pambase.py | 1 +
templates/system-auth.tpl | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/pambase.py b/pambase.py
index 83ee97c..de5dddb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -10,6 +10,7 @@ def main():
parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
+ parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 0381e66..46fc131 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -32,6 +32,10 @@ password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_pwquality.so
{% endif %}
+{% if pwhistory %}
+password required pam_pwhistory.so use_authtok remember=5 retry=3
+{% endif %}
+
{% if krb5 %}
password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2020-11-02 23:41 Sam James
0 siblings, 0 replies; 5+ messages in thread
From: Sam James @ 2020-11-02 23:41 UTC (permalink / raw
To: gentoo-commits
commit: 94a9b5f76fc8fa1a3c6c34c5baa3fb25825e1dc2
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 2 23:40:50 2020 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Nov 2 23:40:50 2020 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=94a9b5f7
pambase.py: rename --libcap -> --caps
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 2 +-
templates/system-auth.tpl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pambase.py b/pambase.py
index de5dddb..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -8,7 +8,7 @@ import pathlib
def main():
parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files')
parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module')
- parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module')
+ parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module')
parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module')
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 2f2fe76..4ff78e4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -47,7 +47,7 @@ password optional pam_permit.so
session optional pam_ssh.so
{% endif %}
-{% if libcap %}
+{% if caps %}
-auth optional pam_cap.so
{% endif %}
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [gentoo-commits] proj/pambase:master commit in: /, templates/
@ 2021-01-31 21:36 Sam James
0 siblings, 0 replies; 5+ messages in thread
From: Sam James @ 2021-01-31 21:36 UTC (permalink / raw
To: gentoo-commits
commit: 5a545eb14a1220af1ba8031f3669471e77edbc2f
Author: Mikle KOlyada <zlogene <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 30 19:50:12 2021 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 21:36:01 2021 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=5a545eb1
systemd-auth: add systemd-homed support
Signed-off-by: Mikle KOlyada <zlogene <AT> gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James <sam <AT> gentoo.org>
pambase.py | 1 +
templates/system-auth.tpl | 18 ++++++++++++++++--
templates/system-session.tpl | 4 ++++
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/pambase.py b/pambase.py
index eb3d4fe..b306ca4 100755
--- a/pambase.py
+++ b/pambase.py
@@ -15,6 +15,7 @@ def main():
parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module')
+ parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module')
parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module')
parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 53557dc..174aacf 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -11,11 +11,16 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
auth requisite pam_faillock.so preauth
-auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth [success=1 default=ignore] pam_systemd_home.so
+{% else %}
+auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
auth [default=die] pam_faillock.so authfail
{% if caps %}
--auth optional pam_cap.so
+auth optional pam_cap.so
{% endif %}
{% if homed %}
@@ -24,6 +29,11 @@ auth [default=die] pam_faillock.so authfail
{% if krb5 %}
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+
+{% if homed %}
+account [success=1 default=ignore] pam_systemd_home.so
+{% endif %}
+
account required pam_unix.so {{ debug|default('', true) }}
account required pam_faillock.so
@@ -43,6 +53,10 @@ password required pam_pwhistory.so use_authtok remember=5 retry=3
password [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+{% if homed %}
+password [success=1 default=ignore] pam_systemd_home.so
+{% endif %}
+
{% if passwdqc or pwquality %}
password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
{% else %}
diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 3dd1d70..48653d4 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -12,4 +12,8 @@ session optional pam_mktemp.so
session [success=1 default=ignore] pam_krb5.so {{ krb5_params }}
{% endif %}
+{% if homed %}
+session [success=1 default=ignore] pam_systemd_home.so
+{% endif %}
+
session required pam_unix.so {{ debug|default('', true) }}
^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-01-31 21:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-09-13 10:01 [gentoo-commits] proj/pambase:master commit in: /, templates/ Mikle Kolyada
-- strict thread matches above, loose matches on Subject: below --
2021-01-31 21:36 Sam James
2020-11-02 23:41 Sam James
2020-08-17 7:33 Mikle Kolyada
2020-08-04 11:29 Mikle Kolyada
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox