From 93077999f679ea17bf17150ba72e1cf32574bae2 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Sun, 11 Jul 2021 11:45:39 +0200
Subject: [PATCH] [sssd] Manage pamd rules

Signed-off-by: Yohann D'ANELLO
---
 roles/sssd/tasks/main.yml | 69 +++++++++++++++++--
 roles/sssd/templates/pam.d/common-password.j2 | 37 ----------
 2 files changed, 65 insertions(+), 41 deletions(-)
 delete mode 100644 roles/sssd/templates/pam.d/common-password.j2

diff --git a/roles/sssd/tasks/main.yml b/roles/sssd/tasks/main.yml
index c314fda7..d8b887f5 100644
--- a/roles/sssd/tasks/main.yml
+++ b/roles/sssd/tasks/main.yml
@@ -55,7 +55,68 @@
 - passwd
 - group
-- name: Configure PAM authentication
-  template:
-    src: pam.d/common-password.j2
-    dest: /etc/pam.d/common-password
+- name: Override PAM rule priority for unix login to insert sssd login
+  pamd:
+    # Standard Unix auth by default if available (for root)
+    name: common-auth
+    type: auth
+    control: '[success=2 default=ignore]'
+    new_control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+
+- name: Insert PAM SSS authentication rule
+  pamd:
+    name: common-auth
+    type: auth
+    control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+    new_type: auth
+    new_control: '[success=2 default=ignore]'
+    new_module_path: pam_sss.so
+    state: after
+
+- name: Update PAM arguments for SSS authentication
+  pamd:
+    name: common-auth
+    type: auth
+    module_path: pam_sss.so
+    control: '[success=2 default=ignore]'
+    module_arguments: 'use_first_pass'
+
+- name: Add PAM rule for SSS sessions
+  pamd:
+    name: common-session
+    type: session
+    control: required
+    module_path: pam_unix.so
+    new_type: session
+    new_control: optional
+    new_module_path: pam_sss.so
+    state: after
+
+- name: Override PAM rule priority for unix passwords
+  pamd:
+    name: common-password
+    type: password
+    control: '[success=2 default=ignore]'
+    new_control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+
+- name: Insert PAM SSS password rule
+  pamd:
+    name: common-password
+    type: password
+    control: '[success=3 default=ignore]'
+    module_path: pam_unix.so
+    new_type: password
+    new_control: '[success=2 default=ignore]'
+    new_module_path: pam_sss.so
+    state: after
+
+- name: Update PAM arguments for SSS authentication
+  pamd:
+    name: common-password
+    type: password
+    module_path: pam_sss.so
+    control: '[success=2 default=ignore]'
+    module_arguments: 'use_authtok'
diff --git a/roles/sssd/templates/pam.d/common-password.j2 b/roles/sssd/templates/pam.d/common-password.j2
deleted file mode 100644
index 34be825e..00000000
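Review bot: Every task in this hunk locates the existing pam_unix.so line by an exact control string (`[success=2 default=ignore]`, then `[success=3 default=ignore]`), and the pamd module reports "ok" rather than failing when no rule matches, so on a host where pam-auth-update wrote a different jump count (it writes `success=1` when pam_unix is the only primary module, and `success=2` only with a second one such as the pam_ldap line the deleted template still carried) pam_sss.so is never inserted into common-auth or common-password and the play still looks green. The hard-coded jump counts also only keep pam_deny and pam_permit in the right place for that one stack layout, so I would either let the distribution profile do this (`pam-auth-update --enable sss`, shipped by libpam-sss on Debian) or at least guard the result with a check such as `- name: Verify pam_sss is in the auth stack` / `  command: grep -q pam_sss.so /etc/pam.d/common-auth` / `  changed_when: false`. Note too that only common-auth, common-session and common-password are touched; unless common-account is handled elsewhere in the role, pam_sss's account phase never runs, so sssd-side access control (expired or disabled accounts, access_provider filters) is not enforced at login. Minor: the last task reuses the name "Update PAM arguments for SSS authentication" from the common-auth task although it edits common-password; a distinct name such as `Update PAM arguments for SSS password changes` keeps `--start-at-task` and log output unambiguous.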
--- a/roles/sssd/templates/pam.d/common-password.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-{{ ansible_header | comment }}
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords. The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules. See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-password requisite pam_pwquality.so retry=3
-password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
-password sufficient pam_sss.so use_authtok
-password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
-# here's the fallback if no module succeeds
-password requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config