Enable pam-ipmi modules in pam password stack
Enabled pam-ipmicheck & pam-ipmisave modules in
pam password stacked modules. This modules will
store 'ipmi' group users password in encrypted
form in /etc/ipmi_pass file along with /etc/shadow.
This special file will be used by phosphor-ipmi-net
during RAKP messages.
This will not affect users who doesn't belong to
'ipmi' group.
(From meta-phosphor rev: 945a28a80ea24c59441ce511aff95092121dfc78)
Change-Id: I1b9e2c78c1e0b8a0f8da2a28c6d89638c45f692d
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password b/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password
index ddd7ca1..ac3f368 100644
--- a/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password
+++ b/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password
@@ -16,9 +16,11 @@
# See the pam_unix manpage for other options.
# here are the per-package modules (the "Primary" block)
-password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0
+password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi
+password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0 use_authtok
#password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
-password [success=1 default=die] pam_unix.so sha512 use_authtok
+password [success=ok default=die] pam_unix.so sha512 use_authtok
+password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;