Convert pam_pwhistory config to pwhistory.conf
With libpam 1.5.3, pam_pwhistory added support for reading configuration
options from pwhistory.conf, similar to faillock and pwquality. This
converts the pam_pwhistory config options to pwhistory.conf to match
faillock and pwquality.
Tested:
Confirmed that the remember setting works correctly from pwhistory.conf.
Confirmed that an existing pwhistory remember setting gets converted to
pwhistory.conf, if needed.
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Change-Id: I8ec0c8b60f02f0e5aa97b3254225e9a5488cdb54
diff --git a/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh b/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh
index 27ec218..e460965 100755
--- a/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh
+++ b/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh
@@ -21,6 +21,19 @@
echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-password
fi
+# Update pwhistory to use the conf file and handle the remember parameter
+pam_pwhistory=$(grep "^password.*pam_pwhistory.so.*remember" ${PAM_CONF_DIR}/common-password)
+if [ -n "${pam_pwhistory}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-password pam_pwhistory.so to use pwhistory.conf" >&2
+ remember=$(echo "${pam_pwhistory}" | sed -e "s/.*remember=\([[:alnum:]]*\).*/\1/")
+ echo " Converting parameter remember=${remember} to ${SECURITY_CONF_DIR}/pwhistory.conf remember" >&2
+ sed -i.bak -e "s/^remember=.*/remember=$remember/" ${SECURITY_CONF_DIR}/pwhistory.conf
+ pwhistory='password [success=ok ignore=ignore default=die] pam_pwhistory.so debug use_authtok'
+ sed -i.bak -e "s/^password.*pam_pwhistory.so.*/$pwhistory/" ${PAM_CONF_DIR}/common-password
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-password
+fi
+
# Handle common-auth:
# Change tally2 to faillock and handle the deny & unlock_time parameters
pam_tally2=$(grep "^auth.*pam_tally2.so" ${PAM_CONF_DIR}/common-auth)
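Review bot: The value captured into `remember` on the `remember=$(echo "${pam_pwhistory}" | sed ...)` line is interpolated into the following `sed -i` on `${SECURITY_CONF_DIR}/pwhistory.conf` without checking that the capture matched; the grep on the line above only requires the word `remember` somewhere after pam_pwhistory.so, so a line carrying `remember` with no `=value` (or a non-alphanumeric value) leaves `remember` holding the entire PAM line, which is then written verbatim into pwhistory.conf. Tightening the selector so the sed capture cannot fall through is a one-line fix: `pam_pwhistory=$(grep "^password.*pam_pwhistory.so.*remember=[[:alnum:]]" ${PAM_CONF_DIR}/common-password)`. Separately, the replacement line assigned to `pwhistory` hard-codes `debug use_authtok` and discards every other argument on the existing line, so `enforce_for_root` is not migrated from common-password but comes only from the shipped pwhistory.conf; if I read the flow right, a system that had removed it would get it re-enabled by the conversion, which deserves a comment on the `pwhistory=` line. The enclosing script continues on both sides of the hunk.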
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
index 2fc4011..b29afbf 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
@@ -15,7 +15,7 @@
# here are the per-package modules (the "Primary" block)
password [success=ok default=die] pam_pwquality.so debug
password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi use_authtok
-password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
+password [success=ok ignore=ignore default=die] pam_pwhistory.so debug use_authtok
password [success=ok default=die] pam_unix.so sha512 use_authtok
password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
# here's the fallback if no module succeeds
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pwhistory.conf b/meta-phosphor/recipes-extended/pam/libpam/pwhistory.conf
new file mode 100644
index 0000000..1515fae
--- /dev/null
+++ b/meta-phosphor/recipes-extended/pam/libpam/pwhistory.conf
@@ -0,0 +1,2 @@
+enforce_for_root
+remember=0
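Review bot: The new file carries no comment explaining that convert-pam-configs.sh rewrites the `remember=` line in place (`sed -e "s/^remember=.*/remember=$remember/"`), so this line must stay present and uncommented for a legacy `remember=` value from common-password to be carried over; if it is removed or commented out, the sed writes nothing and the converted value is silently lost. A header such as `# pam_pwhistory.so options, see pwhistory.conf(5); convert-pam-configs.sh rewrites the remember= line below in place, keep it present` would make that coupling visible to anyone editing the file.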
diff --git a/meta-phosphor/recipes-extended/pam/libpam_%.bbappend b/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
index d9ffdac..0007c6f 100644
--- a/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
@@ -5,6 +5,7 @@
file://pam.d/common-auth \
file://pam.d/common-session \
file://faillock.conf \
+ file://pwhistory.conf \
file://convert-pam-configs.service \
file://convert-pam-configs.sh \
"
@@ -25,6 +26,7 @@
install -d ${D}/etc/security
install -m 0644 ${WORKDIR}/faillock.conf ${D}/etc/security
+ install -m 0644 ${WORKDIR}/pwhistory.conf ${D}/etc/security
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/convert-pam-configs.sh ${D}${bindir}