#!/bin/sh
# Convert OpenBMC linux-PAM config files
#
# Rewrites legacy module lines in the PAM stack to their current
# replacements (pam_cracklib -> pam_pwquality, pam_tally2 -> pam_faillock)
# and moves the inline module parameters into the matching files under
# the security config directory.  The script edits files in place, so it
# needs write access to both directories below.
#
# Location of config files this script modifies:
# PAM_CONF_DIR - path to the PAM config files
# SECURITY_CONF_DIR - path to the security config files
PAM_CONF_DIR='/etc/pam.d'
SECURITY_CONF_DIR='/etc/security'

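# Handle common-password:
# Change cracklib to pwquality and handle the minlen parameter
#
# pam_cracklib took its options inline on the "password" line, whereas
# pam_pwquality reads them from pwquality.conf, so the inline minlen value
# is carried over to that file before the module line itself is rewritten.
pam_cracklib=$(grep "^password.*pam_cracklib.so" "${PAM_CONF_DIR}/common-password")
if [ -n "${pam_cracklib}" ]
then
  echo "Changing ${PAM_CONF_DIR}/common-password to use pam_pwquality.so (was pam_cracklib.so)" >&2
  # 'sed -n ... p' prints only when the pattern matches, so minlen is empty
  # when the old line carried no minlen= option.  An unconditional 's///'
  # would pass the whole module line through unchanged and that line would
  # then be written into pwquality.conf as the minlen value.  The option
  # name is anchored on preceding whitespace so a longer option that merely
  # ends in "minlen=" cannot be picked up, and the [[:alnum:]] capture keeps
  # sed-significant characters (/ & \) out of the replacement below.
  minlen=$(printf '%s\n' "${pam_cracklib}" | sed -n -e 's/.*[[:space:]]minlen=\([[:alnum:]]*\).*/\1/p')
  if [ -n "${minlen}" ]
  then
    echo " Converting parameter minlen=${minlen} to ${SECURITY_CONF_DIR}/pwquality.conf minlen" >&2
    # Only an existing "minlen=" line is rewritten; nothing is appended.
    sed -i.bak -e "s/^minlen=.*/minlen=${minlen}/" "${SECURITY_CONF_DIR}/pwquality.conf"
  else
    echo " No minlen parameter found; leaving ${SECURITY_CONF_DIR}/pwquality.conf minlen unchanged" >&2
  fi
  pwquality='password [success=ok default=die] pam_pwquality.so debug'
  sed -i.bak -e "s/^password.*pam_cracklib.so.*/${pwquality}/" "${PAM_CONF_DIR}/common-password"
  echo "# This file was converted by $0" >>"${PAM_CONF_DIR}/common-password"
fi
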
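# Update pwhistory to use the conf file and handle the remember parameter
#
# The inline remember= value is moved into pwhistory.conf and the module
# line is replaced by one without inline options.  Only lines that mention
# "remember" are converted; other pam_pwhistory lines are left alone.
pam_pwhistory=$(grep "^password.*pam_pwhistory.so.*remember" "${PAM_CONF_DIR}/common-password")
if [ -n "${pam_pwhistory}" ]
then
  echo "Changing ${PAM_CONF_DIR}/common-password pam_pwhistory.so to use pwhistory.conf" >&2
  # 'sed -n ... p' yields an empty string when there is no "remember="
  # option (the grep above only requires the word "remember"), so the whole
  # module line cannot leak into pwhistory.conf as the parameter value.
  # Anchoring on whitespace avoids matching a longer option ending in
  # "remember=", and the [[:alnum:]] capture keeps sed metacharacters out
  # of the replacement text.
  remember=$(printf '%s\n' "${pam_pwhistory}" | sed -n -e 's/.*[[:space:]]remember=\([[:alnum:]]*\).*/\1/p')
  if [ -n "${remember}" ]
  then
    echo " Converting parameter remember=${remember} to ${SECURITY_CONF_DIR}/pwhistory.conf remember" >&2
    # Only an existing "remember=" line is rewritten; nothing is appended.
    sed -i.bak -e "s/^remember=.*/remember=${remember}/" "${SECURITY_CONF_DIR}/pwhistory.conf"
  else
    echo " No remember parameter found; leaving ${SECURITY_CONF_DIR}/pwhistory.conf remember unchanged" >&2
  fi
  pwhistory='password [success=ok ignore=ignore default=die] pam_pwhistory.so debug use_authtok'
  sed -i.bak -e "s/^password.*pam_pwhistory.so.*/${pwhistory}/" "${PAM_CONF_DIR}/common-password"
  echo "# This file was converted by $0" >>"${PAM_CONF_DIR}/common-password"
fi
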
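# Handle common-auth:
# Change tally2 to faillock and handle the deny & unlock_time parameters
#
# pam_tally2's inline deny= and unlock_time= options are moved into
# faillock.conf, the pam_tally2 line is deleted and the pam_faillock
# authfail/authsucc pair is inserted ahead of pam_deny.
pam_tally2=$(grep "^auth.*pam_tally2.so" "${PAM_CONF_DIR}/common-auth")
if [ -n "${pam_tally2}" ]
then
  echo "Changing ${PAM_CONF_DIR}/common-auth to use pam_faillock.so (was pam_tally2.so)" >&2
  # 'sed -n ... p' yields an empty string when an option is absent, so a
  # missing option is skipped below instead of the whole module line being
  # written into faillock.conf as its value.  The names are anchored on
  # preceding whitespace so that "root_unlock_time=" is not mistaken for
  # "unlock_time=", and the [[:alnum:]] capture keeps sed metacharacters
  # (/ & \) out of the replacement text.
  deny=$(printf '%s\n' "${pam_tally2}" | sed -n -e 's/.*[[:space:]]deny=\([[:alnum:]]*\).*/\1/p')
  unlock_time=$(printf '%s\n' "${pam_tally2}" | sed -n -e 's/.*[[:space:]]unlock_time=\([[:alnum:]]*\).*/\1/p')
  # Change faillock.conf parameters.  Only the options that were actually
  # present are rewritten.  The sed script is accumulated so that a single
  # invocation (and hence a single .bak of the untouched file) covers both.
  faillock_script=
  if [ -n "${deny}" ]
  then
    echo " Converting parameter deny=${deny} to ${SECURITY_CONF_DIR}/faillock.conf deny" >&2
    faillock_script="${faillock_script}s/^deny=.*/deny=${deny}/;"
  else
    echo " No deny parameter found; leaving ${SECURITY_CONF_DIR}/faillock.conf deny unchanged" >&2
  fi
  if [ -n "${unlock_time}" ]
  then
    echo " Converting parameter unlock_time=${unlock_time} to ${SECURITY_CONF_DIR}/faillock.conf unlock_time" >&2
    faillock_script="${faillock_script}s/^unlock_time=.*/unlock_time=${unlock_time}/;"
  else
    echo " No unlock_time parameter found; leaving ${SECURITY_CONF_DIR}/faillock.conf unlock_time unchanged" >&2
  fi
  if [ -n "${faillock_script}" ]
  then
    # Drop the trailing ';' left by the accumulation above.
    faillock_script=${faillock_script%;}
    sed -i.bak -e "${faillock_script}" "${SECURITY_CONF_DIR}/faillock.conf"
  fi
  # Change pam_tally2 to pam_faillock (changes the overall auth stack)
  authfail='auth [default=die] pam_faillock.so authfail'
  authsucc='auth sufficient pam_faillock.so authsucc'
  sed -i.bak \
    -e "/^auth.*pam_tally2.so.*$/d" \
    -e "/^auth.*pam_deny.so/i ${authfail}\n${authsucc}" \
    "${PAM_CONF_DIR}/common-auth"
  echo "# This file was converted by $0" >>"${PAM_CONF_DIR}/common-auth"
fi
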