Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 2b59705148feb8ca6aafd9cf050229b069284515^! / . / meta-phosphor / recipes-extended / pam / libpam_%.bbappend
commit2b59705148feb8ca6aafd9cf050229b069284515[log] [tgz]
authorRichard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>Sat Nov 02 21:24:29 2019 +0530
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Tue Nov 05 09:25:55 2019 -0500
tree14f78c83fbc7f5d93c41bd3c328d648fd74cc38f
parent05eaa7cbaf4a01317cb936e7cb5cb7ce731322f7 [diff] [blame]
pam: Disable sensitive log & nullok

pam_unix logs user name when sessions are established, quiet
the same in configuraiton. This is done to avoid logging user name
as logs will be exported as part of debug log dump etc, thereby
compramising sensitive information.
Also disallow nullok login from security point of it.

Tested:
1. Verified that session establishment are not recorded with user
name.
2. Verfieid webui, redfish, ipmi, ssh login works as expected.

(From meta-phosphor rev: 15a293b458ef2f013356f9746c0ac7a20e59c1c1)

Change-Id: Ic0fcdbfd9a5968fa55a27b7d2de379f8ba131cac
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/meta-phosphor/recipes-extended/pam/libpam_%.bbappend b/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
index f97664f..770ffea 100644
--- a/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-phosphor/recipes-extended/pam/libpam_%.bbappend

@@ -3,6 +3,7 @@
 SRC_URI += " file://pam.d/common-password \
              file://pam.d/common-account \
              file://pam.d/common-auth \
+             file://pam.d/common-session \
             "
 
 RDEPENDS_${PN}-runtime += "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \