Change to pam_faillock and pam_pwquality
pam_tally2 is being replaced by pam_faillock. The parameters in
common-auth have moved to faillock.conf, so this commit adds a new
method to modify parameters in a given configuration file.
The output from the 'faillock' command differs from 'pam_tally2', so
this commit adds a new function to parse the output from 'faillock' to
determine if the user is currently locked.
pam_cracklib is being replaced by pam_pwquality. The parameters in
common-password have moved to pwquality.conf.
I referenced the work done by Joseph Reynolds in this commit [1] to know
what changes were required.
[1]: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/39853
Tested:
Confirmed that the AccountLockoutDuration and AccountLockoutThreshold
parameters under /redfish/v1/AccountService both return the correct
value from common-auth.
Set deny to 10 and unlock_time to 30 seconds and confirmed that a user
account will correctly show as locked after 10 failed login attempts,
and that user will show as unlocked 30 seconds later.
Used Redfish to PATCH both AccountLockoutDuration and
AccountLockoutThreshold and confirmed that the updated values are
correctly reported in Redfish and that the correct lines in
faillock.conf are modified.
Confirmed that the MinPasswordLength parameter under
/redfish/v1/AccountService returns the correct value from
common-password.
Set minlen to 9 and confirmed that a user password could not be set with
a length of 8.
Used Redfish to PATCH MinPasswordLength and confirmed that the updated
value is correctly reported in Redfish and that the correct line in
pwquality.conf is modified.
Change-Id: I0701e4148c0b8333c6b8889d4695e61ce7f5366d
Signed-off-by: Jason M. Bills <jason.m.bills@intel.com>
diff --git a/user_mgr.hpp b/user_mgr.hpp
index 6dcc898..559ab8b 100644
--- a/user_mgr.hpp
+++ b/user_mgr.hpp
@@ -200,6 +200,14 @@
*/
uint32_t accountUnlockTimeout(uint32_t val) override;
+ /** @brief parses the faillock output for locked user status
+ *
+ * @param[in] - output from faillock for the user
+ * @return - true / false indicating user locked / un-locked
+ **/
+ bool
+ parseFaillockForLockout(const std::vector<std::string>& faillockOutput);
+
/** @brief lists user locked state for failed attempt
*
* @param[in] - user name
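Review bot: the Doxygen `@param[in]` on the new parseFaillockForLockout comment carries no parameter name, so the generated docs will not link it to the argument; write `@param[in] faillockOutput - output from faillock for the user` to match the declaration. Since the function only inspects the vector it is given, consider declaring it `static` (or at least `const`) so the parser can be unit-tested without constructing a UserMgr.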
@@ -259,6 +267,20 @@
int getPamModuleArgValue(const std::string& moduleName,
const std::string& argName, std::string& argValue);
+ /** @brief get pam argument value
+ * method to get argument value from pam configuration
+ *
+ * @param[in] confFile - path of the module config file from where arg has
+ * to be read
+ * @param[in] argName - argument name
+ * @param[out] argValue - argument value
+ *
+ * @return 0 - success state of the function
+ */
+ int getPamModuleConfValue(const std::string& confFile,
+ const std::string& argName,
+ std::string& argValue);
+
/** @brief set pam argument value
* method to set argument value in pam configuration
*
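Review bot: the brief on getPamModuleConfValue ("get pam argument value / method to get argument value from pam configuration") is a verbatim copy of the existing getPamModuleArgValue comment directly above it, so a reader cannot tell which one parses a pam.d stack line and which one reads a `key = value` entry from a module config file such as faillock.conf or pwquality.conf; reword the brief to say it reads the named key from the given config file. Also say what a non-zero return means (key not present vs. file unreadable), since the Redfish AccountService handlers that consume this value will want to distinguish the two.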
@@ -273,6 +295,20 @@
const std::string& argName,
const std::string& argValue);
+ /** @brief set pam argument value
+ * method to set argument value in pam configuration
+ *
+ * @param[in] confFile - path of the module config file in which argument
+ * value has to be set
+ * @param[in] argName - argument name
+ * @param[out] argValue - argument value
+ *
+ * @return 0 - success state of the function
+ */
+ int setPamModuleConfValue(const std::string& confFile,
+ const std::string& argName,
+ const std::string& argValue);
+
/** @brief check for user presence
* method to check for user existence
*
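Review bot: argValue is declared `const std::string&` in setPamModuleConfValue but documented as `@param[out]`; it is an input, so the tag should be `@param[in] argValue - argument value`. The brief is again a copy of setPamModuleArgValue's; state that this overload rewrites the matching `key = value` line in the module config file rather than a module argument on a pam.d line.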
@@ -452,7 +488,8 @@
friend class TestUserMgr;
std::string pamPasswdConfigFile;
- std::string pamAuthConfigFile;
+ std::string faillockConfigFile;
+ std::string pwQualityConfigFile;
};
} // namespace user
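Review bot: with pamAuthConfigFile removed, the "Tested" section's statement that AccountLockoutDuration and AccountLockoutThreshold "return the correct value from common-auth" no longer describes what the code does, which now reads them through faillockConfigFile; update the commit message to say "from faillock.conf". Minor naming point: `faillockConfigFile` keeps the module name lowercase while `pwQualityConfigFile` camel-cases it; `pwqualityConfigFile` would be consistent with the existing member.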