pambase commit log (each entry: commit message and tags, then author, date, files changed and lines removed/added)
* system-auth.tpl: fix sssd's pam_deny  [HEAD, pambase-20240128, master]
  Author: Sam James  Date: 2024-01-28  Files: 1  Lines: -1/+1

    Closes: https://bugs.gentoo.org/922918
    Signed-off-by: Sam James <sam@gentoo.org>
* Add sssd support  [pambase-20240119]
  Author: Christopher Byrne  Date: 2024-01-19  Files: 3  Lines: -7/+42

    Bug: https://bugs.gentoo.org/726050
    Closes: https://github.com/gentoo/pambase/issues/1
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Closes: https://github.com/gentoo/pambase/pull/17
    Signed-off-by: Sam James <sam@gentoo.org>
* Honor pam_unix.so return value
  Author: Daniel Harding  Date: 2023-12-17  Files: 4  Lines: -4/+4

    Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value of
    pam_authenticate() for the case when the user enters an incorrect password.
    Prior to that change pam_authenticate() would return PAM_AUTH_ERR for an
    incorrect password, while after it would return PAM_PERM_DENIED.

    The root cause is that after that change, nothing in the stack before the
    final pam_faillock.so auth entry is setting `impression` in
    _pam_dispatch_aux(). If the user has not reached the maximum number of
    tries, pam_faillock.so returns PAM_IGNORE [1] and thus _pam_dispatch_aux()
    sets `status` to PAM_MUST_FAIL_CODE [2], which is defined to be
    PAM_PERM_DENIED [3]. This ends up being the return value for
    pam_authenticate().

    This commit addresses the problem by changing the `default` control action
    for the pam_unix.so auth entry from `ignore` to `bad` (the same as when its
    control value was `required`). Thus when processing the pam_unix.so entry,
    _pam_dispatch_aux() will set `impression` to _PAM_NEGATIVE and `status` to
    the return value of pam_unix.so, PAM_AUTH_ERR [4]. _pam_dispatch_aux() will
    then continue to the final pam_faillock.so auth entry. Because `impression`
    is now _PAM_NEGATIVE, _pam_dispatch_aux() will not change the value of
    `status` and the return value of pam_authenticate() is PAM_AUTH_ERR as
    desired.

    Also ensure that `new_authtok_reqd` is handled correctly when returned from
    pam_unix.so.

    [1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712
    [2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244
    [3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17
    [4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246

    Signed-off-by: Daniel Harding <dharding@living180.net>
    Closes: https://github.com/gentoo/pambase/pull/10
    Signed-off-by: Sam James <sam@gentoo.org>
* Add README.md
  Author: Aliaksei Urbanski  Date: 2023-11-13  Files: 1  Lines: -0/+18

    Closes: https://github.com/gentoo/pambase/pull/18
    Signed-off-by: Sam James <sam@gentoo.org>
* Add a GitHub Actions workflow for tests
  Author: Aliaksei Urbanski  Date: 2023-11-13  Files: 3  Lines: -0/+46

    These changes enable tests on the GitHub side.

    The implementation relies on Official Gentoo Docker images, since I believe
    it's a better way to test Gentoo-specific packages.

    Useful links:
    * https://www.gentoo.org/news/2020/07/04/official-docker.html
    * https://github.com/gentoo/gentoo-docker-images
    * https://github.com/docker/build-push-action
    * https://docs.docker.com/build/ci/github-actions/cache/

    Signed-off-by: Sam James <sam@gentoo.org>
* Add basic rendering tests with tox
  Author: Aliaksei Urbanski  Date: 2023-11-13  Files: 29  Lines: -0/+195

    Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>
* system-login.tpl: Fix whitespace
  Author: Michael Jones  Date: 2022-08-13  Files: 1  Lines: -4/+4

    Closes: https://github.com/gentoo/pambase/pull/16
    Signed-off-by: Sam James <sam@gentoo.org>
* other.tpl: Fix whitespace
  Author: Michael Jones  Date: 2022-08-13  Files: 1  Lines: -2/+2

    Closes: https://github.com/gentoo/pambase/pull/14
    Signed-off-by: Sam James <sam@gentoo.org>
* login.tpl: Fix unnecessary space character
  Author: Michael Jones  Date: 2022-08-13  Files: 1  Lines: -1/+1

    Closes: https://github.com/gentoo/pambase/pull/13
    Signed-off-by: Sam James <sam@gentoo.org>
* homed: add before pam_unix  [pambase-20220214]
  Author: Alexandra Parker  Date: 2022-02-14  Files: 1  Lines: -5/+3

    - --homed inserts pam_systemd_home before pam_unix
    - --homed --krb5 does that and adjusts krb5's jump to 4 modules

    Signed-off-by: Alexandra Parker <alex.iris.parker@gmail.com>
    Closes: https://bugs.gentoo.org/808993
    Closes: https://github.com/gentoo/pambase/pull/9
    Signed-off-by: Sam James <sam@gentoo.org>
* Add yescrypt support  [pambase-20211218]
  Author: Mikle Kolyada  Date: 2021-11-14  Files: 1  Lines: -1/+4

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* templates/system-auth.tpl: fix try_first_pass typo  [pambase-20210201.1]
  Author: Sam James  Date: 2021-02-02  Files: 1  Lines: -1/+1

    Closes: https://github.com/gentoo/pambase/issues/6
    Signed-off-by: Sam James <sam@gentoo.org>
* systemd-auth: add systemd-homed support  [pambase-20210201]
  Author: Mikle KOlyada  Date: 2021-01-31  Files: 3  Lines: -2/+21

    Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
    Closes: https://github.com/gentoo/pambase/pull/5
    Signed-off-by: Sam James <sam@gentoo.org>
* Revert "systemd-auth: add systemd-homed support"
  Author: Sam James  Date: 2021-01-31  Files: 3  Lines: -21/+2

    This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f.

    Auto-merged on a reverted commit.

    Signed-off-by: Sam James <sam@gentoo.org>
* Revert "Add systemd-homed support"
  Author: Sam James  Date: 2021-01-31  Files: 3  Lines: -11/+0

    This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a.

    Unintentionally had this staged still.

    Signed-off-by: Sam James <sam@gentoo.org>
* systemd-auth: add systemd-homed support
  Author: Mikle KOlyada  Date: 2021-01-31  Files: 3  Lines: -2/+21

    Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
    Closes: https://github.com/gentoo/pambase/pull/5
    Signed-off-by: Sam James <sam@gentoo.org>
* Add systemd-homed support
  Author: Sam James  Date: 2021-01-29  Files: 3  Lines: -0/+11

    Bug: https://bugs.gentoo.org/767784
    Signed-off-by: Sam James <sam@gentoo.org>
* system-login: add pam_time.so
  Author: Mikle KOlyada  Date: 2020-12-20  Files: 1  Lines: -0/+1

    Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
* strip pam_permit.so from system-auth
  Author: Mikle KOlyada  Date: 2020-12-20  Files: 2  Lines: -6/+0

    Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
* templates/system-auth.tpl: shift cap to be with other auth  [pambase-20201103]
  Author: Sam James  Date: 2020-11-03  Files: 1  Lines: -4/+4

    Signed-off-by: Sam James <sam@gentoo.org>
* pambase.py: rename --libcap -> --caps  [pambase-20201102]
  Author: Sam James  Date: 2020-11-02  Files: 2  Lines: -2/+2

    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-auth.tpl: fix pam_cap realm
  Author: Sam James  Date: 2020-11-02  Files: 1  Lines: -1/+1

    This fixes the pam_cap realm which can only be auth.

    This is a regression from old pre-rewrite pambase. It was however exposed
    by the fixing of an incorrect module name (pam_libcap -> pam_cap) not long
    ago.

    Bug: https://bugs.gentoo.org/751946
    Signed-off-by: Sam James <sam@gentoo.org>
* fix number of jumps when pam_krb5 used  [pambase-20201028.1]
  Author: Mikle Kolyada  Date: 2020-10-28  Files: 2  Lines: -2/+1

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* Do not use use_authtok if no passwd module was stacked  [pambase-20201028]
  Author: Mikle Kolyada  Date: 2020-10-28  Files: 1  Lines: -0/+5

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* templates/system-auth.tpl: fix libcap module name  [pambase-20201026]
  Author: Sam James  Date: 2020-10-26  Files: 1  Lines: -1/+1

    Bug: https://bugs.gentoo.org/750524
    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-auth.tpl: skip pam_unix with krb5
  Author: Sam James  Date: 2020-10-26  Files: 1  Lines: -4/+4

    Before this change, success on pam_krb5 would result in jumping one line
    (over pam_permit) back into pam_unix.

    Incidentally, we did the later stanza correctly.

    This was a regression from old pambase.

    Bug: https://bugs.gentoo.org/748405
    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-login.tpl: always need faillock
  Author: Sam James  Date: 2020-10-26  Files: 2  Lines: -4/+0

    Fixes: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c
    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-auth.tpl: use faillock in minimal case  [pambase-20201020]
  Author: Sam James  Date: 2020-10-20  Files: 1  Lines: -5/+2

    Bug: https://bugs.gentoo.org/748405
    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-auth.tpl: drop superfluous conf param on faillock  [pambase-20201013]
  Author: Sam James  Date: 2020-10-12  Files: 1  Lines: -1/+1

    pam_faillock defaults to /etc/security/faillock.conf anyway.

    Closes: https://bugs.gentoo.org/747967
    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-login.tpl: remove duplicate block already in system-auth
  Author: Sam James  Date: 2020-10-12  Files: 2  Lines: -6/+5

    Do it right this time!

    Signed-off-by: Sam James <sam@gentoo.org>
* templates/system-login.tpl: remove duplicate block from system-auth (again)
  Author: Sam James  Date: 2020-10-12  Files: 2  Lines: -5/+6

    Signed-off-by: Sam James <sam@gentoo.org>
|\
| * switch pam_faillock.so to its config file  [pambase-20201010]
|   Author: Mikle Kolyada  Date: 2020-10-10  Files: 2  Lines: -4/+4
|
|     Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
|
* | templates/system-login.tpl: move systemd, elogind blocks here
| | Author: Sam James  Date: 2020-10-12  Files: 2  Lines: -8/+8
| |
| |   Signed-off-by: Sam James <sam@gentoo.org>
| |
* | templates/system-login.tpl: remove duplicate block from system-auth
| | Author: Sam James  Date: 2020-10-12  Files: 1  Lines: -5/+0
| |
| |   Bug: https://bugs.gentoo.org/747868
| |   Signed-off-by: Sam James <sam@gentoo.org>
| |
* | templates/system-session.tpl: include pam_krb5.so module name
|/  Author: Sam James  Date: 2020-10-12  Files: 1  Lines: -4/+1

    Signed-off-by: Sam James <sam@gentoo.org>
* system-auth: introduce pam_pwhistory  [pambase-20200917]
  Author: Mikle Kolyada  Date: 2020-09-13  Files: 2  Lines: -0/+5

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* system-auth: switch password modules to configs
  Author: Mikle Kolyada  Date: 2020-09-09  Files: 1  Lines: -2/+2

    * pam_passwdqc.so can be managed by the /etc/security/passwdqc.conf
    * pam_pwquality.so can be managed by the /etc/security/pwquality.conf

    Both allow users to create their own password policies without touching
    files in the /etc/pam.d directory

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* make pam_gnome_keyring optional  [pambase-20200817]
  Author: Mikle Kolyada  Date: 2020-08-17  Files: 2  Lines: -72/+76

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* Add pam_pwquality.so support  [pambase-20200815]
  Author: Mikle Kolyada  Date: 2020-08-15  Files: 2  Lines: -0/+5

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* pambase.py: rename system-service -> system-services  [pambase-20200806]
  Author: Sam James  Date: 2020-08-06  Files: 2  Lines: -1/+1

    Some of e.g. OpenRC's installed pam files assume 'system-services':

    ./supervise-daemon:2:session include system-services
    ./start-stop-daemon:2:session include system-services

    Signed-off-by: Sam James <sam@gentoo.org>
* pambase.py: strip trailing whitespace in stack  [pambase-20200805]
  Author: Sam James  Date: 2020-08-05  Files: 1  Lines: -1/+1

    Signed-off-by: Sam James <sam@gentoo.org>
* templates/*: remove unnecessary strips
  Author: Sam James  Date: 2020-08-05  Files: 4  Lines: -44/+44

    Now obsolete as of 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c.

    Signed-off-by: Sam James <sam@gentoo.org>
* pambase.py: strip all blank lines
  Author: Sam James  Date: 2020-08-05  Files: 1  Lines: -1/+6

    It's simpler to do this in pambase.py than with Jinja 2, at least for now.

    Signed-off-by: Sam James <sam@gentoo.org>
* fix pam_ssh formatting  [pambase-20200804]
  Author: Mikle Kolyada  Date: 2020-08-04  Files: 1  Lines: -1/+1

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* fix a typo in logic
  Author: Mikle Kolyada  Date: 2020-08-04  Files: 1  Lines: -1/+1

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* New pambase era
  Author: Mikle Kolyada  Date: 2020-08-04  Files: 23  Lines: -365/+252

    pambase was simplified and rewritten in python

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* move faillock last in auth  [pambase-20200618, historical]
  Author: Mikle Kolyada  Date: 2020-06-18  Files: 2  Lines: -11/+12

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* fix a typo
  Author: Mikle Kolyada  Date: 2020-06-17  Files: 1  Lines: -1/+1

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* improve faillock support
  Author: Mikle Kolyada  Date: 2020-06-16  Files: 2  Lines: -2/+17

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
* Revert "allow clang-cpp"
  Author: Mikle Kolyada  Date: 2020-06-10  Files: 1  Lines: -1/+1

    This reverts commit 4a97472903679c7d85ca391aeedaea3ce7797acf.

    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>