
(#162) root_unlock_time won't be included if even_deny_root is false (#…
…163)

Also added the nullok parameter back to the module for completeness

Fixes #162
Fixes #124
michael-riddle authored Nov 5, 2024
1 parent 220716b commit a90181b
Showing 10 changed files with 152 additions and 3 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG
@@ -1,3 +1,8 @@
* Mon Nov 04 2024 Mike Riddle <mike@sicura.us> - 7.3.0
- "root_unlock_time" will no longer be included in faillock.conf if "even_deny_root" is set to false
- Added nullok back as a parameter for completeness, however, users are warned not to use it unless
they fully understand the implication of having users without passwords

* Tue Oct 29 2024 Mike Riddle <mike@sicura.us> - 7.2.2
- Fixed pam auth files getting mangled when using cracklib as the pwbackend

3 changes: 3 additions & 0 deletions manifests/auth.pp
@@ -29,6 +29,7 @@
# @param cracklib_minclass
# @param cracklib_minlen
# @param cracklib_retry
# @param nullok
# @param oath
# @param oath_window
# @param deny
@@ -79,6 +80,7 @@
Optional[Integer[0]] $cracklib_minclass = $pam::cracklib_minclass,
Optional[Integer[0]] $cracklib_minlen = $pam::cracklib_minlen,
Integer[0] $cracklib_retry = $pam::cracklib_retry,
Boolean $nullok = $pam::nullok,
Integer[0] $deny = $pam::deny,
Boolean $faillock = $pam::faillock,
Boolean $manage_faillock_conf = $pam::manage_faillock_conf,
@@ -201,6 +203,7 @@
cracklib_minclass => $cracklib_minclass,
cracklib_minlen => $cracklib_minlen,
cracklib_retry => $_cracklib_retry,
nullok => $nullok,
deny => $deny,
faillock => $faillock,
faillock_log_dir => $faillock_log_dir,
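Review bot: The new `# @param nullok` tag at the top of manifests/auth.pp is left without a description, while the same parameter in manifests/init.pp carries an explicit warning about blank passwords, so a reader of the pam::auth define sees only the bare tag. Suggest mirroring the warning where the parameter is exposed, e.g. `# @param nullok` followed by `#   Adds nullok to the generated pam_unix password line; see pam::nullok for the risk of accounts with blank passwords.` The parameter list and the resource call that receive `$nullok` both start and end outside the visible hunks.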
6 changes: 6 additions & 0 deletions manifests/init.pp
@@ -121,6 +121,11 @@
# performed using the cracklib library. This option will be ignored
# unless the OS major version is higher than 7.
#
# @param nullok
# If true, blank passwords will be allowed for users. DO NOT set this to true
# unless you and your organization are willing to accept the risks of having
# accounts with blank passwords.
#
# @param rm_pwquality_conf_d
# Remove the /etc/security/pwquality.conf.d directory and all contents.
#
@@ -345,6 +350,7 @@
Optional[Array[String[1],1]] $cracklib_badwords = undef,
Optional[StdLib::Absolutepath] $cracklib_dictpath = undef,
Integer[0] $dictcheck = 1,
Boolean $nullok = false,
Boolean $rm_pwquality_conf_d = true,
Boolean $oath = simplib::lookup('simp_options::oath', { 'default_value' => false }),
Integer[0] $oath_window = 1,
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "simp-pam",
"version": "7.2.2",
"version": "7.3.0",
"author": "SIMP Team",
"summary": "A SIMP puppet module for managing pam",
"license": "Apache-2.0",
25 changes: 25 additions & 0 deletions spec/classes/config_spec.rb
@@ -83,6 +83,19 @@
EOM
}

let(:no_even_deny_root_faillock_conf){
<<~EOM
# This file is generated by Puppet
# Any changes made to it will be overwritten.
#
audit
silent
deny=5
fail_interval=900
unlock_time=900
EOM
}

let(:all_params_faillock_conf){
<<~EOM
# This file is generated by Puppet
@@ -436,6 +449,18 @@
end
end

context 'with managing faillock.conf with even_deny_root set to false' do
let(:params){{ :manage_faillock_conf => true, :even_deny_root => false }}

it {is_expected.to compile.with_all_deps}
if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or
(os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022')
it {is_expected.to_not contain_file('/etc/security/faillock.conf')}
else
it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( no_even_deny_root_faillock_conf )}
end
end

context 'with managing faillock.conf with all non-default parameters' do
let(:params){{
:manage_faillock_conf => true,
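Review bot: The new `with managing faillock.conf with even_deny_root set to false` context compares the OS major version as a string, `os_facts[:os][:release][:major] <= '7'`, which is a lexicographic comparison: a two-digit major such as '10' sorts below '7' and would wrongly take the "no faillock.conf" branch. The sibling spec in spec/defines/auth_spec.rb already converts first, so the same form here, `Integer(os_facts[:os][:release][:major]) <= 7`, avoids the trap; `&&` in place of `and` would also sidestep Ruby's low-precedence `and` in the combined condition. This likely mirrors the existing contexts in the file, in which case fixing them together is the cleaner change.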
20 changes: 20 additions & 0 deletions spec/defines/auth_spec.rb
@@ -343,6 +343,26 @@ def get_expected(filename)
it_should_behave_like "a pam.d config file generator"
it { is_expected.to contain_file(filename).with_content(file_content) }
end

context 'Generate file with when nullok == true' do
let(:params){{
:nullok => true,
}}
let(:pw_backend) { 'pwquality' }
let(:title){ 'system' }
let(:filename){ "/etc/pam.d/system-auth" }
let(:el_version){
if Integer(os_facts[:os][:release][:major]) <= 7
'el7'
else
'el8'
end
}
let(:file_content) { get_expected("#{pw_backend}-system-#{el_version}-auth_nullok") }

it_should_behave_like "a pam.d config file generator"
it { is_expected.to contain_file(filename).with_content(file_content) }
end
end
end
end
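--- a/spec/expected/auth_spec/pwquality-system-el7-auth_nullok
+++ b/spec/expected/auth_spec/pwquality-system-el7-auth_nullok
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so retry=3 enforce_for_root reject_username
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so nullok sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed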
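--- a/spec/expected/auth_spec/pwquality-system-el8-auth_nullok
+++ b/spec/expected/auth_spec/pwquality-system-el8-auth_nullok
@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth optional pam_faildelay.so
+auth required pam_env.so
+auth required pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth [success=1 default=ignore] pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth sufficient pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth requisite pam_succeed_if.so uid >= 1000 quiet
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so broken_shadow
+account [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account requisite pam_access.so listsep=, nodefgroup
+account required pam_permit.so
+
+password requisite pam_pwquality.so
+password required pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password sufficient pam_unix.so nullok sha512 rounds=10000 shadow try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session sufficient pam_succeed_if.so service = gdm-launch-environment quiet
+session sufficient pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session optional pam_tty_audit.so disable=* enable=root
+session optional pam_env.so readenv=1 envfile=/etc/locale.conf
+session sufficient pam_succeed_if.so user = root quiet
+session requisite pam_access.so listsep=, nodefgroup
+session required pam_unix.so
+session optional pam_oddjob_mkhomedir.so silent
+session required pam_lastlog.so showfailed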
10 changes: 9 additions & 1 deletion templates/etc/pam.d/auth.epp
@@ -17,6 +17,7 @@
Optional[Integer[0]] $cracklib_minclass,
Optional[Integer[0]] $cracklib_minlen,
Variant[Boolean, Integer[0]] $cracklib_retry,
Boolean $nullok,
Integer[0] $deny,
Boolean $faillock,
Boolean $manage_faillock_conf,
@@ -277,7 +278,14 @@ account required pam_permit.so
$_pam_pwhistory = "password required pam_pwhistory.so use_authtok remember=${remember} retry=${remember_retry} file=${remember_file}${_remember_debug}${_remember_for_root}"
-%>
<% } -%>
<% $_pam_unix = "password sufficient pam_unix.so ${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%>
<%
if $nullok {
$_nullok = 'nullok '
} else {
$_nullok = ''
}
-%>
<% $_pam_unix = "password sufficient pam_unix.so ${_nullok}${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%>
<% if $sssd { -%>
<%= $_pam_pwhistory %>
<%= $_pam_unix %>
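Review bot: The new `$_nullok` prefix is applied only to the `password sufficient pam_unix.so` line assembled in `$_pam_unix`; the `auth ... pam_unix.so try_first_pass` line is not touched, and the new expected fixtures confirm `nullok` appears on the password line only. If I read pam_unix's option handling correctly, whether a blank password is accepted at login is decided by the auth-stack arguments, so the init.pp description "blank passwords will be allowed for users" may promise more than this template delivers — confirm whether the intent is password-change handling for accounts whose password is already blank, or blank-password login, and either extend the auth line or narrow the documentation to match. A comment above the new block, `# nullok is only added to the password stack here; the auth-stack pam_unix line is unaffected`, would make the scope explicit to the next reader. The template body continues before and after this hunk.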
2 changes: 1 addition & 1 deletion templates/etc/security/faillock.conf.epp
@@ -45,7 +45,7 @@ unlock_time=<%= $unlock_time %>
<% if $even_deny_root { -%>
even_deny_root
<% } -%>
<% if $root_unlock_time { -%>
<% if $root_unlock_time and $even_deny_root { -%>
root_unlock_time=<%= $root_unlock_time %>
<% } -%>
<% if $admin_group { -%>
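Review bot: The new guard `<% if $root_unlock_time and $even_deny_root { -%>` fixes faillock.conf, but the pam_faillock lines generated by templates/etc/pam.d/auth.epp (outside this hunk) also emit `root_unlock_time=` next to `even_deny_root`, as the new fixtures show for the default case; if that template does not apply the same gating, a host with `even_deny_root => false` would still carry `root_unlock_time=60` in pam.d while it disappears from faillock.conf. A matching `even_deny_root => false` case in spec/defines/auth_spec.rb would settle this, or at least a note here such as `# root_unlock_time is meaningless without even_deny_root; keep the pam.d template in step`. The surrounding option list continues outside the hunk.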
