Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NAS-133109 / 25.04 / Refactor PAM config generation #15218

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

NAS-133109 / 25.04 / Refactor PAM config generation #15218

wants to merge 2 commits into from

Conversation

anodos325
Copy link
Contributor

This commit refactors how we generate custom PAM configuration lines so as to force them to run though a parser, and adds tests for said parser. pam_tty_audit is also enabled for interactive sessions for root account if for some reason a user gets interactive root session when GPOS STIG is enabled (this should never happen).

@bugclerk bugclerk changed the title Refactor PAM config generation NAS-133109 / 25.04 / Refactor PAM config generation Dec 16, 2024
@bugclerk
Copy link
Contributor

Jira URL: https://ixsystems.atlassian.net/browse/NAS-133109

@anodos325
Refactor PAM config generation
2d9b389 
This commit refactors how we generate custom PAM configuration
lines so as to force them to run though a parser, and adds tests
for said parser. pam_tty_audit is also enabled for interactive
sessions for root account if for some reason a user gets interactive
root session when GPOS STIG is enabled (this should never happen).
@anodos325 anodos325 requested a review from bmeagherix December 17, 2024 16:28
bmeagherix
bmeagherix requested changes Dec 18, 2024
View reviewed changes
src/middlewared/middlewared/utils/pam.py
PAMLine(
pam_service=PAMService.AUTH,
pam_control=(
PAMControl(PAMResponse.SUCCESS, 2),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be

PAMControl(PAMResponse.SUCCESS, 1),

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. 1 is what's used in current common-auth for a server attached to FreeIPA.

mgrimesix
mgrimesix requested changes Dec 18, 2024
View reviewed changes
src/middlewared/middlewared/utils/pam.py
PAMLine(
pam_service=PAMService.ACCOUNT,
pam_control=(
PAMControl(PAMResponse.SUCCESS, 2),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In current code, attached to the FreeIPA I see the following in common-account:
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
Maybe this line should have 1 and not 2?

src/middlewared/middlewared/utils/pam.py
PAMLine(
pam_service=PAMService.AUTH,
pam_control=(
PAMControl(PAMResponse.SUCCESS, 2),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. 1 is what's used in current common-auth for a server attached to FreeIPA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgrimesix mgrimesix mgrimesix requested changes

@bmeagherix bmeagherix bmeagherix requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
jira
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@anodos325 @bugclerk @bmeagherix @mgrimesix