
Conversation


@AlexHearnNI AlexHearnNI commented Aug 27, 2024

Summary of Changes

  • update the pam-plugin-faillock package so that the plugin gets enabled when it's installed
  • modify some faillock configuration settings
  • prevent pam-plugin-faillock from being installed when ni-auth is installed

Justification

This change simplifies Secured, Network-Attached Controller (SNAC) configuration, AB#2816939. faillock is required to be enabled on a SNAC. The faillock settings were chosen to comply with SNAC requirements. The conflict with ni-auth was added because from testing it appears that the faillock plugin is incompatible with the ni-auth plugin.

Testing

I tested that opkg returns a clear error message when installing pam-plugin-faillock describing the conflict if ni-auth is installed. I confirmed that libpam-runtime contains the customized /etc/security/faillock.conf. After removing ni-auth, I installed pam-plugin-faillock and confirmed that the configuration files changed as I expected.

>~# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.

# here are the per-package modules (the "Primary" block)
auth    requisite pam_faillock.so preauth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [default=die] pam_faillock.so authfail
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    sufficient pam_faillock.so authsucc

I confirmed that common-auth was reverted after removing pam-plugin-faillock.

  • I have built the core package feed with this PR in place. (bitbake packagefeed-ni-core)

Procedure

@ni/rtos @amstewart
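The common-auth listing in the testing notes above shows the three pam_faillock lines (preauth before pam_unix, authfail with [default=die] right after it, authsucc at the end) that make lockout work. As an added check, not part of this PR or of the NILRT meta layers, here is a small Python validator that parses a pam.d auth stack, including bracketed control values, and reports when that wiring is missing or misordered. The sample inputs are constructed from the listing above; the helper names (parse_pam, faillock_problems) are assumptions of this example.

```python
"""Validate that a PAM common-auth stack enables pam_faillock correctly.

Added example, not code from the PR. The invariants checked mirror the
common-auth shown in the PR description: preauth precedes the primary
module, authfail follows it with [default=die], authsucc is last, and the
primary module's success jump skips authfail and pam_deny.
"""
import re
import sys

# Constructed sample: the auth lines of the common-auth quoted in the PR.
SAMPLE_COMMON_AUTH = """\
# here are the per-package modules (the "Primary" block)
auth    requisite pam_faillock.so preauth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [default=die] pam_faillock.so authfail
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    sufficient pam_faillock.so authsucc
"""

# Constructed counterexample: the stock stack with no faillock lines at all.
SAMPLE_WITHOUT_FAILLOCK = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# type, control (bare word or [bracketed]), module, optional args
LINE_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_pam(text):
    """Return (type, control, module, args) tuples; skip comments, blanks and @include."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        args = (m.group("args") or "").split()
        entries.append((m.group("type"), m.group("control"), m.group("module"), args))
    return entries


def faillock_problems(text, primary="pam_unix.so"):
    """Return a list of problems with the faillock wiring; an empty list means it is correct."""
    entries = [e for e in parse_pam(text) if e[0] == "auth"]

    def find(module, arg=None):
        for i, (_, _, mod, args) in enumerate(entries):
            if mod == module and (arg is None or arg in args):
                return i
        return None

    pre = find("pam_faillock.so", "preauth")
    fail = find("pam_faillock.so", "authfail")
    succ = find("pam_faillock.so", "authsucc")
    prim = find(primary)

    problems = []
    for name, pos in (("preauth", pre), ("authfail", fail), ("authsucc", succ)):
        if pos is None:
            problems.append(f"missing {name}")
    if prim is None:
        problems.append(f"missing primary module {primary}")
    if problems:
        return problems  # ordering checks need all four lines present

    if not pre < prim:
        problems.append("preauth must precede the primary module")
    if not prim < fail:
        problems.append("authfail must follow the primary module")
    if succ != len(entries) - 1:
        problems.append("authsucc must be the last auth line")
    if entries[fail][1] != "[default=die]":
        problems.append("authfail must use [default=die] so a failed attempt is recorded")
    # success=N jumps over the next N lines; it must land beyond authfail and not on pam_deny
    m = re.search(r"success=(\d+)", entries[prim][1])
    target = prim + 1 + int(m.group(1)) if m else prim + 1
    if target <= fail or (target < len(entries) and entries[target][2] == "pam_deny.so"):
        problems.append("primary success jump must skip authfail and pam_deny")
    return problems


if __name__ == "__main__":
    # With a path argument, check a real file (e.g. /etc/pam.d/common-auth); otherwise the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(faillock_problems(fh.read()) or "faillock wiring OK")
    else:
        print("PR sample:", faillock_problems(SAMPLE_COMMON_AUTH) or "OK")
        print("no faillock:", faillock_problems(SAMPLE_WITHOUT_FAILLOCK))
```

The success=2 check is the easy one to get wrong by hand: the count must skip both the authfail line and pam_deny.so so that a good password still reaches pam_permit.so and then authsucc, which is what resets the failure counter.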


@amstewart amstewart left a comment


NILRT, the NILRT meta layers, and OE repos more generally use commits as the unit of change. Remember to prefix your commit summary with the recipe name you're changing, e.g. libpam: enable pam-plugin-faillock on install. And put your justifications and change descriptions in the commit summary.

@AlexHearnNI AlexHearnNI force-pushed the faillock branch 3 times, most recently from 8eb9657 to a57268f on September 3, 2024 15:20

@amstewart amstewart left a comment


Looks good pending this one change.

…settings

- update the pam-plugin-faillock package so that the plugin gets enabled when it's installed
- modify some faillock configuration settings
- prevent pam-plugin-faillock from being installed when ni-auth is installed

This change simplifies Secured, Network-Attached Controller (SNAC) configuration. faillock is required to be enabled on a SNAC. The faillock settings were chosen to comply with SNAC requirements. The conflict with ni-auth was added because from testing it appears that the faillock plugin is incompatible with the ni-auth plugin.

Signed-off-by: Alex Hearn <[email protected]>
@chaitu236 chaitu236 merged commit eeb7b91 into ni:nilrt/master/next Sep 4, 2024
@AlexHearnNI AlexHearnNI deleted the faillock branch September 5, 2024 13:53
@AlexHearnNI AlexHearnNI mentioned this pull request Sep 5, 2024