From 0532a2415a27493669201d9c0fcb62cc09f1c0e2 Mon Sep 17 00:00:00 2001
From: Alex Hearn
Date: Tue, 27 Aug 2024 12:10:11 -0500
Subject: [PATCH] libpam: enable pam-plugin-faillock when it's installed and customize settings

- update the pam-plugin-faillock package so that the plugin gets enabled when it's installed
- modify some faillock configuration settings
- prevent pam-plugin-faillock from being installed when ni-auth is installed

This change simplifies Secured, Network-Attached Controller (SNAC) configuration. faillock is required to be enabled on a SNAC. The faillock settings were chosen to comply with SNAC requirements. The conflict with ni-auth was added because from testing it appears that the faillock plugin is incompatible with the ni-auth plugin.

Signed-off-by: Alex Hearn
---
 .../pam/libpam/security/faillock.conf | 62 +++++++++++++++++++
 recipes-extended/pam/libpam_1.%.bbappend | 22 +++++++
 2 files changed, 84 insertions(+)
 create mode 100644 recipes-extended/pam/libpam/security/faillock.conf

diff --git a/recipes-extended/pam/libpam/security/faillock.conf b/recipes-extended/pam/libpam/security/faillock.conf
new file mode 100644
index 000000000..abec69ac7
--- /dev/null
+++ b/recipes-extended/pam/libpam/security/faillock.conf
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = 3
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is n seconds.
+# The default is 900 (15 minutes).
+fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+unlock_time = 0
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group =
diff --git a/recipes-extended/pam/libpam_1.%.bbappend b/recipes-extended/pam/libpam_1.%.bbappend
index 9accc57ef..1a582a480 100644
--- a/recipes-extended/pam/libpam_1.%.bbappend
+++ b/recipes-extended/pam/libpam_1.%.bbappend
@@ -1 +1,23 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:"
+
+SRC_URI += "\
+ file://security/faillock.conf \
+"
+
+do_install:append() {
+ install -m 644 ${WORKDIR}/security/faillock.conf ${D}${sysconfdir}/security/faillock.conf
+}
+
+pkg_postinst:pam-plugin-faillock:append() {
+ # enable faillock
+ sed -E -i 's/^(.+)success=1(.+)$/auth requisite pam_faillock.so preauth\n\1success=2\2\nauth [default=die] pam_faillock.so authfail/' "${sysconfdir}/pam.d/common-auth"
+ echo "auth sufficient pam_faillock.so authsucc" >> "${sysconfdir}/pam.d/common-auth"
+}
+
+pkg_prerm:pam-plugin-faillock:append() {
+ # disable faillock
+ sed -E -i '/pam_faillock.so/d' "${sysconfdir}/pam.d/common-auth"
+ sed -E -i 's/^(.+)success=2(.+)$/\1success=1\2/' "${sysconfdir}/pam.d/common-auth"
+}
+
+RCONFLICTS:pam-plugin-faillock:append = " ni-auth"
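Review bot: `unlock_time = 0` near the end of the first hunk makes every lockout permanent until an administrator runs `faillock --user <name> --reset`, and together with `deny = 3` this means anyone who can reach a login prompt can lock a local account (root excepted, since `even_deny_root` stays commented out), so the availability cost should be an explicit, recorded decision. The surrounding comment still carries upstream's "The default is 600 (10 minutes)" wording, so the deviation should be noted where it is made, e.g. `# 0 = permanent lock, required for SNAC; clear with: faillock --user <name> --reset`. `silent` suppresses the lockout notice, so a locked user only sees what looks like a wrong-password failure; a comment pointing operators at `faillock` output when triaging login complaints would save support time. `audit` additionally writes unknown user names to the system log, and since a password typed into the user-name field is recorded that way, the log destination on a SNAC should be treated as sensitive.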
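Review bot: Both scriptlets in the bbappend hunk edit `"${sysconfdir}/pam.d/common-auth"`, which BitBake expands to the absolute path `/etc/pam.d/common-auth`; when pkg_postinst runs at rootfs-creation time (the default in Yocto) that is the build host's file rather than the image's, so the path should be `"$D${sysconfdir}/pam.d/common-auth"` in both pkg_postinst and pkg_prerm. The first `sed` in pkg_postinst also has no success check: if common-auth carries no `success=1` rule (or already has `success=2` from an earlier install), nothing is inserted while the following `echo` still appends the `authsucc` line, leaving a configuration that looks faillock-enabled although failures are never counted, and each re-run appends another duplicate. I would resolve the path once, skip the edit when faillock is already wired in, and fail loudly when the expected rule is absent, as below; the exact `success=1` layout this relies on is presumably the Debian-style common-auth, which is worth stating in the comment.
```bitbake
pkg_postinst:pam-plugin-faillock:append() {
    # enable faillock; $D is the image root when this runs at rootfs time.
    # Assumes a Debian-style common-auth with a single "success=1" jump.
    common_auth="$D${sysconfdir}/pam.d/common-auth"
    if grep -q 'pam_faillock.so' "$common_auth"; then
        : # already enabled (reinstall/upgrade); do not insert twice
    elif grep -q 'success=1' "$common_auth"; then
        sed -E -i 's/^(.+)success=1(.+)$/auth requisite pam_faillock.so preauth\n\1success=2\2\nauth [default=die] pam_faillock.so authfail/' "$common_auth"
        echo "auth sufficient pam_faillock.so authsucc" >> "$common_auth"
    else
        echo "pam-plugin-faillock: no 'success=1' rule in $common_auth, faillock not enabled" >&2
        exit 1
    fi
}
```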