Skip to content

enable pam-plugin-faillock when it's installed with custom settings#724

Merged
chaitu236 merged 1 commit intoni:nilrt/master/nextfrom
AlexHearnNI:faillock
Sep 4, 2024
Merged

enable pam-plugin-faillock when it's installed with custom settings#724
chaitu236 merged 1 commit intoni:nilrt/master/nextfrom
AlexHearnNI:faillock

Conversation

@AlexHearnNI
Copy link
Contributor

@AlexHearnNI AlexHearnNI commented Aug 27, 2024
edited
Loading

Summary of Changes

  • update the pam-plugin-faillock package so that the plugin gets enabled when it's installed
  • modify some faillock configuration settings
  • prevent pam-plugin-faillock from being installed when ni-auth is installed

Justification

This change simplifies Secured, Network-Attached Controller (SNAC) configuration, AB#2816939. faillock is required to be enabled on a SNAC. The faillock settings were chosen to comply with SNAC requirements. The conflict with ni-auth was added because from testing it appears that the faillock plugin is incompatible with the ni-auth plugin.

Testing

I tested that opkg returns a clear error message when installing pam-plugin-faillock describing the conflict if ni-auth is installed. I confirmed that libpam-runtime contains the customized /etc/security/faillock.conf. After removing ni-auth, I installed pam-plugin-faillock and confirmed that the configuration files changed as I expected.

>~# cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.

# here are the per-package modules (the "Primary" block)
auth    requisite pam_faillock.so preauth
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [default=die] pam_faillock.so authfail
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    sufficient pam_faillock.so authsucc

I confirmed that common-auth was reverted after removing pam-plugin-faillock.

  • I have built the core package feed with this PR in place. (bitbake packagefeed-ni-core)

Procedure

@ni/rtos @amstewart

amstewart
amstewart requested changes Aug 28, 2024
View reviewed changes
Copy link
Contributor

@amstewart amstewart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NILRT, the NILRT meta layers, and OE repos more generally use commits as the unit of change. Remember to prefix your commit summary with the recipe name you're changing, eg. libpam: enable pam-plugin-faillock on install. And put your justifications and change descriptions in the commit summary.

@AlexHearnNI AlexHearnNI force-pushed the faillock branch 3 times, most recently from 8eb9657 to a57268f Compare September 3, 2024 15:20
amstewart
amstewart requested changes Sep 3, 2024
View reviewed changes
Copy link
Contributor

@amstewart amstewart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good pending this one change.

@AlexHearnNI
libpam: enable pam-plugin-faillock when it's installed and customize …
0532a24 
…settings

- update the pam-plugin-faillock package so that the plugin gets enabled when it's installed
- modify some faillock configuration settings
- prevent pam-plugin-faillock from being installed when ni-auth is installed

This change simplifies Secured, Network-Attached Controller (SNAC) configuration. faillock is required to be enabled on a SNAC. The faillock settings were chosen to comply with SNAC requirements. The conflict with ni-auth was added because from testing it appears that the faillock plugin is incompatible with the ni-auth plugin.

Signed-off-by: Alex Hearn <alex.hearn@ni.com>
@chaitu236 chaitu236 merged commit eeb7b91 into ni:nilrt/master/next Sep 4, 2024
@AlexHearnNI AlexHearnNI deleted the faillock branch September 5, 2024 13:53
@AlexHearnNI AlexHearnNI mentioned this pull request Sep 5, 2024
Merged
1 task
@amstewart amstewart mentioned this pull request Sep 26, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chaitu236 chaitu236 chaitu236 approved these changes

@amstewart amstewart amstewart approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlexHearnNI @chaitu236 @amstewart