public inbox for gentoo-commits@lists.gentoo.org
From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/pambase:master commit in: templates/, /
Date: Fri, 19 Jan 2024 05:31:55 +0000 (UTC)
Message-ID: <1705642302.c2060f499d483e11ba4524283c2d95a6a8beb8dc.sam@gentoo>

commit:     c2060f499d483e11ba4524283c2d95a6a8beb8dc
Author:     Christopher Byrne <salah.coronya <AT> gmail <DOT> com>
AuthorDate: Sun Sep  3 16:32:19 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jan 19 05:31:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c2060f49

Add sssd support

Bug: https://bugs.gentoo.org/726050
Closes: https://github.com/gentoo/pambase/issues/1
Signed-off-by: Christopher Byrne <salah.coronya <AT> gmail.com>
Closes: https://github.com/gentoo/pambase/pull/17
Signed-off-by: Sam James <sam <AT> gentoo.org>

 pambase.py                   |  7 ++++++-
 templates/system-auth.tpl    | 38 ++++++++++++++++++++++++++++++++------
 templates/system-session.tpl |  4 ++++
 3 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/pambase.py b/pambase.py
index 3875e89..ceec8cb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -19,6 +19,7 @@ def main():
     parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module')
     parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module')
     parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module')
+    parser.add_argument('--sssd', action="store_true", help='enable sssd.so module')
     parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module')
     parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module')
     parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module')
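Review bot: the help string on the new `--sssd` option names a module that does not exist; what the templates actually wire in is `pam_sss.so`. Match the convention of the neighbouring options (`--pam-ssh` / `pam_ssh.so`, `--krb5` / `pam_krb5.so`) and write `help='enable pam_sss.so module'`.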
@@ -41,7 +42,8 @@ def process_args(args):
         "unix_authtok",
         "unix_extended_encryption",
         "likeauth",
-        "nullok"
+        "nullok",
+        "local_users_only"
     ]
 
     # create a blank dictionary
@@ -62,6 +64,9 @@ def process_args(args):
     if args.krb5:
         output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip()
 
+    if args.sssd:
+        output["local_users_only"] = "local_users_only"
+
     if args.yescrypt:
         output["unix_extended_encryption"] = "yescrypt shadow"
     elif args.sha512:
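Review bot: `output["local_users_only"]` is only consumed by the `pam_pwquality.so` line in system-auth.tpl, so it has no effect unless `--pwquality` is also given; a one-line comment here saying why the option is tied to `--sssd` (local password-quality checks should not be applied to users whose policy lives in the remote backend) would save the next reader a trip into the template.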

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 9b078f3..4065e89 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -7,34 +7,55 @@ auth		sufficient	pam_ssh.so
 auth		[success={{ 4 if homed else 3 }} default=ignore]      pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if sssd %}
+auth		[default=1 ignore=ignore success=ok]	pam_usertype.so isregular
+auth		[default=3 ignore=ignore success=ok]	pam_localuser.so
+{% endif %}
+
 auth		requisite	pam_faillock.so preauth
+
 {% if homed %}
 auth            [success=2 default=ignore]      pam_systemd_home.so
 {% endif %}
+
+{% if sssd %}
+auth            sufficient    pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }}
+{% else %}
 auth            [success=1 new_authtok_reqd=1 ignore=ignore default=bad]      pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% endif %}
 auth		[default=die]	pam_faillock.so authfail
-
+{% if sssd %}
+auth		sufficient	pam_sss.so forward_pass {{ debug|default('', true) }}
+{% endif %}
 {% if caps %}
 auth		optional	pam_cap.so
 {% endif %}
-
+{% if sssd %}
+auth		sufficient	pam_deny.so
+{% endif %}
 {% if krb5 %}
 account		[success=2 default=ignore]	pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 {% if homed %}
-account         [success=1 default=ignore]      pam_systemd_home.so
+account         [success={{ 2 if sssd else 1 }} default=ignore]      pam_systemd_home.so
 {% endif %}
 
 account		required	pam_unix.so {{ debug|default('', true) }}
 account         required        pam_faillock.so
+{% if sssd %}
+account		sufficient	pam_localuser.so
+account		sufficient	pam_usertype.so issystem
+account		[default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }}
+account		required	pam_permit.so
+{% endif %}
 
 {% if passwdqc %}
 password	required	pam_passwdqc.so config=/etc/security/passwdqc.conf
 {% endif %}
 
 {% if pwquality %}
-password        required        pam_pwquality.so
+password        required        pam_pwquality.so {{ local_users_only|default('', true ) }}
 {% endif %}
 
 {% if pwhistory %}
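Review bot: the skip count on `pam_localuser.so` (`default=3`) is wrong when `homed` is enabled. For a non-local user it is meant to jump over `pam_faillock.so preauth`, `pam_unix.so` and `pam_faillock.so authfail` to land on `pam_sss.so`; with the `pam_systemd_home.so` line present it jumps over preauth, `pam_systemd_home.so` and `pam_unix.so` instead and lands on `auth [default=die] pam_faillock.so authfail`, which terminates the stack, so sssd users can never authenticate on a homed-enabled system. The `pam_krb5.so` line a few lines up already handles this with `[success={{ 4 if homed else 3 }} ...]`; use the same expression here, `[default={{ 4 if homed else 3 }} ignore=ignore success=ok]`. Two smaller points: `auth sufficient pam_deny.so` is a no-op, because `sufficient` ignores failures and `pam_deny.so` only ever fails; if an explicit terminal deny is wanted it should be `auth required pam_deny.so`, as the password stack in this same patch does. And `{{ local_users_only|default('', true ) }}` has a stray space before the closing parenthesis.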
@@ -50,9 +71,14 @@ password        [success=1 default=ignore]      pam_systemd_home.so
 {% endif %}
 
 {% if passwdqc or pwquality %}
-password	required	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password	{{ 'sufficient' if sssd else 'required' }}	pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}
-password        required        pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password        {{ 'sufficient' if sssd else 'required' }}        pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+{% endif %}
+
+{% if sssd %}
+password	sufficient	pam_sss.so use_authtok
+password	required	pam_deny.so
 {% endif %}
 
 {% if pam_ssh %}
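Review bot: the `{{ 'sufficient' if sssd else 'required' }}` expression is duplicated in both branches of the `passwdqc or pwquality` conditional; computing the control value once in pambase.py (the way `local_users_only` already is) and substituting a single variable keeps the template readable. The behavioural change also deserves a comment in the template: with `sufficient`, a failure from `pam_unix.so` no longer terminates the stack, so a local user whose local password change is rejected continues on to `pam_sss.so use_authtok` and then hits `password required pam_deny.so`; that is presumably intended, but it differs from the non-sssd branch and is not obvious from the template alone.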

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 536db49..4c5585b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -13,3 +13,7 @@ session         [success=1 default=ignore]      pam_systemd_home.so
 {% endif %}
 
 session		required	pam_unix.so {{ debug|default('', true) }}
+
+{% if sssd %}
+session		optional	pam_sss.so {{ debug|default('', true) }}
+{% endif %}

