summaryrefslogtreecommitdiff
path: root/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh
diff options
context:
space:
mode:
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh48
1 files changed, 48 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh
new file mode 100644
index 000000000..f66f40beb
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+# Convert OpenBMC linux-PAM config files
+
+# Location of config files this script modifies:
+# PAM_CONF_DIR - path to the PAM config files
+# SECURITY_CONF_DIR - path to the security config files
+PAM_CONF_DIR=/etc/pam.d
+SECURITY_CONF_DIR=/etc/security
+
+# Handle common-password:
+# Change cracklib to pwquality and handle the minlen parameter
+pam_cracklib=$(grep "^password.*pam_cracklib.so" ${PAM_CONF_DIR}/common-password)
+if [ -n "${pam_cracklib}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-password to use pam_pwquality.so (was pam_cracklib.so)" >&2
+ minlen=$(echo ${pam_cracklib} | sed -e "s/.*minlen=\([[:alnum:]]*\).*/\1/")
+ echo " Converting parameter minlen=${minlen} to ${SECURITY_CONF_DIR}/pwquality.conf minlen" >&2
+ sed -i.bak -e "s/^minlen=.*/minlen=$minlen/" ${SECURITY_CONF_DIR}/pwquality.conf
+ pwquality='password [success=ok default=die] pam_pwquality.so debug'
+ sed -i.bak -e "s/^password.*pam_cracklib.so.*/$pwquality/" ${PAM_CONF_DIR}/common-password
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-password
+fi
+
+# Handle common-auth:
+# Change tally2 to faillock and handle the deny & unlock_time parameters
+pam_tally2=$(grep "^auth.*pam_tally2.so" ${PAM_CONF_DIR}/common-auth)
+if [ -n "${pam_tally2}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-auth to use pam_faillock.so (was pam_tally2.so)" >&2
+ deny=$(echo ${pam_tally2} | sed -e "s/.*deny=\([[:alnum:]]*\).*/\1/")
+ unlock_time=$(echo ${pam_tally2} | sed -e "s/.*unlock_time=\([[:alnum:]]*\).*/\1/")
+ # Change faillock.conf parameters
+ echo " Converting parameter deny=${deny} to ${SECURITY_CONF_DIR}/faillock.conf deny" >&2
+ echo " Converting parameter unlock_time=${unlock_time} to ${SECURITY_CONF_DIR}/faillock.conf unlock_time" >&2
+ sed -i.bak \
+ -e "s/^deny=.*/deny=$deny/" \
+ -e "s/^unlock_time=.*/unlock_time=$unlock_time/" \
+ ${SECURITY_CONF_DIR}/faillock.conf
+ # Change pam_tally2 to pam_faillock (changes the overall auth stack)
+ authfail='auth [default=die] pam_faillock.so authfail'
+ authsucc='auth sufficient pam_faillock.so authsucc'
+ sed -i.bak \
+ -e "/^auth.*pam_tally2.so.*$/d" \
+ -e "/^auth.*pam_deny.so/i $authfail\n$authsucc" \
+ ${PAM_CONF_DIR}/common-auth
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-auth
+fi
+
generated by cgit v1.2.3 (git 2.39.0) at 2024-05-18 08:06:21 +0300