diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-extended')
3 files changed, 101 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend new file mode 100644 index 000000000..08f8c58b0 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/pam-ipmi_%.bbappend @@ -0,0 +1,7 @@ +do_install_append () { +# Remove ipmi_pass from image, if debug-tweaks is not enabled + ${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', '', 'rm ${D}/${sysconfdir}/ipmi_pass', d)} +} + +# latest upstream HEAD until meta-phosphor autobumps +SRCREV = "c2ef3319b42d86862b479e08e652ab36a26a14db" diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login new file mode 100644 index 000000000..51dd3a83b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/pam.d/login @@ -0,0 +1,90 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# Note that it is included as a "requisite" module. No password prompts will +# be displayed if this module fails to avoid having the root password +# transmitted on unsecure ttys. +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root). +auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 + +# Allow only uid 0 for login prompt authentication +auth required pam_succeed_if.so uid eq 0 + +# Do regular pam unix based authentication. Allow null password. +auth [success=2 default=ignore] pam_unix.so quiet nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +account include common-account +password include common-password +session include common-session diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 000000000..283d787e5 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend @@ -0,0 +1,4 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +PAM_SRC_URI += "file://pam.d/login \ + " |