From 6ad4e5bc647bd823fd10fca9022b7129df2fa369 Mon Sep 17 00:00:00 2001
From: Richard Marian Thomaiyar
Date: Wed, 3 Oct 2018 14:06:51 +0530
Subject: Enable pam-ipmi modules in pam password stack
Enabled pam-ipmicheck & pam-ipmisave modules in pam password stacked modules. This modules will store 'ipmi' group users password in encrypted form in /etc/ipmi_pass file along with /etc/shadow. This special file will be used by phosphor-ipmi-net during RAKP messages. This will not affect users who doesn't belong to 'ipmi' group.
(From meta-phosphor rev: 945a28a80ea24c59441ce511aff95092121dfc78)
Change-Id: I1b9e2c78c1e0b8a0f8da2a28c6d89638c45f692d
Signed-off-by: Richard Marian Thomaiyar
Signed-off-by: Brad Bishop
---
 meta-phosphor/recipes-core/pam/libpam/pam.d/common-password | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password b/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password
index ddd7ca1d7..ac3f368c8 100644
--- a/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password
+++ b/meta-phosphor/recipes-core/pam/libpam/pam.d/common-password
@@ -16,9 +16,11 @@
 # See the pam_unix manpage for other options.
 
 # here are the per-package modules (the "Primary" block)
-password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0
+password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi
+password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0 use_authtok
 #password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
-password [success=1 default=die] pam_unix.so sha512 use_authtok
+password [success=ok default=die] pam_unix.so sha512 use_authtok
+password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
 # here's the fallback if no module succeeds
 password requisite pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
-- 
cgit v1.2.3
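Review bot: The added pam_ipmisave.so line keeps a recoverable copy of every 'ipmi' group password in /etc/ipmi_pass, with its key at /etc/key_file beside it, so anyone who gets read access to /etc (a flash image, a backup) holds the passwords themselves rather than the sha512 hashes in /etc/shadow. Nothing in the hunk shows who creates the two files or with what mode; I would state the requirement above the line, e.g. `# pam_ipmisave stores a reversible copy for RAKP; /etc/ipmi_pass and /etc/key_file must be root-owned, mode 0600`, and confirm that the recipe or the module enforces it. Separately, pam_ipmisave now runs after pam_unix.so with `default=die`, so a failure there (unreadable key file, write error) presumably reports the change as failed after /etc/shadow has already been updated, leaving the two stores out of sync. Because `default` also covers `ignore`, it is worth confirming that both new modules return success, not ignore, for users outside the group; if they can return ignore, add `ignore=ignore` as the commented pam_pwhistory line does.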