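# libpam bbappend: move the runtime PAM stack from the tally2/cracklib modules
# (dropped in libpam 1.5) to faillock/pwquality, ship the matching
# /etc/pam.d configs and a one-shot conversion service for upgraded BMCs.

RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-localuser-${libpam_suffix}"
RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-faillock-${libpam_suffix}"
RDEPENDS:${PN}-runtime += "libpwquality"
# The tally2 and cracklib plugins no longer exist in libpam 1.5; drop them
# from the runtime dependencies so the image does not try to pull them in.
RDEPENDS:${PN}-runtime:remove = "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix}"
RDEPENDS:${PN}-runtime:remove = "${MLPREFIX}pam-plugin-tally2-${libpam_suffix}"

FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"

# The pam.d/* files replace the ones shipped by the base recipe; the
# remaining three are installed by do_install:append below.
# NOTE(review): the pam.d/* files are presumably picked up by the base
# libpam recipe's do_install — confirm against that recipe.
SRC_URI += " \
    file://pam.d/common-password \
    file://pam.d/common-account \
    file://pam.d/common-auth \
    file://pam.d/common-session \
    file://faillock.conf \
    file://convert-pam-configs.service \
    file://convert-pam-configs.sh \
    "

inherit systemd

# Runs the conversion tool at boot; see the "Service" paragraph below.
# NOTE(review): the unit's ordering relative to services that authenticate
# through PAM is defined in convert-pam-configs.service (not shown here) —
# confirm it is ordered before them.
SYSTEMD_SERVICE:${PN} += "convert-pam-configs.service"

FILES:${PN} += " \
    ${bindir}/convert-pam-configs.sh \
    ${systemd_system_unitdir}/convert-pam-configs.service \
    "

# Install the pam_faillock policy file, the conversion script and its unit.
# ${sysconfdir} is used instead of a literal /etc so the path is derived the
# same way as ${bindir} and ${systemd_system_unitdir} above.
# NOTE(review): on releases that unpack into ${UNPACKDIR} (Yocto 5.0+) these
# ${WORKDIR} source paths need updating — confirm against the layer's target
# release.
do_install:append() {
    install -d ${D}${sysconfdir}/security
    install -m 0644 ${WORKDIR}/faillock.conf ${D}${sysconfdir}/security

    install -d ${D}${bindir}
    install -m 0755 ${WORKDIR}/convert-pam-configs.sh ${D}${bindir}

    install -d ${D}${systemd_system_unitdir}
    install -m 0644 ${WORKDIR}/convert-pam-configs.service ${D}${systemd_system_unitdir}
}

#
# Background:
# 1. Linux-PAM modules tally2 and cracklib were removed in libpam_1.5,
#    which prompted OpenBMC to change to the faillock and pwquality modules.
#    The PAM config files under /etc/pam.d were changed accordingly.
# 2. OpenBMC implementations store Redfish property values in PAM config files.
#    For example, the D-Bus property maxLoginAttemptBeforeLockout is stored in
#    /etc/pam.d/common-auth as the pam_tally2.so deny= parameter value.
# 3. The /etc directory is readonly and has a readwrite overlayfs. That
#    means when a config file changes, an overlay file is created which hides
#    the readonly version.
#
# Problem scenario:
# 1. Begin with a BMC that has a firmware image which has the old PAM
#    modules and the old PAM config files which have modified parameters.
#    For example, there is an overlay file for /etc/pam.d/common-auth.
# 2. Perform a firmware update to a firmware image which has the new PAM
#    modules. The updated image will not have the old PAM modules.
#    It will have the new PAM config files in its readonly file system and
#    the old PAM config files in its readwrite overlay.
# 3. Note that PAM authentication will always fail at this point because
#    the old PAM config files in the overlay tell PAM to use the old PAM
#    modules which are not present on the system.
#
# Two possible recoveries are:
# A. Factory reset the BMC. This will clear the readwrite overlay,
#    allowing PAM to use the readonly version.
# B. Convert the old PAM config files to the new style. See below.
#
# Service: The convert-pam-configs.service updates the old-style PAM config
# files on the BMC: it changes uses of the old modules to the new modules
# and carries forward configuration parameters. A key point is that files
# are written to *only* as needed to convert uses of the old modules to the
# new modules. See the conversion tool for details.
#
# This service can be removed when the BMC no longer supports a direct
# firmware update path from a version which has the old PAM configs to a
# version which has the new PAM configs.
#
# In case of downgrade, a factory reset is recommended. Current logic in
# existing images won't be able to take care of these settings during
# downgrade.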