summaryrefslogtreecommitdiff
path: root/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/convert-pam-configs.sh
blob: f66f40beb4729de9cc0a89c43a7f354cb7a90dde (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

#!/bin/sh
# Convert OpenBMC linux-PAM config files

# Location of config files this script modifies:
#   PAM_CONF_DIR - path to the PAM config files
#   SECURITY_CONF_DIR - path to the security config files
PAM_CONF_DIR=/etc/pam.d
SECURITY_CONF_DIR=/etc/security

# Handle common-password:
#   Change cracklib to pwquality and handle the minlen parameter
pam_cracklib=$(grep "^password.*pam_cracklib.so" ${PAM_CONF_DIR}/common-password)
if [ -n "${pam_cracklib}" ]
then
    echo "Changing ${PAM_CONF_DIR}/common-password to use pam_pwquality.so (was pam_cracklib.so)" >&2
    minlen=$(echo ${pam_cracklib} | sed -e "s/.*minlen=\([[:alnum:]]*\).*/\1/")
    echo "  Converting parameter minlen=${minlen} to ${SECURITY_CONF_DIR}/pwquality.conf minlen" >&2
    sed -i.bak -e "s/^minlen=.*/minlen=$minlen/" ${SECURITY_CONF_DIR}/pwquality.conf
    pwquality='password        [success=ok default=die]        pam_pwquality.so debug'
    sed -i.bak -e "s/^password.*pam_cracklib.so.*/$pwquality/" ${PAM_CONF_DIR}/common-password
    echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-password
fi

# Handle common-auth:
#   Change tally2 to faillock and handle the deny & unlock_time parameters
pam_tally2=$(grep "^auth.*pam_tally2.so" ${PAM_CONF_DIR}/common-auth)
if [ -n "${pam_tally2}" ]
then
    echo "Changing ${PAM_CONF_DIR}/common-auth to use pam_faillock.so (was pam_tally2.so)" >&2
    deny=$(echo ${pam_tally2} | sed -e "s/.*deny=\([[:alnum:]]*\).*/\1/")
    unlock_time=$(echo ${pam_tally2} | sed -e "s/.*unlock_time=\([[:alnum:]]*\).*/\1/")
    # Change faillock.conf parameters
    echo "  Converting parameter deny=${deny} to ${SECURITY_CONF_DIR}/faillock.conf deny" >&2
    echo "  Converting parameter unlock_time=${unlock_time} to ${SECURITY_CONF_DIR}/faillock.conf unlock_time" >&2
    sed -i.bak \
        -e "s/^deny=.*/deny=$deny/" \
        -e "s/^unlock_time=.*/unlock_time=$unlock_time/" \
        ${SECURITY_CONF_DIR}/faillock.conf
    # Change pam_tally2 to pam_faillock (changes the overall auth stack)
    authfail='auth    [default=die]                   pam_faillock.so authfail'
    authsucc='auth    sufficient                      pam_faillock.so authsucc'
    sed -i.bak \
        -e "/^auth.*pam_tally2.so.*$/d" \
        -e "/^auth.*pam_deny.so/i $authfail\n$authsucc" \
        ${PAM_CONF_DIR}/common-auth
    echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-auth
fi
generated by cgit v1.2.3 (git 2.39.0) at 2024-05-18 07:41:52 +0300