blob: 65a4d6d683b1efab67b6c83c480132c666b11f4d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-localuser-${libpam_suffix}"
RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-faillock-${libpam_suffix}"
RDEPENDS:${PN}-runtime += "libpwquality"
RDEPENDS:${PN}-runtime:remove = "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix}"
RDEPENDS:${PN}-runtime:remove = "${MLPREFIX}pam-plugin-tally2-${libpam_suffix}"
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " file://pam.d/common-password \
file://pam.d/common-account \
file://pam.d/common-auth \
file://pam.d/common-session \
file://faillock.conf \
file://convert-pam-configs.service \
file://convert-pam-configs.sh \
"
inherit systemd
SYSTEMD_SERVICE:${PN} += "convert-pam-configs.service"
FILES:${PN} += "${bindir}/convert-pam-configs.sh \
${systemd_system_unitdir}/convert-pam-configs.service \
"
do_install:append() {
install -d ${D}/etc/security
install -m 0644 ${WORKDIR}/faillock.conf ${D}/etc/security
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/convert-pam-configs.sh ${D}${bindir}
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/convert-pam-configs.service ${D}${systemd_system_unitdir}
}
#
# Background:
# 1. Linux-PAM modules tally2 and cracklib were removed in libpam_1.5,
# which prompted OpenBMC to change to the faillock and pwquality modules.
# The PAM config files under /etc/pam.d were changed accordingly.
# 2. OpenBMC implementations store Redfish property values in PAM config files.
# For example, the D-Bus property maxLoginAttemptBeforeLockout is stored in
# /etc/pam.d/common-auth as the pam_tally2.so deny= parameter value.
# 3. The /etc directory is readonly and has a readwrite overlayfs. That
# means when a config file changes, an overlay file is created which hides
# the readonly version.
#
# Problem scenario:
# 1. Begin with a BMC that has a firmware image which has the old PAM
# modules and the old PAM config files which have modified parameters.
# For example, there is an overlay file for /etc/pam.d/common-auth.
# 2. Perform a firmware update to a firmware image which has the new PAM
# modules. The updated image will have not have the old PAM modules.
# It will have the new PAM config files in its readonly file system and
# the old PAM config files in its readwrite overlay.
# 3. Note that PAM authentication will always fail at this point because
# the old PAM config files in the overlay tell PAM to use the old PAM
# modules which are not present on the system.
#
# Two possible recoveries are:
# A. Factory reset the BMC. This will clear the readwrite overlay,
# allowing PAM to use the readonly version.
# B. Convert the old PAM config files to the new style. See below.
#
# Service: The convert-pam-configs.service updates the old-style PAM config
# files on the BMC: it changes uses of the old modules to the new modules
# and carries forward configuration parameters. A key point is that files
# are written to *only* as needed to convert uses of the old modules to the
# new modules. See the conversion tool for details.
#
# This service can be removed when the BMC no longer supports a direct
# firware update path from a version which has the old PAM configs to a
# version which has the new PAM configs.
#
# In case of downgrade, Factory reset is recommended. Current logic in existing
# images won't be able to take care of these settings during downgrade.
|
