From fed2d7294b340540e5a4c54df66cbf6eec25b17a Mon Sep 17 00:00:00 2001 From: ffqq Date: Thu, 25 Jan 2024 16:37:20 +0300 Subject: [PATCH] security/pam: add pam configuration --- security/pam/SCHEMATIC | 15 +++++++++------ security/pam/files/other | 9 +++++++++ security/pam/files/system-auth | 23 +++++++++++++++++++++++ security/pam/files/system-local-login | 6 ++++++ security/pam/files/system-login | 21 +++++++++++++++++++++ security/pam/files/system-remote-login | 6 ++++++ 6 files changed, 74 insertions(+), 6 deletions(-) create mode 100644 security/pam/files/other create mode 100644 security/pam/files/system-auth create mode 100644 security/pam/files/system-local-login create mode 100644 security/pam/files/system-login create mode 100644 security/pam/files/system-remote-login diff --git a/security/pam/SCHEMATIC b/security/pam/SCHEMATIC index e669773..1afe2d0 100644 --- a/security/pam/SCHEMATIC +++ b/security/pam/SCHEMATIC @@ -9,11 +9,12 @@ yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt, md5crypt, Sun It provides the traditional Unix crypt and crypt_r interfaces, as well as a set of extended interfaces pioneered by Openwall Linux, crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra." category="security" -version="1.5.3" +version="1.5.3_1" +version2="${version%%_*}" maintainer="ffqq@danwin1210.de" www="https://github.com/linux-pam/linux-pam" -master_site="https://github.com/linux-pam/linux-pam/releases/download/v$version" -source_name="linux-$name-$version.tar.xz" +master_site="https://github.com/linux-pam/linux-pam/releases/download/v$version2" +source_name="linux-$name-$version2.tar.xz" license_logic="single" # accepted values: single, and, or licenses=("GPLv2") 
@@ -21,9 +22,9 @@ build_dependencies=("devel/gmake" "lang/gcc" "security/libxcrypt" "textproc/flex run_dependencies=("system/glibc" "security/libxcrypt") build_process() { - cd Linux-PAM-$version - curl -LO https://github.com/linux-pam/linux-pam/releases/download/v$version/Linux-PAM-$version-docs.tar.xz # fetch docs - tar -xf Linux-PAM-$version-docs.tar.xz + cd Linux-PAM-$version2 + curl -LO https://github.com/linux-pam/linux-pam/releases/download/v$version2/Linux-PAM-$version2-docs.tar.xz # fetch docs + tar -xf Linux-PAM-$version2-docs.tar.xz ./configure --prefix=/usr \ --sbindir=/usr/sbin \ --sysconfdir=/etc \ @@ -34,4 +35,6 @@ build_process() { make -j$(nproc) make DESTDIR="$TAMANDUA_STAGE_DIR" install chmod -v 4755 $TAMANDUA_STAGE_DIR/usr/sbin/unix_chkpwd + mkdir -p $TAMANDUA_STAGE_DIR/etc/pam.d + cp -v $TAMANDUA_FILES_DIR/* $TAMANDUA_STAGE_DIR/etc/pam.d } \ No newline at end of file diff --git a/security/pam/files/other b/security/pam/files/other new file mode 100644 index 0000000..5246d82 --- /dev/null +++ b/security/pam/files/other @@ -0,0 +1,9 @@ +#%PAM-1.0 +auth required pam_deny.so +auth required pam_warn.so +account required pam_deny.so +account required pam_warn.so +password required pam_deny.so +password required pam_warn.so +session required pam_deny.so +session required pam_warn.so \ No newline at end of file diff --git a/security/pam/files/system-auth b/security/pam/files/system-auth new file mode 100644 index 0000000..d0fc734 --- /dev/null +++ b/security/pam/files/system-auth 
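Review bot: The docs tarball fetched by `curl -LO` inside `build_process()` in security/pam/SCHEMATIC is unpacked with no integrity check visible in this hunk. Because it is downloaded by hand rather than through `master_site`/`source_name`, it presumably bypasses whatever verification the package tool applies to the main source. Add `-f` to the curl call so an HTTP error page is never saved as the archive, and check a pinned digest before the `tar -xf`, for example `echo "<SHA256_OF_DOCS_TARBALL>  Linux-PAM-$version2-docs.tar.xz" | sha256sum -c -` (the digest is a placeholder to fill in). The body of `build_process()` continues outside this hunk.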
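Review bot: The two added lines at the end of `build_process()` copy everything under `$TAMANDUA_FILES_DIR` into `/etc/pam.d` with unquoted expansions, and each file keeps whatever mode it has in the package tree after the build umask. A stray non-PAM file or an over-permissive mode would therefore land in the authentication config directory unnoticed. Setting the modes explicitly and quoting closes that: `install -d -m 755 "$TAMANDUA_STAGE_DIR/etc/pam.d"` and `install -m 644 "$TAMANDUA_FILES_DIR"/* "$TAMANDUA_STAGE_DIR/etc/pam.d/"`, ideally naming the five files instead of using the glob. The `chmod -v 4755` context line just above has the same unquoted `$TAMANDUA_STAGE_DIR`. `build_process()` starts outside this hunk.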
@@ -0,0 +1,23 @@
+#%PAM-1.0
+
+auth required pam_faillock.so preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+auth [success=1 default=bad] pam_unix.so try_first_pass nullok
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+account required pam_unix.so
+account optional pam_permit.so
+account required pam_time.so
+
+password required pam_unix.so try_first_pass nullok shadow
+password optional pam_permit.so
+
+session required pam_limits.so
+session required pam_unix.so
+session optional pam_permit.so
\ No newline at end of file
diff --git a/security/pam/files/system-local-login b/security/pam/files/system-local-login
new file mode 100644
index 0000000..08657cc
--- /dev/null
+++ b/security/pam/files/system-local-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-login
+account include system-login
+password include system-login
+session include system-login
\ No newline at end of file
diff --git a/security/pam/files/system-login b/security/pam/files/system-login
new file mode 100644
index 0000000..1f67be6
--- /dev/null
+++ b/security/pam/files/system-login
@@ -0,0 +1,21 @@
+#%PAM-1.0
+
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth include system-auth
+
+account required pam_access.so
+account required pam_nologin.so
+account include system-auth
+
+password include system-auth
+
+session optional pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session optional pam_motd.so
+session optional pam_mail.so dir=/var/spool/mail standard quiet
+session optional pam_umask.so
+-session optional pam_elogind.so
+session required pam_env.so user_readenv=1
+-session optional pam_rundir.so
\ No newline at end of file
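Review bot: In security/pam/files/system-auth, `nullok` on the `auth` line for pam_unix.so lets an account whose password field is empty authenticate without a password. Because system-remote-login includes system-login, which includes this file, that applies to any network service wired to the remote stack as well as to the console. Unless passwordless accounts are a deliberate feature of the distribution, drop it from the auth line: `auth [success=1 default=bad] pam_unix.so try_first_pass`. Separately, the `password` line names no hash method, so the scheme used for new passwords is left to pam_unix's fallback (it consults `ENCRYPT_METHOD` in /etc/login.defs, which this diff does not ship). Naming it here, e.g. `password required pam_unix.so try_first_pass nullok shadow yescrypt`, makes stored-hash strength independent of that file.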
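Review bot: `session required pam_env.so user_readenv=1` in security/pam/files/system-login turns on reading of the per-user `~/.pam_environment` file, which the pam_env documentation marks as deprecated since Linux-PAM 1.5.0 because of its security problems; the release packaged here is 1.5.3. That file is under the user's control yet is parsed while the session is being set up, so variables it sets reach whatever the calling service runs next for that user. The option is off by default, and `session required pam_env.so` keeps the system-wide /etc/environment and /etc/security/pam_env.conf handling without the per-user file. If per-user variables are really wanted, a comment on this line saying why would help the next maintainer.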
diff --git a/security/pam/files/system-remote-login b/security/pam/files/system-remote-login
new file mode 100644
index 0000000..08657cc
--- /dev/null
+++ b/security/pam/files/system-remote-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth include system-login
+account include system-login
+password include system-login
+session include system-login
\ No newline at end of file