Codebase list libpam-afs-session / c040f73
Add example PAM configurations for Debian, Red Hat, and Solaris based on Stanford's Linux configurations and a Solaris configuration from Maciej Malek. Hopefully I didn't break anything while merging examples. Russ Allbery 16 years ago
6 changed file(s) with 175 addition(s) and 0 deletion(s).
1313 with the Solaris pam_krb5.
1414
1515 Document bad interactions with pam_keyinit on Linux in README.
16
17 Add example PAM configurations for Debian, Red Hat, and Solaris based
18 on Stanford's Linux configurations and a Solaris configuration from
19 Maciej Malek. Hopefully I didn't break anything while merging
20 examples.
1621
1722 Add compiler and linker flags for AIX. Thanks, Thomas Williams.
1823
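--- /dev/null
+++ b/[repo path not shown on page; file installs as /etc/pam.d/common-account]
@@ -0,0 +1,11 @@
+# /etc/pam.d/common-account -- Authorization settings common to all services.
+#
+# This file is included from other service-specific PAM config files on
+# Debian, and should contain a list of the authorization modules that define
+# the central access policy for use on the system.
+#
+# Deny service to users whose accounts are expired in /etc/shadow and check
+# krb5_kuserok for logins via Kerberos.
+
+account required pam_unix.so
+account required pam_krb5.so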
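--- /dev/null
+++ b/[repo path not shown on page; file installs as /etc/pam.d/common-auth]
@@ -0,0 +1,14 @@
+# /etc/pam.d/common-auth -- Authentication settings common to all services.
+#
+# This file is included from other service-specific PAM config files on
+# Debian, and should contain a list of the authentication modules that
+# define the central authentication scheme for use on the system (e.g.,
+# /etc/shadow, LDAP, Kerberos, etc.).
+#
+# Use the traditional Unix authentication mechanisms and fall back to
+# Kerberos if that fails. Include pam_afs_session so that calls to
+# pam_setcred will acquire an AFS PAG and tokens.
+
+auth sufficient pam_unix.so try_first_pass nullok_secure
+auth [success=ok default=die] pam_krb5.so use_first_pass forwardable
+auth [default=done] pam_afs_session.so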
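Review bot: Because `pam_unix.so` is `sufficient`, the pam_setcred pass over this stack appears to stop at pam_unix whenever local authentication succeeded, so `pam_afs_session.so` on the last line would only be reached by setcred for users who came in through `pam_krb5.so`. If that is the intent (no tickets, hence no tokens, for locally authenticated users) the header comment should say so, e.g. `# Note: pam_setcred reaches pam_afs_session only when pam_krb5 handled the login.` It would also be worth noting that `[default=die]` on the pam_krb5 line is what terminates the stack on failure, since the Red Hat example in this same commit ends its auth stack with an explicit pam_deny instead.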
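--- /dev/null
+++ b/[repo path not shown on page; file installs as /etc/pam.d/common-session]
@@ -0,0 +1,13 @@
+# /etc/pam.d/common-session -- Session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files on
+# Debian, and should contain a list of modules that define tasks to be
+# performed at the start and end of sessions of *any* kind (both interactive
+# and non-interactive).
+#
+# Manage Kerberos credentials, create an AFS PAG and get a token if
+# appropriate, and then handle the regular Unix session.
+
+session optional pam_krb5.so
+session optional pam_afs_session.so
+session required pam_unix.so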
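--- /dev/null
+++ b/[repo path not shown on page; file installs as /etc/pam.d/system-auth]
@@ -0,0 +1,29 @@
+# /etc/pam.d/system-auth -- PAM configuration for all services.
+#
+# This file is included from other service-specific PAM config files on
+# Red Hat, and should define common default PAM actions for all services.
+#
+# Try local authentication first and then Kerberos. Run pam_afs_session
+# from both the auth and session groups. program could also be set while
+# building pam_afs_session or in /etc/krb5.conf (if built with Kerberos
+# support).
+
+auth required /lib/security/$ISA/pam_env.so
+auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
+auth [success=ok default=1] /lib/security/$ISA/pam_krb5.so
+auth [default=done] /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog
+auth required /lib/security/$ISA/pam_deny.so
+
+account required /lib/security/$ISA/pam_krb5.so
+account required /lib/security/$ISA/pam_unix.so
+
+session optional /lib/security/$ISA/pam_krb5.so
+session required /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog
+session required /lib/security/$ISA/pam_limits.so
+session required /lib/security/$ISA/pam_unix.so
+
+# No Kerberos or AFS bits here at all, although you could use pam_krb5 to
+# do password changes through Kerberos.
+password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
+password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
+password required /lib/security/$ISA/pam_deny.so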
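Review bot: The `session required .../pam_afs_session.so program=/usr/bin/aklog` line makes every login on this host depend on PAG and token setup succeeding, whereas the Debian common-session added in this same commit marks the module `optional`; unless Red Hat hosts are meant to refuse logins while AFS is unreachable, `session optional /lib/security/$ISA/pam_afs_session.so program=/usr/bin/aklog` would be consistent with the Debian example and less of an availability risk, or a comment should say why `required` was chosen. Separately, `[success=ok default=1]` on the pam_krb5 auth line hard-codes a jump over exactly one module so that failure lands on pam_deny, which a later insertion between those lines would silently break; a comment such as `# default=1 skips pam_afs_session and falls through to pam_deny; keep these three lines adjacent` would guard against that.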
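--- /dev/null
+++ b/[repo path not shown on page; Solaris pam.conf example]
@@ -0,0 +1,103 @@
+# pam.conf example for Solaris.
+#
+# This example was based on a configuration from Maciej Malek:
+#
+# pam.conf (Solaris 10 11/06, OpenAFS 1.4.4, pam_afs_session 1.5)
+#
+# Works with dtlogin, can be also used for "telnet" and "ftp" Only
+# Kerberos accounts are able to login. For local unix account use "su"
+# or console login
+#
+# This configuration was created and tested on Solaris 10, 11/06 SPARC
+# client, OpenAFS server and OpenLDAP+Kerberos are on separate
+# machines. pam_afs_session module compiled with libs from openAFS
+# 1.4.4, gcc 3.4.6.
+#
+# Maciej Malek
+# Network Administrator
+# Ericpol Telecom, Poland
+
+# Graphical login. This *requires* Kerberos login.
+
+dtlogin auth requisite pam_authtok_get.so.1
+dtlogin auth required pam_dhkeys.so.1
+dtlogin auth required pam_unix_cred.so.1
+dtlogin auth requisite pam_krb5.so.1
+dtlogin auth optional pam_afs_session.so always_aklog
+
+# To try local authentication first, instead do the following:
+#dtlogin auth requisite pam_authtok_get.so.1
+#dtlogin auth required pam_dhkeys.so.1
+#dtlogin auth required pam_unix_cred.so.1
+#dtlogin auth sufficient pam_unix_auth.so.1
+#dtlogin auth requisite pam_krb5.so.1
+#dtlogin auth optional pam_afs_session.so always_aklog
+
+dtlogin account requisite pam_roles.so.1
+dtlogin account required pam_unix_account.so.1
+dtlogin account required pam_krb5.so.1
+
+# Including pam_afs_session here is pointless and breaks with older
+# versions of pam_afs_session that didn't recognize aklog failure.
+dtlogin session optional pam_unix_session.so.1
+dtlogin session optional pam_krb5.so.1
+
+# Console login, which doesn't use Kerberos at all or get AFS tokens. To
+# use Kerberos and get AFS tokens for it as well, use a configuration like
+# the one for dtlogin above.
+
+login auth requisite pam_authtok_get.so.1
+login auth required pam_dhkeys.so.1
+login auth required pam_unix_cred.so.1
+login auth sufficient pam_unix_auth.so.1
+
+# Likewise, su doesn't use Kerberos at all.
+
+su auth requisite pam_authtok_get.so.1
+su auth required pam_dhkeys.so.1
+su auth required pam_unix_cred.so.1
+su auth required pam_unix_auth.so.1
+su account required pam_unix_account.so.1
+
+# Solaris SSH configuration. Call pam_afs_session after pam_krb5 to set
+# up AFS tokens with GSS-API credential delegation or with ticket caches
+# acquired through password authentication.
+
+sshd-gssapi session required pam_krb5_ccache.so.1 clean
+sshd-gssapi session required pam_afs_session.so.1
+sshd-gssapi session required pam_unix_session.so.1
+#
+sshd-kbdint session required pam_krb5_ccache.so.1 clean
+sshd-kbdint session required pam_afs_session.so.1 ignore_root
+sshd-kbdint session required pam_unix_session.so.1
+
+# Password changes. This uses local passwords; you could add pam_krb5
+# here to do password changes through Kerberos.
+
+passwd auth sufficient pam_passwd_auth.so.1
+
+other password required pam_dhkeys.so.1
+other password requisite pam_authtok_get.so.1
+other password requisite pam_authtok_check.so.1
+other password required pam_authtok_store.so.1
+
+# Don't call pam_krb5 for cron.
+
+cron account required pam_unix_account.so.1
+
+# Generic configuration for everything else. Here, we assume that calling
+# pam_afs_session from the session group is sufficient, requiring that
+# setcred be called before session if using the Solaris pam_krb5.
+
+other auth requisite pam_authtok_get.so.1
+other auth required pam_dhkeys.so.1
+other auth required pam_unix_cred.so.1
+other auth sufficient pam_krb5.so.1
+other auth required pam_unix_auth.so.1
+
+other account requisite pam_roles.so.1
+other account required pam_unix_account.so.1
+other account sufficient pam_krb5.so.1
+
+other session required pam_unix_session.so.1
+other session required pam_afs_session.so retain_after_close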
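Review bot: The sshd-gssapi and sshd-kbdint session lines name the module `pam_afs_session.so.1` while every other stanza in this file (the dtlogin auth lines and the final `other session` line) uses `pam_afs_session.so`; Solaris loads the module by the exact filename given, so whichever spelling is not actually installed will fail to load, and with `required` that presumably turns into a failed session for SSH logins. The two spellings should be reconciled with the installed name, e.g. `sshd-gssapi session required pam_afs_session.so` and `sshd-kbdint session required pam_afs_session.so ignore_root` if the `.so` name is the one shipped. A one-line comment above the SSH block stating which filename the package installs on Solaris would keep future edits from reintroducing the mismatch.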