From c519a8c83d58117c9cf9e8d853ecff98692c485f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= <hugo@lysator.liu.se>
Date: Mon, 25 Oct 2021 03:01:53 +0200
Subject: [PATCH] Simplify kerberos/pam for RedHat family.

The RedHat, CentOS, and Rocky configs were already identical. Collapse them
into a single RedHat-family variant, PAM files included.
---
 files/pam/fingerprint-auth-CentOS             | 19 ---------------
 files/pam/password-auth-CentOS                | 24 -------------------
 files/pam/password-auth-Rocky                 | 24 -------------------
 files/pam/system-auth-CentOS                  | 24 -------------------
 files/pam/system-auth-Rocky                   | 24 -------------------
 manifests/kerberos/pam/linux.pp               |  2 +-
 .../pam/linux/{centos.pp => redhat.pp}        | 10 ++++----
 7 files changed, 6 insertions(+), 121 deletions(-)
 delete mode 100644 files/pam/fingerprint-auth-CentOS
 delete mode 100644 files/pam/password-auth-CentOS
 delete mode 100644 files/pam/password-auth-Rocky
 delete mode 100644 files/pam/system-auth-CentOS
 delete mode 100644 files/pam/system-auth-Rocky
 rename manifests/kerberos/pam/linux/{centos.pp => redhat.pp} (87%)

diff --git a/files/pam/fingerprint-auth-CentOS b/files/pam/fingerprint-auth-CentOS
deleted file mode 100644
index 0d2cf0b..0000000
--- a/files/pam/fingerprint-auth-CentOS
+++ /dev/null
@@ -1,19 +0,0 @@
-#%PAM-1.0
-# This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
-auth        required      pam_env.so
-auth        sufficient    pam_fprintd.so
-auth        required      pam_deny.so
-
-account     required      pam_unix.so broken_shadow
-account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
-account     required      pam_permit.so
-
-password    required      pam_deny.so
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so
-session     optional      pam_krb5.so
diff --git a/files/pam/password-auth-CentOS b/files/pam/password-auth-CentOS
deleted file mode 100644
index 8395c4a..0000000
--- a/files/pam/password-auth-CentOS
+++ /dev/null
@@ -1,24 +0,0 @@
-#%PAM-1.0
-# This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
-auth        required      pam_env.so
-auth        sufficient    pam_unix.so nullok try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 500 quiet
-auth        sufficient    pam_krb5.so use_first_pass
-auth        required      pam_deny.so
-
-account     required      pam_unix.so broken_shadow
-account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
-account     required      pam_permit.so
-
-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
-password    sufficient    pam_krb5.so use_authtok
-password    required      pam_deny.so
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so
-session     optional      pam_krb5.so
diff --git a/files/pam/password-auth-Rocky b/files/pam/password-auth-Rocky
deleted file mode 100644
index 8395c4a..0000000
--- a/files/pam/password-auth-Rocky
+++ /dev/null
@@ -1,24 +0,0 @@
-#%PAM-1.0
-# This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
-auth        required      pam_env.so
-auth        sufficient    pam_unix.so nullok try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 500 quiet
-auth        sufficient    pam_krb5.so use_first_pass
-auth        required      pam_deny.so
-
-account     required      pam_unix.so broken_shadow
-account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
-account     required      pam_permit.so
-
-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
-password    sufficient    pam_krb5.so use_authtok
-password    required      pam_deny.so
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so
-session     optional      pam_krb5.so
diff --git a/files/pam/system-auth-CentOS b/files/pam/system-auth-CentOS
deleted file mode 100644
index 8395c4a..0000000
--- a/files/pam/system-auth-CentOS
+++ /dev/null
@@ -1,24 +0,0 @@
-#%PAM-1.0
-# This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
-auth        required      pam_env.so
-auth        sufficient    pam_unix.so nullok try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 500 quiet
-auth        sufficient    pam_krb5.so use_first_pass
-auth        required      pam_deny.so
-
-account     required      pam_unix.so broken_shadow
-account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
-account     required      pam_permit.so
-
-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
-password    sufficient    pam_krb5.so use_authtok
-password    required      pam_deny.so
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so
-session     optional      pam_krb5.so
diff --git a/files/pam/system-auth-Rocky b/files/pam/system-auth-Rocky
deleted file mode 100644
index 8395c4a..0000000
--- a/files/pam/system-auth-Rocky
+++ /dev/null
@@ -1,24 +0,0 @@
-#%PAM-1.0
-# This file is auto-generated.
-# User changes will be destroyed the next time authconfig is run.
-auth        required      pam_env.so
-auth        sufficient    pam_unix.so nullok try_first_pass
-auth        requisite     pam_succeed_if.so uid >= 500 quiet
-auth        sufficient    pam_krb5.so use_first_pass
-auth        required      pam_deny.so
-
-account     required      pam_unix.so broken_shadow
-account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
-account     required      pam_permit.so
-
-password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
-password    sufficient    pam_krb5.so use_authtok
-password    required      pam_deny.so
-
-session     optional      pam_keyinit.so revoke
-session     required      pam_limits.so
-session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session     required      pam_unix.so
-session     optional      pam_krb5.so
diff --git a/manifests/kerberos/pam/linux.pp b/manifests/kerberos/pam/linux.pp
index 1836fc3..d3ecafb 100644
--- a/manifests/kerberos/pam/linux.pp
+++ b/manifests/kerberos/pam/linux.pp
@@ -26,7 +26,7 @@ class lyslogin::kerberos::pam::linux
         # pam_krb5 is no longer in the repos, instead, pull our own.
         require ::profiles::lysator_repo
       }
-      include ::lyslogin::kerberos::pam::linux::centos
+      include ::lyslogin::kerberos::pam::linux::redhat
     }
     default: {
       fail('The os on this machine is not supported by this module.')
diff --git a/manifests/kerberos/pam/linux/centos.pp b/manifests/kerberos/pam/linux/redhat.pp
similarity index 87%
rename from manifests/kerberos/pam/linux/centos.pp
rename to manifests/kerberos/pam/linux/redhat.pp
index ee0a42b..a074830 100644
--- a/manifests/kerberos/pam/linux/centos.pp
+++ b/manifests/kerberos/pam/linux/redhat.pp
@@ -1,5 +1,5 @@
-#CentOS relevant stuff
-class lyslogin::kerberos::pam::linux::centos
+# RedHat-family relevant stuff
+class lyslogin::kerberos::pam::linux::redhat
 {
   file {
     '/etc/pam.d/system-auth':
@@ -7,21 +7,21 @@ class lyslogin::kerberos::pam::linux::centos
       owner   => 'root',
       group   => 'root',
       mode    => '0644',
-      source  => "puppet:///modules/lyslogin/pam/system-auth-${$facts['os']['name']}",
+      source  => "puppet:///modules/lyslogin/pam/system-auth-${$facts['os']['family']}",
       require =>[  File['krb5.conf'], Package[$lyslogin::kerberos::pam::linux::pam_krb5] ];
     '/etc/pam.d/password-auth':
       ensure  => file,
       owner   => 'root',
       group   => 'root',
       mode    => '0644',
-      source  => "puppet:///modules/lyslogin/pam/password-auth-${$facts['os']['name']}",
+      source  => "puppet:///modules/lyslogin/pam/password-auth-${$facts['os']['family']}",
       require =>[  File['krb5.conf'], Package[$lyslogin::kerberos::pam::linux::pam_krb5] ];
     '/etc/pam.d/fingerprint-auth':
       ensure  => file,
       owner   => 'root',
       group   => 'root',
       mode    => '0644',
-      source  => "puppet:///modules/lyslogin/pam/fingerprint-auth-${facts['os']['name']}",
+      source  => "puppet:///modules/lyslogin/pam/fingerprint-auth-${facts['os']['family']}",
       require =>[  File['krb5.conf'], Package[$lyslogin::kerberos::pam::linux::pam_krb5] ];
   }
 
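Review bot: The three `source` paths now resolve to `files/pam/system-auth-RedHat`, `password-auth-RedHat` and `fingerprint-auth-RedHat`, but the diffstat adds no files, so the catalog depends on all three already existing in the module — and since only a CentOS variant of `fingerprint-auth` was ever present (no Rocky one was deleted), `fingerprint-auth-RedHat` in particular should be confirmed to exist, otherwise `ensure => file` fails the catalog on every RedHat-family host, Rocky included. The three resources also mix `${$facts['os']['family']}` and `${facts['os']['family']}`; both interpolate, but one form should be used throughout, or the suffix hoisted into a single `$family = $facts['os']['family']` variable above the `file` block so the three `source` lines cannot drift apart again. Since the description says the retained RedHat files are identical to the deleted ones, they presumably still carry `nullok` on the pam_unix auth and password lines (accounts with an empty password field can authenticate) and the `uid >= 500` / `uid < 500` boundary, which on RHEL 7+ with UID_MIN 1000 routes system accounts 500–999 through pam_krb5 — worth a follow-up, but outside this diff. The class body continues outside the hunk.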
-- 
GitLab