pkgdefs/common_files/i.pamconf

	i.pamconf revision 7c478bd95313f5f23a4c958a745db2134aa03244
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
CLEANUP_FILE=/tmp/CLEANUP
PAM_TMP=/tmp/pam_conf.$$
KERB_ENTRIES=$PAM_TMP/scr.$$
PPP_ENTRIES=$PAM_TMP/scp.$$
CRON_ENTRIES=$PAM_TMP/scc.$$
mkdir $PAM_TMP  || exit 1
KRB5_CONF_FILE=$BASEDIR/etc/krb5/krb5.conf
COMMENT_PREFIX="#"

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

kerberos_configured() {
	if [ -f $KRB5_CONF_FILE ]; then
		grep "___default_realm___" $KRB5_CONF_FILE > /dev/null 2>&1
		if [ $? = 1 ]; then
			COMMENT_PREFIX=""
		fi
	fi
}

setup_kerb_changes() {
#
# No comments or blanks lines allowed in entries below
#
cat > ${KERB_ENTRIES} << EOF
krlogin		auth		required	pam_unix_cred.so.1
krlogin		auth		binding		pam_krb5.so.1
krlogin		auth		required	pam_unix_auth.so.1
krsh		auth		required	pam_unix_cred.so.1
krsh		auth		binding		pam_krb5.so.1
krsh		auth		required	pam_unix_auth.so.1
ktelnet		auth		required	pam_unix_cred.so.1
ktelnet		auth		binding		pam_krb5.so.1
ktelnet		auth		required	pam_unix_auth.so.1
EOF
}

setup_ppp_changes() {
#
# No comments or blanks lines allowed in entries below
#
cat > ${PPP_ENTRIES} << EOF
ppp		auth		requisite	pam_authtok_get.so.1
ppp		auth		required	pam_dhkeys.so.1
ppp		auth		required	pam_unix_cred.so.1
ppp		auth		required	pam_unix_auth.so.1
ppp		auth		required	pam_dial_auth.so.1
EOF
}

setup_cron_changes(){
#
# No comments or blanks lines allowed in entries below
#
cat > ${CRON_ENTRIES} << EOF
cron		account		required	pam_unix_account.so.1
EOF
}
#
kerberos_configured
setup_kerb_changes
setup_ppp_changes
setup_cron_changes
while read src dest
do
    if [ ! -f $dest ] ; then
	cp $src $dest
    else
	echo "${dest} default entries updated, \c" \
		>> ${CLEANUP_FILE}
	echo "please examine/update customized entries" \
		>> ${CLEANUP_FILE}
	#
	#Update pam.conf with relative pathname
	#
	if grep '/usr/lib/security/$ISA/pam_' $dest > /dev/null 2>&1; then
		sed 's,/usr/lib/security/$ISA/,	', \
			$dest > /tmp/pamconf.$$
		cp /tmp/pamconf.$$ $dest
		rm -f /tmp/pamconf.$$
	fi
	if grep '/usr/lib/security/pam_' $dest > /dev/null 2>&1; then
		sed 's,/usr/lib/security/,	', \
			$dest > /tmp/pamconf.$$
		cp /tmp/pamconf.$$ $dest
		rm -f /tmp/pamconf.$$
	fi
#
# Update pam.conf with entries for PAM modules pam_authtok_get,
# pam_authtok_check, pam_authtok_store, pam_unix_auth, pam_unix_account,
# pam_unix_cred, pam_unix_session, pam_dhkeys and pam_passwd_auth
#

	echo "${dest} updating pam_unix with default PAM entries \c" \
		>> ${CLEANUP_FILE}
	echo "please examine/update any new entries" \
		>> ${CLEANUP_FILE}
	nawk  '/^#/ { print; next } \
	$4 ~ /pam_unix.so/ && $2 == "auth" { \
		print $1 "\t" $2 " " "requisite\t\t" \
		"pam_authtok_get.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_dhkeys.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_cred.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_auth.so.1"; \
		next \
	} \
	$4 ~ /pam_passwd_auth.so.1/ && $2 == "auth" { \
		if ($1 == "passwd") \
			passwd_seen = 1;\
	}\
	$4 ~ /pam_rhosts_auth/ && $1 == "rsh" && $3 == "required" { \
		print $1 "\t" $2 " " "sufficient\t\t" $4; \
		print $1 "\t" $2 " " "required\t\t" "pam_unix_cred.so.1"; \
		next \
	}\
	$4 ~ /pam_unix_cred/ && $3 == "required" { \
		cred_seen = 1;\
		print; \
		next \
	}\
	$4 ~ /pam_unix_auth/ && $1 == "rsh" && $3 == "required" { \
		if (cred_seen == 0) { \
			print $1 "\t" $2 " " "required\t\t" \
			"pam_unix_cred.so.1"; \
		} \
		next \
	} \
	$4 ~ /pam_unix_auth/ && $3 == "required" { \
		if (cred_seen == 0) { \
			print $1 "\t" $2 " " "required\t\t" \
			"pam_unix_cred.so.1"; \
		} \
		print ; \
		next \
	}\
	END {
		if (passwd_seen == 0) { \
			print "passwd" "\t" "auth required\t\t" \
			"pam_passwd_auth.so.1"; \
		} \
	} \

	$4 ~ /pam_unix.so/ && $2 == "account" { \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_account.so.1"; \
		next \
	} \
	$4 ~ /pam_unix.so/ && $2 == "session" { \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_session.so.1"; \
		next \
	} \
	$4 ~ /pam_unix.so/ && $2 == "password" { \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_dhkeys.so.1"; \
		print $1 "\t" $2 " " "requisite\t\t" \
		"pam_authtok_get.so.1"; \
		print $1 "\t" $2 " " "requisite\t\t" \
		"pam_authtok_check.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_authtok_store.so.1"; \
		next \
	} \
	{ print }' $dest > /tmp/pamconf.$$
	cp /tmp/pamconf.$$ $dest
	rm -f /tmp/pamconf.$$
#
#update pam.conf with entries for roles
#
	grep 'pam_roles.so' $dest > /dev/null 2>&1
	if [ $? = 1 ] ; then
		echo "${dest} updating default entries for roles, \c" \
		    >> ${CLEANUP_FILE}
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE}
		nawk  '/^#/ { print; next } \
		$4 ~ /pam_role_auth/	{ next } \
		$2 == "account" && $4 ~ /pam_unix/ { \
				print $1 "\t" $2 " requisite\t\t" \
				  "pam_roles.so.1"; \
				print;	\
				next \
			} \
		{ print }' $dest > /tmp/pamconf.$$
		cp /tmp/pamconf.$$ $dest
		rm -f /tmp/pamconf.$$
    	fi

#
#update pam.conf with entries for projects
#
	grep 'pam_projects.so' $dest > /dev/null 2>&1
	if [ $? = 0 ] ; then
		echo "${dest} removing pam_project.so" >> ${CLEANUP_FILE}
		grep -v pam_projects.so $dest > /tmp/pamconf.$$
		cp /tmp/pamconf.$$ $dest
		rm -f /tmp/pamconf.$$
    	fi
#
# update pam.conf to append PPP entries if not already present
# (note: default list above already has role added, so we
# must do this after the upgrade above has run.)
#
	rm -f /tmp/pamconf.$$
	while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists
		grep \
"^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
		$dest >/dev/null 2>&1
		if [ $? = 1 ] ; then
			# Doesn't exist, enter into pam.conf
			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$
		fi
	done < ${PPP_ENTRIES}
	# Append PPP lines if any were not present already.
	if [ -f /tmp/pamconf.$$ ] ; then
		cat /tmp/pamconf.$$ >> $dest
		echo "${dest} updating entries for PPP; \c" \
		    >> ${CLEANUP_FILE}
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE}
    		rm -f /tmp/pamconf.$$
    	fi
#
# update pam.conf to append cron entries if not already present
# (note: the kerberos default list above already has the cron entried added.)
#
	rm -f /tmp/pamconf.$$
	while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists
		grep \
"^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
		$dest >/dev/null 2>&1
		if [ $? = 1 ] ; then
			# Doesn't exist, enter into pam.conf
			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$
		fi
	done < ${CRON_ENTRIES}
	# Append cron lines if any were not present already.
	if [ -f /tmp/pamconf.$$ ] ; then
		cat /tmp/pamconf.$$ >> $dest
		echo "${dest} updating entries for cron, \c" \
		    >> ${CLEANUP_FILE}
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE}
    		rm -f /tmp/pamconf.$$
    	fi
#
# update pam.conf to append kerberos entries if not already present
#
	rm -f /tmp/pamconf.$$
	cat ${KERB_ENTRIES} |
    	(while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists
		grep \
"^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
		$dest >/dev/null 2>&1
		if [ $? = 1 ] ; then
			# Check if service name is 'dtlogin' and it is
			# mentioned explicitly, then add kerberos 'dtlogin'
			if [ $e1 = "dtlogin" ]; then
				if grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	]" \
					$dest >/dev/null 2>&1; then
					echo "$COMMENT_PREFIX$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$
				fi
			else
			# Doesn't exist, enter into pam.conf
			echo "$COMMENT_PREFIX$e1\t$e2 $e3\t\t$e4 $e5" >> \
				/tmp/pamconf.$$
			fi
		fi
	done)
	# Append kerberos lines if any were not present already.
    	if [ -f /tmp/pamconf.$$ ] ; then
		cat /tmp/pamconf.$$ >> $dest
		echo "${dest} updating entries to add kerberos, \c" \
		    >> ${CLEANUP_FILE}
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE}
    		rm -f /tmp/pamconf.$$
    	fi

#
# notify pam_ldap users to manually intervene and examine/update their pam.conf
# due to the change in pam_ldap functionalty.
#
	grep '^[^#].*pam_ldap.so' $dest > /dev/null 2>&1
	if [ $? = 0 ] ; then
		echo "${dest} please examine/update the pam_ldap configuration \c" \
		    >> ${CLEANUP_FILE}
		echo "because its functionality has changed, \c" \
		    >> ${CLEANUP_FILE}
		echo "refer to pam_ldap(5) documentation for more information" \
		    >> ${CLEANUP_FILE}
    	fi
#
    fi
done
#
rm -rf $PAM_TMP
exit 0