i.pamconf revision f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews# CDDL HEADER START
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater# The contents of this file are subject to the terms of the
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson# Common Development and Distribution License (the "License").
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson# You may not use this file except in compliance with the License.
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# See the License for the specific language governing permissions
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews# and limitations under the License.
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews# When distributing Covered Code, include this CDDL HEADER in each
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson# If applicable, add the following below this CDDL HEADER, with the
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater# fields enclosed by brackets "[]" replaced with your own identifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# information: Portions Copyright [yyyy] [name of copyright owner]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# CDDL HEADER END
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#ident "%Z%%M% %I% %E% SMI"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# Use is subject to license terms.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# No comments or blanks lines allowed in entries below
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinkrlogin auth required pam_unix_cred.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinkrlogin auth required pam_krb5.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinkrsh auth required pam_unix_cred.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinkrsh auth required pam_krb5.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinktelnet auth required pam_unix_cred.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinktelnet auth required pam_krb5.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# No comments or blanks lines allowed in entries below
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinppp auth requisite pam_authtok_get.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinppp auth required pam_dhkeys.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinppp auth required pam_unix_cred.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinppp auth required pam_unix_auth.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinppp auth required pam_dial_auth.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# No comments or blanks lines allowed in entries below
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeincron account required pam_unix_account.so.1
b49958b502ee45022010a0b1bed3968f598895a4Automatic Updater# No comments or blanks lines allowed in entries below
b3cbb2f1ad021349e89807f3492df6e4e679cd56Mark Andrewsdtlogin account requisite pam_roles.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindtlogin account required pam_unix_account.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindtsession account requisite pam_roles.so.1
9fbbfb5757a1e3e86d7dea62c4e63ffc2303ca2bAutomatic Updaterdtsession account required pam_unix_account.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingdm account requisite pam_roles.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeingdm account required pam_unix_account.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinxscreensaver account requisite pam_roles.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinxscreensaver account required pam_unix_account.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinpasswd account requisite pam_roles.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinpasswd account required pam_unix_account.so.1
61e1dc26d62c2a0059e3ca7efe2ad0f4a5b8df92Mark Andrewsdtpasswd account requisite pam_roles.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindtpasswd account required pam_unix_account.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinother account required pam_tsol_account.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ ! -f $dest ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} default entries updated, \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "please examine/update customized entries" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein #Update pam.conf with relative pathname
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if grep '/usr/lib/security/$ISA/pam_' $dest > /dev/null 2>&1; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if grep '/usr/lib/security/pam_' $dest > /dev/null 2>&1; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# Update pam.conf with entries for PAM modules pam_authtok_get,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# pam_authtok_check, pam_authtok_store, pam_unix_auth, pam_unix_account,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# pam_unix_cred, pam_unix_session, pam_dhkeys and pam_passwd_auth
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} updating pam_unix with default PAM entries \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "please examine/update any new entries" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_unix.so/ && $2 == "auth" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "requisite\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " $3 "\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " $3 "\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " $3 "\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_passwd_auth.so.1/ && $2 == "auth" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if ($1 == "passwd") \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein passwd_seen = 1;\
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_rhosts_auth/ && $1 == "rsh" && $3 == "required" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "sufficient\t\t" $4; \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "required\t\t" "pam_unix_cred.so.1"; \
1c09d68dfd18b6e839c8cd68b78c11b3ccca4160Automatic Updater $4 ~ /pam_unix_cred/ && $3 == "required" { \
1c09d68dfd18b6e839c8cd68b78c11b3ccca4160Automatic Updater cred_seen = 1;\
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_unix_auth/ && $1 == "rsh" && $3 == "required" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if (cred_seen == 0) { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "required\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_unix_auth/ && $3 == "required" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if (cred_seen == 0) { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "required\t\t" \
f6da30bb5447c23d880b09f601441e70c5313557Mark Andrews if (passwd_seen == 0) { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print "passwd" "\t" "auth required\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_unix.so/ && $2 == "account" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " $3 "\t\t" \
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews $4 ~ /pam_unix.so/ && $2 == "session" { \
8c9957e63274e6ea44d182703116307b1a65dabbMark Andrews print $1 "\t" $2 " " $3 "\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_unix.so/ && $2 == "password" { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " $3 "\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "requisite\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " "requisite\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " " $3 "\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#update pam.conf with entries for roles
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 1 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} updating default entries for roles, \c" \
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews echo "please examine/update any new entries" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $4 ~ /pam_role_auth/ { next } \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $2 == "account" && $4 ~ /pam_unix/ { \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein print $1 "\t" $2 " requisite\t\t" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#update pam.conf with entries for projects
9fbbfb5757a1e3e86d7dea62c4e63ffc2303ca2bAutomatic Updater if [ $? = 0 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} removing pam_project.so" >> ${CLEANUP_FILE}
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# update pam.conf to append PPP entries if not already present
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# (note: default list above already has role added, so we
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# must do this after the upgrade above has run.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # See if the entry already exists
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein"^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 1 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Doesn't exist, enter into pam.conf
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews # Append PPP lines if any were not present already.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} updating entries for PPP; \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "please examine/update any new entries" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# update pam.conf to append cron entries if not already present
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# (note: the kerberos default list above already has the cron entried added.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # See if the entry already exists
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein"^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 1 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Doesn't exist, enter into pam.conf
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Append cron lines if any were not present already.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} updating entries for cron, \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "please examine/update any new entries" \
a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews# update pam.conf to remove the rlogin entry that uses pam_krb5.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "Couldn't edit /tmp/pamconf.$$, rlogin lines have not been \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein updated to remove pam_krb5.so.1." \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# update pam.conf to remove obsolete flags used with pam_krb5.so.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -e "s/\(pam_krb5.so.1.*\)use_first_pass/\1/g" \
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater -e "s/\(pam_krb5.so.1.*\)try_first_pass/\1/g" \
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater -e "s/\(pam_krb5.so.1.*\)use_xfn_pass/\1/g" \
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater -e "s/\(pam_krb5.so.1.*\)try_xfn_pass/\1/g" \
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater echo "Couldn't edit /tmp/pamconf.$$ to remove obsolete flags: \
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass." \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# update pam.conf to remove the unnecessary unix_auth entries for the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# kerberized services.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sed -e "/^[# ]*krlogin[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -e "/^[# ]*krsh[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -e "/^[# ]*ktelnet[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -e "s/^\([# ]*krlogin[ ]*auth[ ]*\)binding/\1required/" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -e "s/^\([# ]*krsh[ ]*auth[ ]*\)binding/\1required/" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -e "s/^\([# ]*ktelnet[ ]*auth[ ]*\)binding/\1required/" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "Couldn't edit /tmp/pamconf.$$, krlogin, krsh, ktelnet may \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein still have pam_unix_auth in their stacks." \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# update pam.conf to append kerberos entries if not already present
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (while read e1 e2 e3 e4 e5
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 1 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # mentioned explicitly, then add kerberos 'dtlogin'
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein $dest >/dev/null 2>&1; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "$e1\t$e2 $e3\t\t$e4 $e5" >> /tmp/pamconf.$$
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Does exist. To maintain proper stacking order: remove it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein grep "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sed -e "/^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4/d" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Append kerberos lines if any were not present already.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} updating entries to add kerberos, \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "please examine/update any new entries" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# notify pam_ldap users to manually intervene and examine/update their pam.conf
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# due to the change in pam_ldap functionalty.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein grep '^[^#].*pam_ldap.so' $dest > /dev/null 2>&1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 0 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} please examine/update the pam_ldap configuration \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "because its functionality has changed, \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "refer to pam_ldap(5) documentation for more information" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# Update pam.conf to append Trusted Extensions entries if not
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews# already present.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # If this is the 'other' entry, add it unless it already
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein"^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 1 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Doesn't exist, enter into pam.conf
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "$e1\t$e2 $e3\t\t$e4 $e5" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Add other entries unless they already have a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # stack of their own.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if [ $? = 1 ] ; then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "$e1\t$e2 $e3\t\t$e4 $e5" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein # Append TX lines if any were not present already.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "${dest} updating entries for Trusted Extensions; \c" \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein echo "please examine/update any new entries" \