authentication - prepping system build
This commit is contained in:
parent
1b185b581d
commit
242c506bcd
@ -1,6 +1,7 @@
|
||||
---
|
||||
|
||||
ipaclient_domain = rockylinux.org
|
||||
ipaclient_realm = ROCKYLINUX.ORG
|
||||
ipaadmin_principal = admin
|
||||
ipaclient_no_ntp = true
|
||||
ipaclient_mkhomedir = true
|
||||
|
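Review bot: `ipaclient_no_ntp = true` turns off the time-sync setup the IPA client would otherwise perform, and nothing in this hunk shows what provides it instead; Kerberos rejects tickets once clock skew exceeds the KDC's tolerance, so a comment naming the role or task that configures chrony on these hosts (e.g. `# time sync handled by <role placeholder>; Kerberos breaks on clock skew`) would make the intent explicit. If this file is loaded as YAML — the `---` document start suggests it — `key = value` lines do not form a mapping but fold into one plain scalar, and the ansible-freeipa variables would need `key: value` form; this is worth confirming against how the file is consumed. Which of these lines the commit adds is not marked in this rendering, and the file header is outside the view.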
@ -0,0 +1 @@
|
||||
RedHat-8-system-auth
|
@ -0,0 +1,40 @@
|
||||
{imply "with-smartcard" if "with-smartcard-required"}
|
||||
auth required pam_env.so
|
||||
auth required pam_faildelay.so delay=2000000
|
||||
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
|
||||
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
||||
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
|
||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_access.so {include if "with-pamaccess"}
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 1000 quiet
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
|
||||
password requisite pam_pwhistory.so use_authok remember=5
|
||||
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
password sufficient pam_sss.so use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
||||
session optional pam_sss.so
|
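Review bot: `password requisite pam_pwhistory.so use_authok remember=5` misspells the option; pam_pwhistory understands `use_authtok`, so the unknown option is logged and ignored and the module prompts for a password of its own instead of reusing the one pam_pwquality has just checked. Change it to `password requisite pam_pwhistory.so use_authtok remember=5`; the same typo is in the RedHat-7-system-auth-ac file added by this commit. The `pam_pwquality.so` line carries no `enforce_for_root`, so password changes initiated by root skip the minlen/credit checks; add it if the policy is meant to bind root too. The file header for this section is not shown in this rendering, so the template's path is not visible here.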
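--- a/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
+++ b/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
@@ -0,0 +1 @@
+RedHat-7-system-auth-ac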
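--- a/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
+++ b/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
@@ -0,0 +1,34 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth [default=1 success=ok] pam_localuser.so
+auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth sufficient pam_sss.so forward_pass
+auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 local_users_only retry=3
+password requisite pam_pwhistory.so use_authok remember=5
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so umask=0077
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+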
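Review bot: `auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass` keeps `nullok` on EL7, while the EL8 profile in the same commit is selected with `without-nullok`; a local account with an empty password field can therefore authenticate on EL7 hosts but not on EL8. Drop the option, `auth [success=done ignore=ignore default=bad] pam_unix.so try_first_pass`, unless empty local passwords are intended on EL7. The banner `# This file is auto-generated. / # User changes will be destroyed the next time authconfig is run.` is now misleading — the file is deployed by Ansible, and a later authconfig run would overwrite the deployed copy — so a comment such as `# Managed by Ansible; do not run authconfig on this host` would document the ownership.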
@ -30,7 +30,7 @@
|
||||
- name: Configure harden settings
|
||||
include: tasks/harden.yml
|
||||
|
||||
- name: Configure PAM and SSSD
|
||||
- name: Configure PAM
|
||||
include: tasks/authentication.yml
|
||||
|
||||
post_tasks:
|
||||
|
@ -1,3 +1,65 @@
|
||||
---
|
||||
# Configures PAM and SSSD post-ipa client installation. It is recommended that
|
||||
# that we use a custom authselect profile and build it out from there.
|
||||
- name: Enterprise Linux 7 PAM Configuration
|
||||
copy:
|
||||
src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
|
||||
dest: "{{ item }}"
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
with_items:
|
||||
- /etc/pam.d/system-auth-ac
|
||||
- /etc/pam.d/password-auth-ac
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version'] == '7'
|
||||
|
||||
- name: Enterprise Linux 8 PAM Configuration
|
||||
when:
|
||||
- ansible_facts['os_family'] == 'RedHat'
|
||||
- ansible_facts['distribution_major_version'] == '8'
|
||||
block:
|
||||
- name: Ensure Custom Profile is removed
|
||||
file:
|
||||
state: absent
|
||||
path: /etc/authselect/custom/sssd-rocky
|
||||
|
||||
- name: Create custom authselect profile based on sssd
|
||||
command: >
|
||||
/usr/bin/authselect create-profile sssd-rocky
|
||||
--base-on sssd
|
||||
--symlink-dconf
|
||||
--symlink-meta
|
||||
--symlink=postlogin
|
||||
--symlink=smartcard-auth
|
||||
--symlink=fingerprint-auth
|
||||
|
||||
- name: Override system-auth and password-auth
|
||||
copy:
|
||||
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
||||
dest: "{{ item }}"
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
with_items:
|
||||
- /etc/authselect/custom/sssd-aoc/system-auth
|
||||
- /etc/authselect/custom/sssd-aoc/password-auth
|
||||
|
||||
- name: Select New Profile
|
||||
command: >
|
||||
/usr/bin/authselect select custom/sssd-aoc
|
||||
without-nullok
|
||||
with-faillock
|
||||
with-mkhomedir
|
||||
with-sudo
|
||||
--force
|
||||
|
||||
- name: Apply new settings
|
||||
command: /usr/bin/authselect apply-changes
|
||||
|
||||
- name: Enable oddjobd
|
||||
service:
|
||||
name: oddjobd
|
||||
state: started
|
||||
enabled: yes
|
||||
|
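Review bot: the profile name is inconsistent across the EL8 block: `create-profile sssd-rocky` (and the cleanup of `/etc/authselect/custom/sssd-rocky`) creates one profile, while the copy `dest` paths, the `src` path and `authselect select custom/sssd-aoc` refer to `sssd-aoc`; on a fresh host the copy fails because `/etc/authselect/custom/sssd-aoc/` does not exist, and the select step could only succeed against a profile left over from an earlier run. Use one name throughout, e.g. `path: /etc/authselect/custom/sssd-aoc` and `/usr/bin/authselect create-profile sssd-aoc`. `src` expands `ansible_distribution`, which is `Rocky` on Rocky Linux hosts, while the files this commit adds are named `RedHat-*`/`CentOS-*`; a `Rocky-8-system-auth` entry would be needed if such hosts are targeted (not all added symlink names are visible here). The three `command:` steps also run on every play — the profile is removed and recreated each time — so a `changed_when` or `creates:` guard, and `enabled: true` rather than `enabled: yes`, would make the block idempotent and yamllint-clean.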
@ -6,6 +6,7 @@ bin_sudo: /usr/bin/sudo
|
||||
kernel_boot_options: audit=1
|
||||
grub_config_path_link: /etc/grub2.cfg
|
||||
grub_config_path_efi: /etc/grub2-efi.cfg
|
||||
ipatype: client
|
||||
|
||||
# Removing TFTP for now because there will likely be tftp/pxe servers
|
||||
remove_packages:
|
||||
|