From 242c506bcd5b76961faab528baf039118d5d4329 Mon Sep 17 00:00:00 2001
From: nazunalika
Date: Sat, 12 Dec 2020 12:58:00 -0700
Subject: [PATCH] authentication - prepping system build
---
 .../production/group_vars/ipaclients/main.yml | 1 +
 .../custom/sssd-rocky/CentOS-8-system-auth | 1 +
 .../custom/sssd-rocky/RedHat-8-system-auth | 40 ++++++++++++
 .../files/etc/pam.d/CentOS-7-system-auth-ac | 1 +
 .../files/etc/pam.d/RedHat-7-system-auth-ac | 34 ++++++++++
 .../playbooks/init-rocky-system-config.yml | 2 +-
 ansible/playbooks/tasks/authentication.yml | 62 +++++++++++++++++++
 ansible/playbooks/vars/RedHat.yml | 1 +
 8 files changed, 141 insertions(+), 1 deletion(-)
 create mode 120000 ansible/playbooks/files/etc/authselect/custom/sssd-rocky/CentOS-8-system-auth
 create mode 100644 ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
 create mode 120000 ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
 create mode 100644 ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
diff --git a/ansible/inventories/production/group_vars/ipaclients/main.yml b/ansible/inventories/production/group_vars/ipaclients/main.yml
index f7cdda5..3ded04c 100644
--- a/ansible/inventories/production/group_vars/ipaclients/main.yml
+++ b/ansible/inventories/production/group_vars/ipaclients/main.yml
@@ -1,6 +1,7 @@
 ---
 ipaclient_domain = rockylinux.org
+ipaclient_realm = ROCKYLINUX.ORG
 ipaadmin_principal = admin
 ipaclient_no_ntp = true
 ipaclient_mkhomedir = true
diff --git a/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/CentOS-8-system-auth b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/CentOS-8-system-auth
new file mode 120000
index 0000000..62848fb
--- /dev/null
+++ b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/CentOS-8-system-auth
@@ -0,0 +1 @@
+RedHat-8-system-auth
\ No newline at end of file
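Review bot: `+ipaclient_realm = ROCKYLINUX.ORG` is not a YAML mapping entry: with `=` instead of `:` the line is a plain scalar, so Ansible never defines an `ipaclient_realm` variable, and a group_vars file that does not parse to a mapping is rejected when the inventory is loaded. The line should read `ipaclient_realm: ROCKYLINUX.ORG`. The surrounding context lines (`ipaclient_domain`, `ipaadmin_principal`, `ipaclient_no_ntp`, `ipaclient_mkhomedir`) use the same `=` form and need the same fix for any of the IPA client settings to take effect.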
diff --git a/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
new file mode 100644
index 0000000..d4e9a0d
--- /dev/null
+++ b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
@@ -0,0 +1,40 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
+auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth sufficient pam_sss.so forward_pass
+auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
+password requisite pam_pwhistory.so use_authok remember=5
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
diff --git a/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac b/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
new file mode 120000
index 0000000..456a8fc
--- /dev/null
+++ b/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
@@ -0,0 +1 @@
+RedHat-7-system-auth-ac
\ No newline at end of file
diff --git a/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac b/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
new file mode 100644
index 0000000..c20a81b
--- /dev/null
+++ b/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
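Review bot: The pam_pwhistory line `password requisite pam_pwhistory.so use_authok remember=5` misspells the option; the module understands `use_authtok` (the pam_unix line two lines below already spells it that way), and an option pam_pwhistory does not recognise is logged and ignored, so pwhistory prompts for the password itself instead of re-using the token that pam_pwquality has just validated. It should read `password requisite pam_pwhistory.so use_authtok remember=5`. The same typo is present in RedHat-7-system-auth-ac in this commit and should be fixed there too.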
@@ -0,0 +1,34 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth [default=1 success=ok] pam_localuser.so
+auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+auth sufficient pam_sss.so forward_pass
+auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
+auth required pam_deny.so
+
+account required pam_faillock.so
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 local_users_only retry=3
+password requisite pam_pwhistory.so use_authok remember=5
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+password sufficient pam_sss.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so umask=0077
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_sss.so
+
diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml
index 11d6e0b..2bc6d12 100644
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@@ -30,7 +30,7 @@ - name: Configure harden settings include: tasks/harden.yml - - name: Configure PAM and SSSD + - name: Configure PAM include: tasks/authentication.yml post_tasks:
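Review bot: `auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass` keeps `nullok`, so a local account whose shadow entry has an empty password can log in on EL7 hosts, while the EL8 profile in this same commit is selected with `without-nullok` and deliberately strips that flag. If both releases are meant to get the same hardening, drop it here: `auth [success=done ignore=ignore default=bad] pam_unix.so try_first_pass`. The header `# This file is auto-generated.` / `# User changes will be destroyed the next time authconfig is run.` is copied from authconfig output; now that the playbook owns this file, replace it with a comment stating the file is managed by Ansible and that running authconfig on these hosts will overwrite the managed policy, so an operator does not assume authconfig is still the source of truth.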
diff --git a/ansible/playbooks/tasks/authentication.yml b/ansible/playbooks/tasks/authentication.yml
index 6521ec9..c863e99 100644
--- a/ansible/playbooks/tasks/authentication.yml
+++ b/ansible/playbooks/tasks/authentication.yml
@@ -1,3 +1,65 @@ --- # Configures PAM and SSSD post-ipa client installation. It is recommended that # that we use a custom authselect profile and build it out from there. +- name: Enterprise Linux 7 PAM Configuration + copy: + src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac" + dest: "{{ item }}" + mode: "0644" + owner: root + group: root + with_items: + - /etc/pam.d/system-auth-ac + - /etc/pam.d/password-auth-ac + when: + - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['distribution_major_version'] == '7' + +- name: Enterprise Linux 8 PAM Configuration + when: + - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['distribution_major_version'] == '8' + block: + - name: Ensure Custom Profile is removed + file: + state: absent + path: /etc/authselect/custom/sssd-rocky + + - name: Create custom authselect profile based on sssd + command: > + /usr/bin/authselect create-profile sssd-rocky + --base-on sssd + --symlink-dconf + --symlink-meta + --symlink=postlogin + --symlink=smartcard-auth + --symlink=fingerprint-auth + + - name: Override system-auth and password-auth + copy: + src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth" + dest: "{{ item }}" + mode: '0644' + owner: root + group: root + with_items: + - /etc/authselect/custom/sssd-aoc/system-auth + - /etc/authselect/custom/sssd-aoc/password-auth + + - name: Select New Profile + command: > + /usr/bin/authselect select custom/sssd-aoc + without-nullok + with-faillock + with-mkhomedir + with-sudo + --force + + - name: Apply new settings + command: /usr/bin/authselect apply-changes + + - name: Enable oddjobd + service: + name: oddjobd + state: started + enabled: yes diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml index 284156c..64c9bab 100644 --- a/ansible/playbooks/vars/RedHat.yml +++ b/ansible/playbooks/vars/RedHat.yml 
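Review bot: The EL8 block removes and creates the profile as `sssd-rocky` (`path: /etc/authselect/custom/sssd-rocky`, `authselect create-profile sssd-rocky`) but then copies into and selects `sssd-aoc`: the copy `src` under `etc/authselect/custom/sssd-aoc/` does not exist in this commit (the files are added under `sssd-rocky`), both `with_items` destinations and `/usr/bin/authselect select custom/sssd-aoc` name a profile that was never created, so the play fails at the copy step. Replace `sssd-aoc` with `sssd-rocky` in the copy `src`, the two `with_items` entries and the `authselect select` line. Note also that "Ensure Custom Profile is removed" deletes the profile before the new one is built, so on a host where `sssd-rocky` is already the active profile a failure between that task and "Apply new settings" leaves the selected profile missing; consider building into a temporary name and selecting it only once the copy has succeeded, or at least guarding the removal so it is not repeated on every run. The three `command` tasks always report changed and re-run `--force` and `apply-changes` unconditionally; a `changed_when` on the create step would keep the play idempotent. Minor style point: `enabled: yes` should be `enabled: true`.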
@@ -6,6 +6,7 @@
 bin_sudo: /usr/bin/sudo
 kernel_boot_options: audit=1
 grub_config_path_link: /etc/grub2.cfg
 grub_config_path_efi: /etc/grub2-efi.cfg
+ipatype: client
 # Removing TFTP for now because there will likely be tftp/pxe servers
 remove_packages: