authentication - prepping system build

This commit is contained in:
nazunalika 2020-12-12 12:58:00 -07:00
parent 1b185b581d
commit 242c506bcd
8 changed files with 141 additions and 1 deletions


@ -1,6 +1,7 @@
--- ---
ipaclient_domain = rockylinux.org ipaclient_domain = rockylinux.org
ipaclient_realm = ROCKYLINUX.ORG
ipaadmin_principal = admin ipaadmin_principal = admin
ipaclient_no_ntp = true ipaclient_no_ntp = true
ipaclient_mkhomedir = true ipaclient_mkhomedir = true
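Review bot: The added `ipaclient_realm = ROCKYLINUX.ORG` follows the file's `key = value` form, which is not a YAML mapping; if this file is loaded as YAML (the `---` document start on its first line suggests it is), the whole body parses as a single plain scalar and none of these variables, the new realm included, is defined. In that case the line should read `ipaclient_realm: ROCKYLINUX.ORG` and the existing lines need the same change; if the consumer is an INI-style reader this does not apply. The file's path is not visible on the page, so this is inferred from the document marker only.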


@ -0,0 +1 @@
RedHat-8-system-auth


@ -0,0 +1,40 @@
{imply "with-smartcard" if "with-smartcard-required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
password requisite pam_pwhistory.so use_authok remember=5
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
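Review bot: `use_authok` on the `password requisite pam_pwhistory.so use_authok remember=5` line is not a pam_pwhistory option; the intended option is `use_authtok`, which makes the module take the new password already validated by pam_pwquality on the preceding `requisite` line. Without it the module may prompt for the new password on its own, so the history check can run against a different value than the quality check. The same typo appears in the EL7 system-auth-ac file added in this commit, on its `password requisite pam_pwhistory.so` line. Proposed: `password requisite pam_pwhistory.so use_authtok remember=5`.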


@ -0,0 +1 @@
RedHat-7-system-auth-ac


@ -0,0 +1,34 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 local_users_only retry=3
password requisite pam_pwhistory.so use_authok remember=5
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
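Review bot: `nullok` is hard-coded on the `auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass` line, which lets an account with an empty shadow password field authenticate without a password, while the EL8 profile in this commit is selected with `without-nullok`, so the two releases end up with different policy. Unless empty-password logins are intended on EL7, drop the option: `auth [success=done ignore=ignore default=bad] pam_unix.so try_first_pass`. The header comment stating the file is auto-generated by authconfig is also misleading now that Ansible deploys it; `# Managed by Ansible; local edits are overwritten on the next run.` describes what actually happens.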


@ -30,7 +30,7 @@
- name: Configure harden settings - name: Configure harden settings
include: tasks/harden.yml include: tasks/harden.yml
- name: Configure PAM and SSSD - name: Configure PAM
include: tasks/authentication.yml include: tasks/authentication.yml
post_tasks: post_tasks:


@ -1,3 +1,65 @@
--- ---
# Configures PAM and SSSD post-ipa client installation. It is recommended that # Configures PAM and SSSD post-ipa client installation. It is recommended that
# that we use a custom authselect profile and build it out from there. # that we use a custom authselect profile and build it out from there.
- name: Enterprise Linux 7 PAM Configuration
copy:
src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
dest: "{{ item }}"
mode: "0644"
owner: root
group: root
with_items:
- /etc/pam.d/system-auth-ac
- /etc/pam.d/password-auth-ac
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] == '7'
- name: Enterprise Linux 8 PAM Configuration
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] == '8'
block:
- name: Ensure Custom Profile is removed
file:
state: absent
path: /etc/authselect/custom/sssd-rocky
- name: Create custom authselect profile based on sssd
command: >
/usr/bin/authselect create-profile sssd-rocky
--base-on sssd
--symlink-dconf
--symlink-meta
--symlink=postlogin
--symlink=smartcard-auth
--symlink=fingerprint-auth
- name: Override system-auth and password-auth
copy:
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
dest: "{{ item }}"
mode: '0644'
owner: root
group: root
with_items:
- /etc/authselect/custom/sssd-aoc/system-auth
- /etc/authselect/custom/sssd-aoc/password-auth
- name: Select New Profile
command: >
/usr/bin/authselect select custom/sssd-aoc
without-nullok
with-faillock
with-mkhomedir
with-sudo
--force
- name: Apply new settings
command: /usr/bin/authselect apply-changes
- name: Enable oddjobd
service:
name: oddjobd
state: started
enabled: yes
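Review bot: The custom profile name is inconsistent within the EL8 block: the `file` task removes and `authselect create-profile` creates `sssd-rocky`, but the `copy` task writes `system-auth`/`password-auth` into `custom/sssd-aoc` and `authselect select custom/sssd-aoc` activates that directory, so the freshly created profile is never populated or selected and the play fails unless an `sssd-aoc` profile already exists. Pick one name and use it in the `path:`, `create-profile`, `dest:` and `select` lines. The `copy` `src:` values use `{{ ansible_distribution }}`, which on Rocky evaluates to `Rocky`, while the files added in this commit are named `RedHat-7-...` and `RedHat-8-...`; unless the one-line files in this commit are symlinks supplying the per-distribution names, `ansible_facts['os_family']` (already used in the `when:` clauses) is the fact that matches. The `command` tasks also report changed on every run; a `changed_when` or `creates:` guard would keep the play idempotent.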


@ -6,6 +6,7 @@ bin_sudo: /usr/bin/sudo
kernel_boot_options: audit=1 kernel_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg grub_config_path_efi: /etc/grub2-efi.cfg
ipatype: client
# Removing TFTP for now because there will likely be tftp/pxe servers # Removing TFTP for now because there will likely be tftp/pxe servers
remove_packages: remove_packages: