mirror of
https://github.com/rocky-linux/infrastructure
synced 2024-11-25 14:41:28 +00:00
authentication - prepping system build
This commit is contained in:
parent
1b185b581d
commit
242c506bcd
@ -1,6 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
ipaclient_domain = rockylinux.org
|
ipaclient_domain = rockylinux.org
|
||||||
|
ipaclient_realm = ROCKYLINUX.ORG
|
||||||
ipaadmin_principal = admin
|
ipaadmin_principal = admin
|
||||||
ipaclient_no_ntp = true
|
ipaclient_no_ntp = true
|
||||||
ipaclient_mkhomedir = true
|
ipaclient_mkhomedir = true
|
||||||
|
@ -0,0 +1 @@
|
|||||||
|
RedHat-8-system-auth
|
@ -0,0 +1,40 @@
|
|||||||
|
{imply "with-smartcard" if "with-smartcard-required"}
|
||||||
|
auth required pam_env.so
|
||||||
|
auth required pam_faildelay.so delay=2000000
|
||||||
|
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
|
||||||
|
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
|
||||||
|
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
|
||||||
|
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||||
|
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||||
|
auth required pam_u2f.so cue nouserok {include if "with-pam-u2f-2fa"}
|
||||||
|
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||||
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||||
|
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||||
|
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||||
|
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||||
|
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||||
|
auth sufficient pam_sss.so forward_pass
|
||||||
|
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"}
|
||||||
|
auth required pam_deny.so
|
||||||
|
|
||||||
|
account required pam_access.so {include if "with-pamaccess"}
|
||||||
|
account required pam_faillock.so {include if "with-faillock"}
|
||||||
|
account required pam_unix.so
|
||||||
|
account sufficient pam_localuser.so
|
||||||
|
account sufficient pam_succeed_if.so uid < 1000 quiet
|
||||||
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||||
|
account required pam_permit.so
|
||||||
|
|
||||||
|
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
|
||||||
|
password requisite pam_pwhistory.so use_authok remember=5
|
||||||
|
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||||
|
password sufficient pam_sss.so use_authtok
|
||||||
|
password required pam_deny.so
|
||||||
|
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
|
session required pam_limits.so
|
||||||
|
-session optional pam_systemd.so
|
||||||
|
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
|
||||||
|
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||||
|
session required pam_unix.so
|
||||||
|
session optional pam_sss.so
|
1
ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
Symbolic link
1
ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
RedHat-7-system-auth-ac
|
34
ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
Normal file
34
ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
# This file is auto-generated.
|
||||||
|
# User changes will be destroyed the next time authconfig is run.
|
||||||
|
auth required pam_env.so
|
||||||
|
auth required pam_faildelay.so delay=2000000
|
||||||
|
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
|
||||||
|
auth [default=1 success=ok] pam_localuser.so
|
||||||
|
auth [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass
|
||||||
|
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||||
|
auth sufficient pam_sss.so forward_pass
|
||||||
|
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
|
||||||
|
auth required pam_deny.so
|
||||||
|
|
||||||
|
account required pam_faillock.so
|
||||||
|
account required pam_unix.so
|
||||||
|
account sufficient pam_localuser.so
|
||||||
|
account sufficient pam_succeed_if.so uid < 1000 quiet
|
||||||
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||||
|
account required pam_permit.so
|
||||||
|
|
||||||
|
password requisite pam_pwquality.so try_first_pass minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 local_users_only retry=3
|
||||||
|
password requisite pam_pwhistory.so use_authok remember=5
|
||||||
|
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
|
||||||
|
password sufficient pam_sss.so use_authtok
|
||||||
|
password required pam_deny.so
|
||||||
|
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
|
session required pam_limits.so
|
||||||
|
-session optional pam_systemd.so
|
||||||
|
session optional pam_oddjob_mkhomedir.so umask=0077
|
||||||
|
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||||
|
session required pam_unix.so
|
||||||
|
session optional pam_sss.so
|
||||||
|
|
@ -30,7 +30,7 @@
|
|||||||
- name: Configure harden settings
|
- name: Configure harden settings
|
||||||
include: tasks/harden.yml
|
include: tasks/harden.yml
|
||||||
|
|
||||||
- name: Configure PAM and SSSD
|
- name: Configure PAM
|
||||||
include: tasks/authentication.yml
|
include: tasks/authentication.yml
|
||||||
|
|
||||||
post_tasks:
|
post_tasks:
|
||||||
|
@ -1,3 +1,65 @@
|
|||||||
---
|
---
|
||||||
# Configures PAM and SSSD post-ipa client installation. It is recommended that
|
# Configures PAM and SSSD post-ipa client installation. It is recommended that
|
||||||
# that we use a custom authselect profile and build it out from there.
|
# that we use a custom authselect profile and build it out from there.
|
||||||
|
- name: Enterprise Linux 7 PAM Configuration
|
||||||
|
copy:
|
||||||
|
src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
|
||||||
|
dest: "{{ item }}"
|
||||||
|
mode: "0644"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
with_items:
|
||||||
|
- /etc/pam.d/system-auth-ac
|
||||||
|
- /etc/pam.d/password-auth-ac
|
||||||
|
when:
|
||||||
|
- ansible_facts['os_family'] == 'RedHat'
|
||||||
|
- ansible_facts['distribution_major_version'] == '7'
|
||||||
|
|
||||||
|
- name: Enterprise Linux 8 PAM Configuration
|
||||||
|
when:
|
||||||
|
- ansible_facts['os_family'] == 'RedHat'
|
||||||
|
- ansible_facts['distribution_major_version'] == '8'
|
||||||
|
block:
|
||||||
|
- name: Ensure Custom Profile is removed
|
||||||
|
file:
|
||||||
|
state: absent
|
||||||
|
path: /etc/authselect/custom/sssd-rocky
|
||||||
|
|
||||||
|
- name: Create custom authselect profile based on sssd
|
||||||
|
command: >
|
||||||
|
/usr/bin/authselect create-profile sssd-rocky
|
||||||
|
--base-on sssd
|
||||||
|
--symlink-dconf
|
||||||
|
--symlink-meta
|
||||||
|
--symlink=postlogin
|
||||||
|
--symlink=smartcard-auth
|
||||||
|
--symlink=fingerprint-auth
|
||||||
|
|
||||||
|
- name: Override system-auth and password-auth
|
||||||
|
copy:
|
||||||
|
src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
|
||||||
|
dest: "{{ item }}"
|
||||||
|
mode: '0644'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
with_items:
|
||||||
|
- /etc/authselect/custom/sssd-aoc/system-auth
|
||||||
|
- /etc/authselect/custom/sssd-aoc/password-auth
|
||||||
|
|
||||||
|
- name: Select New Profile
|
||||||
|
command: >
|
||||||
|
/usr/bin/authselect select custom/sssd-aoc
|
||||||
|
without-nullok
|
||||||
|
with-faillock
|
||||||
|
with-mkhomedir
|
||||||
|
with-sudo
|
||||||
|
--force
|
||||||
|
|
||||||
|
- name: Apply new settings
|
||||||
|
command: /usr/bin/authselect apply-changes
|
||||||
|
|
||||||
|
- name: Enable oddjobd
|
||||||
|
service:
|
||||||
|
name: oddjobd
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
@ -6,6 +6,7 @@ bin_sudo: /usr/bin/sudo
|
|||||||
kernel_boot_options: audit=1
|
kernel_boot_options: audit=1
|
||||||
grub_config_path_link: /etc/grub2.cfg
|
grub_config_path_link: /etc/grub2.cfg
|
||||||
grub_config_path_efi: /etc/grub2-efi.cfg
|
grub_config_path_efi: /etc/grub2-efi.cfg
|
||||||
|
ipatype: client
|
||||||
|
|
||||||
# Removing TFTP for now because there will likely be tftp/pxe servers
|
# Removing TFTP for now because there will likely be tftp/pxe servers
|
||||||
remove_packages:
|
remove_packages:
|
||||||
|
Loading…
Reference in New Issue
Block a user