authentication - prepping system build

2024-11-22 05:01:27 +00:00 · 2020-12-12 12:58:00 -07:00 · 2020-12-12 12:58:00 -07:00 · 242c506bcd
commit 242c506bcd
parent 1b185b581d
8 changed files with 141 additions and 1 deletions
--- a/ansible/inventories/production/group_vars/ipaclients/main.yml
+++ b/ansible/inventories/production/group_vars/ipaclients/main.yml
@ -1,6 +1,7 @@
 ---

 ipaclient_domain = rockylinux.org
+ipaclient_realm = ROCKYLINUX.ORG
 ipaadmin_principal = admin
 ipaclient_no_ntp = true
 ipaclient_mkhomedir = true
--- a/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/CentOS-8-system-auth
+++ b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/CentOS-8-system-auth
@ -0,0 +1 @@
+RedHat-8-system-auth
--- a/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
+++ b/ansible/playbooks/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
@ -0,0 +1,40 @@
+{imply "with-smartcard" if "with-smartcard-required"}
+auth        required                                     pam_env.so
+auth        required                                     pam_faildelay.so delay=2000000
+auth        required                                     pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"}
+auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
+auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}
+auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
+auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
+auth        required                                     pam_u2f.so cue nouserok                                {include if "with-pam-u2f-2fa"}
+auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
+auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
+auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
+auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
+auth        sufficient                                   pam_sss.so forward_pass
+auth        required                                     pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900       {include if "with-faillock"}
+auth        required                                     pam_deny.so
+
+account     required                                     pam_access.so                                          {include if "with-pamaccess"}
+account     required                                     pam_faillock.so                                        {include if "with-faillock"}
+account     required                                     pam_unix.so
+account     sufficient                                   pam_localuser.so
+account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     required                                     pam_permit.so
+
+password    requisite                                    pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3
+password    requisite                                    pam_pwhistory.so use_authok remember=5
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    sufficient                                   pam_sss.so use_authtok
+password    required                                     pam_deny.so
+
+session     optional                                     pam_keyinit.so revoke
+session     required                                     pam_limits.so
+-session    optional                                     pam_systemd.so
+session     optional                                     pam_oddjob_mkhomedir.so umask=0077                    {include if "with-mkhomedir"}
+session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
+session     required                                     pam_unix.so
+session     optional                                     pam_sss.so
--- a/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
+++ b/ansible/playbooks/files/etc/pam.d/CentOS-7-system-auth-ac
@ -0,0 +1 @@
+RedHat-7-system-auth-ac
--- a/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
+++ b/ansible/playbooks/files/etc/pam.d/RedHat-7-system-auth-ac
@ -0,0 +1,34 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        required      pam_faildelay.so delay=2000000
+auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900
+auth        [default=1 success=ok] pam_localuser.so
+auth        [success=done ignore=ignore default=bad] pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
+auth        sufficient    pam_sss.so forward_pass
+auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
+auth        required      pam_deny.so
+
+account     required      pam_faillock.so
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     required      pam_permit.so
+
+password    requisite     pam_pwquality.so try_first_pass minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 local_users_only retry=3
+password    requisite     pam_pwhistory.so use_authok remember=5
+password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+password    sufficient    pam_sss.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     optional      pam_oddjob_mkhomedir.so umask=0077
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_sss.so
+
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@ -30,7 +30,7 @@
    - name: Configure harden settings
      include: tasks/harden.yml

-    - name: Configure PAM and SSSD
+    - name: Configure PAM
      include: tasks/authentication.yml

  post_tasks:
--- a/ansible/playbooks/tasks/authentication.yml
+++ b/ansible/playbooks/tasks/authentication.yml
@ -1,3 +1,65 @@
 ---
 # Configures PAM and SSSD post-ipa client installation. It is recommended that
 # that we use a custom authselect profile and build it out from there.
+- name: Enterprise Linux 7 PAM Configuration
+  copy:
+    src: "etc/pam.d/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth-ac"
+    dest: "{{ item }}"
+    mode: "0644"
+    owner: root
+    group: root
+  with_items:
+    - /etc/pam.d/system-auth-ac
+    - /etc/pam.d/password-auth-ac
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '7'
+
+- name: Enterprise Linux 8 PAM Configuration
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '8'
+  block:
+    - name: Ensure Custom Profile is removed
+      file:
+        state: absent
+        path: /etc/authselect/custom/sssd-rocky
+
+    - name: Create custom authselect profile based on sssd
+      command: >
+        /usr/bin/authselect create-profile sssd-rocky
+        --base-on sssd
+        --symlink-dconf
+        --symlink-meta
+        --symlink=postlogin
+        --symlink=smartcard-auth
+        --symlink=fingerprint-auth
+
+    - name: Override system-auth and password-auth
+      copy:
+        src: "etc/authselect/custom/sssd-aoc/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
+        dest: "{{ item }}"
+        mode: '0644'
+        owner: root
+        group: root
+      with_items:
+        - /etc/authselect/custom/sssd-aoc/system-auth
+        - /etc/authselect/custom/sssd-aoc/password-auth
+
+    - name: Select New Profile
+      command: >
+        /usr/bin/authselect select custom/sssd-aoc
+        without-nullok
+        with-faillock
+        with-mkhomedir
+        with-sudo
+        --force
+
+    - name: Apply new settings
+      command: /usr/bin/authselect apply-changes
+
+    - name: Enable oddjobd
+      service:
+        name: oddjobd
+        state: started
+        enabled: yes
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@ -6,6 +6,7 @@ bin_sudo: /usr/bin/sudo
 kernel_boot_options: audit=1
 grub_config_path_link: /etc/grub2.cfg
 grub_config_path_efi: /etc/grub2-efi.cfg
+ipatype: client

 # Removing TFTP for now because there will likely be tftp/pxe servers
 remove_packages: