[debian-edu-commits] debian-edu/ 02/02: Add PAM module to reject Kerberos password changes and point users to the Gosa web page instead to try to keep the password databases in sync (Closes: 704461). Depend on libpam-python for this.
Petter Reinholdtsen
pere at moszumanska.debian.org
Sat Oct 11 08:16:52 UTC 2014
pere pushed a commit to branch master
in repository debian-edu-config.
commit d9ae549ed43409db74fd11e3478df9f45deebde5
Author: Petter Reinholdtsen <pere at hungry.com>
Date: Sat Oct 11 10:16:25 2014 +0200
Add PAM module to reject Kerberos password changes and point users to the Gosa web page instead to try to keep the password databases in sync (Closes: 704461). Depend on libpam-python for this.
---
Makefile | 2 +
cf/cf.krb5client | 9 ++++
debian/changelog | 3 ++
debian/control | 1 +
debian/debian-edu-config.prerm | 3 ++
share/debian-edu-config/pam-config-nopwdchange | 6 +++
share/debian-edu-config/pam-nopwdchange.py | 60 ++++++++++++++++++++++++++
7 files changed, 84 insertions(+)
diff --git a/Makefile b/Makefile
index 45a8a71..b0487fd 100644
--- a/Makefile
+++ b/Makefile
@@ -456,6 +456,8 @@ install: install-testsuite
share/debian-edu-config/pam-config-ccreds-check \
share/debian-edu-config/pam-config-ccreds-save \
share/debian-edu-config/pam-config-mkhomedir \
+ share/debian-edu-config/pam-config-nopwdchange \
+ share/debian-edu-config/pam-nopwdchange.py \
; do \
$(INSTALL_DATA) $$f $(DESTDIR)/usr/$$f ; \
done
diff --git a/cf/cf.krb5client b/cf/cf.krb5client
index 372c198..1f2932f 100644
--- a/cf/cf.krb5client
+++ b/cf/cf.krb5client
@@ -1,11 +1,20 @@
#
# Configure KRB5 client
#
+
+links:
+ debian.installation.!standalone::
+ /usr/share/pam-configs/edu-nopwdchange ->! /usr/share/debian-edu-config/pam-config-nopwdchange
+
shellcommands:
# setup-roaming generate its own krb5.conf, no need to do it here.
debian.installation.!standalone.!roaming::
"/usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf"
+ debian.installation.!standalone.secondpass::
+ # Activate changes to pam-configs in /etc/pam.d/
+ "/usr/sbin/pam-auth-update --package"
+
files:
debian.secondpass.!standalone::
/etc/krb5.conf mode=644 act=fixall
diff --git a/debian/changelog b/debian/changelog
index f3d1851..c686b1f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,9 @@ debian-edu-config (1.810) UNRELEASED; urgency=high
* Move our squid3.conf to the correct Makefile block to avoid
installing it with the execute bit. Thank you, lintian!
* Add new web page translations (da, id, pt_BR) to the binary package.
+ * Add PAM module to reject Kerberos password changes and point users
+ to the Gosa web page instead to try to keep the password databases
+ in sync (Closes: 704461). Depend on libpam-python for this.
-- Wolfgang Schweer <wschweer at arcor.de> Tue, 07 Oct 2014 12:47:06 +0200
diff --git a/debian/control b/debian/control
index 7156a86..1eee9dc 100644
--- a/debian/control
+++ b/debian/control
@@ -57,6 +57,7 @@ Depends: ${misc:Depends}
, libproxy1-plugin-kconfig
, uuid
, swaks
+ , libpam-python
Recommends: resolvconf, ddccontrol | xresprobe, syslinux, memtest86+, libnotify-bin, lsof, binutils
Suggests: atftpd | tftpd-hpa
Breaks: nslcd (<< 0.7.7), dhcp3-client (<< 4.1.1-P1-9), dhcp3-server (<< 4.1.1-P1-9), slapd (<< 2.4.23-5), debian-edu-install (<< 1.521~svn74617)
diff --git a/debian/debian-edu-config.prerm b/debian/debian-edu-config.prerm
index 677eedb..8782714 100644
--- a/debian/debian-edu-config.prerm
+++ b/debian/debian-edu-config.prerm
@@ -22,6 +22,9 @@ case "$1" in
dpkg-divert --package debian-edu-config --remove /usr/share/pam-configs/krb5
rm /usr/share/pam-configs/edu-krb5
fi
+ if [ remove = "$1" ] && [ -e /usr/share/pam-configs/edu-nopwdchange ]; then
+ rm /usr/share/pam-configs/edu-nopwdchange
+ fi
pam-auth-update --package --remove edu-group edu-umask
;;
esac
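Review bot: The new `remove` branch deletes /usr/share/pam-configs/edu-nopwdchange but the `pam-auth-update --package --remove` call that follows still names only edu-group and edu-umask, so the profile is never explicitly deregistered and the generated /etc/pam.d/common-password can keep its `pam_python.so /usr/share/debian-edu-config/pam-nopwdchange.py` line until pam-auth-update next reconciles missing profiles — presumably on the same call, but that is worth confirming rather than relying on. Since libpam-python is only a dependency of this package, a stale `required` line for a module that can no longer be loaded would fail every later password change on the host. Changing the existing line to `pam-auth-update --package --remove edu-group edu-umask edu-nopwdchange` makes the deregistration explicit; the enclosing `case "$1"` block starts outside the hunk.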
diff --git a/share/debian-edu-config/pam-config-nopwdchange b/share/debian-edu-config/pam-config-nopwdchange
new file mode 100644
index 0000000..e31b877
--- /dev/null
+++ b/share/debian-edu-config/pam-config-nopwdchange
@@ -0,0 +1,6 @@
+Name: Block password change for LDAP users, suggest Gosa instead.
+Default: yes
+Priority: 10
+Password-Type: Additional
+Password-Final:
+ required pam_python.so /usr/share/debian-edu-config/pam-nopwdchange.py
diff --git a/share/debian-edu-config/pam-nopwdchange.py b/share/debian-edu-config/pam-nopwdchange.py
new file mode 100644
index 0000000..efe9f25
--- /dev/null
+++ b/share/debian-edu-config/pam-nopwdchange.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+#
+# Reject password change, ask people to use the Gosa web interface
+# instead.
+
+import sys
+import syslog
+import pwd
+
+def pam_sm_setcred(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_authenticate(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_acct_mgmt(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_open_session(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_close_session(pamh, flags, argv):
+ return pamh.PAM_SUCCESS
+
+def pam_sm_chauthtok(pamh, flags, argv):
+ syslog.openlog("pam_edu_nopwdchange", syslog.LOG_PID, syslog.LOG_AUTH)
+ syslog.syslog("calling pam_sm_chauthtok()")
+ user = pamh.get_user(None)
+ userinfo = pwd.getpwnam(user)
+ uid = userinfo[2]
+ if 1000 <= uid:
+ text = "\nPlease visit https://www/gosa to change your password for Debian Edu / Skolelinux. Thanks!\n"
+ msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
+ pamh.conversation(msg)
+ syslog.syslog("rejected password change for user %s" % user)
+ return pamh.PAM_SYSTEM_ERR
+ return pamh.PAM_SUCCESS
+
+# Test if the code work. Argument is username to simulate login for.
+if __name__ == '__main__':
+ syslog.openlog("pam_nopwdchange", syslog.LOG_PID, syslog.LOG_AUTH)
+ user = sys.argv[1]
+ class pam_handler:
+ PAM_SUCCESS = 1
+ PAM_USER_UNKNOWN = 2
+ PAM_SYSTEM_ERR = 3
+ PAM_TRY_AGAIN = 4
+ PAM_TEXT_INFO = 5
+ def get_user(self, arg):
+ return user
+ def Message(self, tag, str):
+ return str
+ def conversation(self, msg):
+ print "PAM conversation: " + msg
+ return
+ pamh = pam_handler()
+ if pamh.PAM_SUCCESS == pam_sm_chauthtok(pamh, None, None):
+ print "pam_sm_chauthtok returned PAM_SUCCESS"
+ else:
+ print "pam_sm_chauthtok returned PAM_SYSTEM_ERR"
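Review bot: `pwd.getpwnam(user)` in pam_sm_chauthtok raises KeyError for a principal that has no passwd entry (and TypeError if `pamh.get_user(None)` yields None), and nothing catches it, so the module aborts with a traceback instead of returning a PAM status; the test harness at the bottom even defines PAM_USER_UNKNOWN, yet the module never returns it. Catching the lookup failure, logging it and returning `pamh.PAM_USER_UNKNOWN` keeps the stack's result well-defined for the password-change path that is already attacker-reachable by design. Separately, `PAM_SYSTEM_ERR` denotes an internal failure; `PAM_AUTHTOK_ERR` or `PAM_PERM_DENIED` would describe a deliberate policy refusal more accurately — presumably either works with pam_python, but confirm. Note also that `1000 <= uid` is the only criterion, so locally created accounts in that range are blocked as well, which the profile's "LDAP users" wording does not suggest; a comment such as `# uid >= 1000 is used as a proxy for "managed in LDAP"; local accounts in that range are blocked too` would make the trade-off explicit.
```python
def pam_sm_chauthtok(pamh, flags, argv):
    # … unchanged: syslog.openlog / "calling pam_sm_chauthtok()" …
    user = pamh.get_user(None)
    try:
        uid = pwd.getpwnam(user).pw_uid
    except (KeyError, TypeError):
        syslog.syslog("unknown user %s, not applying password change policy" % user)
        return pamh.PAM_USER_UNKNOWN
    # … unchanged: uid >= 1000 check, PAM_TEXT_INFO conversation, return values …
```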