OpenSolaris_b135/pkgdefs/common_files/i.pamconf

#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
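# Message file shared by pkgadd class action scripts; notes appended here
# are shown to the administrator once the package operation completes.
CLEANUP_FILE=/tmp/CLEANUP
# Private scratch directory for this run and the per-service entry lists
# built inside it.  mkdir is atomic and refuses an existing path, so a
# pre-planted file or symlink of the same name makes the script exit
# instead of writing through it; mode 700 keeps the working copies of
# pam.conf readable by root only.
PAM_TMP=/tmp/pam_conf.$$
KERB_ENTRIES=$PAM_TMP/scr.$$
PPP_ENTRIES=$PAM_TMP/scp.$$
CRON_ENTRIES=$PAM_TMP/scc.$$
CUPS_ENTRIES=$PAM_TMP/scd.$$
mkdir -m 700 "$PAM_TMP" || exit 1

# Pick up the system nawk/sed/grep ahead of whatever the caller has in PATH.
PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH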

#######################################
# Write the kerberized r-command auth stacks (krlogin, krsh, ktelnet) to
# ${KERB_ENTRIES}.  The file is later consumed field by field with
# "read", so it must contain neither comments nor blank lines.
# Globals:   KERB_ENTRIES (path written)
#######################################
setup_kerb_changes() {
	cat << 'EOF' > "${KERB_ENTRIES}"
krlogin		auth		required	pam_unix_cred.so.1
krlogin		auth		required	pam_krb5.so.1
krsh		auth		required	pam_unix_cred.so.1
krsh		auth		required	pam_krb5.so.1
ktelnet		auth		required	pam_unix_cred.so.1
ktelnet		auth		required	pam_krb5.so.1
EOF
}

#######################################
# Write the ppp auth stack to ${PPP_ENTRIES}.  Read back field by field
# with "read" later on, so no comments or blank lines may appear.
# Globals:   PPP_ENTRIES (path written)
#######################################
setup_ppp_changes() {
	cat << 'EOF' > "${PPP_ENTRIES}"
ppp		auth		requisite	pam_authtok_get.so.1 
ppp		auth		required	pam_dhkeys.so.1 
ppp		auth		required	pam_unix_cred.so.1 
ppp		auth		required	pam_unix_auth.so.1 
ppp		auth		required	pam_dial_auth.so.1 
EOF
}

#######################################
# Write the single cron account entry to ${CRON_ENTRIES}.  Consumed with
# "read" later, so the file holds no comments or blank lines.
# Globals:   CRON_ENTRIES (path written)
#######################################
setup_cron_changes() {
	cat << 'EOF' > "${CRON_ENTRIES}"
cron		account		required	pam_unix_account.so.1
EOF
}

#######################################
# Write the single cups account entry to ${CUPS_ENTRIES}.  Consumed with
# "read" later, so the file holds no comments or blank lines.
# Globals:   CUPS_ENTRIES (path written)
#######################################
setup_cups_changes() {
	cat << 'EOF' > "${CUPS_ENTRIES}"
cups		account		required	pam_unix_account.so.1
EOF
}

#  Returns zero (success) if system is labeled (aka Trusted Extensions),
#  that is, /bin/plabel exists and runs successfully.  Returns 1 when
#  plabel is absent, otherwise plabel's own exit status.
#
is_system_labeled() {
	if [ -x /bin/plabel ]; then
		/bin/plabel > /dev/null 2>&1
	else
		return 1
	fi
}

# Add the Trusted Extensions account entry to $dest during initial install.
# Only acts when the system is labeled (is_system_labeled succeeds) and
# $dest has no uncommented "other account ... pam_tsol_account" line yet;
# a note is appended to CLEANUP_FILE whenever the entry is added.
# Globals:   dest (file updated), CLEANUP_FILE (appended to)
add_tx_entries() {
	if is_system_labeled; then
		if grep '^[ 	]*other.*account.*pam_tsol_account' "$dest" \
		    > /dev/null 2>&1; then
			:	# already configured, nothing to do
		else
			# Append new entry
			cat >> "$dest" << EOF
other		account		required	pam_tsol_account.so.1
EOF
			echo "${dest} entry added for Trusted Extensions; \c" \
			    >> ${CLEANUP_FILE}
		fi
	fi
}


#
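#
# Main program.  pkgadd feeds "src dest" pairs on stdin, one per line:
# src is the packaged pam.conf, dest its installed location.  A dest that
# does not exist yet is installed verbatim (plus the Trusted Extensions
# entry when the system is labeled); an existing one is upgraded in place
# step by step, with a note per step appended to CLEANUP_FILE so the
# administrator can review the result.
#
# Every rewrite of $dest goes through a scratch copy under PAM_TMP, the
# private directory mkdir created above.  Keeping the scratch files out of
# the shared /tmp namespace means a pre-existing file or symlink there can
# neither be written through nor picked up by the "> scratch" redirections,
# and "rm -rf $PAM_TMP" at the end removes whatever is left over.  Scratch
# content is copied back with cp (not mv) so $dest keeps its owner, group
# and mode.
#
setup_kerb_changes
setup_ppp_changes
setup_cron_changes
setup_cups_changes
PAM_SCRATCH=$PAM_TMP/pamconf.$$
PAM_SCRATCH2=$PAM_TMP/pamconf2.$$

#######################################
# Append to $dest every entry from file $1 that it does not already hold
# (a commented-out copy counts as present, so the administrator's choice
# is kept), then record message $2 in CLEANUP_FILE if anything was added.
# Shared by the PPP, cron and cups steps below.
# Arguments: $1 - file of "service type control module [flags]" lines
#            $2 - CLEANUP_FILE message (Solaris echo syntax, may end in \c)
# Globals:   dest, PAM_SCRATCH, CLEANUP_FILE (read); e1..e5 (clobbered)
#######################################
append_missing_entries() {
	rm -f "$PAM_SCRATCH"
	while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists (the flags field, $e5, is
		# not compared).
		grep \
"^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
		"$dest" >/dev/null 2>&1
		# Status 1 means no match; a grep error (status 2) is treated
		# as "present" so that nothing gets duplicated on a bad read.
		if [ $? = 1 ] ; then
			# Doesn't exist, enter into pam.conf
			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$PAM_SCRATCH"
		fi
	done < "$1"
	# Append the lines if any were not present already.
	if [ -f "$PAM_SCRATCH" ] ; then
		cat "$PAM_SCRATCH" >> "$dest"
		echo "$2" >> ${CLEANUP_FILE}
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE}
		rm -f "$PAM_SCRATCH"
	fi
}

while read src dest
do
    if [ ! -f "$dest" ] ; then
	# Initial install: take the packaged file as is.
	cp "$src" "$dest"

	# Dynamically add any entries for Trusted Extensions if it's enabled
	add_tx_entries
    else
	echo "${dest} default entries updated, \c" \
		>> ${CLEANUP_FILE}
	echo "please examine/update customized entries" \
		>> ${CLEANUP_FILE}
	#
	# Update pam.conf with relative pathname: strip the old absolute
	# /usr/lib/security[/$ISA]/ prefix so entries name the bare module.
	#
	if grep '/usr/lib/security/$ISA/pam_' "$dest" > /dev/null 2>&1; then
		sed 's,/usr/lib/security/$ISA/,	', \
			"$dest" > "$PAM_SCRATCH"
		cp "$PAM_SCRATCH" "$dest"
		rm -f "$PAM_SCRATCH"
	fi
	if grep '/usr/lib/security/pam_' "$dest" > /dev/null 2>&1; then
		sed 's,/usr/lib/security/,	', \
			"$dest" > "$PAM_SCRATCH"
		cp "$PAM_SCRATCH" "$dest"
		rm -f "$PAM_SCRATCH"
	fi
#
# Update pam.conf with entries for PAM modules pam_authtok_get,
# pam_authtok_check, pam_authtok_store, pam_unix_auth, pam_unix_account,
# pam_unix_cred, pam_unix_session, pam_dhkeys and pam_passwd_auth
# (each legacy pam_unix.so line is expanded into the split-module stack
# for its type; comment lines pass through untouched).
#

	echo "${dest} updating pam_unix with default PAM entries \c" \
		>> ${CLEANUP_FILE}
	echo "please examine/update any new entries" \
		>> ${CLEANUP_FILE}
	nawk  '/^#/ { print; next } \
	$4 ~ /pam_unix.so/ && $2 == "auth" { \
		print $1 "\t" $2 " " "requisite\t\t" \
		"pam_authtok_get.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_dhkeys.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_cred.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_auth.so.1"; \
		next \
	} \
	$4 ~ /pam_passwd_auth.so.1/ && $2 == "auth" { \
		if ($1 == "passwd") \
			passwd_seen = 1;\
	}\
	$4 ~ /pam_rhosts_auth/ && $1 == "rsh" && $3 == "required" { \
		print $1 "\t" $2 " " "sufficient\t\t" $4; \
		print $1 "\t" $2 " " "required\t\t" "pam_unix_cred.so.1"; \
		next \
	}\
	$4 ~ /pam_unix_cred/ && $3 == "required" { \
		cred_seen = 1;\
		print; \
		next \
	}\
	$4 ~ /pam_unix_auth/ && $1 == "rsh" && $3 == "required" { \
		if (cred_seen == 0) { \
			print $1 "\t" $2 " " "required\t\t" \
			"pam_unix_cred.so.1"; \
		} \
		next \
	} \
	$4 ~ /pam_unix_auth/ && $3 == "required" { \
		if (cred_seen == 0) { \
			print $1 "\t" $2 " " "required\t\t" \
			"pam_unix_cred.so.1"; \
		} \
		print ; \
		next \
	}\
	END {
		if (passwd_seen == 0) { \
			print "passwd" "\t" "auth required\t\t" \
			"pam_passwd_auth.so.1"; \
		} \
	} \
	
	$4 ~ /pam_unix.so/ && $2 == "account" { \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_account.so.1"; \
		next \
	} \
	$4 ~ /pam_unix.so/ && $2 == "session" { \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_unix_session.so.1"; \
		next \
	} \
	$4 ~ /pam_unix.so/ && $2 == "password" { \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_dhkeys.so.1"; \
		print $1 "\t" $2 " " "requisite\t\t" \
		"pam_authtok_get.so.1"; \
		print $1 "\t" $2 " " "requisite\t\t" \
		"pam_authtok_check.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
		"pam_authtok_store.so.1"; \
		next \
	} \
	{ print }' "$dest" > "$PAM_SCRATCH"
	cp "$PAM_SCRATCH" "$dest"
	rm -f "$PAM_SCRATCH"
#
# update pam.conf with entries for roles: insert pam_roles before each
# pam_unix account line and drop obsolete pam_role_auth lines, unless
# pam_roles is already configured.
#
	grep 'pam_roles.so' "$dest" > /dev/null 2>&1
	if [ $? = 1 ] ; then
		echo "${dest} updating default entries for roles, \c" \
		    >> ${CLEANUP_FILE} 
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE} 
		nawk  '/^#/ { print; next } \
		$4 ~ /pam_role_auth/	{ next } \
		$2 == "account" && $4 ~ /pam_unix/ { \
				print $1 "\t" $2 " requisite\t\t" \
				  "pam_roles.so.1"; \
				print;	\
				next \
			} \
		{ print }' "$dest" > "$PAM_SCRATCH"
		cp "$PAM_SCRATCH" "$dest"
		rm -f "$PAM_SCRATCH"
	fi

#
# update pam.conf with entries for projects: the module is gone, so any
# line referencing it is removed.
#
	grep 'pam_projects.so' "$dest" > /dev/null 2>&1
	if [ $? = 0 ] ; then
		echo "${dest} removing pam_project.so" >> ${CLEANUP_FILE} 
		grep -v pam_projects.so "$dest" > "$PAM_SCRATCH"
		cp "$PAM_SCRATCH" "$dest"
		rm -f "$PAM_SCRATCH"
	fi
#
# update pam.conf to append PPP entries if not already present
# (note: default list above already has role added, so we
# must do this after the upgrade above has run.)
#
	append_missing_entries "${PPP_ENTRIES}" \
	    "${dest} updating entries for PPP; \c"
#
# update pam.conf to append cron entries if not already present
# (note: the kerberos default list above already has the cron entries added.)
#
	append_missing_entries "${CRON_ENTRIES}" \
	    "${dest} updating entries for cron, \c"
#
# update pam.conf to append cups entries if not already present
#
	append_missing_entries "${CUPS_ENTRIES}" \
	    "${dest} updating entries for cups, \c"

#
# update pam.conf to remove the rlogin entry that uses pam_krb5.so.1
#
	rm -f "$PAM_SCRATCH"
	sed -e "/^[# 	]*rlogin.*pam_krb5.so.1/d" \
			"$dest" > "$PAM_SCRATCH"
	if [ $? -ne 0 ]; then
		echo "Couldn't edit $PAM_SCRATCH, rlogin lines have not been \
			updated to remove pam_krb5.so.1." \
			 >> ${CLEANUP_FILE}
	else
		cp "$PAM_SCRATCH" "$dest"
	fi

#
# update pam.conf to remove obsolete flags used with pam_krb5.so.1
#
	rm -f "$PAM_SCRATCH"
	sed -e "s/\(pam_krb5.so.1.*\)acceptor/\1/g" \
		-e "s/\(pam_krb5.so.1.*\)use_first_pass/\1/g" \
		-e "s/\(pam_krb5.so.1.*\)try_first_pass/\1/g" \
		-e "s/\(pam_krb5.so.1.*\)use_xfn_pass/\1/g" \
		-e "s/\(pam_krb5.so.1.*\)try_xfn_pass/\1/g" \
			"$dest" > "$PAM_SCRATCH"
	if [ $? -ne 0 ]; then
		echo "Couldn't edit $PAM_SCRATCH to remove obsolete flags: \
		acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass." \
			 >> ${CLEANUP_FILE}
	else
		cp "$PAM_SCRATCH" "$dest"
	fi

#
# update pam.conf to remove the unnecessary unix_auth entries for the
# kerberized services, and turn their "binding" control into "required".
#
	rm -f "$PAM_SCRATCH"
	sed -e "/^[# 	]*krlogin[ 	]*auth[ 	]*.*[ 	]*pam_unix_auth.so.1/d" \
	 -e "/^[# 	]*krsh[ 	]*auth[ 	]*.*[ 	]*pam_unix_auth.so.1/d" \
	 -e "/^[# 	]*ktelnet[ 	]*auth[ 	]*.*[ 	]*pam_unix_auth.so.1/d" \
	 -e "s/^\([# 	]*krlogin[ 	]*auth[ 	]*\)binding/\1required/" \
	 -e "s/^\([# 	]*krsh[ 	]*auth[ 	]*\)binding/\1required/" \
	 -e "s/^\([# 	]*ktelnet[ 	]*auth[ 	]*\)binding/\1required/" \
			"$dest" > "$PAM_SCRATCH"
	if [ $? -ne 0 ]; then
		echo "Couldn't edit $PAM_SCRATCH, krlogin, krsh, ktelnet may \
				still have pam_unix_auth in their stacks." \
			 >> ${CLEANUP_FILE}
	else
		cp "$PAM_SCRATCH" "$dest"
	fi

#
# update pam.conf to append kerberos entries if not already present.
# Entries that do exist are moved to the bottom so the stacking order
# matches KERB_ENTRIES.
#
	rm -f "$PAM_SCRATCH"
	while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists
		grep \
"^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
		"$dest" >/dev/null 2>&1
		if [ $? = 1 ] ; then
			# Check if service name is 'dtlogin' and it is
			# mentioned explicitly, then add kerberos 'dtlogin'
			# (KERB_ENTRIES currently carries no dtlogin line, so
			# this branch is kept for lists that do).
			if [ "$e1" = "dtlogin" ]; then
				if grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	]" \
					"$dest" >/dev/null 2>&1; then
					echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$PAM_SCRATCH"
				fi
			else
			# Doesn't exist, enter into pam.conf
			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> \
				"$PAM_SCRATCH"
			fi
		else
			# Does exist. To maintain proper stacking order: remove it
			# and append it to the bottom of the conf file.
			grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
				"$dest" >> "$PAM_SCRATCH" 2>/dev/null
			sed -e "/^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4/d" \
				"$dest" > "$PAM_SCRATCH2"
			# cp, not mv: a mv from the scratch directory would
			# replace $dest with a fresh file and lose its owner,
			# group and mode.
			cp "$PAM_SCRATCH2" "$dest"
			rm -f "$PAM_SCRATCH2"
		fi
	done < "${KERB_ENTRIES}"
	# Append kerberos lines if any were not present already.
	if [ -f "$PAM_SCRATCH" ] ; then
		cat "$PAM_SCRATCH" >> "$dest"
		echo "${dest} updating entries to add kerberos, \c" \
		    >> ${CLEANUP_FILE} 
		echo "please examine/update any new entries" \
		    >> ${CLEANUP_FILE} 
		rm -f "$PAM_SCRATCH"
	fi

#
# notify pam_ldap users to manually intervene and examine/update their pam.conf
# due to the change in pam_ldap functionality.
#
	grep '^[^#].*pam_ldap.so' "$dest" > /dev/null 2>&1
	if [ $? = 0 ] ; then
		echo "${dest} please examine/update the pam_ldap configuration \c" \
		    >> ${CLEANUP_FILE}
		echo "because its functionality has changed, \c" \
		    >> ${CLEANUP_FILE}
		echo "refer to pam_ldap(5) documentation for more information" \
		    >> ${CLEANUP_FILE}
	fi

    fi
done
#
rm -rf "$PAM_TMP"
exit 0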