HCoop / hcoop / zz_old / debian / hcoop-admin-common-config.git / blame
| Commit | Line | Data |
|---|---|---|
| e7f171e9 CE |
1 | #!/usr/bin/perl -p |
| 2 | ||
| 3 | # Patch the login/ssh configs to check pam_listfile on admin nodes | |
| 4 | ||
| 5 | # Note: tried using pam-auth-update, but no dice: we need to generally | |
| 6 | # allow any kerberos user to authenticate for non-interactive | |
| 7 | # services... but Debian's PAM framework only separates | |
| 8 | # interactive/non-interactive session modules. It is possible to use | |
| 9 | # pam_listfile as a session module, but this has the unfortunate side | |
| 10 | # effect of allowing the account to authenticate &c before booting | |
| 11 | # them during session setup. | |
| 12 | ||
| 13 | # At least we can just shove this at the beginning of the file and be | |
| 14 | # done with it. | |
| 15 | ||
| 16 | BEGIN { | |
| 17 | print "#HCOOP BEGIN\n"; | |
| 18 | print "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n"; | |
| 19 | print "account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n"; | |
| 20 | print "auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n"; | |
| 21 | print "#HCOOP END\n"; | |
| 22 | ||
| 23 | } | |
| 24 | ||
| 25 | # kill old block if one exists | |
| 26 | if (/#HCOOP BEGIN/../#HCOOP END/) { | |
| 27 | $_ = ''; | |
| 28 | } |