Commit | Line | Data |
---|---|---|
e7f171e9 CE |
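#!/usr/bin/perl -p

# Patch the login/ssh configs to check pam_listfile on admin nodes

# Note: tried using pam-auth-update, but no dice: we need to generally
# allow any kerberos user to authenticate for non-interactive
# services... but Debian's PAM framework only separates
# interactive/non-interactive session modules. It is possible to use
# pam_listfile as a session module, but this has the unfortunate side
# effect of allowing the account to authenticate &c before booting
# them during session setup.

# At least we can just shove this at the beginning of the file and be
# done with it.

# How this runs: -p wraps the statements below the BEGIN block in a
# read-a-line / print-a-line loop. BEGIN executes before any input is
# read, so the managed block is always the first thing on STDOUT.
#
# NOTE(review): the BEGIN output goes to STDOUT even when perl is run
# with -i, so it would not end up in an in-place edited file. Presumably
# the caller uses this as a filter (old config in, new config out) --
# confirm against the caller.

BEGIN {
    print "#HCOOP BEGIN\n";
    print "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n";
    # NOTE(review): onerr=succeed makes pam_listfile return success when
    # it cannot use /etc/login.restrict.hcoop (for example, the file is
    # missing), so in that state the allow-list is not enforced. This
    # looks like a deliberate anti-lockout choice -- confirm, and make
    # sure the file's presence, ownership and mode are managed and
    # monitored on admin nodes.
    print "account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
    print "auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
    print "#HCOOP END\n";
}

# kill old block if one exists
#
# Lines from "#HCOOP BEGIN" through "#HCOOP END" are held back instead
# of being printed, and thrown away once the end marker is seen. If the
# input ends while a block is still open (end marker lost or edited),
# the held lines are put back and a warning is issued: silently dropping
# everything after the begin marker would strip the remaining modules
# out of a PAM service file.
our @hcoop_held;    # package variable: must survive across -p iterations
if (@hcoop_held or /#HCOOP BEGIN/) {
    push @hcoop_held, $_;
    $_ = '';                         # nothing is printed for this line yet
    if ($hcoop_held[-1] =~ /#HCOOP END/) {
        @hcoop_held = ();            # complete old block: discard it
    }
    elsif (eof) {
        # eof without parentheses tests the file currently being read.
        warn "unterminated #HCOOP BEGIN block in $ARGV; keeping those lines\n";
        $_ = join '', @hcoop_held;
        @hcoop_held = ();
    }
}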