#!/usr/bin/perl -p

# Patch the login/ssh PAM configs to check pam_listfile on admin nodes.
#
# Works as a line filter (-p): the HCOOP block is printed once, before any
# input line is read, and each input line is then printed unless it belongs
# to a previously written HCOOP block.

# Note: tried using pam-auth-update, but no dice: we need to generally
# allow any kerberos user to authenticate for non-interactive
# services... but Debian's PAM framework only separates
# interactive/non-interactive session modules. It is possible to use
# pam_listfile as a session module, but this has the unfortunate side
# effect of allowing the account to authenticate &c before booting
# them during session setup.

# At least we can just shove this at the beginning of the file and be
# done with it.

# BEGIN runs before the implicit -p read loop, so this output goes to the
# handle selected at that point (STDOUT).
# NOTE(review): under -i that is not the file being edited; presumably this
# script is run as a stdin-to-stdout filter -- confirm against the caller.
#
# NOTE(review): onerr=succeed tells pam_listfile to report success when it
# cannot process the list file (e.g. /etc/login.restrict.hcoop is missing or
# unreadable), so the allow-list fails open on exactly the nodes it is meant
# to restrict. If this is a deliberate anti-lockout choice, record that here;
# otherwise consider onerr=fail, with the list file provisioned before this
# block is installed.
BEGIN {
    print
        "#HCOOP BEGIN\n",
        "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n",
        "account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n",
        "auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n",
        "#HCOOP END\n";
}

# Drop the old block if one exists: blanking $_ makes -p print nothing for
# every line from the begin marker through the end marker, inclusive.
#
# NOTE(review): the markers are matched anywhere in a line, and the range
# operator stays true until an end marker is seen. If a begin marker has no
# matching end marker, every following line through end of input is dropped,
# so the output should be checked before it replaces a live PAM config.
$_ = '' if /#HCOOP BEGIN/ .. /#HCOOP END/;