3 # Patch the login/ssh configs to check pam_listfile on admin nodes
5 # Note: tried using pam-auth-update, but no dice: we need to generally
6 # allow any kerberos user to authenticate for non-interactive
7 # services... but Debian's PAM framework only separates
8 # interactive/non-interactive session modules. It is possible to use
9 # pam_listfile as a session module, but this has the unfortunate side
10 # effect of allowing the account to authenticate &c before booting
11 # them during session setup.
13 # At least we can just shove this at the beginning of the file and be
17 print "#HCOOP BEGIN\n";
18 print "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n";
19 print "account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
20 print "auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
25 # kill old block if one exists
26 if (/#HCOOP BEGIN/../#HCOOP END/) {