Depend on new hcoop common node config package
[hcoop/zz_old/debian/hcoop-admin-common-config.git] / debian / prepend-listfile-rules.pl
1 #!/usr/bin/perl -p
2
3 # Patch the login/ssh configs to check pam_listfile on admin nodes
4
5 # Note: tried using pam-auth-update, but no dice: we need to generally
6 # allow any kerberos user to authenticate for non-interactive
7 # services... but Debian's PAM framework only separates
8 # interactive/non-interactive session modules. It is possible to use
9 # pam_listfile as a session module, but this has the unfortunate side
10 # effect of allowing the account to authenticate &c before booting
11 # them during session setup.
12
13 # At least we can just shove this at the beginning of the file and be
14 # done with it.
15
# Emit the managed PAM block once, before any input line is processed, so
# the pam_listfile rules end up at the very top of the patched output.
#
# NOTE(review): both rules carry onerr=succeed, so pam_listfile fails open:
# if /etc/login.restrict.hcoop cannot be opened, the module reports success
# and the allow-list is not enforced. Confirm the file is always present and
# readable on admin nodes, or weigh onerr=fail against the lock-out risk.
# NOTE(review): BEGIN writes to STDOUT as it is at startup; presumably the
# script is run as a stdin-to-stdout filter rather than with -i -- confirm.
BEGIN {
    print <<'HCOOP_BLOCK';
#HCOOP BEGIN
# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY
account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed
auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed
#HCOOP END
HCOOP_BLOCK
}
24
# Drop any previously generated block. Under -p each input line arrives in
# $_; the range operator is true from a line matching "#HCOOP BEGIN" through
# the next line matching "#HCOOP END" (both inclusive), and blanking $_ makes
# the implicit print emit nothing for those lines.
# NOTE(review): the markers match anywhere in a line, and if the end marker
# is missing every remaining input line is dropped as well, leaving only the
# block printed by BEGIN. Check the result before installing it as a PAM
# service file.
$_ = '' if /#HCOOP BEGIN/ .. /#HCOOP END/;