Add pam_listfile checking to login and ssh pam configs

[hcoop/zz_old/debian/hcoop-admin-common-config.git] / debian / prepend-listfile-rules.pl

diff --git a/debian/prepend-listfile-rules.pl b/debian/prepend-listfile-rules.pl
new file mode 100755 (executable)
index 0000000..0a16fad
--- /dev/null
+++ b/debian/prepend-listfile-rules.pl
@@ -0,0 +1,28 @@
+#!/usr/bin/perl -p
+
+# Patch the login/ssh configs to check pam_listfile on admin nodes
+
+# Note: tried using pam-auth-update, but no dice: we need to generally
+# allow any kerberos user to authenticate for non-interactive
+# services... but Debian's PAM framework only separates
+# interactive/non-interactive session modules. It is possible to use
+# pam_listfile as a session module, but this has the unfortunate side
+# effect of allowing the account to authenticate &c before booting
+# them during session setup.
+
+# At least we can just shove this at the beginning of the file and be
+# done with it.
+
+BEGIN {
+    print "#HCOOP BEGIN\n";
+    print "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n";
+    print "account    requisite    pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
+    print "auth       required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop  onerr=succeed\n";
+    print "#HCOOP END\n";
+
+}
+
+# kill old block if one exists
+if (/#HCOOP BEGIN/../#HCOOP END/) {
+    $_ = '';
+}