Source: hcoop-admin-common-config
-Section: hcoop-config/base
+Section: hcoop-config/admin
Priority: extra
Maintainer: Clinton Ebadi <clinton@unknownlamer.org>
Build-Depends: cdbs (>= 0.4.85~),
Package: hcoop-admin-common-config
Architecture: all
-Depends: cdbs, sudo, ${misc:Depends}
+Depends: cdbs, sudo, openssh-server, ${misc:Depends}
Provides: ${diverted-files}
Conflicts: ${diverted-files}
Description: HCoop admin access configuration
--- /dev/null
+#!/usr/bin/perl -p
+
+# Patch the login/ssh configs to check pam_listfile on admin nodes
+
+# Note: tried using pam-auth-update, but no dice: we need to generally
+# allow any kerberos user to authenticate for non-interactive
+# services... but Debian's PAM framework only separates
+# interactive/non-interactive session modules. It is possible to use
+# pam_listfile as a session module, but this has the unfortunate side
+# effect of allowing the account to authenticate &c before booting
+# them during session setup.
+
+# At least we can just shove this at the beginning of the file and be
+# done with it.
+
+BEGIN {
+ print "#HCOOP BEGIN\n";
+ print "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n";
+ print "account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
+ print "auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
+ print "#HCOOP END\n";
+
+}
+
+# kill old block if one exists
+if (/#HCOOP BEGIN/../#HCOOP END/) {
+ $_ = '';
+}
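Review bot: Both pam_listfile lines printed in the BEGIN block use `onerr=succeed`, so if /etc/login.restrict.hcoop is missing or unreadable, or the module hits another error, the check passes and the admin-node restriction fails open. The package appears to provide that file through DEB_DIVERT_FILES, so consider `onerr=fail` on both lines, after confirming there is a tested console recovery path in case the list is ever broken. Separately, the cleanup range `/#HCOOP BEGIN/../#HCOOP END/` runs to end of input if the END marker has been removed by hand, which would silently drop the rest of the PAM stack from the transformed file. A comment stating that assumption, or anchoring the markers as `/^#HCOOP BEGIN$/../^#HCOOP END$/` so only the exact marker lines match, would make this safer to maintain.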
DEB_DIVERT_FILES_hcoop-admin-common-config += \
/etc/login.restrict.hcoop
+DEB_TRANSFORM_FILES_hcoop-admin-common-config += \
+ /etc/pam.d/login.hcoop \
+ /etc/pam.d/ssh.hcoop
+
#DEB_REMOVE_FILES_hcoop-admin-common-config += \
# /etc/sudoers.d/admins \
# /etc/sudoers.d/domtool
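Review bot: The transform list names `/etc/pam.d/ssh.hcoop`, i.e. the PAM file `/etc/pam.d/ssh`, but Debian's openssh-server has for many releases used the service name `sshd` and shipped `/etc/pam.d/sshd`. If the target release matches that, the pam_listfile block would never reach the stack sshd actually reads, and SSH logins on admin nodes would stay unrestricted while console logins are limited. Please confirm the path on the target release and, if needed, list `/etc/pam.d/sshd.hcoop` instead, renaming the per-file transform entry to match. A one-line comment above DEB_TRANSFORM_FILES saying that these files get the pam_listfile block prepended would also help the next maintainer.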
--- /dev/null
+prepend-listfile-rules.pl
\ No newline at end of file
--- /dev/null
+prepend-listfile-rules.pl
\ No newline at end of file