From: Clinton Ebadi
Date: Tue, 5 Jun 2012 07:16:04 +0000 (-0400)
Subject: Add pam_listfile checking to login and ssh pam configs
X-Git-Tag: debian/1~3
X-Git-Url: https://git.hcoop.net/hcoop/zz_old/debian/hcoop-admin-common-config.git/commitdiff_plain/e7f171e90c18066b5290ef510caeef3ecb3d5868

Add pam_listfile checking to login and ssh pam configs

* Some evil mish-mash of perl seems to get the job done
---
diff --git a/debian/control b/debian/control
index b4b21b6..91901a7 100644
--- a/debian/control
+++ b/debian/control
@@ -1,5 +1,5 @@
 Source: hcoop-admin-common-config
-Section: hcoop-config/base
+Section: hcoop-config/admin
 Priority: extra
 Maintainer: Clinton Ebadi
 Build-Depends: cdbs (>= 0.4.85~),
@@ -13,7 +13,7 @@ Vcs-Browser: http://git.hcoop.net/?p=hcoop/debian/hcoop-admin-common-config.git;
 
 Package: hcoop-admin-common-config
 Architecture: all
-Depends: cdbs, sudo, ${misc:Depends}
+Depends: cdbs, sudo, openssh-server, ${misc:Depends}
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: HCoop admin access configuration
diff --git a/debian/prepend-listfile-rules.pl b/debian/prepend-listfile-rules.pl
new file mode 100755
index 0000000..0a16fad
--- /dev/null
+++ b/debian/prepend-listfile-rules.pl
@@ -0,0 +1,28 @@
+#!/usr/bin/perl -p
+
+# Patch the login/ssh configs to check pam_listfile on admin nodes
+
+# Note: tried using pam-auth-update, but no dice: we need to generally
+# allow any kerberos user to authenticate for non-interactive
+# services... but Debian's PAM framework only separates
+# interactive/non-interactive session modules. It is possible to use
+# pam_listfile as a session module, but this has the unfortunate side
+# effect of allowing the account to authenticate &c before booting
+# them during session setup.
+
+# At least we can just shove this at the beginning of the file and be
+# done with it.
+
+BEGIN {
+    print "#HCOOP BEGIN\n";
+    print "# DO NOT MODIFY THIS BLOCK, IT WILL BE OVERWRITTEN UNCONDITIONALLY\n";
+    print "account requisite pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
+    print "auth required pam_listfile.so item=user sense=allow file=/etc/login.restrict.hcoop onerr=succeed\n";
+    print "#HCOOP END\n";
+
+}
+
+# kill old block if one exists
+if (/#HCOOP BEGIN/../#HCOOP END/) {
+    $_ = '';
+}
diff --git a/debian/rules b/debian/rules
index a71e866..b02b6a6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,6 +13,10 @@ DEB_DIVERT_EXTENSION =.hcoop
 DEB_DIVERT_FILES_hcoop-admin-common-config += \
 	/etc/login.restrict.hcoop
 
+DEB_TRANSFORM_FILES_hcoop-admin-common-config += \
+	/etc/pam.d/login.hcoop \
+	/etc/pam.d/ssh.hcoop
+
 #DEB_REMOVE_FILES_hcoop-admin-common-config += \
 #	/etc/sudoers.d/admins \
 #	/etc/sudoers.d/domtool
diff --git a/debian/transform_login.hcoop b/debian/transform_login.hcoop
new file mode 120000
index 0000000..cc35f32
--- /dev/null
+++ b/debian/transform_login.hcoop
@@ -0,0 +1 @@
+prepend-listfile-rules.pl
\ No newline at end of file
diff --git a/debian/transform_ssh.hcoop b/debian/transform_ssh.hcoop
new file mode 120000
index 0000000..cc35f32
--- /dev/null
+++ b/debian/transform_ssh.hcoop
@@ -0,0 +1 @@
+prepend-listfile-rules.pl
\ No newline at end of file
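Review bot: Both pam_listfile lines printed from the BEGIN block carry `onerr=succeed`, which makes the admin-node restriction fail open: if /etc/login.restrict.hcoop is missing or cannot be opened, pam_listfile returns success and the account/auth checks let through whoever the remaining modules accept, presumably any Kerberos principal given the header comment. Unless lockout on a broken list file is the intended trade-off, change both to `onerr=fail`; if succeed is deliberate, record the reason in the header comment so it is not "fixed" later. The range `if (/#HCOOP BEGIN/../#HCOOP END/)` also blanks every line from a BEGIN marker to end of file when no END marker follows (a truncated or hand-edited config), which would strip all the distribution's account/auth/session rules from /etc/pam.d/login or ssh on the next transform; anchoring the markers as `/^#HCOOP BEGIN$/ .. /^#HCOOP END$/` narrows false matches but the unterminated case still needs a guard. Finally, the shipped script runs with neither `use strict;` nor `use warnings;`, which is worth adding even under `-p`.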