Closed amateo closed 1 year ago
@ghoneycutt It appears this PR matches a fresh 22.04.1 install.
This PR matches the same configuration as a fresh 22.04.01 install. As I can see #251 configures PAM as 20.04, but the fresh configuration is different between 20.04 and 22.04.
Out of curiosity I installed a minimal Ubuntu 22.04 install from ISO and did the verification for #245 again, and everything looks correct. However, this pull request was made around 3/4 of a year ago. It might have changed with 22.04.1.
```
# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
# cp -r /etc/pam.d/ ~
# puppet agent ....
# cd ~/pam.d
# # for file in *; do echo $file; diff --suppress-common-lines -y <(grep -vE '^#|^$' $file) <(grep -vE '^#|^$' /etc/pam.d/$file); done
chfn
chpasswd
chsh
common-account
common-auth
common-password
common-session
common-session-noninteractive
> session optional pam_systemd.so
login
newusers
other
passwd
polkit-1
runuser
runuser-l
sshd
> account required pam_access.so
su
su-l
sudo
sudo-i
```
Looks correct to me. pam_access.so is added because sshd_pam_access is set to true. Regarding pam_systemd.so in #245 I added the following:
> However another change I found is that session optional pam_systemd.so gets added to /etc/pam.d/common-session-noninteractive because it is using the same configuration data as /etc/pam.d/common-session where it is present.
It could be that they decided to change the PAM config in 22.04.1? Haven't compared the settings in #245 with Ubuntu 22.04.1.
Just realized #245 wasn't even mentioned previously here. Not sure why it was excluded though?
@anders-larsson, I haven't checked with puppet apply. And I also don't know which exact version of Ubuntu you have tried.
But I have a fresh installation of Ubuntu Server 22.04.01 (the current Ubuntu Server I can download from its website). In this version, the common-password file has the line
password [success=1 default=ignore] pam_unix.so obscure yescrypt
but in #251 the line is:
- 'password [success=1 default=ignore] pam_unix.so obscure sha512'
In your #245 it is correct:
- 'password [success=1 default=ignore] pam_unix.so obscure yescrypt'
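An added example, not part of the thread or of the module's own code: a POSIX shell check that reports which hashing option the active `pam_unix.so` password line selects, so a managed `common-password` can be compared against a fresh install as in the comment above. The function names and the two sample files are constructed here; the two `password` lines are the ones quoted in the thread.

```shell
#!/bin/sh
# pam_unix_hash FILE
# Print the hashing option on the first active "password ... pam_unix.so" line,
# or "none" if no such line carries one. Comments and blank lines are ignored.
pam_unix_hash() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "password" {
            seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "pam_unix.so") { seen = 1; continue }
                # hashing options documented in pam_unix(8)
                if (seen && $i ~ /^(md5|bigcrypt|sha256|sha512|blowfish|gost_yescrypt|yescrypt)$/) {
                    print $i; found = 1; exit
                }
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

# same_hash FILE_A FILE_B
# Succeed only when both files select the same hashing option.
same_hash() {
    [ "$(pam_unix_hash "$1")" = "$(pam_unix_hash "$2")" ]
}

# Constructed sample files standing in for a fresh install and a managed host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

printf '%s\n' \
    '# constructed sample: fresh 22.04.1 common-password' \
    '' \
    'password [success=1 default=ignore] pam_unix.so obscure yescrypt' \
    > "$tmp/fresh"

printf '%s\n' \
    '# constructed sample: file written from the #251 defaults' \
    '#password [success=1 default=ignore] pam_unix.so obscure yescrypt' \
    'password [success=1 default=ignore] pam_unix.so obscure sha512' \
    > "$tmp/managed"

echo "fresh:   $(pam_unix_hash "$tmp/fresh")"
echo "managed: $(pam_unix_hash "$tmp/managed")"
same_hash "$tmp/fresh" "$tmp/managed" || echo "hashing option differs from the fresh install"
```

On a real host, point `pam_unix_hash` at `/etc/pam.d/common-password` and at the copy saved before the Puppet run.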
Yeah, I realized after I had pasted my first message that it wasn't about #245 but there are in total 3 pull requests for Ubuntu 22.04 support :)
Let's hope at least one of them gets merged soon (and RHEL9 support too). Would be nice to be able to move back to the upstream module again.
This is superseded by #245
Thank you for your efforts!
Released in v3.10.0
There are differences between #254 and #251. The default values should match a default, minimal install of the platform. Which values are correct?