ghoneycutt / puppet-module-pam

Puppet module to manage PAM

Add support for Ubuntu 22.04 #254

Closed amateo closed 1 year ago

ghoneycutt commented 1 year ago

There are differences between #254 and #251. The default values should match a default, minimal install of the platform. Which values are correct?

grzleadams commented 1 year ago

@ghoneycutt It appears this PR matches a fresh 22.04.1 install.

amateo commented 1 year ago

This PR matches the same configuration as a fresh 22.04.01 install. As far as I can see, #251 configures PAM as in 20.04, but the fresh configuration is different between 20.04 and 22.04.

anders-larsson commented 1 year ago

Out of curiosity I installed a minimal Ubuntu 22.04 install from ISO and did verification for #245 again, and everything looks correct. However, this pull request was made around 3/4 of a year ago. It might have changed with 22.04.1.

# cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
# cp -r /etc/pam.d/ ~
# puppet agent ....
# cd ~/pam.d
# # for file in *; do echo $file; diff --suppress-common-lines -y <(grep -vE '^#|^$' $file) <(grep -vE '^#|^$' /etc/pam.d/$file); done
chfn
chpasswd
chsh
common-account
common-auth
common-password
common-session
common-session-noninteractive
                                                              > session optional        pam_systemd.so 
login
newusers
other
passwd
polkit-1
runuser
runuser-l
sshd
                                                              > account    required     pam_access.so
su
su-l
sudo
sudo-i

Looks correct to me. pam_access.so is added because sshd_pam_access is set to true. Regarding pam_systemd.so in #245 I added the following:

However another change I found is that session optional        pam_systemd.so gets added to /etc/pam.d/common-session-noninteractive because it is using the same configuration data as /etc/pam.d/common-session where it is present.

It could be that they decided to change the PAM config in 22.04.1? Haven't compared the settings in #245 with Ubuntu 22.04.1.

anders-larsson commented 1 year ago

Just realized #245 wasn't even mentioned previously here. Not sure why it was excluded though?

amateo commented 1 year ago

@anders-larsson, I haven't checked with puppet apply. And I also don't know which exact version of Ubuntu you have tried.

But I have a fresh installation of Ubuntu Server 22.04.01 (the current Ubuntu Server I can download from its website). In this version, the common-password file has the line

password [success=1 default=ignore] pam_unix.so obscure yescrypt

but in #251 the line is:

- 'password [success=1 default=ignore] pam_unix.so obscure sha512'

In your #245 it is correct:

- 'password [success=1 default=ignore] pam_unix.so obscure yescrypt'
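
The comparison discussed in this thread, as an added example that is not part of the original discussion or of the module's code: it diffs the effective PAM stack (comments, blank lines and spacing ignored) of a saved baseline against a managed directory and reports the `pam_unix.so` password hash option. The function names and the sample files are assumptions constructed for illustration; the sample puts the fresh-install `yescrypt` line in the baseline and the `sha512` line in the managed copy.

```shell
# Strip comments and blank lines, collapse whitespace runs.
pam_effective() {
    sed -E '/^[[:space:]]*(#|$)/d; s/[[:space:]]+/ /g; s/^ //; s/ $//' "$1"
}

# Print the hash option on the pam_unix.so password line, or "none".
pam_unix_hash() {
    pam_effective "$1" | awk '
        $1 == "password" && /pam_unix\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(yescrypt|gost_yescrypt|sha512|sha256|blowfish|bigcrypt|md5)$/) {
                    print $i; found = 1
                }
        }
        END { if (!found) print "none" }'
}

# Print per-file differences; return 1 if any file drifted or is missing.
pam_drift() {
    base=$1; live=$2; rc=0
    a=$(mktemp); b=$(mktemp)
    for f in "$base"/*; do
        name=$(basename "$f")
        [ -f "$live/$name" ] || { echo "$name: missing in $live"; rc=1; continue; }
        pam_effective "$f" > "$a"
        pam_effective "$live/$name" > "$b"
        if ! diff "$a" "$b" > /dev/null; then
            echo "$name:"
            diff "$a" "$b" | grep -E '^[<>]'
            rc=1
        fi
    done
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample: baseline = fresh-install copy, live = managed directory.
make_sample() {
    mkdir -p "$1/base" "$1/live"
    printf '# fresh install\npassword [success=1 default=ignore] pam_unix.so obscure yescrypt\n' > "$1/base/common-password"
    printf 'password\t[success=1 default=ignore]\tpam_unix.so obscure sha512\n' > "$1/live/common-password"
    printf 'session optional pam_systemd.so\n' > "$1/base/common-session"
    printf '# managed\nsession  optional  pam_systemd.so\n' > "$1/live/common-session"
}

d=$(mktemp -d); make_sample "$d"
pam_drift "$d/base" "$d/live" || echo "live hash: $(pam_unix_hash "$d/live/common-password")"
rm -rf "$d"
```

A non-zero return from `pam_drift` can gate a CI or acceptance run so that a hash downgrade in `common-password` is caught before the data is merged.
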

anders-larsson commented 1 year ago

Yeah, I realized after I had pasted my first message that it wasn't about #245 but there are in total 3 pull requests for Ubuntu 22.04 support :)

Let's hope at least one of them gets merged soon (and RHEL9 support too). Would be nice to be able to move back to the upstream module again.

treydock commented 1 year ago

This is superseded by #245

ghoneycutt commented 1 year ago

Thank you for your efforts!

Released in v3.10.0