Updates for Raspberry Pi 12 Bookworm

2024-07-23 14:18:32 -05:00
parent 9366d8b6d7
commit a17e2c6fe9
71 changed files with 488 additions and 39 deletions
--- a/roles/Password/files/nsswitch.conf
+++ b/roles/Password/files/nsswitch.conf
@@ -0,0 +1,19 @@
+# Begin /etc/nsswitch.conf
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+publickey: files
+
+hosts: files dns myhostname
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files
+
+netgroup: files
+
+# End /etc/nsswitch.conf
--- a/roles/Password/files/pam.d/atd
+++ b/roles/Password/files/pam.d/atd
@@ -0,0 +1,12 @@
+#%PAM-1.0
+
+auth		required	pam_unix.so
+auth		required	pam_env.so
+
+account		required	pam_access.so
+account		required	pam_unix.so
+account		required	pam_time.so
+
+session		required	pam_loginuid.so
+session		required	pam_limits.so
+session		required	pam_unix.so
--- a/roles/Password/files/pam.d/chfn
+++ b/roles/Password/files/pam.d/chfn
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_permit.so
--- a/roles/Password/files/pam.d/chpasswd
+++ b/roles/Password/files/pam.d/chpasswd
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
--- a/roles/Password/files/pam.d/chsh
+++ b/roles/Password/files/pam.d/chsh
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_permit.so
--- a/roles/Password/files/pam.d/crond
+++ b/roles/Password/files/pam.d/crond
@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+#
+# Although no PAM authentication is called, auth modules
+# are used for credential setting
+auth       include    system-auth
+account    required   pam_access.so
+account    include    system-auth
+session    required   pam_loginuid.so
+session    include    system-auth
--- a/roles/Password/files/pam.d/cups
+++ b/roles/Password/files/pam.d/cups
@@ -0,0 +1,3 @@
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
--- a/roles/Password/files/pam.d/groupmems
+++ b/roles/Password/files/pam.d/groupmems
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
--- a/roles/Password/files/pam.d/login
+++ b/roles/Password/files/pam.d/login
@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth       requisite    pam_nologin.so
+auth       include      system-local-login
+account    include      system-local-login
+session    include      system-local-login
+password   include      system-local-login
--- a/roles/Password/files/pam.d/newusers
+++ b/roles/Password/files/pam.d/newusers
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth
--- a/roles/Password/files/pam.d/nslcd.conf
+++ b/roles/Password/files/pam.d/nslcd.conf
@@ -0,0 +1 @@
+UiqiKXIU
--- a/roles/Password/files/pam.d/other
+++ b/roles/Password/files/pam.d/other
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth      required   pam_deny.so
+auth      required   pam_warn.so
+account   required   pam_deny.so
+account   required   pam_warn.so
+password  required   pam_deny.so
+password  required   pam_warn.so
+session   required   pam_deny.so
+session   required   pam_warn.so
--- a/roles/Password/files/pam.d/passwd
+++ b/roles/Password/files/pam.d/passwd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password	required	pam_unix.so sha512 shadow use_authtok
+password    sufficient  pam_ldap.so
+password	required	pam_unix.so sha512 shadow nullok
--- a/roles/Password/files/pam.d/passwd.pacnew
+++ b/roles/Password/files/pam.d/passwd.pacnew
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth
--- a/roles/Password/files/pam.d/postgresql
+++ b/roles/Password/files/pam.d/postgresql
@@ -0,0 +1,3 @@
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so
--- a/roles/Password/files/pam.d/remote
+++ b/roles/Password/files/pam.d/remote
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+auth       required     pam_securetty.so
+auth       requisite    pam_nologin.so
+auth       include      system-remote-login
+account    include      system-remote-login
+session    include      system-remote-login
+password   include      system-remote-login
--- a/roles/Password/files/pam.d/rlogin
+++ b/roles/Password/files/pam.d/rlogin
@@ -0,0 +1,13 @@
+#%PAM-1.0
+# For root login to succeed here with pam_securetty, "rlogin" must be
+# listed in /etc/securetty.
+auth       required     pam_nologin.so
+auth       required     pam_securetty.so
+auth       required     pam_env.so
+auth       sufficient   pam_rhosts.so
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session	   optional     pam_keyinit.so    force revoke
+session    required     pam_loginuid.so
+session    include      system-auth
--- a/roles/Password/files/pam.d/rsh
+++ b/roles/Password/files/pam.d/rsh
@@ -0,0 +1,11 @@
+#%PAM-1.0
+# For root login to succeed here with pam_securetty, "rsh" must be
+# listed in /etc/securetty.
+auth       required     pam_nologin.so
+auth       required     pam_securetty.so
+auth       required     pam_env.so
+auth       required     pam_rhosts.so
+account    include      system-auth
+session	   optional     pam_keyinit.so    force revoke
+session    required     pam_loginuid.so
+session    include      system-auth
--- a/roles/Password/files/pam.d/runuser
+++ b/roles/Password/files/pam.d/runuser
@@ -0,0 +1,4 @@
+#%PAM-1.0
+
+auth    sufficient      pam_rootok.so
+session include         system-login
--- a/roles/Password/files/pam.d/runuser-l
+++ b/roles/Password/files/pam.d/runuser-l
@@ -0,0 +1,4 @@
+#%PAM-1.0
+
+auth    sufficient      pam_rootok.so
+session include         system-login
--- a/roles/Password/files/pam.d/screen
+++ b/roles/Password/files/pam.d/screen
@@ -0,0 +1 @@
+auth		required	pam_unix.so
--- a/roles/Password/files/pam.d/sshd
+++ b/roles/Password/files/pam.d/sshd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-remote-login
+account   include   system-remote-login
+password  include   system-remote-login
+session   include   system-remote-login
--- a/roles/Password/files/pam.d/sssd-shadowutils
+++ b/roles/Password/files/pam.d/sssd-shadowutils
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     required      pam_permit.so
--- a/roles/Password/files/pam.d/su
+++ b/roles/Password/files/pam.d/su
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth        sufficient  pam_ldap.so
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth		required	pam_unix.so use_first_pass
+
+account     sufficient  pam_ldap.so
+account		required	pam_unix.so
+
+session     sufficient  pam_ldap.so
+session		required	pam_unix.so
--- a/roles/Password/files/pam.d/su-l
+++ b/roles/Password/files/pam.d/su-l
@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth        sufficient  pam_ldap.so
+auth		required	pam_unix.so use_first_pass
+account     sufficient  pam_ldap.so
+account		required	pam_unix.so
+session     sufficient  pam_ldap.so
+session		required	pam_unix.so
--- a/roles/Password/files/pam.d/su-l.pacnew
+++ b/roles/Password/files/pam.d/su-l.pacnew
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session	        required        pam_unix.so
+password        include         system-auth
--- a/roles/Password/files/pam.d/su.pacnew
+++ b/roles/Password/files/pam.d/su.pacnew
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session	        required        pam_unix.so
+password        include         system-auth
--- a/roles/Password/files/pam.d/sudo
+++ b/roles/Password/files/pam.d/sudo
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+session		include		system-auth
--- a/roles/Password/files/pam.d/system-auth
+++ b/roles/Password/files/pam.d/system-auth
@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+auth      sufficient pam_ldap.so
+auth      required  pam_unix.so     try_first_pass nullok
+auth      optional  pam_permit.so
+auth      required  pam_env.so
+
+account   sufficient pam_ldap.so
+account   required  pam_unix.so
+account   optional  pam_permit.so
+account   required  pam_time.so
+
+password  sufficient pam_ldap.so
+password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+password  optional  pam_permit.so
+
+session   required  pam_limits.so
+session   required  pam_unix.so
+session   optional  pam_ldap.so
+session   optional  pam_permit.so
--- a/roles/Password/files/pam.d/system-auth.pacnew
+++ b/roles/Password/files/pam.d/system-auth.pacnew
@@ -0,0 +1,27 @@
+#%PAM-1.0
+
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+-auth      [success=2 default=ignore]  pam_systemd_home.so
+auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+-account   [success=1 default=ignore]  pam_systemd_home.so
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
+
+-password  [success=1 default=ignore]  pam_systemd_home.so
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
+
+-session   optional                    pam_systemd_home.so
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so
--- a/roles/Password/files/pam.d/system-local-login
+++ b/roles/Password/files/pam.d/system-local-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login
--- a/roles/Password/files/pam.d/system-login
+++ b/roles/Password/files/pam.d/system-login
@@ -0,0 +1,19 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    include    system-auth
+session    optional   pam_motd.so          motd=/etc/motd
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+-session   optional   pam_systemd.so
+session    required   pam_env.so
+#session    required   pam_mkhomedir.so skel=/etc/skel umask=0027
--- a/roles/Password/files/pam.d/system-login.pacnew
+++ b/roles/Password/files/pam.d/system-login.pacnew
@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    optional   pam_keyinit.so       force revoke
+session    include    system-auth
+session    optional   pam_motd.so
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+session    optional   pam_umask.so
+-session   optional   pam_systemd.so
+session    required   pam_env.so
--- a/roles/Password/files/pam.d/system-remote-login
+++ b/roles/Password/files/pam.d/system-remote-login
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login
--- a/roles/Password/files/pam.d/system-services
+++ b/roles/Password/files/pam.d/system-services
@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth      sufficient  pam_permit.so
+
+account   include     system-auth
+
+session   optional    pam_loginuid.so
+session   required    pam_limits.so
+session   required    pam_unix.so
+session   optional    pam_permit.so
+session   required    pam_env.so
--- a/roles/Password/files/pam.d/systemd-user
+++ b/roles/Password/files/pam.d/systemd-user
@@ -0,0 +1,5 @@
+# Used by systemd --user instances.
+
+account  include system-login
+session  required pam_loginuid.so
+session  include system-login
--- a/roles/Password/files/pam.d/vlock
+++ b/roles/Password/files/pam.d/vlock
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_unix.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so