Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend | 74 |
1 files changed, 71 insertions, 3 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend
index 21e1d88ea..65a4d6d68 100644
--- a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_%.bbappend
@@ -1,7 +1,75 @@
 RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-localuser-${libpam_suffix}"
+RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-faillock-${libpam_suffix}"
+RDEPENDS:${PN}-runtime += "libpwquality"
+RDEPENDS:${PN}-runtime:remove = "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix}"
+RDEPENDS:${PN}-runtime:remove = "${MLPREFIX}pam-plugin-tally2-${libpam_suffix}"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+SRC_URI += " file://pam.d/common-password \
+ file://pam.d/common-account \
+ file://pam.d/common-auth \
+ file://pam.d/common-session \
+ file://faillock.conf \
+ file://convert-pam-configs.service \
+ file://convert-pam-configs.sh \
+ "
+
+inherit systemd
+SYSTEMD_SERVICE:${PN} += "convert-pam-configs.service"
+
+FILES:${PN} += "${bindir}/convert-pam-configs.sh \
+ ${systemd_system_unitdir}/convert-pam-configs.service \
+ "
 
-#Default settings lockout duration to 300 seconds and threshold value to 10
 do_install:append() {
- sed -i 's/deny=0/deny=10/' ${D}${sysconfdir}/pam.d/common-auth
- sed -i 's/unlock_time=0/unlock_time=300/' ${D}${sysconfdir}/pam.d/common-auth
+ install -d ${D}/etc/security
+ install -m 0644 ${WORKDIR}/faillock.conf ${D}/etc/security
+
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/convert-pam-configs.sh ${D}${bindir}
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/convert-pam-configs.service ${D}${systemd_system_unitdir}
 }
+
+#
+# Background:
+# 1. Linux-PAM modules tally2 and cracklib were removed in libpam_1.5,
+# which prompted OpenBMC to change to the faillock and pwquality modules.
+# The PAM config files under /etc/pam.d were changed accordingly.
+# 2. OpenBMC implementations store Redfish property values in PAM config files.
+# For example, the D-Bus property maxLoginAttemptBeforeLockout is stored in
+# /etc/pam.d/common-auth as the pam_tally2.so deny= parameter value.
+# 3. The /etc directory is readonly and has a readwrite overlayfs. That
+# means when a config file changes, an overlay file is created which hides
+# the readonly version.
+#
+# Problem scenario:
+# 1. Begin with a BMC that has a firmware image which has the old PAM
+# modules and the old PAM config files which have modified parameters.
+# For example, there is an overlay file for /etc/pam.d/common-auth.
+# 2. Perform a firmware update to a firmware image which has the new PAM
+# modules. The updated image will have not have the old PAM modules.
+# It will have the new PAM config files in its readonly file system and
+# the old PAM config files in its readwrite overlay.
+# 3. Note that PAM authentication will always fail at this point because
+# the old PAM config files in the overlay tell PAM to use the old PAM
+# modules which are not present on the system.
+#
+# Two possible recoveries are:
+# A. Factory reset the BMC. This will clear the readwrite overlay,
+# allowing PAM to use the readonly version.
+# B. Convert the old PAM config files to the new style. See below.
+#
+# Service: The convert-pam-configs.service updates the old-style PAM config
+# files on the BMC: it changes uses of the old modules to the new modules
+# and carries forward configuration parameters. A key point is that files
+# are written to *only* as needed to convert uses of the old modules to the
+# new modules. See the conversion tool for details.
+#
+# This service can be removed when the BMC no longer supports a direct
+# firware update path from a version which has the old PAM configs to a
+# version which has the new PAM configs.
+#
+# In case of downgrade, Factory reset is recommended. Current logic in existing
+# images won't be able to take care of these settings during downgrade.
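Review bot: The new do_install:append() installs faillock.conf under a hard-coded `${D}/etc/security` while the removed sed lines and the rest of the recipe use `${sysconfdir}`; use `install -d ${D}${sysconfdir}/security` and `install -m 0644 ${WORKDIR}/faillock.conf ${D}${sysconfdir}/security` so the file lands wherever the distro maps sysconfdir. The removed sed lines were the only place in this recipe that set `deny=10` and `unlock_time=300`, and the hunk does not show the contents of faillock.conf, so confirm it carries the same lockout threshold and duration, otherwise the account-lockout policy silently falls back to pam_faillock's compiled-in defaults after this change. The convert-pam-configs.service rewrites PAM files in the writable overlay at boot; its unit is not in this hunk, so it is worth verifying it is ordered before every service that performs authentication (sshd, bmcweb, and the like) and that the script is safe to re-run on an already-converted overlay. Two typos in the new comment block should be fixed while here: `The updated image will not have the old PAM modules.` and `firmware update path`.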