On 30.06.22 13:26, Shreyas.Karmahe@... wrote:From: Shreyas Karmahe <Shreyas.Karmahe@...>To enable and configure PAM for Remote and Local MFA Session VerificationSigned-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>--- .../security-customizations/files/postinst | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinstindex bb7d15b..843ce3c 100644--- a/recipes-core/security-customizations/files/postinst+++ b/recipes-core/security-customizations/files/postinst@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts PAM_PWD_FILE="/etc/pam.d/common-password" pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"+ +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
From: Shreyas Karmahe <Shreyas.Karmahe@...>To enable and configure PAM for Remote and Local MFA Session VerificationSigned-off-by: Shreyas Karmahe <Shreyas.Karmahe@...>--- .../security-customizations/files/postinst | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinstindex bb7d15b..843ce3c 100644--- a/recipes-core/security-customizations/files/postinst+++ b/recipes-core/security-customizations/files/postinst@@ -15,7 +15,8 @@ echo "127.0.0.1 $HOSTNAME" >> /etc/hosts PAM_PWD_FILE="/etc/pam.d/common-password" pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then- sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"+ +sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
fi sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT # CR2.10: Response to audit processing failures sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE++# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"+google_authenticator="auth required pam_google_authenticator.so nullok"+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"+fi+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"Dead code? Or forgotten to activate?+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"+# Enable PAM configuration for Remote Session+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
fi sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" @@ -49,3 +50,15 @@ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT # CR2.10: Response to audit processing failures sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE++# CR2.11: Enable Mutli Factor Authentication for Local and Remote Session+SSHD_AUTH_CONFIG="/etc/pam.d/common-auth"+google_authenticator="auth required pam_google_authenticator.so nullok"+if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then+ sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"+fi+#sed -i "0,/^auth.*/s/^auth.*/${google_authenticator}\n&/" "${SSHD_AUTH_CONFIG}"
+echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"+# Enable PAM configuration for Remote Session+sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"+echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
© 2023 Groups.io
