From 70e535f4073f219b6905fe82326ac1563d5c09ad Mon Sep 17 00:00:00 2001 From: "A. Wilcox" Date: Wed, 8 May 2019 23:50:33 +0000 Subject: user/linux-pam: harden configuration Refuse to allow logins for accounts with no password. --- system/linux-pam/APKBUILD | 16 ++++++++-------- system/linux-pam/base-account.pamd | 4 +++- system/linux-pam/base-auth.pamd | 6 ++++-- system/linux-pam/base-password.pamd | 6 ++++-- system/linux-pam/base-session-noninteractive.pamd | 4 +++- system/linux-pam/base-session.pamd | 5 ++++- system/linux-pam/other.pamd | 4 +++- system/linux-pam/su.pamd | 7 ++++++- 8 files changed, 35 insertions(+), 17 deletions(-) diff --git a/system/linux-pam/APKBUILD b/system/linux-pam/APKBUILD index 431478d7f..0d1221a0d 100644 --- a/system/linux-pam/APKBUILD +++ b/system/linux-pam/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox pkgname=linux-pam pkgver=1.3.1 -pkgrel=1 +pkgrel=2 pkgdesc="Pluggable Authentication Modules" url="https://www.kernel.org/pub/linux/libs/pam" arch="all" 
@@ -87,10 +87,10 @@ sha512sums="6bc8e2a5b64686f0a23846221c5228c88418ba485b17c53b3a12f91262b5bb73566d f49edf3876cc6bcb87bbea4e7beaeb0a382d596898c755f5fbaf6c2ed4e0c8f082b2cd16dde8a74af82bb09a1334f463e07a4bb5b8a48f023ff90a67ad2fdd44 libpam-fix-build-with-eglibc-2.16.patch 82fb1ec27b370ed5d30451f31aecbacf94ff8aff9db52e79090466dcdd1b1b2c18ca7e0641b1b51a3ed78ea7203fe9464b50f63d6dbf661e10f68366c79196ae musl-fix-pam_exec.patch 8352c0bd36f776251143d1e73d92a1e746e8f23778462e441cc989afd4204887aca6b310d87ab8e5b315b13c4ad1225c87531b71a0fef693772fc7e12bcde418 use-utmpx.patch -0672ab21adb969af2a0082e2559f1196d8a4f8b1cff2836f97e5f24edb03b6aed156c61cf335a4df978e423dcd9934ffee8cb5784ed5dde704d7e5ddec4ba9f6 base-auth.pamd -85462201a4044c7e170e617d39b0eceb4790abc6c0504999117548030a16d80a9d2078d1ad97690d7d346e6374201f0c52e792ccb08ce2b1c4bbf0cc2be96f5b base-account.pamd -8223b815148c3b9b874d2c283840f6428c266e56c7cf49ce8fc508c4945ae31c837bef96dab17f64a60812d1c9cd0055cf0a50d7951d23070b69bd2e5bb9666d base-password.pamd -b0138f662715974bd865d755c5e7d403faf5b9ad1b7e2b1d1598ad7eb5764a9ff407f1a5e6ce7f16db9fc10f8d643323b494563416fd6a654032529b52213c5b base-session.pamd -444e20046843057b17c0aac14d2b71a68923b989b3d8b478bbf684698673683186e928e5ca2e6cb9a1c76abc4248044a0e10ef6b06b3f51857106796ecce250d base-session-noninteractive.pamd -d103ba06b2c4929171e09c845f9866539220cd20d8d56a03d25850342ef5eabe281e958dfe1eaefd550c00f9440e8700c1d74c88c3001f933134ca6fd7cb9b7b other.pamd -b512d691f2a6b11fc329bf91dd05ca9c589bbd444308b27d3c87c75262dedf6afc68a9739229249a4bd3d0c43cb1f871eecbb93c4fe559e0f38bdabbffd06ad7 su.pamd" +2df1d45af0f32ed3755fde2771129f73f28761e0c5d8b08ca880a0206c6eaa3a32cc1bcf27045b960f33d062cff901220acd535e319ae3c4368614dada08cd2a base-auth.pamd +62144e8f785ce324771465017a27b9a538856ba120d80d1181f5b1012d56170b712c4cd9d018ee51af387a2cdf0442c14f7d07d556abcb2e2bea54bca2c4c262 base-account.pamd 
+b8e6f5cf4ada79470be9f24cd414dd1bb7918ad2c973d2e19134e27016596142d32b593fff0b9f15b58dc2e9af52763070fe11667815e649c09aef5580f5bc95 base-password.pamd +59b746dbd220ccf7217f5dc01c8c2554bb18a37b48f966b63dcb189e07a19ab0b0187511fed232f26f326d734ee32fa7fd47e0194d6ebd4bed5766247165d553 base-session.pamd +2d42a0a8781a71405ca4512bb32c409ac73cbed0fc4d0bf9483f7825feae0976fd04ef2002f0a8fe4b9ff69a6b98dae060685b4da47769b09b6020a1e5ff0ef0 base-session-noninteractive.pamd +862df6a009dea562e46242552fdbcfa8bc0ebc8abbaa9cf91eae106f9e41557209dfa98cc49968fed05ca9427cb5748ff158433e3502cf80729b050e85cbd60c other.pamd +1676ee7a95041a3a9c3e3ae03bd714d72b9a47759c1b6c28511071c949df828e5f22814f3751ae4e01bb6dab4444369eeadd3d6e57a0ac8996901e6f0be97296 su.pamd" diff --git a/system/linux-pam/base-account.pamd b/system/linux-pam/base-account.pamd index 591092944..5b73e8509 100644 --- a/system/linux-pam/base-account.pamd +++ b/system/linux-pam/base-account.pamd @@ -1,3 +1,5 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. + +# This file contains the system-wide PAM configuration for account management. account required pam_unix.so diff --git a/system/linux-pam/base-auth.pamd b/system/linux-pam/base-auth.pamd index 012445aa3..8c7847a43 100644 --- a/system/linux-pam/base-auth.pamd +++ b/system/linux-pam/base-auth.pamd @@ -1,5 +1,7 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. + +# This file contains the system-wide PAM configuration for authentication. auth required pam_env.so -auth required pam_unix.so nullok_secure +auth required pam_unix.so auth required pam_nologin.so successok diff --git a/system/linux-pam/base-password.pamd b/system/linux-pam/base-password.pamd index a146a93fe..72065a2dc 100644 --- a/system/linux-pam/base-password.pamd +++ b/system/linux-pam/base-password.pamd 
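Review bot: The new `auth required pam_unix.so` line in base-auth.pamd drops `nullok_secure` with no comment in the file, so an administrator reading the installed configuration gets no hint why a passwordless account that used to log in on a secure tty is now refused. I would add above that line `# Accounts with an empty password are refused; append "nullok" to pam_unix.so to allow them.` If existing installs can carry such an account (for example a root account left without a password after installation, which this diff does not show), the upgrade to pkgrel=2 would lock it out of every service that includes base-auth, so a release note or install-time notice seems worth having. The same commit removes `nullok` from base-password.pamd, which presumably also stops such a user from setting a first password without root's help.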
@@ -1,3 +1,5 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. -password required pam_unix.so nullok obscure md5 sha512 +# This file contains the system-wide PAM configuration for passwords. + +password required pam_unix.so obscure sha512 minlen=8 diff --git a/system/linux-pam/base-session-noninteractive.pamd b/system/linux-pam/base-session-noninteractive.pamd index 85e07d594..b54bf0f27 100644 --- a/system/linux-pam/base-session-noninteractive.pamd +++ b/system/linux-pam/base-session-noninteractive.pamd @@ -1,4 +1,6 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. + +# This file contains the system-wide PAM configuration for session management. session required pam_limits.so session required pam_unix.so diff --git a/system/linux-pam/base-session.pamd b/system/linux-pam/base-session.pamd index bf5bcb734..973b93ada 100644 --- a/system/linux-pam/base-session.pamd +++ b/system/linux-pam/base-session.pamd @@ -1,4 +1,7 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. + +# This file contains the system-wide PAM configuration for session management +# for interactive logins. session include base-session-noninteractive session required pam_motd.so diff --git a/system/linux-pam/other.pamd b/system/linux-pam/other.pamd index 8c9797e71..9880ee1e0 100644 --- a/system/linux-pam/other.pamd +++ b/system/linux-pam/other.pamd @@ -1,4 +1,6 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. + +# This file ensures that the system-wide PAM configuration is read by default. auth include base-auth account include base-account diff --git a/system/linux-pam/su.pamd b/system/linux-pam/su.pamd index 84f2ae7ea..d2cd9eb13 100644 --- a/system/linux-pam/su.pamd +++ b/system/linux-pam/su.pamd 
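Review bot: In base-password.pamd the new line `password required pam_unix.so obscure sha512 minlen=8` keeps `obscure`, which as far as I know comes from Debian's pam_unix patch and is not an option upstream Linux-PAM 1.3.1 recognises. None of the patches visible in the APKBUILD checksum list looks like it adds it, but that list is cut off above the hunk, so this needs confirming against the full source list. If the option is unknown, pam_unix would log it as unrecognised and ignore it, leaving `minlen=8` as the only quality check on new passwords. I would either drop it, `password required pam_unix.so sha512 minlen=8`, or, if strength checks are wanted and the package builds it, place a dedicated quality module such as `pam_cracklib.so` ahead of pam_unix in this stack.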
@@ -1,4 +1,9 @@ -# basic PAM configuration for Alpine. +# Welcome to Adélie Linux. + +# This file allows root to become any user without needing that user's +# password, via pam_rootok.so. +# If you do not wish to allow this behaviour, simply remove that line. + auth sufficient pam_rootok.so auth include base-auth account include base-account -- cgit v1.2.3-60-g2f50