diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh
index 7491f465d7c..66ef54e7281 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/ubuntu.sh
@@ -2,4 +2,5 @@
 {{{ bash_instantiate_variables("var_password_pam_retry") }}}
-{{{ bash_ensure_pam_module_options('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', 'retry', "$var_password_pam_retry", "$var_password_pam_retry") }}}
+{{{ bash_pam_pwquality_enable() }}}
+{{{ bash_pam_pwquality_parameter_value('retry', "$var_password_pam_retry") }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
index e6e6619b9a7..02bd487048c 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/common.sh
@@ -15,6 +15,9 @@ for file in ${configuration_files[@]}; do
     "/etc/authselect/custom/testingProfile/$file"
 done
 authselect select --force custom/testingProfile
+{{% elif 'ubuntu' in product %}}
+rm -f /usr/share/pam-configs/pwquality
+DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 for file in ${configuration_files[@]}; do
     sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"
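Review bot: In the new `elif 'ubuntu' in product` branch of common.sh, `rm -f /usr/share/pam-configs/pwquality` deletes a file shipped by the pwquality package and then relies on a bare `pam-auth-update` run to notice that the profile has vanished; the documented way to drop a profile is `DEBIAN_FRONTEND=noninteractive pam-auth-update --remove pwquality`, which regenerates the `/etc/pam.d/common-*` files and records the choice, so I would use that rather than (or in addition to) removing the file. The reset also leaves the `cac_pwquality` profile that this commit's `bash_pam_pwquality_enable` macro creates untouched, so on a machine where the remediation has already run pam_pwquality.so presumably stays in common-password before the scenario body executes; removing that profile here as well would make the reset complete. Keeping `DEBIAN_FRONTEND=noninteractive` is right, since without it pam-auth-update can block on a debconf prompt.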
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh index 51e4ad0062d..09fa74127c3 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/correct_value.pass.sh @@ -4,6 +4,19 @@ source common.sh +{{% if 'ubuntu' in product %}} +cat << EOF > /usr/share/pam-configs/pwquality +Name: Pwquality password strength checking +Default: yes +Priority: 1024 +Conflicts: cracklib +Password-Type: Primary +Password: + requisite pam_pwquality.so retry=3 +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +{{% else %}} for file in ${configuration_files[@]}; do {{{ bash_ensure_pam_module_option('/etc/pam.d/$file', 'password', @@ -13,3 +26,4 @@ for file in ${configuration_files[@]}; do '3', '^\s*account') }}} done +{{% endif %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh index 5d2d908e8ac..a31d2849880 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/tests/wrong_value.fail.sh 
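Review bot: The Ubuntu branch of this pass scenario puts `retry=3` as a module argument on the `requisite pam_pwquality.so` line of `/usr/share/pam-configs/pwquality`, whereas the remediation in the same commit (ubuntu.sh via `bash_pam_pwquality_parameter_value`) leaves the PAM line bare and writes `retry = 3` to `/etc/security/pwquality.conf`, so the scenario never exercises the state the remediation actually produces and implicitly assumes the check accepts either location, which is not visible here. I would add a second Ubuntu pass scenario (or switch this one) that writes a bare `requisite pam_pwquality.so` profile line plus `retry = 3` in pwquality.conf, mirroring the `cac_pwquality` profile the macro generates, and keep the PAM-argument form as a separate case; wrong_value.fail.sh has the same shape with `retry=7`. As a minor point, quoting the delimiter, `cat << 'EOF'`, documents that no expansion is intended in the profile body.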
@@ -4,6 +4,19 @@ source common.sh +{{% if 'ubuntu' in product %}} +cat << EOF > /usr/share/pam-configs/pwquality +Name: Pwquality password strength checking +Default: yes +Priority: 1024 +Conflicts: cracklib +Password-Type: Primary +Password: + requisite pam_pwquality.so retry=7 +EOF + +DEBIAN_FRONTEND=noninteractive pam-auth-update +{{% else %}} for file in ${configuration_files[@]}; do {{{ bash_ensure_pam_module_option('/etc/pam.d/$file', 'password', @@ -13,3 +26,5 @@ for file in ${configuration_files[@]}; do '7', '^\s*account') }}} done +{{% endif %}} + diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index ee8ed93cafc..6714c0f3ac0 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -847,6 +847,28 @@ fi {{%- endmacro -%}} +{{# + Enable pam_pwquality.so PAM module by using pam-auth-update. + This option is only recommended when pam-auth-update tool is available for the system. +#}} +{{%- macro bash_pam_pwquality_enable() -%}} +conf_name=cac_pwquality +if [ ! -f /usr/share/pam-configs/"$conf_name" ]; then + cat << EOF > /usr/share/pam-configs/"$conf_name" +Name: Pwquality password strength checking +Default: yes +Priority: 1025 +Conflicts: cracklib, pwquality +Password-Type: Primary +Password: + requisite pam_pwquality.so +EOF +fi + +DEBIAN_FRONTEND=noninteractive pam-auth-update +{{%- endmacro -%}} + + {{# Validate an authselect custom profile integrity and ensures the correct file path is defined in the "PAM_FILE_PATH" variable. The macros which change PAM files are the same regardless of 
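Review bot: `bash_pam_pwquality_enable` writes `/usr/share/pam-configs/cac_pwquality` only when the file is absent and then runs a bare `pam-auth-update`; a profile that was previously seen and disabled by an administrator is presumably not re-enabled by a non-interactive run, so the remediation can finish with pam_pwquality.so still absent from common-password. Naming the profile explicitly, `DEBIAN_FRONTEND=noninteractive pam-auth-update --enable "$conf_name"`, makes the enable step unconditional, and since the profile content is fixed, writing it unconditionally instead of behind `[ ! -f ... ]` would also correct a stale copy left by an earlier version. `conf_name` is an unprefixed global in the generated remediation script and the macro comment says it is only meant where pam-auth-update exists, so a `command -v pam-auth-update` guard (or a comment stating the assumption) would help. Quoting the here-doc delimiter, `cat << 'EOF'`, documents that no expansion is intended.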
@@ -1052,6 +1074,38 @@ fi {{%- endmacro -%}} +{{# + Sets PAM pwquality module options and values. The module argument is not removed from pam files + since it is not inserted there in Ubuntu case. + It also assume pam_pwquality.so is added as required module for account. + +:param option: pwquality option eg. retry, minlen, dcredit +:type option: str +:param value: value of option +:type value: str + +#}} +{{%- macro bash_pam_pwquality_parameter_value(option, value='') -%}} +PWQUALITY_CONF="/etc/security/pwquality.conf" + {{%- if value == '' %}} + regex="^\s*{{{ option }}}" + line="{{{ option }}}" + {{%- else %}} + regex="^\s*{{{ option }}}\s*=" + line="{{{ option }}} = {{{ value }}}" + {{%- endif %}} + if ! grep -q $regex $PWQUALITY_CONF; then + echo $line >> $PWQUALITY_CONF + {{%- if value == '' %}} + fi + {{%- else %}} + else + sed -i --follow-symlinks 's|^\s*\({{{ option }}}\s*=\s*\)\(\S\+\)|\1'"{{{ value }}}"'|g' $PWQUALITY_CONF + fi + {{%- endif %}} +{{%- endmacro -%}} + + {{# Print a message to stderr and exit the shell