summaryrefslogtreecommitdiffstats
path: root/perl-install/authentication.pm
diff options
context:
space:
mode:
Diffstat (limited to 'perl-install/authentication.pm')
-rw-r--r--perl-install/authentication.pm140
1 files changed, 60 insertions, 80 deletions
diff --git a/perl-install/authentication.pm b/perl-install/authentication.pm
index 7c7157ce9..55491edfb 100644
--- a/perl-install/authentication.pm
+++ b/perl-install/authentication.pm
@@ -1,8 +1,8 @@
-package authentication; # $Id: authentication.pm 269894 2010-06-05 20:50:23Z tv $
+package authentication;
use common;
-my ($authentication) = @_;
+my $authentication;
sub kinds {
my $no_para = @_ == 0;
@@ -47,15 +47,15 @@ my %kind2nsswitch = (
winbind => ['winbind'],
);
-my $lib = (arch() =~ /x86_64/ ? 'lib64' : 'lib');
+my $lib = get_libdir();
my %kind2packages = (
local => [],
SmartCard => [ 'castella-pam' ],
- LDAP => [ 'openldap-clients', 'nss_ldap', 'pam_ldap', 'autofs', 'nss_updatedb' ],
- KRB5 => [ 'nss_ldap', 'pam_krb5', "${lib}sasl2-plug-gssapi", 'nss_updatedb' ],
+ LDAP => [ 'openldap-clients', 'nss-pam-ldapd', 'autofs', 'nss_updatedb' ],
+ KRB5 => [ 'nss-pam-ldapd', 'pam_krb5', "${lib}sasl2-plug-gssapi", 'nss_updatedb' ],
NIS => [ 'ypbind', 'autofs' ],
- winbind => [ 'samba-winbind', 'nss_ldap', 'pam_krb5', "${lib}sasl2-plug-gssapi" ],
+ winbind => [ 'samba-winbind', 'nss-pam-ldapd', 'pam_krb5', "${lib}sasl2-plug-gssapi" ],
);
@@ -98,9 +98,6 @@ sub ask_parameters {
if ($kind eq 'LDAP') {
$authentication->{LDAPDOMAIN} ||= domain_to_ldap_domain($net->{resolv}{DOMAINNAME});
- #$authentication->{anonymous} = "0";
- #$authentication->{cafile} = "0";
- #$authentication->{nssgrp} = "0";
$authentication->{ccreds} = 1;
# this package must be installed for 'Fetch DN' button to actually work
@@ -113,10 +110,10 @@ sub ask_parameters {
{},
{ label => N("LDAP Server"), val => \$authentication->{LDAP_server} },
{ label => N("Base dn"), val => \$authentication->{LDAPDOMAIN} },
- { val => N("Fetch base Dn "), type => button , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 } },
+ { val => N("Fetch base Dn "), type => 'button' , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 } },
{},
{ text => N("Use encrypt connection with TLS "), val => \$authentication->{cafile}, type => 'bool' },
- { val => N("Download CA Certificate "), type => button , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } },
+ { val => N("Download CA Certificate "), type => 'button' , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } },
{ text => N("Use Disconnect mode "), val => \$authentication->{ccreds}, type => 'bool' },
{ text => N("Use anonymous BIND "), val => \$authentication->{anonymous}, type => 'bool' , advanced => 1 },
@@ -168,10 +165,10 @@ my %level = (
{},
{ label => N("LDAP Server"), val => \$authentication->{LDAP_server}, disabled => sub { $authentication->{nsskrb} eq "1" } },
{ label => N("Base dn"), val => \$authentication->{LDAPDOMAIN} , disabled => sub { $authentication->{nsskrb} eq "1" } },
- { val => N("Fecth base Dn "), type => button , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 }, disabled => sub { $authentication->{nsskrb} eq "1" } },
+ { val => N("Fetch base DN "), type => 'button' , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 }, disabled => sub { $authentication->{nsskrb} eq "1" } },
{},
{ text => N("Use encrypt connection with TLS "), val => \$authentication->{cafile}, type => 'bool',, disabled => sub { $authentication->{nsskrb} eq "1" } },
- { val => N("Download CA Certificate "), type => button , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } },
+ { val => N("Download CA Certificate "), type => 'button' , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } },
{ text => N("Use anonymous BIND "), val => \$authentication->{anonymous}, type => 'bool', disabled => sub { $authentication->{nsskrb} eq "1" } },
{ label => N("Bind DN "), val => \$authentication->{LDAP_binddn}, disabled => sub { !$authentication->{anonymous} } },
{ label => N("Bind Password "), val => \$authentication->{LDAP_bindpwd}, disabled => sub { !$authentication->{anonymous} } },
@@ -275,6 +272,8 @@ sub get() {
my $authentication = {
blowfish => to_bool($system_auth =~ /\$2a\$/),
md5 => to_bool($system_auth =~ /md5/),
+ sha256 => to_bool($system_auth =~ /sha256/),
+ sha512 => to_bool($system_auth =~ /sha512/),
shadow => to_bool($system_auth =~ /shadow/),
};
@@ -328,7 +327,6 @@ sub set_raw {
my $pam_modules = $kind2pam_kind{$kind} or log::l("kind2pam_kind does not know $kind");
$pam_modules ||= [];
- sshd_config_UsePAM(@$pam_modules > 0);
set_pam_authentication($pam_modules, $authentication->{ccreds});
my $nsswitch = $kind2nsswitch{$kind} or log::l("kind2nsswitch does not know $kind");
@@ -337,7 +335,7 @@ sub set_raw {
if ($kind eq 'local') {
-output($conf_file, <<EOF);
+ output($conf_file, <<EOF);
auth=Local File
server=none
realm=none
@@ -350,7 +348,7 @@ EOF
configure_nss_ldap($authentication);
-output($conf_file, <<EOF);
+ output($conf_file, <<EOF);
auth=LDAP Directory
server=$authentication->{LDAP_server}
realm=$authentication->{LDAPDOMAIN}
@@ -365,7 +363,7 @@ EOF
configure_krb5_for_AD($authentication);
configure_nss_ldap($authentication);
-output($conf_file, <<EOF);
+ output($conf_file, <<EOF);
auth=Kerberos 5
server=$authentication->{AD_server}
realm=$authentication->{AD_domain}
@@ -397,14 +395,12 @@ EOF
run_program::rooted($::prefix, 'service', 'ypbind', 'restart');
});
-output($conf_file, <<EOF);
+ output($conf_file, <<EOF);
auth=$kind
server=$NIS_server
realm=$domain
EOF
-# } elsif ($kind eq 'winbind' || $kind eq 'AD' && $authentication->{subkind} eq 'winbind') {
-
} elsif ($kind eq 'winbind') {
my $domain = uc $authentication->{WINDOMAIN};
@@ -423,11 +419,11 @@ EOF
$when_network_is_up->(sub {
run_program::raw({ root => $::prefix, sensitive_arguments => 1 },
- #'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass});
+ #'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass});
'echo', '"', 'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass}, '"');
});
-output($conf_file, <<EOF);
+ output($conf_file, <<EOF);
auth=Windows NT4 Domain
server= none
realm=$domain
@@ -457,8 +453,8 @@ EOF
run_program::rooted($::prefix, 'service', 'winbind', 'restart');
});
-#FIXME: perhaps save the defaults values ?
-output($conf_file, <<EOF);
+ #FIXME: perhaps save the defaults values ?
+ output($conf_file, <<EOF);
auth=Windows Active Directory Domain
server= none
realm=$realm
@@ -485,11 +481,9 @@ sub pam_format_line {
sub get_raw_pam_authentication() {
my %before_deny;
foreach (cat_("$::prefix/etc/pam.d/system-auth")) {
- #my ($type, $control, $module, @para) = split;
my ($type, $_control, $other) = /(\S+)\s+(\[.*?\]|\S+)\s+(.*)/;
my ($module, @para) = split(' ', $other);
if ($module = pam_module_from_path($module)) {
- #$before_deny{$type}{$module} = \@para if $control eq 'sufficient' && member($module, pam_modules());
$before_deny{$type}{$module} = \@para if member($module, pam_modules());
}
}
@@ -530,25 +524,18 @@ sub pam_sufficient_line {
sub set_pam_authentication {
- #my (@authentication_kinds) = @_;
- my ($authentication_kinds, $ccreds) = @_;
+ my ($authentication_kinds, $o_ccreds) = @_;
my %special = (
- #auth => [ difference2(\@authentication_kinds,, [ 'mount' ]) ],
- #account => [ difference2(\@authentication_kinds, [ 'castella', 'mount' ]) ],
- #password => [ intersection(\@authentication_kinds, [ 'ldap', 'krb5' ]) ],
auth => [ difference2($authentication_kinds,, [ 'mount' ]) ],
account => [ difference2($authentication_kinds, [ 'castella', 'mount', 'ccreds' ]) ],
password => [ intersection($authentication_kinds, [ 'ldap', 'krb5', 'ccreds' ]) ],
);
my %before_first = (
- #auth => member('mount', @authentication_kinds) ? pam_format_line('auth', 'required', 'pam_mount') : '',
auth => member('mount', @$authentication_kinds) ? pam_format_line('auth', 'required', 'pam_mount') : '',
session =>
- #intersection(\@authentication_kinds, [ 'winbind', 'krb5', 'ldap' ])
intersection($authentication_kinds, [ 'winbind', 'krb5', 'ldap' ])
? pam_format_line('session', 'optional', 'pam_mkhomedir', 'skel=/etc/skel/', 'umask=0022') :
- #member('castella', @authentication_kinds)
member('castella', @$authentication_kinds)
? pam_format_line('session', 'optional', 'pam_castella') : '',
);
@@ -561,7 +548,6 @@ sub set_pam_authentication {
);
substInFile {
- #my ($type, $control, $module, @para) = split;
my ($type, $control, $other) = /(\S+)\s+(\[.*?\]|\S+)\s+(.*)/;
my ($module, @para) = split(' ', $other);
if ($module = pam_module_from_path($module)) {
@@ -585,16 +571,15 @@ sub set_pam_authentication {
(map { [ "pam_$_" ] } @$ask),
);
push @{$l[-1]}, @para_for_last;
- #$_ = join('', map { pam_format_line($type, 'sufficient', @$_) } @l);
- ### $_ = join('', map { pam_format_line($type, sufficient($ccreds, $_->[0], $type), @$_) } @l);
- $_ = join('', map { pam_sufficient_line($ccreds, $type, @$_) } @l);
+
+ $_ = join('', map { pam_sufficient_line($o_ccreds, $type, @$_) } @l);
if ($control eq 'required') {
#- ensure a pam_deny line is there. it will be added below
($module, @para) = ('pam_deny');
}
- if ($type eq 'auth' && $ccreds) {
+ if ($type eq 'auth' && $o_ccreds) {
$_ .= pam_format_line('auth', '[default=done]', 'pam_ccreds', 'action=validate use_first_pass');
$_ .= pam_format_line('auth', '[default=done]', 'pam_ccreds', 'action=store');
$_ .= pam_format_line('auth', '[default=bad]', 'pam_ccreds', 'action=update');
@@ -604,7 +589,7 @@ sub set_pam_authentication {
if (member($module, 'pam_deny', 'pam_permit')) {
$_ .= pam_format_line($type, $control,
- $type eq 'account' && $ccreds ? 'pam_permit' : 'pam_deny');
+ $type eq 'account' && $o_ccreds ? 'pam_permit' : 'pam_deny');
}
if (my $s = delete $before_first{$type}) {
$_ = $s . $_;
@@ -619,14 +604,11 @@ sub set_pam_authentication {
}
sub set_nsswitch_priority {
- #my (@kinds) = @_;
my ($kinds, $connected) = @_;
my @known = qw(nis ldap winbind compat);
substInFile {
if (my ($database, $l) = /^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {
my @l = difference2([ split(' ', $l) ], \@known);
- # $_ = $database . join(' ', uniq('files', @kinds, @l)) . "\n";
- #}
$_ = $database . join(' ', uniq('files', @$kinds, @l)) . "\n";
}
if (/^\s*(?:passwd|group):/) {
@@ -669,7 +651,7 @@ sub read_ldap_conf() {
my %conf = map {
s/^\s*#.*//;
if_(_after_read_ldap_line($_) =~ /(\S+)\s+(.*)/, $1 => $2);
- } cat_("$::prefix/etc/ldap.conf");
+ } cat_("$::prefix/etc/nslcd.conf");
\%conf;
}
@@ -689,7 +671,7 @@ sub update_ldap_conf {
$_ .= _pre_write_ldap_line("$cmd $val\n");
}
}
- } "$::prefix/etc/ldap.conf";
+ } "$::prefix/etc/nslcd.conf";
}
sub configure_krb5_for_AD {
@@ -713,12 +695,12 @@ sub configure_krb5_for_AD {
$uc_domain = {
kdc = $authentication->{AD_server}:88
admin_server = $authentication->{AD_server}:749
- default_domain = $authentication->{DNS_domain}
+ default_domain = $authentication->{AD_domain}
}
EOF
domain_realm => <<EOF,
- .$authentication->{DNS_domain} = $uc_domain
- $authentication->{DNS_domain} = $uc_domain
+ .$authentication->{AD_domain} = $uc_domain
+ $authentication->{AD_domain} = $uc_domain
EOF
kdc => <<'EOF',
profile = /etc/kerberos/krb5kdc/kdc.conf
@@ -800,18 +782,6 @@ sub krb5_conf_update {
}
-sub sshd_config_UsePAM {
- my ($UsePAM) = @_;
- my $sshd = "$::prefix/etc/ssh/sshd_config";
- -e $sshd or return;
-
- my $val = "UsePAM " . bool2yesno($UsePAM);
- substInFile {
- $val = '' if s/^#?UsePAM.*/$val/;
- $_ .= "$val\n" if eof && $val;
- } $sshd;
-}
-
sub query_srv_names {
my ($domain) = @_;
@@ -829,7 +799,7 @@ sub enable_shadow() {
sub salt {
my ($nb) = @_;
require devices;
- open(my $F, devices::make("urandom")) or die "missing urandom";
+ open(my $F, "/dev/urandom") or die "missing urandom";
my $s; read $F, $s, $nb;
$s = pack("b8" x $nb, unpack "b6" x $nb, $s);
$s =~ tr|\0-\x3f|0-9a-zA-Z./|;
@@ -842,9 +812,23 @@ sub user_crypted_passwd {
require utf8;
utf8::encode($u->{password}); #- we don't want perl to do "smart" things in crypt()
- crypt($u->{password},
- !$authentication || $authentication->{blowfish} ? '$2a$08$' . salt(60) :
- $authentication->{md5} ? '$1$' . salt(8) : salt(2));
+ # Default to sha512
+ $authentication = { sha512 => 1 } unless $authentication;
+
+ my $salt;
+ if ($authentication->{blowfish}) {
+ $salt = '$2a$08$' . salt(60);
+ } elsif ($authentication->{md5}) {
+ $salt = '$1$' . salt(8);
+ } elsif ($authentication->{sha256}) {
+ $salt = '$5$' . salt(32);
+ } elsif ($authentication->{sha512}) {
+ $salt = '$6$' . salt(64);
+ } else {
+ $salt = salt(2);
+ }
+
+ crypt($u->{password}, $salt);
} else {
$u->{pw} || '';
}
@@ -888,15 +872,14 @@ sub pack_passwd {
}
sub add_cafile() {
- my $file;
my $in = interactive->vnew;
- $file = $in->ask_filename({ title => N("Select file") }) or return;
+ $in->ask_filename({ title => N("Select file") }) or return;
}
sub auth() {
my $in = interactive->vnew;
$in->ask_from('', N(" "), [
- { label => N("Domain Windows for authentication : " , $authentication->{WINDOMAIN}) },
+ { label => N("Domain Windows for authentication : ") . $authentication->{WINDOMAIN} },
{},
{ label => N("Domain Admin User Name"), val => \$authentication->{winuser} },
{ label => N("Domain Admin Password"), val => \$authentication->{winpass}, hidden => 1 },
@@ -915,7 +898,6 @@ sub list_domains() {
}
sub get_server_for_domain {
my $smb = fs::remote::smb->new;
- my %domains;
foreach my $server ($smb->find_servers) {
return $server->{name} if $server->{group} == $_[0];
}
@@ -930,28 +912,26 @@ sub fetch_dn {
sub configure_nss_ldap {
my ($authentication) = @_;
- #my $authentication->{domain} = $authentication->{LDAPDOMAIN} || do {
- # my $s = run_program::rooted_get_stdout($::prefix, 'ldapsearch', '-x', '-h', $authentication->{LDAP_server}, '-b', '', '-s', 'base', '+');
- # first($s =~ /namingContexts: (.+)/);
- #} or log::l("no ldap domain found on server $authentication->{LDAP_server}"), return;
update_ldap_conf(
- host => $authentication->{LDAP_server},
+ uri => $authentication->{cafile} eq '1' ? "ldaps://" . $authentication->{LDAP_server} . "/" : "ldap://" . $authentication->{LDAP_server} . "/",
base => $authentication->{LDAPDOMAIN},
);
if ($authentication->{nssgrp} eq '1') {
update_ldap_conf(
- nss_base_shadow => $authentication->{nss_shadow} . "?sub",
- nss_base_passwd => $authentication->{nss_pwd} . "?sub",
- nss_base_group => $authentication->{nss_grp} . "?sub",
+ 'base shadow' => $authentication->{nss_shadow},
+ 'base passwd' => $authentication->{nss_pwd},
+ 'base group' => $authentication->{nss_grp},
+ scope => "sub",
);
} else {
update_ldap_conf(
- nss_base_shadow => $authentication->{LDAPDOMAIN} . "?sub",
- nss_base_passwd => $authentication->{LDAPDOMAIN} . "?sub",
- nss_base_group => $authentication->{LDAPDOMAIN} . "?sub",
+ 'base shadow' => $authentication->{LDAPDOMAIN},
+ 'base passwd' => $authentication->{LDAPDOMAIN},
+ 'base group' => $authentication->{LDAPDOMAIN},
+ scope => "sub",
);
}
if ($authentication->{anonymous} eq '1') {
@@ -964,7 +944,7 @@ sub configure_nss_ldap {
if ($authentication->{cafile} eq '1') {
update_ldap_conf(
ssl => "on",
- tls_checkpeer => "yes",
+ tls_reqcert => "allow",
tls_cacertfile => $authentication->{file},
);
}
generated by cgit v1.2.1 (git 2.21.0) at 2025-10-23 14:48:25 +0000