<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] [451] restrict login to people of the group mga-commiters ( previous try was
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B451%5D%20restrict%20login%20to%20people%20of%20the%20group%0A%20mga-commiters%20%28%20previous%20try%20was&In-Reply-To=%3C20101124025046.332713FD4C%40valstar.mageia.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000884.html">
   <LINK REL="Next"  HREF="000886.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] [451] restrict login to people of the group mga-commiters ( previous try was</H1>
    <B>root at mageia.org</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B451%5D%20restrict%20login%20to%20people%20of%20the%20group%0A%20mga-commiters%20%28%20previous%20try%20was&In-Reply-To=%3C20101124025046.332713FD4C%40valstar.mageia.org%3E"
       TITLE="[Mageia-sysadm] [451] restrict login to people of the group mga-commiters ( previous try was">root at mageia.org
       </A><BR>
    <I>Wed Nov 24 03:50:46 CET 2010</I>
    <HR>  
<!--beginarticle-->
<PRE>Revision: 451
Author:   misc
Date:     2010-11-24 03:50:45 +0100 (Wed, 24 Nov 2010)
Log Message:
-----------
restrict login to people of the group mga-commiters ( previous try was
not working with ssh key )

Modified Paths:
--------------
    puppet/modules/pam/manifests/init.pp
    puppet/modules/pam/templates/system-auth

Modified: puppet/modules/pam/manifests/init.pp
===================================================================
--- puppet/modules/pam/manifests/init.pp	2010-11-24 02:08:32 UTC (rev 450)
+++ puppet/modules/pam/manifests/init.pp	2010-11-24 02:50:45 UTC (rev 451)
@@ -43,14 +43,17 @@
          content =&gt; template(&quot;pam/ldap.conf&quot;)
       }
   } 
-  
+ 
+  # beware , this two classes are exclusive
+ 
   # for server where only admins can connect
-  class admin_access inherits base {
+  class admin_access {
     $access_class = &quot;admin&quot;
+    include base
   }
 
   # for server where people can connect with ssh ( git, svn )
-  class committers_access inherits base {
+  class committers_access {
     # this is required, as we force the shell to be the restricted one
     # openssh will detect if the file do not exist and while refuse to log the
     # user, and erase the password ( see pam_auth.c in openssh code, seek badpw )
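Review bot: The `include base` added right after `$access_class = &quot;admin&quot;` only has an effect if `base` has not already been evaluated somewhere else — Puppet's `include` is idempotent, so whichever class declares `base` first fixes the scope in which its `system-auth` template (changed in this same commit, and reading `access_class`) is rendered; the new comment `# beware , this two classes are exclusive` states the constraint but not why. Presumably the template finds `access_class` through dynamic scope lookup from the including class, which is what makes the assignment-before-include order and the one-class-per-node rule load-bearing; I would spell that out in the comment, e.g. `# exclusive: base (and its system-auth template) is evaluated once, in the scope of the first class that includes it, so $access_class must be set before the include and a node may declare only one of these classes`. The same pattern is used by the `include base` at the end of `committers_access` in the following hunk. Both class bodies continue outside this hunk.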
@@ -58,5 +61,6 @@
     # permission to use svn, git, etc must be added separatly
     include restrictshell::shell
     $access_class = &quot;committers&quot;
+    include base
   }
 }

Modified: puppet/modules/pam/templates/system-auth
===================================================================
--- puppet/modules/pam/templates/system-auth	2010-11-24 02:08:32 UTC (rev 450)
+++ puppet/modules/pam/templates/system-auth	2010-11-24 02:50:45 UTC (rev 451)
@@ -1,10 +1,4 @@
 auth    required     pam_env.so
-&lt;%- if access_class = 'admin' -%&gt;
-auth    required     pam_succeed_if.so quiet user ingroup mga-sysadmin
-&lt;%- end -%&gt;
-&lt;%- if access_class = 'committers' -%&gt;
-auth    required     pam_succeed_if.so quiet user ingroup mga-committers
-&lt;%- end -%&gt;
 # this part is here if the module don't exist
 # basically, the idea is to copy the exact detail of sufficient,
 # and add abort=ignore
@@ -15,6 +9,12 @@
 
 
 account sufficient  pam_localuser.so
+&lt;%- if access_class == 'admin' -%&gt;
+account required    pam_succeed_if.so quiet user ingroup mga-sysadmin
+&lt;%- end -%&gt;
+&lt;%- if access_class == 'committers' -%&gt;
+account required    pam_succeed_if.so quiet user ingroup mga-committers
+&lt;%- end -%&gt;
 account sufficient  pam_ldap.so
 account required    pam_deny.so
 
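Review bot: The new `pam_succeed_if.so ... ingroup` lines are placed after `account sufficient  pam_localuser.so`, so for any account present in /etc/passwd the account stack returns success at that line (assuming no earlier `required` module in the unseen lines 5–8 has already failed) and the group requirement is never evaluated; only LDAP-only users are actually restricted. If every login is meant to be gated on group membership, move `account sufficient  pam_localuser.so` below the second `&lt;%- end -%&gt;` so both `required` checks run first — a `required` failure is remembered even when a later `sufficient` module succeeds. If local accounts are intentionally exempt, a comment such as `# local (passwd) accounts are not subject to the group check` would keep the next reader from taking this as an oversight. Note also that when `access_class` is neither `'admin'` nor `'committers'` no `pam_succeed_if` line is rendered at all, so a host that gets this template without one of the two access classes has no group restriction.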
-------------- next part --------------
An HTML attachment was scrubbed...
URL: &lt;/pipermail/mageia-sysadm/attachments/20101124/878396e6/attachment.html&gt;
</PRE>













<!--endarticle-->
</body></html>