Augeas pam.d argument checking


Ed

Feb 18, 2010, 8:40:47 AM
to puppet...@googlegroups.com
I'm trying to change the password complexity requirements in
pam.d/system-auth using augeas. I can append the values (lcredit=-1,
ucredit=-1, etc) onto the correct place, but if another value is
already present (i.e. lcredit=-2), the onlyif match statement doesn't
seem to support checking regular expressions inside of strings. How do
I check that any numeric value exists in the argument?

define passwordcomplexity($lowercase = "1", $uppercase = "1",
                          $numeric = "1", $special = "1") {
  augeas { "add_lowercase_reqs":
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
    onlyif  => "match system-auth/*[argument='lcredit=*'] size == 0",
  }
  augeas { "add_uppercase_reqs":
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
    onlyif  => "match system-auth/*[argument='ucredit=*'] size == 0",
  }
  augeas { "add_numeric_reqs":
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
    onlyif  => "match system-auth/*[argument='dcredit=*'] size == 0",
  }
  augeas { "add_special_reqs":
    context => "/files/etc/pam.d",
    changes => "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
    onlyif  => "match system-auth/*[argument='ocredit=*'] size == 0",
  }
}

This will continuously append lcredit=-2, etc. onto the end of the
line, without checking the values that currently exist:

----------------------------------------------------
password requisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3 lcredit=-2 ocredit=-2 dcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 lcredit=-2 ucredit=-2
-----------------------------------------------------


~Ed

Ed

Feb 18, 2010, 9:31:04 AM
to Puppet Users
So based on a posting from last year, I changed the definition to just
remove and rebuild the line in pam.d/system-auth based on the
variables passed in. Although this isn't the elegant solution that I
was searching for (breaking it up to different functions and using
"onlyif"), it does get the job done. Here is what I've got:

define passwordcomplexity($retry = "3", $lowercase = "1", $uppercase = "1",
                          $numeric = "1", $special = "1", $maxrepeats = "3") {
  augeas { "rebuild_passwordcomplex_reqs":
    context => "/files/etc/pam.d",
    changes => [
      # drop every existing argument of the password-phase pam_cracklib.so entry
      "rm system-auth/*[module='pam_cracklib.so'][type='password']/argument",
      # then rebuild the argument list in order from the define's parameters
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] try_first_pass",
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] retry=$retry",
      # pam_cracklib spells this option 'maxrepeat' (as in the line above), not 'maxrepeats'
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] maxrepeat=$maxrepeats",
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] lcredit=-$lowercase",
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ucredit=-$uppercase",
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] dcredit=-$numeric",
      "set system-auth/*[module='pam_cracklib.so']/argument[last()+1] ocredit=-$special",
    ],
  }
}

If anyone knows how to use onlyif and match/get to get an augeas
argument based on a regular expression, I'd be happy to hear about it.

~Ed
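The check Ed is after is "does any argument of the form key=<integer> already exist, and if so replace it rather than append". In Augeas path expressions the same test can be written with a regexp filter in the onlyif, e.g. `argument[. =~ regexp('lcredit=-?[0-9]+')]` (assumed to need an Augeas release with regexp() support, not verified against the 2010 version Ed used). The Python below, added here and not part of the thread, implements that idempotent logic directly on a constructed system-auth fragment, so the duplicate lcredit=-2 ... lcredit=-2 tail in Ed's output cannot arise.

```python
import re

# Constructed sample of a pam.d/system-auth fragment (not taken from a real host).
SAMPLE = """\
auth required pam_env.so
password requisite pam_cracklib.so try_first_pass retry=3 maxrepeat=3 lcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""

# One 'key=<integer>' module argument, e.g. lcredit=-2 or retry=3.
NUMERIC_ARG = re.compile(r'^(?P<key>[a-z_]+)=(?P<val>-?\d+)$')


def has_numeric_arg(args, key):
    """True if any argument is '<key>=<integer>': the regex test the onlyif could not express."""
    return any(m is not None and m.group('key') == key
               for m in map(NUMERIC_ARG.match, args))


def ensure_args(args, wanted):
    """Return the argument list with each key in `wanted` present exactly once:
    an existing 'key=value' is replaced in place, duplicates are dropped,
    and missing keys are appended at the end."""
    out, seen = [], set()
    for arg in args:
        key = arg.split('=', 1)[0] if '=' in arg else None
        if key in wanted:
            if key in seen:
                continue            # duplicate left behind by earlier appends
            seen.add(key)
            out.append(f"{key}={wanted[key]}")
        else:
            out.append(arg)
    out.extend(f"{key}={val}" for key, val in wanted.items() if key not in seen)
    return out


def set_password_complexity(pam_text, lowercase=1, uppercase=1, numeric=1, special=1):
    """Rewrite only the 'password ... pam_cracklib.so' line so the four credit
    values are set idempotently; running it twice yields the same text."""
    wanted = {'lcredit': -lowercase, 'ucredit': -uppercase,
              'dcredit': -numeric, 'ocredit': -special}
    lines = []
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == 'password' and fields[2] == 'pam_cracklib.so':
            line = ' '.join(fields[:3] + ensure_args(fields[3:], wanted))
        lines.append(line)
    return '\n'.join(lines) + '\n'
```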

Joe McDonagh

Feb 18, 2010, 6:33:55 PM
to puppet...@googlegroups.com
I created a ticket about a pam type nearly a year ago and hopefully I
can have a working type with the parsedfile provider sometime within the
next week (I should have a real-live day off Friday). I did do some
planning for type features while on a plane ride but ended up falling
asleep... so that's as far as I am right now. I'll post to the list once
I have something that resembles a working pam type.

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary

David Lutterkort

Feb 20, 2010, 1:41:43 AM
to puppet...@googlegroups.com
On Thu, 2010-02-18 at 18:33 -0500, Joe McDonagh wrote:
> I created a ticket about a pam type nearly a year ago and hopefully I
> can have a working type with the parsedfile provider sometime within the
> next week (I should have a real-live day off Friday). I did do some
> planning for type features while on a plane ride but ended up falling
> asleep... so that's as far as I am right now. I'll post to the list once
> I have something that resembles a working pam type.

Have you thought about doing this based on Augeas rather than
ParsedFile? Depending on what exactly you want your type to do, you
might even be able to write it as a 'define' in puppet, rather than
having to drop to Ruby. If the logic in your type is complex enough,
though, and you have to write it in Ruby, you can still use Augeas to
access, query and modify the pam entries.

David


Joe McDonagh

Feb 21, 2010, 3:06:39 PM
to puppet...@googlegroups.com
I have not thought about using augeas because last time I tried to build
it for our standard OS (Ubuntu 8.04) IIRC it needed a newer version of
glibc.

seph

Feb 21, 2010, 9:21:14 PM
to puppet...@googlegroups.com
Joe McDonagh <joseph.e...@gmail.com> writes:

> I have not thought about using augeas because last time I tried to
> build it for our standard OS (Ubuntu 8.04) IIRC it needed a newer
> version of glibc.

I didn't have any trouble building the current ubuntu augeas packages
for 8.04. I followed the pretty normal dpkg build process for
it. (apt-get source; apt-get build-dep; debuild) No glibc weirdness.

seph

Joe McDonagh

Feb 21, 2010, 9:43:47 PM
to puppet...@googlegroups.com
That's weird, maybe I ran into something else or just flat out got
distracted/pulled in another direction.

I was thinking it might be useful for this type to have both a
parsedfile and augeas provider. What do you guys think?

And yes I do usually use definitions for stuff like this, but I just
feel like puppet should have some security types, and IIRC the solaris
ones don't differ much from the linux ones so it's partly a
unix-agnostic type.

Anybody else have more input on that last statement?

Nigel Kersten

Feb 21, 2010, 9:56:07 PM
to puppet...@googlegroups.com

add OS X to the Solaris/Linux PAM mix too? :)

OS X 10.6 in particular makes PAM a lot more useful and authoritative.


--
nigel

Joe McDonagh

Feb 21, 2010, 10:52:03 PM
to puppet...@googlegroups.com
It's good to hear that from you- I wasn't completely sure they had a PAM
implementation, cause for instance OpenBSD doesn't (which is the BSD I
currently use the most these days).

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode

Boredom is counter-revolutionary

David Lutterkort

Feb 22, 2010, 2:38:17 PM
to puppet...@googlegroups.com
On Sun, 2010-02-21 at 15:06 -0500, Joe McDonagh wrote:
> I have not thought about using augeas because last time I tried to build
> it for our standard OS (Ubuntu 8.04) IIRC it needed a newer version of
> glibc.

I haven't seen that problem - but if you run into it again, I'd very
much appreciate any build logs you have (compiler output etc.)

I try very hard to make Augeas only rely on a very minimalistic C
library (it builds on AIX ;)

David


Joe McDonagh

Feb 22, 2010, 2:45:11 PM
to puppet...@googlegroups.com
Since someone else said they built it on 8.04 I might have just gotten
distracted by something else. And I didn't even get the day off I was
counting on to get something done...