#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
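#
# pam.conf class-action script.  For every "src dest" pair read from
# stdin: when dest does not exist it is installed from src (plus a
# Trusted Extensions entry when the system is labeled); when it does
# exist it is upgraded in place, section by section (module path
# stripping, pam_unix split, roles, projects, PPP, cron, kerberos,
# pam_ldap notice).  Every change is recorded in CLEANUP_FILE so the
# administrator can review it afterwards.
#
# Written for Solaris /bin/sh: no 'local', no $(...), no '!'.  Helpers
# therefore take the file they edit as $1 and use script-global scratch
# variables (conf, entries, tag, e1..e5).  The echo lines rely on that
# shell's echo expanding \t and \c.
#
CLEANUP_FILE=/tmp/CLEANUP
PAM_TMP=/tmp/pam_conf.$$
KERB_ENTRIES=$PAM_TMP/scr.$$
PPP_ENTRIES=$PAM_TMP/scp.$$
CRON_ENTRIES=$PAM_TMP/scc.$$
#
# Scratch copies of the file being edited are kept inside PAM_TMP rather
# than directly under /tmp: mkdir fails on a pre-existing name (including
# a planted symlink), so a '>' redirection into the freshly created,
# mode 0700 directory cannot be steered at an arbitrary file by another
# user of /tmp.
#
TMP_CONF=$PAM_TMP/pamconf.$$
TMP_CONF2=$PAM_TMP/pamconf2.$$

PATH="/usr/bin:/usr/sbin:${PATH}"
export PATH

mkdir -m 700 "$PAM_TMP" || exit 1
# Remove the scratch directory on every exit path; ${PAM_TMP:?} makes
# the rm abort instead of running with an empty path.
trap 'rm -rf "${PAM_TMP:?}"' 0

#
# Write the kerberized-service auth stack to KERB_ENTRIES, one entry
# per line (service type control module).
#
# No comments or blank lines allowed in entries below: the file is
# consumed verbatim by 'read' in update_kerb_entries.
#
setup_kerb_changes() {
	cat > "${KERB_ENTRIES}" << EOF
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
EOF
}

#
# Write the ppp auth stack to PPP_ENTRIES, one entry per line.
#
# No comments or blank lines allowed in entries below: the file is
# consumed verbatim by 'read' in append_missing_entries.
#
setup_ppp_changes() {
	cat > "${PPP_ENTRIES}" << EOF
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
EOF
}

#
# Write the cron account entry to CRON_ENTRIES.
#
# No comments or blank lines allowed in entries below: the file is
# consumed verbatim by 'read' in append_missing_entries.
#
setup_cron_changes() {
	cat > "${CRON_ENTRIES}" << EOF
cron account required pam_unix_account.so.1
EOF
}

#
# Returns zero (success) if system is labeled (aka Trusted Extensions),
# 1 otherwise.  A missing /bin/plabel means "not labeled"; otherwise
# plabel's own exit status decides.
#
is_system_labeled() {
	[ ! -x /bin/plabel ] && return 1
	/bin/plabel > /dev/null 2>&1
	return $?
}

#
# Add any entries for Trusted Extensions, during initial install.
# This is dependent on whether TX is enabled.
#
# Arguments: $1 - pam.conf to edit (defaults to the global 'dest' for
#                 the original no-argument call)
# Appends a pam_tsol_account "other account" entry unless one is already
# present, and records the addition in CLEANUP_FILE.
#
add_tx_entries() {
	conf=${1:-$dest}
	is_system_labeled || return 0
	grep '^[ ]*other.*account.*pam_tsol_account' "$conf" \
	    > /dev/null 2>&1
	if [ $? -ne 0 ] ; then
		# Append new entry
		cat >> "$conf" << EOF
other account required pam_tsol_account.so.1
EOF
		echo "${conf} entry added for Trusted Extensions; \c" \
		    >> "${CLEANUP_FILE}"
	fi
	return 0
}

#
# Overwrite $1 in place with the edited copy held in TMP_CONF and drop
# the copy.  cp rather than mv keeps $1's existing owner/group/mode.
#
# Arguments: $1 - pam.conf being edited
#
commit_edit() {
	cp "$TMP_CONF" "$1"
	rm -f "$TMP_CONF"
}

#
# Update pam.conf with relative pathname: strip the absolute
# /usr/lib/security/$ISA/ and /usr/lib/security/ prefixes from module
# names in $1 (each prefix is replaced by a single space).
#
# Arguments: $1 - pam.conf being edited
#
strip_module_paths() {
	conf=$1
	# '$ISA' is literal in both patterns (single quotes).
	if grep '/usr/lib/security/$ISA/pam_' "$conf" > /dev/null 2>&1; then
		sed 's,/usr/lib/security/$ISA/, ,' "$conf" > "$TMP_CONF"
		commit_edit "$conf"
	fi
	if grep '/usr/lib/security/pam_' "$conf" > /dev/null 2>&1; then
		sed 's,/usr/lib/security/, ,' "$conf" > "$TMP_CONF"
		commit_edit "$conf"
	fi
}

#
# Update pam.conf with entries for PAM modules pam_authtok_get,
# pam_authtok_check, pam_authtok_store, pam_unix_auth, pam_unix_account,
# pam_unix_cred, pam_unix_session, pam_dhkeys and pam_passwd_auth:
# every pam_unix.so line in $1 is expanded into the per-type stack, an
# rsh rhosts entry becomes "sufficient" followed by pam_unix_cred, and
# a "passwd auth pam_passwd_auth" line is appended if none was seen.
#
# Arguments: $1 - pam.conf being edited
#
update_pam_unix() {
	conf=$1
	echo "${conf} updating pam_unix with default PAM entries \c" \
	    >> "${CLEANUP_FILE}"
	echo "please examine/update any new entries" \
	    >> "${CLEANUP_FILE}"
	# The awk program below is reproduced as-is; note that the
	# rsh/pam_unix_auth/required rule intentionally drops the line
	# (next without print) and that the END block sits mid-program.
	nawk '/^#/ { print; next } \
	$4 ~ /pam_unix.so/ && $2 == "auth" { \
		print $1 "\t" $2 " " "requisite\t\t" \
			"pam_authtok_get.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_dhkeys.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_unix_cred.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_unix_auth.so.1"; \
		next \
	} \
	$4 ~ /pam_passwd_auth.so.1/ && $2 == "auth" { \
		if ($1 == "passwd") \
			passwd_seen = 1;\
	}\
	$4 ~ /pam_rhosts_auth/ && $1 == "rsh" && $3 == "required" { \
		print $1 "\t" $2 " " "sufficient\t\t" $4; \
		print $1 "\t" $2 " " "required\t\t" "pam_unix_cred.so.1"; \
		next \
	}\
	$4 ~ /pam_unix_cred/ && $3 == "required" { \
		cred_seen = 1;\
		print; \
		next \
	}\
	$4 ~ /pam_unix_auth/ && $1 == "rsh" && $3 == "required" { \
		if (cred_seen == 0) { \
			print $1 "\t" $2 " " "required\t\t" \
				"pam_unix_cred.so.1"; \
		} \
		next \
	} \
	$4 ~ /pam_unix_auth/ && $3 == "required" { \
		if (cred_seen == 0) { \
			print $1 "\t" $2 " " "required\t\t" \
				"pam_unix_cred.so.1"; \
		} \
		print ; \
		next \
	}\
	END {
		if (passwd_seen == 0) { \
			print "passwd" "\t" "auth required\t\t" \
				"pam_passwd_auth.so.1"; \
		} \
	} \

	$4 ~ /pam_unix.so/ && $2 == "account" { \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_unix_account.so.1"; \
		next \
	} \
	$4 ~ /pam_unix.so/ && $2 == "session" { \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_unix_session.so.1"; \
		next \
	} \
	$4 ~ /pam_unix.so/ && $2 == "password" { \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_dhkeys.so.1"; \
		print $1 "\t" $2 " " "requisite\t\t" \
			"pam_authtok_get.so.1"; \
		print $1 "\t" $2 " " "requisite\t\t" \
			"pam_authtok_check.so.1"; \
		print $1 "\t" $2 " " $3 "\t\t" \
			"pam_authtok_store.so.1"; \
		next \
	} \
	{ print }' "$conf" > "$TMP_CONF"
	commit_edit "$conf"
}

#
# Update pam.conf with entries for roles: when $1 has no pam_roles.so
# line yet, drop any pam_role_auth line and insert a "requisite
# pam_roles.so.1" entry in front of every pam_unix account entry.
#
# Arguments: $1 - pam.conf being edited
#
update_roles() {
	conf=$1
	grep 'pam_roles.so' "$conf" > /dev/null 2>&1
	# Only an explicit "no match" (status 1) triggers the edit; a grep
	# error (status 2) leaves the file alone.
	if [ $? = 1 ] ; then
		echo "${conf} updating default entries for roles, \c" \
		    >> "${CLEANUP_FILE}"
		echo "please examine/update any new entries" \
		    >> "${CLEANUP_FILE}"
		nawk '/^#/ { print; next } \
		$4 ~ /pam_role_auth/ { next } \
		$2 == "account" && $4 ~ /pam_unix/ { \
			print $1 "\t" $2 " requisite\t\t" \
				"pam_roles.so.1"; \
			print; \
			next \
		} \
		{ print }' "$conf" > "$TMP_CONF"
		commit_edit "$conf"
	fi
}

#
# Update pam.conf with entries for projects: remove every line in $1
# that mentions pam_projects.so.
#
# Arguments: $1 - pam.conf being edited
#
remove_projects() {
	conf=$1
	if grep 'pam_projects.so' "$conf" > /dev/null 2>&1; then
		echo "${conf} removing pam_project.so" >> "${CLEANUP_FILE}"
		grep -v pam_projects.so "$conf" > "$TMP_CONF"
		commit_edit "$conf"
	fi
}

#
# Append to a pam.conf every entry of an entries file that is not
# already present (used for the PPP and cron stacks).
#
# Arguments: $1 - entries file (service type control module per line)
#            $2 - pam.conf being edited
#            $3 - text for the CLEANUP_FILE notice, e.g.
#                 "updating entries for PPP;"
#
append_missing_entries() {
	entries=$1
	conf=$2
	tag=$3
	rm -f "$TMP_CONF"
	while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists.
		# NOTE(review): the bracket expressions match a space only
		# as shown here, while the echo below emits tabs; confirm
		# against the original source whether they were [ <tab>].
		grep \
		    "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
		    "$conf" >/dev/null 2>&1
		if [ $? = 1 ] ; then
			# Doesn't exist, enter into pam.conf
			echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$TMP_CONF"
		fi
	done < "$entries"
	# Append the collected lines if any were not present already.
	if [ -f "$TMP_CONF" ] ; then
		cat "$TMP_CONF" >> "$conf"
		echo "${conf} ${tag} \c" \
		    >> "${CLEANUP_FILE}"
		echo "please examine/update any new entries" \
		    >> "${CLEANUP_FILE}"
		rm -f "$TMP_CONF"
	fi
}

#
# Update pam.conf to remove the rlogin entry that uses pam_krb5.so.1.
# On sed failure the file is left untouched and a notice is logged.
#
# Arguments: $1 - pam.conf being edited
#
remove_rlogin_krb5() {
	conf=$1
	rm -f "$TMP_CONF"
	sed -e "/^[# ]*rlogin.*pam_krb5.so.1/d" \
	    "$conf" > "$TMP_CONF"
	if [ $? -ne 0 ]; then
		echo "Couldn't edit ${TMP_CONF}, rlogin lines have not been updated to remove pam_krb5.so.1." \
		    >> "${CLEANUP_FILE}"
	else
		commit_edit "$conf"
	fi
}

#
# Update pam.conf to remove obsolete flags used with pam_krb5.so.1
# (acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass).
# On sed failure the file is left untouched and a notice is logged.
#
# Arguments: $1 - pam.conf being edited
#
remove_obsolete_krb5_flags() {
	conf=$1
	rm -f "$TMP_CONF"
	sed -e "s/\(pam_krb5.so.1.*\)acceptor/\1/g" \
	    -e "s/\(pam_krb5.so.1.*\)use_first_pass/\1/g" \
	    -e "s/\(pam_krb5.so.1.*\)try_first_pass/\1/g" \
	    -e "s/\(pam_krb5.so.1.*\)use_xfn_pass/\1/g" \
	    -e "s/\(pam_krb5.so.1.*\)try_xfn_pass/\1/g" \
	    "$conf" > "$TMP_CONF"
	if [ $? -ne 0 ]; then
		echo "Couldn't edit ${TMP_CONF} to remove obsolete flags: acceptor, use_first_pass, try_first_pass, use_xfn_pass, try_xfn_pass." \
		    >> "${CLEANUP_FILE}"
	else
		commit_edit "$conf"
	fi
}

#
# Update pam.conf to remove the unnecessary unix_auth entries for the
# kerberized services (krlogin, krsh, ktelnet) and turn their "binding"
# auth control flag into "required".  On sed failure the file is left
# untouched and a notice is logged.
#
# Arguments: $1 - pam.conf being edited
#
fix_kerberized_stacks() {
	conf=$1
	rm -f "$TMP_CONF"
	sed -e "/^[# ]*krlogin[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
	    -e "/^[# ]*krsh[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
	    -e "/^[# ]*ktelnet[ ]*auth[ ]*.*[ ]*pam_unix_auth.so.1/d" \
	    -e "s/^\([# ]*krlogin[ ]*auth[ ]*\)binding/\1required/" \
	    -e "s/^\([# ]*krsh[ ]*auth[ ]*\)binding/\1required/" \
	    -e "s/^\([# ]*ktelnet[ ]*auth[ ]*\)binding/\1required/" \
	    "$conf" > "$TMP_CONF"
	if [ $? -ne 0 ]; then
		echo "Couldn't edit ${TMP_CONF}, krlogin, krsh, ktelnet may still have pam_unix_auth in their stacks." \
		    >> "${CLEANUP_FILE}"
	else
		commit_edit "$conf"
	fi
}

#
# Update pam.conf to append kerberos entries if not already present.
# Entries that do exist are removed and re-appended so they end up at
# the bottom of the file in the order given by KERB_ENTRIES.
#
# Arguments: $1 - pam.conf being edited
#
update_kerb_entries() {
	conf=$1
	rm -f "$TMP_CONF"
	while read e1 e2 e3 e4 e5
	do
		# See if the entry already exists
		grep \
		    "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
		    "$conf" >/dev/null 2>&1
		if [ $? = 1 ] ; then
			# Check if service name is 'dtlogin' and it is
			# mentioned explicitly, then add kerberos 'dtlogin'.
			# (KERB_ENTRIES as written above holds no dtlogin
			# line, so this branch is only reached if the list
			# is extended.)
			if [ "$e1" = "dtlogin" ]; then
				if grep "^[# ]*$e1[ ][ ]*$e2[ ]" \
				    "$conf" >/dev/null 2>&1; then
					echo "$e1\t$e2 $e3\t\t$e4 $e5" >> "$TMP_CONF"
				fi
			else
				# Doesn't exist, enter into pam.conf
				echo "$e1\t$e2 $e3\t\t$e4 $e5" >> \
				    "$TMP_CONF"
			fi
		else
			# Does exist. To maintain proper stacking order: remove it
			# and append it to the bottom of the conf file.
			grep "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
			    "$conf" >> "$TMP_CONF" 2>/dev/null
			sed -e "/^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4/d" \
			    "$conf" > "$TMP_CONF2"
			# cp keeps the conf file's owner/group/mode, as the
			# other edits in this script do.
			cp "$TMP_CONF2" "$conf"
			rm -f "$TMP_CONF2"
		fi
	done < "${KERB_ENTRIES}"
	# Append kerberos lines if any were not present already.
	if [ -f "$TMP_CONF" ] ; then
		cat "$TMP_CONF" >> "$conf"
		echo "${conf} updating entries to add kerberos, \c" \
		    >> "${CLEANUP_FILE}"
		echo "please examine/update any new entries" \
		    >> "${CLEANUP_FILE}"
		rm -f "$TMP_CONF"
	fi
}

#
# Notify pam_ldap users to manually intervene and examine/update their
# pam.conf due to the change in pam_ldap functionality.  Only
# uncommented pam_ldap.so lines in $1 count.
#
# Arguments: $1 - pam.conf being checked
#
notify_pam_ldap() {
	conf=$1
	if grep '^[^#].*pam_ldap.so' "$conf" > /dev/null 2>&1; then
		echo "${conf} please examine/update the pam_ldap configuration \c" \
		    >> "${CLEANUP_FILE}"
		echo "because its functionality has changed, \c" \
		    >> "${CLEANUP_FILE}"
		echo "refer to pam_ldap(5) documentation for more information" \
		    >> "${CLEANUP_FILE}"
	fi
}

#
# Main: build the entry files once, then process every "src dest" pair
# from stdin.
#
setup_kerb_changes
setup_ppp_changes
setup_cron_changes
while read src dest
do
	if [ ! -f "$dest" ] ; then
		cp "$src" "$dest"

		# Dynamically add any entries for Trusted Extensions if it's enabled
		add_tx_entries "$dest"
	else
		echo "${dest} default entries updated, \c" \
		    >> "${CLEANUP_FILE}"
		echo "please examine/update customized entries" \
		    >> "${CLEANUP_FILE}"
		strip_module_paths "$dest"
		update_pam_unix "$dest"
		update_roles "$dest"
		remove_projects "$dest"
		# PPP entries go in after the upgrade above has run: the
		# default list already has role added.
		append_missing_entries "${PPP_ENTRIES}" "$dest" \
		    "updating entries for PPP;"
		# The kerberos default list already has the cron entry added.
		append_missing_entries "${CRON_ENTRIES}" "$dest" \
		    "updating entries for cron,"
		remove_rlogin_krb5 "$dest"
		remove_obsolete_krb5_flags "$dest"
		fix_kerberized_stacks "$dest"
		update_kerb_entries "$dest"
		notify_pam_ldap "$dest"
	fi
done
# PAM_TMP is removed by the exit trap.
exit 0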