From 0fa0c2f66eb62768034945e0dd6ee6071af1de98 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 11 Mar 2018 18:07:21 -0500
Subject: [PATCH] roles/system-auth: Configure PAM system authentication

The *system-auth* role deploys PAM configuration for system-wide user authentication. It is specifically focused on Active Directory authentication using Samba/Winbind.
---
 roles/system-auth/defaults/main.yml | 2 +
 roles/system-auth/tasks/main.yml | 43 ++++++++++++++++++++
 roles/system-auth/templates/password-auth.j2 | 40 ++++++++++++++++++
 roles/system-auth/templates/system-auth.j2 | 5 +++
 roles/system-auth/vars/RedHat.yml | 7 ++++
 5 files changed, 97 insertions(+)
 create mode 100644 roles/system-auth/defaults/main.yml
 create mode 100644 roles/system-auth/tasks/main.yml
 create mode 100644 roles/system-auth/templates/password-auth.j2
 create mode 100644 roles/system-auth/templates/system-auth.j2
 create mode 100644 roles/system-auth/vars/RedHat.yml

diff --git a/roles/system-auth/defaults/main.yml b/roles/system-auth/defaults/main.yml
new file mode 100644
index 0000000..9d452b1
--- /dev/null
+++ b/roles/system-auth/defaults/main.yml
@@ -0,0 +1,2 @@
+pam_mkhomedir: false
+pam_winbind: false
diff --git a/roles/system-auth/tasks/main.yml b/roles/system-auth/tasks/main.yml
new file mode 100644
index 0000000..a94ceae
--- /dev/null
+++ b/roles/system-auth/tasks/main.yml
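Review bot: `pam_oddjob_mkhomedir`, which tasks/main.yml tests in two `when:` clauses, is not declared in this defaults file, so once `pam_mkhomedir` is switched on for a host whose distribution vars file does not set it the condition evaluates an undefined variable; I would add `pam_oddjob_mkhomedir: false` beside the two existing flags. Neither flag carries a comment saying what it turns on, which matters for a file that is the role's public interface. Something like `# Render the pam_winbind.so entries for Samba/Winbind (Active Directory) authentication` above `pam_winbind` and `# Create a home directory on first login` above `pam_mkhomedir` would do.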
@@ -0,0 +1,43 @@
+- name: load distribution-specific variables
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_distribution }}.yml'
+ - '{{ ansible_os_family }}.yml'
+ - defaults.yml
+
+- name: ensure authconfig is not installed
+ package:
+ name=authconfig
+ state=absent
+- name: ensure authconfig PAM configuration is reset
+ command:
+ mv /etc/pam.d/{{ item }}-ac /etc/pam.d/{{ item }}
+ removes=/etc/pam.d/{{ item }}-ac
+ with_items:
+ - fingerprint-auth
+ - password-auth
+ - postlogin
+ - smartcard-auth
+ - system-auth
+
+- name: ensure mkhomedir package is installed
+ package:
+ name={{ mkhomedir_pkg }}
+ when: pam_mkhomedir
+- name: ensure oddjobd starts at boot
+ service:
+ name=oddjobd
+ enabled=true
+ when: pam_mkhomedir and pam_oddjob_mkhomedir
+- name: ensure oddjobd is running
+ service:
+ name=oddjobd
+ state=started
+ when: pam_mkhomedir and pam_oddjob_mkhomedir
+
+- name: ensure pam configuration is set
+ template:
+ src={{ item.template }}
+ dest=/etc/pam.d/{{ item.name }}
+ mode=0644
+ with_items: '{{ pam_system_auth_conf }}'
diff --git a/roles/system-auth/templates/password-auth.j2 b/roles/system-auth/templates/password-auth.j2
new file mode 100644
index 0000000..3032e1a
--- /dev/null
+++ b/roles/system-auth/templates/password-auth.j2
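Review bot: The `with_first_found` list ends with `defaults.yml` as the fallback, but the diffstat shows the commit adding only `vars/RedHat.yml`, so on any other OS family the first task fails with no file found (unless that file already exists elsewhere in the repo), and even with `skip: true` the later tasks would still hit `mkhomedir_pkg` and `pam_system_auth_conf` undefined; either ship a `vars/defaults.yml` or move `pam_system_auth_conf` into defaults/main.yml. The final template task writes `/etc/pam.d/*` with no `backup` and no explicit `owner`/`group`; for files whose breakage locks every login out, `backup: true` gives an on-host rollback path, and pinning `owner: root` and `group: root` documents the expectation rather than inheriting whatever the controller-side defaults produce. Style: the module arguments are written in `key=value` form (`name=authconfig`, `mode=0644`) while `with_items` and `when` use native YAML; native YAML arguments throughout (e.g. `name: authconfig` / `state: absent`) are what current Ansible style guides and linters expect.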
@@ -0,0 +1,40 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+{% if pam_winbind %}
+auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
+{% endif %}
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 1000 quiet
+{% if pam_winbind %}
+account [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
+{% endif %}
+account required pam_permit.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+{% if pam_winbind %}
+password sufficient pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
+{% endif %}
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+{% if pam_mkhomedir %}
+{% if pam_oddjob_mkhomedir %}
+session optional pam_oddjob_mkhomedir.so umask=0077
+{% endif %}
+{% endif %}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+{% if pam_winbind %}
+session optional pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
+{% endif %}
diff --git a/roles/system-auth/templates/system-auth.j2 b/roles/system-auth/templates/system-auth.j2
new file mode 100644
index 0000000..1b507f6
--- /dev/null
+++ b/roles/system-auth/templates/system-auth.j2
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include password-auth
+account include password-auth
+password include password-auth
+session include password-auth
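Review bot: The header comment `# User changes will be destroyed the next time authconfig is run.` is stale on the new side: the tasks in this commit remove authconfig and rename its `-ac` files away, so the file is now owned by the Ansible template; replace the two comment lines with `# {{ ansible_managed }}` so a reader on the host is pointed at the right owner. `nullok` on both `pam_unix.so` lines (auth and password stacks) lets an account whose password field is empty authenticate without a password; unless that is deliberate for this role, drop it or gate it on a role flag so the default rendering does not accept empty passwords. The nested `{% if pam_mkhomedir %}` / `{% if pam_oddjob_mkhomedir %}` block has no branch for `pam_mkhomedir` being true where oddjob is not in use, so on such a host the flag silently renders nothing; if that combination is meant to be supported, an `{% else %}` on the inner `if` with `session optional pam_mkhomedir.so umask=0077` would cover it, and otherwise a template comment stating that mkhomedir requires oddjob would save the next reader the search.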
diff --git a/roles/system-auth/vars/RedHat.yml b/roles/system-auth/vars/RedHat.yml
new file mode 100644
index 0000000..1e7d089
--- /dev/null
+++ b/roles/system-auth/vars/RedHat.yml
@@ -0,0 +1,7 @@
+mkhomedir_pkg: oddjob-mkhomedir
+pam_oddjob_mkhomedir: true
+pam_system_auth_conf:
+- name: password-auth
+ template: password-auth.j2
+- name: system-auth
+ template: system-auth.j2
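Review bot: `pam_oddjob_mkhomedir: true` lives in the role's `vars/`, which takes precedence over inventory and play variables, so a consumer cannot switch oddjob off for a RedHat host without extra-vars; if it is meant to be a tunable it belongs in defaults/main.yml, with this file only carrying the distribution facts (`mkhomedir_pkg`). A short comment above `pam_system_auth_conf` would also help, since its consumer is the template task in tasks/main.yml: `# Each entry renders templates/<template> to /etc/pam.d/<name>`.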