* Sun Sep 22 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-9.sme

- remove reference to deprecated rssh [SME: 12670] - template /etc/pam.d/sshd to remove motd [SME: 12740]
2024-09-22 22:43:22 -04:00
parent beb0afe727
commit 84bf8e5c22
11 changed files with 80 additions and 81 deletions
--- a/root/etc/e-smith/db/accounts/migrate/50rsshRemoval
+++ b/root/etc/e-smith/db/accounts/migrate/50rsshRemoval
@@ -0,0 +1,15 @@
+{
+    # Remove AllowRSSH propertie
+    # Reset Shell property if /usr/bin/rssh
+
+    foreach my $account ($DB->get_all)
+    {
+    if (defined $account->prop('Shell') && ($account->prop('Shell') eq "/usr/bin/rssh") )
+        {
+        $account->delete_prop('Shell');
+        }
+    next unless (defined $account->prop('AllowRSSH'));
+    $account->delete_prop('AllowRSSH');
+    }
+}
+
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/20auth
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/20auth
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth       substack     password-auth
+auth       include      postlogin
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/30account
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/30account
@@ -0,0 +1,3 @@
+account    required     pam_sepermit.so
+account    required     pam_nologin.so
+account    include      password-auth
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/40password
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/40password
@@ -0,0 +1 @@
+password   include      password-auth
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/50session
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/50session
@@ -0,0 +1,11 @@
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+#we use the sshd_config file to call motd
+#session    optional     pam_motd.so
+session    include      password-auth
+session    include      postlogin
--- a/root/etc/e-smith/templates/etc/pam.d/sshd/template-begin
+++ b/root/etc/e-smith/templates/etc/pam.d/sshd/template-begin
--- a/root/etc/e-smith/templates/etc/rssh.conf/10logfacility
+++ b/root/etc/e-smith/templates/etc/rssh.conf/10logfacility
@@ -1 +0,0 @@
-logfacility = LOG_USER 
--- a/root/etc/e-smith/templates/etc/rssh.conf/10umask
+++ b/root/etc/e-smith/templates/etc/rssh.conf/10umask
@@ -1 +0,0 @@
-umask = 022
--- a/root/etc/e-smith/templates/etc/rssh.conf/40users
+++ b/root/etc/e-smith/templates/etc/rssh.conf/40users
@@ -1,22 +0,0 @@
-{
-    use esmith::AccountsDB;
-
-    my $adb = esmith::AccountsDB->open_ro or die "Couldn't open AccountsDB\n";
-
-    $OUT = '';
-
-    for my $user ( $adb->users )
-    {
-	my %props = $user->props;
-	$props{AllowRSSH} ||= 'unknown';
-
-	next unless ($props{PasswordSet} eq 'yes');
-
-	next if ($props{AllowRSSH} eq 'no');
-
-	next unless ($props{AllowRSSH} eq 'yes' or
-		$props{VPNClientAccess} eq 'yes');
-
-	$OUT .= "user = " . $user->key . ":022:11111:" . "\n";
-    }
-}