59 lines
2.4 KiB
Diff
59 lines
2.4 KiB
Diff
From e5e0631b4568821e63cf676c425ed13873e98b0a Mon Sep 17 00:00:00 2001
|
|
From: Scott Little <scott.little@windriver.com>
|
|
Date: Mon, 2 Oct 2017 15:32:15 -0400
|
|
Subject: [PATCH 2/7] WRS: sshd-pam-use-common-includes.patch
|
|
|
|
---
|
|
SOURCES/sshd.pam | 38 +++++++++++++++++++++-----------------
|
|
1 file changed, 21 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
|
|
index 0f5c061..72303eb 100644
|
|
--- a/SOURCES/sshd.pam
|
|
+++ b/SOURCES/sshd.pam
|
|
@@ -1,20 +1,24 @@
|
|
#%PAM-1.0
|
|
-auth required pam_sepermit.so
|
|
-auth substack password-auth
|
|
-auth include postlogin
|
|
-# Used with polkit to reauthorize users in remote sessions
|
|
--auth optional pam_reauthorize.so prepare
|
|
+
|
|
+auth include common-auth
|
|
account required pam_nologin.so
|
|
-account include password-auth
|
|
-password include password-auth
|
|
-# pam_selinux.so close should be the first session rule
|
|
-session required pam_selinux.so close
|
|
-session required pam_loginuid.so
|
|
-# pam_selinux.so open should only be followed by sessions to be executed in the user context
|
|
-session required pam_selinux.so open env_params
|
|
-session required pam_namespace.so
|
|
+
|
|
+# SELinux needs to be the first session rule. This ensures that any
|
|
+# lingering context has been cleared. Without out this it is possible
|
|
+# that a module could execute code in the wrong domain.
|
|
+# When the module is present, "required" would be sufficient (When SELinux
|
|
+# is disabled, this returns success.)
|
|
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
|
+
|
|
+account include common-account
|
|
+password include common-password
|
|
session optional pam_keyinit.so force revoke
|
|
-session include password-auth
|
|
-session include postlogin
|
|
-# Used with polkit to reauthorize users in remote sessions
|
|
--session optional pam_reauthorize.so prepare
|
|
+session include common-session
|
|
+session required pam_loginuid.so
|
|
+
|
|
+# SELinux needs to intervene at login time to ensure that the process
|
|
+# starts in the proper default security context. Only sessions which are
|
|
+# intended to run in the user's context should be run after this.
|
|
+# When the module is present, "required" would be sufficient (When SELinux
|
|
+# is disabled, this returns success.)
|
|
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
|
--
|
|
1.9.1
|
|
|