authselect icon indicating copy to clipboard operation
authselect copied to clipboard
verified publisher icon authselect

Consider creating ansible roles

Open jhrozek opened this issue 8 years ago • 7 comments

Ansible is a very widely used configuration management tool. It would help the adoption of authselect if we had an ansible role. Eventually it should be upstreamed, but a role living in some contrib/ directory would be a good start.

jhrozek avatar Aug 16 '17 19:08 jhrozek

Considering how this will work with Ansible seems a very good idea. The workflow needs to at least allow for:

  • Build the base host (e.g. from VM template or PXE boot).
  • Run Ansible Playbook to get the config specifics in place.
  • Join possible authentication realms (typically kerberos and LDAP based).

Ideally all three steps can be automated (e.g. for workstations, servers and VMs in a large organisation).

carwyn avatar Mar 23 '18 18:03 carwyn

an ansible role would be nice. i'm currently using "copy" to deploy a custom profile directory, then running "command" to select it - or for simpler use cases, a command to enable/disable features in "current", its all a bit icky, but no worse than shelling out to authconfig or running "lineinfile" on pam.d files!

slightly off-topic, but i wouldn't have to create a custom profile if authselect handled half the options pam supports - would be nice to be able to configure remember/deny/unlock_time/audit/retry etc.

sej7278 avatar Nov 25 '18 23:11 sej7278

Ansible role is definitely planned. Would you mind sharing your playbook here in the mean time?

Also tell me more about your use cases and maybe we can figure something out.

pbrezina avatar Nov 26 '18 09:11 pbrezina

Can't really share it in total, but my modifications to password-auth (etc.) from rhel8beta1 are:

4c4
< auth        required                                     pam_faillock.so preauth silent deny=3 audit unlock_time=3600
---
> auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
7c7
< auth        sufficient                                   pam_unix.so try_first_pass
---
> auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
10c10
< auth        required                                     pam_faillock.so authfail deny=3 unlock_time=3600
---
> auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
14c14
< account     required                                     pam_faillock.so
---
> account     required                                     pam_faillock.so                                        {include if "with-faillock"}
21,22c21,22
< password    requisite                                    pam_pwquality.so try_first_pass local_users_only minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 retry=3
< password    sufficient                                   pam_unix.so sha512 shadow try_first_pass use_authtok
---
> password    requisite                                    pam_pwquality.so try_first_pass local_users_only
> password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
25d24
< password    required                                     pam_pwhistory.so remember=12 use_authtok retry=3

pam_pwquality.so can be configured in /etc/security/pwquality.conf.d/10-authconfig-pwquality.conf but i prefer just putting it in my custom profile. i hardcoded failok and nullok rather than provide an option, and added pam_pwhistory.so

Then my playbook segment is:

- name: authselect profile
  copy:
    src: files/my_pam
    dest: /etc/authselect/custom/
    owner: root
    group: root
    mode: 0644
    directory_mode: 0750

- name: authselect enable
  command: authselect select custom/my_pam -q
  changed_when: False

Having to use changed_when: False is a pain, I guess it always returns true even though no changes have actually been made?

Roles for authselect current -r and authselect check would be useful too.

sej7278 avatar Nov 26 '18 10:11 sej7278

@sej7278 In my opinion, the best thing would be for pam_faillock to support a configuration file as for example pam_pwquality does. I asked its maintainer and he already have a ticket and plans for it. Why do you prefer to have pwquality setting in pam instead of config file? (it may be better to open another issue for this if you want to continue discussion)

Thanks for the snippet.

pbrezina avatar Nov 30 '18 12:11 pbrezina

@sej7278 This will solve your problem with status report.

- name: 'Select authselect profile custom/my_pam'
  shell: |
    authselect current | grep custom/my_pam
    if [ $? -eq 0 ]; then
      echo "Profile is already selected. Nothing to do."
      exit 255
    fi
    
    authselect select custom/my_pam --force
  register: result
  failed_when: "result.rc != 255 and result.rc != 0"
  changed_when: "result.rc == 0"

pbrezina avatar Nov 30 '18 12:11 pbrezina

@pbrezina i guess i liked pwquality to be in the pam file instead of the config as i had to have faillock/history in the pam file. if they were all external files i'd switch to that maybe; but its getting a bit messy with one main and 3+ includes.

i'll think about the status report, its a bit too much shell for my liking at first glance; thanks.

sej7278 avatar Nov 30 '18 16:11 sej7278