(#158) Fixed mangled auth files if cracklib is used as pwbackend (#159)

* (#158) Fixed cracklib password backend application Fixes #158 * (#158) Fixed mangled auth files if cracklib is used as pwbackend Fixes #158
simp · Oct 29, 2024 · 220716b · 220716b
1 parent 65e3612
commit 220716b
Show file tree

Hide file tree

Showing 10 changed files with 32 additions and 147 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+* Tue Oct 29 2024 Mike Riddle <[email protected]> - 7.2.2
+- Fixed pam auth files getting mangled when using cracklib as the pwbackend
+
 * Tue Oct 22 2024 Steven Pritchard <[email protected]> - 7.2.1
 - Fix trailing whitespace in filenames and content
 

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-pam",
-  "version": "7.2.1",
+  "version": "7.2.2",
   "author": "SIMP Team",
   "summary": "A SIMP puppet module for managing pam",
   "license": "Apache-2.0",

diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml
@@ -1,18 +1,5 @@
 ---
 HOSTS:
-  el7:
-    roles:
-    - default
-    platform: el-7-x86_64
-    box: centos/7
-    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
-    yum_repos:
-      chef-current:
-        baseurl: https://packages.chef.io/repos/yum/current/el/$releasever/$basearch
-        gpgkeys:
-        - https://packages.chef.io/chef.asc
-    family: centos-cloud/centos-7
-    gce_machine_type: n1-standard-2
   el8:
     platform: el-8-x86_64
     box: generic/centos8

diff --git a/spec/acceptance/nodesets/oel.yml b/spec/acceptance/nodesets/oel.yml
@@ -1,5 +1,13 @@
 ---
 HOSTS:
+  oel9:
+    roles:
+    - client
+    platform: el-9-x86_64
+    box: generic/oracle9
+    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
+    family: sicura-image-build/oracle-linux-9
+    gce_machine_type: n1-standard-2
   oel8:
     roles:
     - client

diff --git a/spec/acceptance/suites/compliance/00_default_spec.rb b/spec/acceptance/suites/compliance/00_default_spec.rb
diff --git a/spec/acceptance/suites/compliance/10_inspec_spec.rb b/spec/acceptance/suites/compliance/10_inspec_spec.rb
diff --git a/spec/acceptance/suites/compliance/metadata.yml b/spec/acceptance/suites/compliance/metadata.yml
diff --git a/spec/acceptance/suites/default/10_check_password_change_spec.rb b/spec/acceptance/suites/default/10_check_password_change_spec.rb
@@ -80,6 +80,7 @@
           stdin = "Tst0$uPerFo0B@rB@z%\n"*repeat_when_failure
           result = on(host, "passwd #{test_user}", {:stdin => stdin, :acceptable_exit_codes => [1]})
           expect(result.stderr).to match(/password contains words from the real name of the user in some form/)
+          pending('gecoscheck does not work') if Integer(facts[:os]['release']['major']) > 7
         end
       end
     end

diff --git a/spec/acceptance/suites/security_modules/nodesets/default.yml b/spec/acceptance/suites/security_modules/nodesets/default.yml
@@ -1,19 +1,19 @@
 ---
 HOSTS:
-  el7-server:
-    roles:
-    - default
-    platform: el-7-x86_64
-    box: centos/7
-    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
-    family: centos-cloud/centos-7
-    gce_machine_type: n1-standard-2
-  el7-client:
-    platform: el-7-x86_64
-    box: centos/7
-    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
-    family: centos-cloud/centos-7
-    gce_machine_type: n1-standard-2
+  # el7-server:
+  #   roles:
+  #   - default
+  #   platform: el-7-x86_64
+  #   box: centos/7
+  #   hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
+  #   family: centos-cloud/centos-7
+  #   gce_machine_type: n1-standard-2
+  # el7-client:
+  #   platform: el-7-x86_64
+  #   box: centos/7
+  #   hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
+  #   family: centos-cloud/centos-7
+  #   gce_machine_type: n1-standard-2
   el8-server:
     platform: el-8-x86_64
     box: generic/centos8

diff --git a/templates/etc/pam.d/auth.epp b/templates/etc/pam.d/auth.epp
@@ -241,8 +241,8 @@ account     required      pam_permit.so
 
      $_pam_password_check = "password     requisite     pam_${password_check_backend}.so${_cracklib_retry}${_cracklib_enforce_for_root}${_cracklib_reject_username}"
 -%>
-<%= $_pam_password_check %>
 <%   if ($password_check_backend == 'cracklib') { -%>
+<%=     $_pam_password_check -%>
 <%       if $cracklib_minlen { %> minlen=<%= $cracklib_minlen %><% } -%>
 <%       if $cracklib_minclass { %> minclass=<%= $cracklib_minclass %><% } -%>
 <%       if $cracklib_maxrepeat { %> maxrepeat=<%= $cracklib_maxrepeat %><% } -%>
@@ -254,7 +254,10 @@ account     required      pam_permit.so
 <%       if $cracklib_lcredit { %> lcredit=<%= $cracklib_lcredit %><% } -%>
 <%       if $cracklib_ocredit { %> ocredit=<%= $cracklib_ocredit %><% } -%>
 <%       if $cracklib_gecoscheck { %> gecoscheck<% } -%>
-<%     } -%>
+<%       %>
+<%     } else {-%>
+<%= $_pam_password_check %>
+<%     }-%>
 <%
     if $manage_pwhistory_conf {
       $_pam_pwhistory = 'password     required      pam_pwhistory.so use_authtok'