(#162) root_unlock_time won't be included if even_deny_root is false (#…

…163)

Also added the nullok parameter back to the module for completeness

Fixes #162
Fixes #124

CHANGELOG

@@ -1,3 +1,8 @@
+* Mon Nov 04 2024 Mike Riddle <[email protected]> - 7.3.0
+- "root_unlock_time" will no longer be included in faillock.conf if "even_deny_root" is set to false
+- Added nullok back as a parameter for completeness, however, users are warned not to use it unless
+  they fully understand the implication of having users without passwords
+
 * Tue Oct 29 2024 Mike Riddle <[email protected]> - 7.2.2
 - Fixed pam auth files getting mangled when using cracklib as the pwbackend
 

manifests/auth.pp

@@ -29,6 +29,7 @@
 # @param cracklib_minclass
 # @param cracklib_minlen
 # @param cracklib_retry
+# @param nullok
 # @param oath
 # @param oath_window
 # @param deny
@@ -79,6 +80,7 @@
   Optional[Integer[0]]            $cracklib_minclass         = $pam::cracklib_minclass,
   Optional[Integer[0]]            $cracklib_minlen           = $pam::cracklib_minlen,
   Integer[0]                      $cracklib_retry            = $pam::cracklib_retry,
+  Boolean                         $nullok                    = $pam::nullok,
   Integer[0]                      $deny                      = $pam::deny,
   Boolean                         $faillock                  = $pam::faillock,
   Boolean                         $manage_faillock_conf      = $pam::manage_faillock_conf,
@@ -201,6 +203,7 @@
           cracklib_minclass         => $cracklib_minclass,
           cracklib_minlen           => $cracklib_minlen,
           cracklib_retry            => $_cracklib_retry,
+          nullok                    => $nullok,
           deny                      => $deny,
           faillock                  => $faillock,
           faillock_log_dir          => $faillock_log_dir,

manifests/init.pp

@@ -121,6 +121,11 @@
 #   performed using the cracklib library. This option will be ignored
 #   unless the OS major version is higher than 7.
 #
+# @param nullok
+#   If true, blank passwords will be allowed for users. DO NOT set this to true
+#   unless you and your organization are willing to accept the risks of having
+#   accounts with blank passwords.
+#
 # @param rm_pwquality_conf_d
 #   Remove the /etc/security/pwquality.conf.d directory and all contents.
 #
@@ -345,6 +350,7 @@
   Optional[Array[String[1],1]]    $cracklib_badwords         = undef,
   Optional[StdLib::Absolutepath]  $cracklib_dictpath         = undef,
   Integer[0]                      $dictcheck                 = 1,
+  Boolean                         $nullok                    = false,
   Boolean                         $rm_pwquality_conf_d       = true,
   Boolean                         $oath                      = simplib::lookup('simp_options::oath', { 'default_value' => false }),
   Integer[0]                      $oath_window               = 1,

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-pam",
-  "version": "7.2.2",
+  "version": "7.3.0",
   "author": "SIMP Team",
   "summary": "A SIMP puppet module for managing pam",
   "license": "Apache-2.0",

spec/classes/config_spec.rb

@@ -83,6 +83,19 @@
     EOM
   }
 
+  let(:no_even_deny_root_faillock_conf){
+    <<~EOM
+    # This file is generated by Puppet
+    # Any changes made to it will be overwritten.
+    #
+    audit
+    silent
+    deny=5
+    fail_interval=900
+    unlock_time=900
+    EOM
+  }
+
   let(:all_params_faillock_conf){
     <<~EOM
     # This file is generated by Puppet
@@ -436,6 +449,18 @@
         end
       end
 
+      context 'with managing faillock.conf with even_deny_root set to false' do
+        let(:params){{ :manage_faillock_conf => true, :even_deny_root => false }}
+
+        it {is_expected.to compile.with_all_deps}
+        if (os_facts[:os][:family] == 'RedHat' and os_facts[:os][:release][:major] <= '7') or
+          (os_facts[:os][:name] == "Amazon" and os_facts[:os][:release][:major] <= '2022')
+          it {is_expected.to_not contain_file('/etc/security/faillock.conf')}
+        else
+          it {is_expected.to contain_file('/etc/security/faillock.conf').with_content( no_even_deny_root_faillock_conf )}
+        end
+      end
+
       context 'with managing faillock.conf with all non-default parameters' do
         let(:params){{
           :manage_faillock_conf => true,

spec/defines/auth_spec.rb

@@ -343,6 +343,26 @@ def get_expected(filename)
             it_should_behave_like "a pam.d config file generator"
             it { is_expected.to contain_file(filename).with_content(file_content) }
         end
+
+        context 'Generate file with when nullok == true' do
+          let(:params){{
+            :nullok => true,
+          }}
+            let(:pw_backend) { 'pwquality' }
+            let(:title){ 'system' }
+            let(:filename){ "/etc/pam.d/system-auth" }
+            let(:el_version){
+              if Integer(os_facts[:os][:release][:major]) <= 7
+                'el7'
+              else
+                'el8'
+              end
+            }
+            let(:file_content) { get_expected("#{pw_backend}-system-#{el_version}-auth_nullok") }
+
+            it_should_behave_like "a pam.d config file generator"
+            it { is_expected.to contain_file(filename).with_content(file_content) }
+        end
       end
     end
   end

spec/expected/auth_spec/pwquality-system-el7-auth_nullok

@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth     optional      pam_faildelay.so
+auth     required      pam_env.so
+auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth     [success=1 default=ignore] pam_unix.so try_first_pass
+auth     [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth     sufficient    pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth     requisite     pam_succeed_if.so uid >= 1000 quiet
+auth     required      pam_deny.so
+
+account     required      pam_faillock.so
+account     required      pam_unix.so broken_shadow
+account     [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     requisite     pam_access.so listsep=, nodefgroup
+account     required      pam_permit.so
+
+password     requisite     pam_pwquality.so retry=3 enforce_for_root reject_username
+password     required      pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password     sufficient    pam_unix.so nullok sha512 rounds=10000 shadow try_first_pass use_authtok
+password     required      pam_deny.so
+
+session      optional      pam_keyinit.so revoke
+session      required      pam_limits.so
+-session     optional      pam_systemd.so
+session      sufficient    pam_succeed_if.so service = gdm-launch-environment quiet
+session      sufficient    pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session      [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session      optional      pam_tty_audit.so disable=* enable=root
+session      optional      pam_env.so readenv=1 envfile=/etc/locale.conf
+session      sufficient    pam_succeed_if.so user = root quiet
+session      requisite     pam_access.so listsep=, nodefgroup
+session      required      pam_unix.so
+session      optional      pam_oddjob_mkhomedir.so silent
+session      required      pam_lastlog.so showfailed

spec/expected/auth_spec/pwquality-system-el8-auth_nullok

@@ -0,0 +1,41 @@
+#%PAM-1.0
+# This file managed by Puppet
+# User changes will be lost!
+
+# SIMP defined auth content
+auth     optional      pam_faildelay.so
+auth     required      pam_env.so
+auth     required      pam_faillock.so preauth silent deny=5 audit unlock_time=900 fail_interval=900 even_deny_root root_unlock_time=60
+auth     [success=1 default=ignore] pam_unix.so try_first_pass
+auth     [default=die] pam_faillock.so authfail deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth     sufficient    pam_faillock.so authsucc deny=5 audit unlock_time=900 even_deny_root root_unlock_time=60
+auth     requisite     pam_succeed_if.so uid >= 1000 quiet
+auth     required      pam_deny.so
+
+account     required      pam_faillock.so
+account     required      pam_unix.so broken_shadow
+account     [success=2 default=ignore] pam_succeed_if.so service = crond quiet
+account     sufficient    pam_succeed_if.so uid < 1000 quiet
+account     requisite     pam_access.so listsep=, nodefgroup
+account     required      pam_permit.so
+
+password     requisite     pam_pwquality.so
+password     required      pam_pwhistory.so use_authtok remember=24 retry=1 file=/etc/security/opasswd enforce_for_root
+password     sufficient    pam_unix.so nullok sha512 rounds=10000 shadow try_first_pass use_authtok
+password     required      pam_deny.so
+
+session      optional      pam_keyinit.so revoke
+session      required      pam_limits.so
+-session     optional      pam_systemd.so
+session      sufficient    pam_succeed_if.so service = gdm-launch-environment quiet
+session      sufficient    pam_succeed_if.so service in crond quiet use_uid
+# Check if session has a tty before running pam_tty_audit
+session      [default=ignore success=1] pam_succeed_if.so tty !~ ?* quiet
+# auditd disabled: pam_tty_audit set to optional so that all logins do not fail
+session      optional      pam_tty_audit.so disable=* enable=root
+session      optional      pam_env.so readenv=1 envfile=/etc/locale.conf
+session      sufficient    pam_succeed_if.so user = root quiet
+session      requisite     pam_access.so listsep=, nodefgroup
+session      required      pam_unix.so
+session      optional      pam_oddjob_mkhomedir.so silent
+session      required      pam_lastlog.so showfailed

templates/etc/pam.d/auth.epp

@@ -17,6 +17,7 @@
   Optional[Integer[0]]           $cracklib_minclass,
   Optional[Integer[0]]           $cracklib_minlen,
   Variant[Boolean, Integer[0]]   $cracklib_retry,
+  Boolean                        $nullok,
   Integer[0]                     $deny,
   Boolean                        $faillock,
   Boolean                        $manage_faillock_conf,
@@ -277,7 +278,14 @@ account     required      pam_permit.so
       $_pam_pwhistory = "password     required      pam_pwhistory.so use_authtok remember=${remember} retry=${remember_retry} file=${remember_file}${_remember_debug}${_remember_for_root}"
 -%>
 <%  } -%>
-<%   $_pam_unix = "password     sufficient    pam_unix.so ${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%>
+<%
+     if $nullok {
+      $_nullok = 'nullok '
+     } else {
+      $_nullok = ''
+     }
+-%>
+<%   $_pam_unix = "password     sufficient    pam_unix.so ${_nullok}${hash_algorithm} rounds=${rounds} shadow try_first_pass use_authtok" -%>
 <%   if $sssd { -%>
 <%= $_pam_pwhistory %>
 <%= $_pam_unix %>

templates/etc/security/faillock.conf.epp

@@ -45,7 +45,7 @@ unlock_time=<%= $unlock_time %>
 <% if $even_deny_root  { -%>
 even_deny_root
 <% } -%>
-<% if $root_unlock_time  { -%>
+<% if $root_unlock_time and $even_deny_root { -%>
 root_unlock_time=<%= $root_unlock_time %>
 <% } -%>
 <% if $admin_group  { -%>