Andreas Hamacher · Andreas Hamacher · 297998bb · 297998bb · 297998bb
3 changed files
--- a/roles/pam_sshd/tasks/main.yml
+++ b/roles/pam_sshd/tasks/main.yml
@@ -8,11 +8,12 @@
  template: src=loginnodes_sshd.j2 dest=/etc/pam.d/sshd
  become: true
  become_user: root
+when ostgroup = loginnodes and ubuntu  # this is intended to break !
 #  when: computenodepam is undefined or not computenodepam


-#- name: "Copy computenode password sshd pam config"
-##  template: src=computenodes_sshd.j2 dest=/etc/pam.d/sshd
-#  become: true
-#  become_user: root
-#  when: computenodepam is defined and computenodepam
+- name: "Copy computenode password sshd pam config"
+  template: src=computenodes_sshd.j2 dest=/etc/pam.d/sshd
+  become: true
+  become_user: root
+  when: computenodepam is defined and computenodepam
--- a/roles/pam_sshd/templates/loginnodes_sshd_centos.j2
+++ b/roles/pam_sshd/templates/loginnodes_sshd_centos.j2
+#%PAM-1.0
+auth	   required	pam_sepermit.so
+auth       substack     password-auth
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account    sufficient   pam_access.so
+account    required     pam_nologin.so
+account    include      password-auth
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      password-auth
+session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare
--- a/roles/pam_sshd/templates/loginnodes_sshd_ubuntu.j2
+++ b/roles/pam_sshd/templates/loginnodes_sshd_ubuntu.j2
+#%PAM-1.0
+auth	   required	pam_sepermit.so
+auth       substack     password-auth
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account    sufficient   pam_access.so
+account    required     pam_nologin.so
+account    include      password-auth
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare