diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
index 4c2c430a011..a3398cfbbbc 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_arg_missing.fail.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -28,3 +29,4 @@ Password-Initial:
 EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
index 9c3c606b024..34ceea23b01 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
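Review bot: The temporary profile written to tmpunix keeps `Priority: 256` and, judging by the full heredoc body visible in ubuntu_correct_value.pass.sh, carries no `Conflicts: unix` line, so the stock `unix` profile in /usr/share/pam-configs stays enabled beside it at the same priority; nothing in this diff shows whether pam-auth-update then emits both pam_unix lines or which one the check ends up reading. The project's own bash_pam_unix_enable macro (last hunk of this diff) sidesteps exactly this by giving its copy `Priority: 257` and `Conflicts: unix`. Either add those two lines to the temporary profile or state the intent in a comment, e.g. `# tmpunix is applied alongside the stock unix profile at equal priority; the check relies on pam-auth-update's ordering`. The same profile header is written by ubuntu_correct_value.pass.sh, ubuntu_wrong_value.fail.sh, commented_value.fail.sh, correct.pass.sh, missing.fail.sh and wrong_value_concat.fail.sh; the heredoc body continues outside this hunk.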
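Review bot: `rm "$config_file"` runs regardless of whether pam-auth-update succeeded, and the script has no `set -e`; for a .fail.sh scenario, a pam-auth-update that rejected the profile would make the check fail for the wrong reason while the scenario is still reported as behaving as expected. A guard such as `DEBIAN_FRONTEND=noninteractive pam-auth-update || exit 1` ahead of the cleanup would surface that, and a one-line comment that the generated /etc/pam.d/common-* files are what the check reads after the profile source is gone would explain why deleting it is safe. The same cleanup line is added in ubuntu_correct_value.pass.sh, ubuntu_wrong_value.fail.sh, commented_value.fail.sh, correct.pass.sh, missing.fail.sh and wrong_value_concat.fail.sh.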
@@ -2,22 +2,34 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/cac_unix
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=5
 
-{{{ bash_pam_unix_enable() }}}
-sed -i -E '/^Password:/,/^[^[:space:]]/ {
- /pam_unix\.so/ {
- s/\s*remember=[^[:space:]]*//g
- s/$/ remember='"$remember_cnt"'/g
- }
-}' "$config_file"
-
-sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
- /pam_unix\.so/ {
- s/\s*remember=[^[:space:]]*//g
- s/$/ remember='"$remember_cnt"'/g
- }
-}' "$config_file"
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=$remember_cnt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure yescrypt remember=$remember_cnt
+EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
index 4295c4dc27e..50d807e2471 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
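Review bot: The `Password:` and `Password-Initial:` lines now hard-code `yescrypt` together with `obscure use_authtok try_first_pass`, whereas the removed `{{{ bash_pam_unix_enable() }}}` plus sed approach took those options from the installed `unix` profile, so the scenario no longer exercises the distribution's own pam_unix line; since `# platform = multi_platform_ubuntu` spans several releases, it should be confirmed that every targeted pam_unix accepts `yescrypt`. `remember_cnt=5` also repeats the value in `# variables = var_password_pam_unix_remember=5` with nothing keeping the two in step. A header comment such as `# Temporary profile mirrors Ubuntu's stock unix profile with remember= appended; keep remember_cnt equal to var_password_pam_unix_remember` would record both decisions.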
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_wrong_value.fail.sh
@@ -2,7 +2,7 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
 remember_cnt=3
 
 cat << EOF > "$config_file"
@@ -32,3 +32,4 @@ Password-Initial:
 EOF
 
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm $config_file
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
index 60e5a07a877..12ebca41877 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/commented_value.fail.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 # remediation = none
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,3 +30,4 @@ Password-Initial:
 [success=end default=ignore] pam_unix.so obscure # sha512
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
index 67ca0ca7615..2f3bdadc0fa 100644
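Review bot: `rm $config_file` in the ubuntu_wrong_value.fail.sh cleanup hunk is the only one of the new cleanup lines left unquoted; every sibling file in this diff writes `rm "$config_file"`. The current value has no whitespace or glob characters, so it works today, but the inconsistency invites a future copy that breaks and ShellCheck (SC2086) will flag it. Change it to `rm "$config_file"` to match the rest of the series.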
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/correct.pass.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,6 +30,7 @@ Password-Initial:
 [success=end default=ignore] pam_unix.so obscure sha512
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 
 pam_file="/etc/pam.d/system-auth"
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
index 3787dd5bbd9..bc314099b7e 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/missing.fail.sh
@@ -3,7 +3,8 @@
 # variables = var_password_hashing_algorithm_pam=sha512
 
 {{% if 'ubuntu' in product %}}
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -29,6 +30,7 @@ Password-Initial:
 [success=end default=ignore] pam_unix.so obscure
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
 {{% else %}}
 sed -i --follow-symlinks '/^password.*sufficient.*pam_unix\.so/ s/sha512//g' "/etc/pam.d/system-auth"
 {{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
index f9856a6c500..383848c4c87 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/tests/wrong_value_concat.fail.sh
@@ -2,7 +2,8 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_hashing_algorithm_pam=sha512
 
-cat << EOF > /usr/share/pam-configs/unix
+config_file=/usr/share/pam-configs/tmpunix
+cat << EOF > "$config_file"
 Name: Unix authentication
 Default: yes
 Priority: 256
@@ -28,3 +29,4 @@ Password-Initial:
 [success=end default=ignore] pam_unix.so obscure sha5122
 EOF
 DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index f31eafeedfd..591dc2043d1 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -911,7 +911,7 @@ conf_path="/usr/share/pam-configs/"
 
 if [ ! -f "$conf_path"/"$conf_name" ]; then
 if [ -f "$conf_path"/unix ]; then
-if grep -q $(md5sum "$conf_path"/unix | cut -d ' ' -f 1) /var/lib/dpkg/info/libpam-runtime.md5sums;then
+if grep -q "$(md5sum "$conf_path"/unix | cut -d ' ' -f 1)" /var/lib/dpkg/info/libpam-runtime.md5sums;then
 cp "$conf_path/unix" "$conf_path/"$conf_name""
 sed '/Default: yes/a Priority: 257\
 Conflicts: unix' "$conf_path"/"$conf_name"
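Review bot: Quoting the `$(md5sum …)` substitution in the 10-bash.jinja hunk is the right fix, but the next line, `cp "$conf_path/unix" "$conf_path/"$conf_name""`, still splices `$conf_name` in unquoted between two quoted fragments; `cp "$conf_path/unix" "$conf_path/$conf_name"` is equivalent for the current value and consistent with the line just changed. The guard also matches the hash anywhere in libpam-runtime.md5sums rather than on the entry for usr/share/pam-configs/unix, so a stock-profile check could in principle be satisfied by another file's entry; if the md5sums file uses the usual `hash  path` layout, anchoring the pattern on that path (and using `grep -qF` since the hash is a literal) makes the "unix profile is unmodified" intent precise. The enclosing if blocks open and close outside this hunk.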