
Commit 1c5c4c3

committed
debconf
1 parent 62a7474 commit 1c5c4c3

5 files changed

Lines changed: 372 additions & 0 deletions


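--- /dev/null
+++ b/debian/config
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+
+# Ask for PAM mode (medium priority)
+db_input medium libpam-llng/pam-mode || true
+db_go || true
+
+db_get libpam-llng/pam-mode
+MODE="$RET"
+
+# If a mode is selected, ask for LLNG parameters
+if [ "$MODE" != "none" ]; then
+db_input high libpam-llng/portal-url || true
+db_input medium libpam-llng/client-id || true
+db_input high libpam-llng/client-secret || true
+db_input low libpam-llng/server-group || true
+db_input medium libpam-llng/configure-sudo || true
+db_go || true
+
+# If sudo is enabled, ask for sudo server group
+db_get libpam-llng/configure-sudo
+if [ "$RET" = "true" ]; then
+db_input low libpam-llng/sudo-server-group || true
+db_go || true
+fi
+fi
+
+exit 0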
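Review bot: With a mode other than `none` selected, an empty portal URL is accepted silently: `db_input high libpam-llng/portal-url || true` never looks at the answer, while postinst in this same commit installs the pam_llng.so stack into /etc/pam.d/sshd unconditionally and only writes pam_llng.conf when the URL is non-empty, so in mode-a an unanswered question presumably leaves sshd with an unconfigured module in front of `pam_deny`. I'd re-ask the URL question until it is a non-empty `https://` URL (the generated config sets `verify_ssl = true` and the client secret is sent to that host), breaking out only when debconf cannot show the question, e.g. under the noninteractive frontend, and let postinst refuse to touch /etc/pam.d/sshd when the URL is still empty. Note that `db_input` returns non-zero both when the question cannot be shown and when it was already seen, so the loop condition below terminates in both cases.
```sh
if [ "$MODE" != "none" ]; then
    # Re-ask until a usable portal URL is given: postinst installs the PAM
    # stack regardless, but only writes pam_llng.conf when the URL is set.
    # db_input fails when the question cannot be shown (noninteractive
    # frontend, already seen): stop looping instead of spinning forever.
    while db_input high libpam-llng/portal-url; do
        db_go || true
        db_get libpam-llng/portal-url
        case "$RET" in
            https://*) break ;;
        esac
        db_fset libpam-llng/portal-url seen false
    done
    # … unchanged: client-id, client-secret, server-group, configure-sudo questions …
```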

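--- a/debian/control
+++ b/debian/control
@@ -19,6 +19,7 @@ Depends: ${misc:Depends}
 , ${shlibs:Depends}
 , curl
 , jq
+, debconf (>= 0.5) | debconf-2.0
 Description: PAM module for LemonLDAP::NG authentication
 This PAM module enables Linux servers to authenticate users via
 LemonLDAP::NG, supporting both token-based authentication and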

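--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,208 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+
+CONF_FILE="/etc/security/pam_llng.conf"
+BACKUP_DIR="/var/backups/libpam-llng"
+PAM_SSHD="/etc/pam.d/sshd"
+PAM_SUDO="/etc/pam.d/sudo"
+
+# Backup a PAM file if not already backed up
+backup_pam_file() {
+file="$1"
+name="$2"
+if [ -f "$file" ] && [ ! -f "$BACKUP_DIR/${name}.orig" ]; then
+mkdir -p "$BACKUP_DIR"
+cp -a "$file" "$BACKUP_DIR/${name}.orig"
+fi
+}
+
+# Generate PAM configuration for sshd
+generate_pam_sshd() {
+mode="$1"
+server_group="$2"
+cat << EOF
+# /etc/pam.d/sshd - Configured by libpam-llng
+# Mode: $mode
+# Server group: $server_group
+#
+EOF
+case "$mode" in
+mode-a)
+cat << EOF
+# AUTHENTICATION: Only LLNG tokens accepted
+auth sufficient pam_llng.so server_group=$server_group
+auth required pam_deny.so
+EOF
+;;
+mode-b|mode-d)
+cat << EOF
+# AUTHENTICATION: LLNG token OR Unix password
+auth sufficient pam_llng.so server_group=$server_group
+auth sufficient pam_unix.so nullok try_first_pass
+auth required pam_deny.so
+EOF
+;;
+mode-c)
+cat << 'EOF'
+# AUTHENTICATION: SSH keys only (handled by sshd, not PAM)
+auth required pam_permit.so
+EOF
+;;
+esac
+cat << EOF
+
+# AUTHORIZATION: LLNG checks if user can access this server
+account required pam_llng.so server_group=$server_group
+account required pam_unix.so
+
+# SESSION
+session required pam_unix.so
+EOF
+}
+
+# Generate PAM configuration for sudo
+generate_pam_sudo() {
+mode="$1"
+server_group="$2"
+cat << EOF
+# /etc/pam.d/sudo - Configured by libpam-llng
+# Mode: $mode
+# Server group: $server_group
+#
+EOF
+case "$mode" in
+mode-a)
+cat << EOF
+# AUTHENTICATION: Only LLNG tokens accepted
+auth sufficient pam_llng.so server_group=$server_group
+auth required pam_deny.so
+EOF
+;;
+mode-b|mode-d)
+cat << EOF
+# AUTHENTICATION: LLNG token OR Unix password
+auth sufficient pam_llng.so server_group=$server_group
+auth sufficient pam_unix.so nullok try_first_pass
+auth required pam_deny.so
+EOF
+;;
+mode-c)
+cat << 'EOF'
+# AUTHENTICATION: Permit (for SSH key scenarios)
+auth required pam_permit.so
+EOF
+;;
+esac
+cat << EOF
+
+# AUTHORIZATION
+account required pam_llng.so server_group=$server_group
+account required pam_unix.so
+
+# SESSION
+session required pam_unix.so
+EOF
+}
+
+# Generate pam_llng.conf
+generate_llng_conf() {
+portal_url="$1"
+client_id="$2"
+client_secret="$3"
+server_group="$4"
+
+cat << EOF
+# /etc/security/pam_llng.conf
+# Configured by libpam-llng debconf
+# Run 'dpkg-reconfigure libpam-llng' to modify
+
+# LemonLDAP::NG portal URL
+portal_url = $portal_url
+
+# OIDC client credentials
+client_id = $client_id
+client_secret = $client_secret
+
+# Server authentication
+server_token_file = /etc/security/pam_llng.token
+server_group = $server_group
+
+# HTTP settings
+timeout = 10
+verify_ssl = true
+
+# Cache settings
+cache_enabled = true
+cache_dir = /var/cache/pam_llng
+cache_ttl = 300
+
+# Logging: error, warn, info, debug
+log_level = warn
+EOF
+}
+
+case "$1" in
+configure)
+db_get libpam-llng/pam-mode
+MODE="$RET"
+
+if [ "$MODE" != "none" ] && [ -n "$MODE" ]; then
+# Get debconf values
+db_get libpam-llng/portal-url
+PORTAL_URL="$RET"
+db_get libpam-llng/client-id
+CLIENT_ID="$RET"
+db_get libpam-llng/client-secret
+CLIENT_SECRET="$RET"
+db_get libpam-llng/server-group
+SERVER_GROUP="$RET"
+db_get libpam-llng/configure-sudo
+CONFIGURE_SUDO="$RET"
+db_get libpam-llng/sudo-server-group
+SUDO_SERVER_GROUP="$RET"
+
+# Use main server group for sudo if not specified
+if [ -z "$SUDO_SERVER_GROUP" ]; then
+SUDO_SERVER_GROUP="$SERVER_GROUP"
+fi
+
+# Generate pam_llng.conf if portal URL is provided
+if [ -n "$PORTAL_URL" ]; then
+generate_llng_conf "$PORTAL_URL" "$CLIENT_ID" "$CLIENT_SECRET" "$SERVER_GROUP" > "$CONF_FILE"
+chmod 600 "$CONF_FILE"
+chown root:root "$CONF_FILE"
+fi
+
+# Backup and configure sshd
+backup_pam_file "$PAM_SSHD" "sshd"
+generate_pam_sshd "$MODE" "$SERVER_GROUP" > "$PAM_SSHD"
+
+# Configure sudo if requested
+if [ "$CONFIGURE_SUDO" = "true" ]; then
+backup_pam_file "$PAM_SUDO" "sudo"
+generate_pam_sudo "$MODE" "$SUDO_SERVER_GROUP" > "$PAM_SUDO"
+fi
+
+# Create cache directory
+mkdir -p /var/cache/pam_llng
+chmod 700 /var/cache/pam_llng
+
+# Clear secret from debconf database for security
+db_set libpam-llng/client-secret ""
+fi
+;;
+
+abort-upgrade|abort-remove|abort-deconfigure)
+;;
+
+*)
+echo "postinst called with unknown argument '$1'" >&2
+exit 1
+;;
+esac
+
+#DEBHELPER#
+
+exit 0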
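Review bot: The generated pam_llng.conf is clobbered on every later `configure` run: line 193 wipes the client secret from debconf after use, but lines 172-176 regenerate the file whenever the portal URL is set, so an ordinary package upgrade (which runs `postinst configure` without re-asking questions) rewrites `client_secret =` as empty and, in mode-a, presumably leaves no working way to log in over SSH. I'd regenerate the file only when a secret is actually present or the file does not exist yet, and write it via `mktemp` in the same directory followed by `mv`, since the current `> "$CONF_FILE"` / `> "$PAM_SSHD"` pattern leaves a truncated config or PAM stack behind if the script dies half-way. The secret also passes through an unquoted `<< EOF` heredoc (line 126), so a secret containing `$` or backquotes is expanded rather than written literally; emitting that line with `printf '%s'` avoids it. Separately, `generate_pam_sudo` in mode-c installs `auth required pam_permit.so`, which makes sudo authenticate nobody, so every sudoers entry becomes passwordless; that deserves at least a warning in the debconf question, if not a refusal. Replacing /etc/pam.d/sshd wholesale also discards whatever the distribution's stack had (the `@include common-*` lines, `pam_loginuid`, `pam_env`, …) and edits a conffile owned by openssh-server, which `pam-auth-update` profiles would avoid.
```sh
# Generate pam_llng.conf only when we actually hold a secret (or the
# file does not exist yet): the secret is wiped from debconf below, so
# a later upgrade would otherwise overwrite the file with an empty one.
if [ -n "$PORTAL_URL" ] && { [ -n "$CLIENT_SECRET" ] || [ ! -f "$CONF_FILE" ]; }; then
    tmp=$(mktemp "${CONF_FILE}.XXXXXX")   # same directory -> mv is atomic
    generate_llng_conf "$PORTAL_URL" "$CLIENT_ID" "$CLIENT_SECRET" "$SERVER_GROUP" > "$tmp"
    chmod 600 "$tmp"
    chown root:root "$tmp"
    mv -f "$tmp" "$CONF_FILE"
fi
# … unchanged: backup_pam_file / generate_pam_sshd / sudo handling / cache dir …
```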

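--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,49 @@
+#!/bin/sh
+set -e
+
+CONF_FILE="/etc/security/pam_llng.conf"
+BACKUP_DIR="/var/backups/libpam-llng"
+PAM_SSHD="/etc/pam.d/sshd"
+PAM_SUDO="/etc/pam.d/sudo"
+TOKEN_FILE="/etc/security/pam_llng.token"
+CACHE_DIR="/var/cache/pam_llng"
+
+case "$1" in
+purge)
+# Restore original PAM files from backups
+if [ -f "$BACKUP_DIR/sshd.orig" ]; then
+cp -a "$BACKUP_DIR/sshd.orig" "$PAM_SSHD"
+fi
+if [ -f "$BACKUP_DIR/sudo.orig" ]; then
+cp -a "$BACKUP_DIR/sudo.orig" "$PAM_SUDO"
+fi
+
+# Remove backup directory
+rm -rf "$BACKUP_DIR"
+
+# Remove configuration files
+rm -f "$CONF_FILE"
+rm -f "$TOKEN_FILE"
+
+# Remove cache directory
+rm -rf "$CACHE_DIR"
+
+# Purge debconf data
+if [ -e /usr/share/debconf/confmodule ]; then
+. /usr/share/debconf/confmodule
+db_purge
+fi
+;;
+
+remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+;;
+
+*)
+echo "postrm called with unknown argument '$1'" >&2
+exit 1
+;;
+esac
+
+#DEBHELPER#
+
+exit 0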
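Review bot: The PAM stacks are only restored on `purge` (line 12) while `remove` (line 38) does nothing, so after `apt remove libpam-llng` /etc/pam.d/sshd still carries `account required pam_llng.so` for a module that is no longer on disk; PAM cannot load it and, the line being `required`, presumably denies every SSH login (and sudo, if it was configured) in every mode, not just mode-a. Restoring the backups belongs on the `remove` path as well — better still in a prerm, before the module file is deleted, so there is no window in which logins fail. Copying back a possibly months-old `sshd.orig` over a file openssh-server may have updated in the meantime is its own risk, which is one more argument for `pam-auth-update` profiles instead of whole-file replacement.
```sh
# Put the pre-install PAM stacks back so sshd/sudo stop referencing the
# module once it is gone ("account required pam_llng.so" would otherwise
# fail to load and deny every login).
restore_pam_files() {
    if [ -f "$BACKUP_DIR/sshd.orig" ]; then
        cp -a "$BACKUP_DIR/sshd.orig" "$PAM_SSHD"
    fi
    if [ -f "$BACKUP_DIR/sudo.orig" ]; then
        cp -a "$BACKUP_DIR/sudo.orig" "$PAM_SUDO"
    fi
}

case "$1" in
    remove)
        restore_pam_files
        ;;
    purge)
        restore_pam_files
        # … unchanged: remove backups, config, token, cache dir, db_purge …
        ;;
    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
        ;;
```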

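--- /dev/null
+++ b/debian/templates
@@ -0,0 +1,84 @@
+Template: libpam-llng/pam-mode
+Type: select
+Choices: none, mode-a, mode-b, mode-c, mode-d
+Choices-fr.UTF-8: aucun, mode-a, mode-b, mode-c, mode-d
+Default: none
+_Description: PAM authentication mode for LemonLDAP::NG:
+Choose how to configure PAM authentication:
+.
+* none: Do not configure PAM automatically
+* mode-a: LLNG token only (strictest)
+* mode-b: LLNG token OR Unix password (fallback)
+* mode-c: SSH key with LLNG authorization only
+* mode-d: All methods (SSH keys, LLNG tokens, Unix passwords)
+.
+All modes require LLNG authorization to access this server.
+_Description-fr.UTF-8: Mode d'authentification PAM pour LemonLDAP::NG :
+Choisissez comment configurer l'authentification PAM :
+.
+* aucun : Ne pas configurer PAM automatiquement
+* mode-a : Token LLNG uniquement (le plus strict)
+* mode-b : Token LLNG OU mot de passe Unix (fallback)
+* mode-c : Clé SSH avec autorisation LLNG uniquement
+* mode-d : Toutes les méthodes (clés SSH, tokens LLNG, mots de passe Unix)
+.
+Tous les modes requièrent une autorisation LLNG pour accéder à ce serveur.
+
+Template: libpam-llng/portal-url
+Type: string
+Default:
+_Description: LemonLDAP::NG portal URL:
+Enter the URL of your LemonLDAP::NG portal (e.g., https://auth.example.com).
+_Description-fr.UTF-8: URL du portail LemonLDAP::NG :
+Entrez l'URL de votre portail LemonLDAP::NG (ex: https://auth.example.com).
+
+Template: libpam-llng/client-id
+Type: string
+Default: pam-access
+_Description: OIDC client ID:
+Enter the OIDC client ID configured in LemonLDAP::NG for PAM access.
+_Description-fr.UTF-8: Identifiant client OIDC :
+Entrez l'identifiant client OIDC configuré dans LemonLDAP::NG pour l'accès PAM.
+
+Template: libpam-llng/client-secret
+Type: password
+_Description: OIDC client secret:
+Enter the client secret for the OIDC client.
+_Description-fr.UTF-8: Secret client OIDC :
+Entrez le secret du client OIDC.
+
+Template: libpam-llng/server-group
+Type: string
+Default: default
+_Description: Server group name:
+Enter the server group name for authorization rules.
+This must match a group defined in LLNG's pamAccessServerGroups.
+_Description-fr.UTF-8: Nom du groupe de serveurs :
+Entrez le nom du groupe de serveurs pour les règles d'autorisation.
+Ce nom doit correspondre à un groupe défini dans pamAccessServerGroups de LLNG.
+
+Template: libpam-llng/configure-sudo
+Type: boolean
+Default: false
+_Description: Also configure PAM for sudo?
+Do you want to configure /etc/pam.d/sudo with LLNG authentication?
+.
+If unsure, select No. You can configure sudo manually later.
+_Description-fr.UTF-8: Configurer aussi PAM pour sudo ?
+Voulez-vous configurer /etc/pam.d/sudo avec l'authentification LLNG ?
+.
+En cas de doute, sélectionnez Non. Vous pourrez configurer sudo manuellement plus tard.
+
+Template: libpam-llng/sudo-server-group
+Type: string
+Default:
+_Description: Server group name for sudo:
+Enter the server group name for sudo authorization rules.
+.
+This allows different authorization rules for SSH access and sudo usage.
+Leave empty to use the same group as SSH.
+_Description-fr.UTF-8: Nom du groupe de serveurs pour sudo :
+Entrez le nom du groupe de serveurs pour les règles d'autorisation sudo.
+.
+Cela permet d'avoir des règles d'autorisation différentes pour l'accès SSH et l'utilisation de sudo.
+Laissez vide pour utiliser le même groupe que SSH.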
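Review bot: The `libpam-llng/configure-sudo` description (lines 63-66) says nothing about what the sudo stack becomes in mode-c: postinst in this same commit writes `auth required pam_permit.so` into /etc/pam.d/sudo for that mode, so answering Yes there presumably turns every sudoers entry into passwordless sudo. I'd add a paragraph to that template, e.g. `In mode-c, sudo will no longer prompt for a password (authentication is delegated to pam_permit); only the LLNG authorization check remains.`, and mirror it in the French text. The mode-d entry (line 13) also promises "All methods" while the PAM stack postinst generates for mode-d is identical to mode-b — SSH public-key acceptance is an sshd_config setting, not a PAM one — so the wording could state that plainly rather than suggest a distinct security level.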
