diff --git a/cmd/agent_local/package/linux/postinst.sh b/cmd/agent_local/package/linux/_deb/postinst.sh similarity index 100% rename from cmd/agent_local/package/linux/postinst.sh rename to cmd/agent_local/package/linux/_deb/postinst.sh diff --git a/cmd/agent_local/package/linux/_rpm/post.sh b/cmd/agent_local/package/linux/_rpm/post.sh new file mode 100644 index 00000000..df87d97a --- /dev/null +++ b/cmd/agent_local/package/linux/_rpm/post.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -euo pipefail + +systemctl enable 'ak-agent.service' + +systemctl restart 'ak-agent.service' + +exit 0 diff --git a/cmd/agent_local/package/linux/nfpm.yaml b/cmd/agent_local/package/linux/nfpm.yaml index 76771afb..2be922fe 100644 --- a/cmd/agent_local/package/linux/nfpm.yaml +++ b/cmd/agent_local/package/linux/nfpm.yaml @@ -9,8 +9,6 @@ vendor: "Authentik Security Inc." homepage: "https://goauthentik.io" maintainer: "Authentik Security Inc." license: "MIT" -scripts: - postinstall: ./package/linux/postinst.sh contents: - src: ../../bin/agent_local/ak-agent dst: /usr/bin/ak-agent @@ -18,3 +16,10 @@ contents: dst: /etc/systemd/user/ak-agent.service - src: ./package/linux/usr/share/polkit-1/actions/io.goauthentik.platform.policy dst: /usr/share/polkit-1/actions/io.goauthentik.platform.policy +overrides: + deb: + scripts: + postinstall: ./package/linux/_deb/postinst.sh + rpm: + scripts: + postinstall: ./package/linux/_rpm/post.sh diff --git a/cmd/agent_system/package/linux/postinst.sh b/cmd/agent_system/package/linux/_deb/postinst.sh similarity index 100% rename from cmd/agent_system/package/linux/postinst.sh rename to cmd/agent_system/package/linux/_deb/postinst.sh diff --git a/cmd/agent_system/package/linux/_rpm/post.sh b/cmd/agent_system/package/linux/_rpm/post.sh new file mode 100644 index 00000000..132da957 --- /dev/null +++ b/cmd/agent_system/package/linux/_rpm/post.sh 
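Review bot: `systemctl enable 'ak-agent.service'` and the following `systemctl restart` address the system manager, but the nfpm.yaml hunk in this same commit installs the unit to `/etc/systemd/user/ak-agent.service`, which is a user-scope unit path; if that is what the unit is, system-scope enable and restart fail with a unit-not-found error and, under `set -euo pipefail`, abort the %post scriptlet on every fresh install. For a user unit the system-wide operation is `systemctl --global enable ak-agent.service`, and a (re)start happens in the user's session, not from the package scriptlet. Independently of scope, the `systemctl` calls should be wrapped in `if [ -d /run/systemd/system ]; then … fi` so the package still installs in containers and chroots where systemd is not the running init. I cannot see the renamed `_deb/postinst.sh`, so the same may apply there.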
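Review bot: Removing the top-level `scripts:` block and declaring `postinstall` only under `overrides.deb` and `overrides.rpm` means any other packager nfpm is run with (apk, archlinux, ipk) now produces a package with no post-install script at all, so the service is neither enabled nor restarted there; the same applies to the `cmd/agent_system/package/linux/nfpm.yaml` hunk. If only deb and rpm are built this is fine, but a comment above `overrides:` saying so, or a generic `scripts:` fallback, would make the intent explicit.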
@@ -0,0 +1,15 @@ +#!/usr/bin/env bash +set -euo pipefail + +systemctl enable 'ak-sysd.service' + +if [ $1 -eq 1 ] ; then + # creating _ak-agent group if he isn't already there + if ! getent group _ak-agent >/dev/null; then + addgroup --system --force-badname _ak-agent + fi +fi + +systemctl restart 'ak-sysd.service' + +exit 0 diff --git a/cmd/agent_system/package/linux/nfpm.yaml b/cmd/agent_system/package/linux/nfpm.yaml index 9828c7b4..66b132d7 100644 --- a/cmd/agent_system/package/linux/nfpm.yaml +++ b/cmd/agent_system/package/linux/nfpm.yaml @@ -9,8 +9,6 @@ vendor: "Authentik Security Inc." homepage: "https://goauthentik.io" maintainer: "Authentik Security Inc." license: "MIT" -scripts: - postinstall: ./package/linux/postinst.sh contents: - src: ../../bin/agent_system/ak-sysd dst: /usr/bin/ak-sysd @@ -35,3 +33,10 @@ contents: dst: /etc/opt/edge/native-messaging-hosts/io.goauthentik.platform.json - src: ./package/linux/browser-host-firefox.json dst: /usr/lib/mozilla/native-messaging-hosts/io.goauthentik.platform.json +overrides: + deb: + scripts: + postinstall: ./package/linux/_deb/postinst.sh + rpm: + scripts: + postinstall: ./package/linux/_rpm/post.sh diff --git a/nss/debian/postinst.sh b/nss/_deb/postinst.sh similarity index 98% rename from nss/debian/postinst.sh rename to nss/_deb/postinst.sh index 550089b6..846b7c8a 100755 --- a/nss/debian/postinst.sh +++ b/nss/_deb/postinst.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash #DEBHELPER# -set -eu +set -euo pipefail mkdir -p /var/log/authentik diff --git a/nss/_rpm/post.sh b/nss/_rpm/post.sh new file mode 100755 index 00000000..5bb69c04 --- /dev/null +++ b/nss/_rpm/post.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -euo pipefail + +mkdir -p /var/log/authentik diff --git a/nss/nfpm.yaml b/nss/nfpm.yaml index f7a058de..7c47b1d8 100644 --- a/nss/nfpm.yaml +++ b/nss/nfpm.yaml 
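Review bot: `addgroup --system --force-badname _ak-agent` is the Debian `adduser` front end; on rpm-based distributions (Fedora, RHEL, openSUSE) that command is not present, so on a fresh install (`$1` equal to 1) a `getent` miss leads straight to a command-not-found error and `set -e` aborts the scriptlet before `systemctl restart` runs. Since this file is the rpm-specific post script, use the shadow-utils form `groupadd --system _ak-agent`. Quote the scriptlet argument too, `if [ "$1" -eq 1 ]; then`, and reword the comment to `# create the _ak-agent system group on first install if it does not exist yet`.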
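Review bot: `mkdir -p /var/log/authentik` creates the log directory with a mode derived from the installer's umask, so permissions on a directory that an NSS module (loaded into arbitrary processes) is presumably going to write to depend on the environment rather than on the package. Set them deliberately, e.g. `install -d -m 0755 -o root -g root /var/log/authentik`, adjusted to whatever owner and mode the module actually requires. nfpm can also ship the directory as a `contents` entry with `type: dir` and `file_info`, which would make it package-owned and removed on uninstall.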
@@ -28,4 +28,7 @@ contents: overrides: deb: scripts: - postinstall: ./debian/postinst.sh + postinstall: ./_deb/postinst.sh + rpm: + scripts: + postinstall: ./_rpm/post.sh diff --git a/pam/debian/pam_config b/pam/_deb/pam_config similarity index 100% rename from pam/debian/pam_config rename to pam/_deb/pam_config diff --git a/pam/debian/postinst.sh b/pam/_deb/postinst.sh similarity index 97% rename from pam/debian/postinst.sh rename to pam/_deb/postinst.sh index 0af5bd30..3be98c30 100755 --- a/pam/debian/postinst.sh +++ b/pam/_deb/postinst.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -set -eu +set -euo pipefail function sshd_notice { if ! grep -q '^KbdInteractiveAuthentication.*yes' /etc/ssh/sshd_config; then diff --git a/pam/debian/prerm.sh b/pam/_deb/prerm.sh similarity index 86% rename from pam/debian/prerm.sh rename to pam/_deb/prerm.sh index 9284c829..a3a90118 100755 --- a/pam/debian/prerm.sh +++ b/pam/_deb/prerm.sh @@ -1,6 +1,5 @@ #!/usr/bin/env bash - -set -eu +set -euo pipefail if [ "$1" = remove ]; then pam-auth-update --package --remove authentik diff --git a/pam/_rpm/authselect/README b/pam/_rpm/authselect/README new file mode 100644 index 00000000..5b3c286b --- /dev/null +++ b/pam/_rpm/authselect/README @@ -0,0 +1,5 @@ +Enable authentik for system authentication +================ + +Selecting this profile will enable local files as the source of identity +and authentication providers. diff --git a/pam/_rpm/authselect/REQUIREMENTS b/pam/_rpm/authselect/REQUIREMENTS new file mode 100644 index 00000000..e69de29b diff --git a/pam/_rpm/authselect/dconf-db b/pam/_rpm/authselect/dconf-db new file mode 100644 index 00000000..bd32b281 --- /dev/null +++ b/pam/_rpm/authselect/dconf-db @@ -0,0 +1,3 @@ +[org/gnome/login-screen] +enable-smartcard-authentication=false +enable-fingerprint-authentication={if "with-fingerprint":true|false} diff --git a/pam/_rpm/authselect/dconf-locks b/pam/_rpm/authselect/dconf-locks new file mode 100644 index 00000000..8a36fa95 --- /dev/null 
+++ b/pam/_rpm/authselect/dconf-locks
@@ -0,0 +1,2 @@
+/org/gnome/login-screen/enable-smartcard-authentication
+/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/pam/_rpm/authselect/fingerprint-auth b/pam/_rpm/authselect/fingerprint-auth
new file mode 100644
index 00000000..7374032c
--- /dev/null
+++ b/pam/_rpm/authselect/fingerprint-auth
@@ -0,0 +1,24 @@
+auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"}
+{continue if "with-fingerprint"}
+auth required pam_env.so
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth [success=done default=bad] pam_fprintd.so
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account required pam_unix.so
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/pam/_rpm/authselect/nsswitch.conf b/pam/_rpm/authselect/nsswitch.conf
new file mode 100644
index 00000000..1afa4590
--- /dev/null
+++ b/pam/_rpm/authselect/nsswitch.conf
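Review bot: Unlike the `system-auth` and `password-auth` stacks in this commit, this `fingerprint-auth` stack carries no `pam_authentik.so` line, so a fingerprint login never runs `session required pam_authentik.so`; if that session module performs per-login setup for authentik-provided users, fingerprint sessions will silently skip it. Either add the same session line here or note in the profile README that fingerprint logins are intentionally outside authentik's session handling. The rest of the file appears to mirror the stock authselect template, which is fine.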
@@ -0,0 +1,16 @@
+# In order of likelihood of use to accelerate lookup.
+passwd: files {if "with-altfiles":altfiles }systemd authentik
+shadow: files systemd authentik
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd authentik
+hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+services: files
+netgroup: files
+automount: files
+
+aliases: files
+ethers: files
+gshadow: files systemd
+networks: files dns
+protocols: files
+publickey: files
+rpc: files
diff --git a/pam/_rpm/authselect/password-auth b/pam/_rpm/authselect/password-auth
new file mode 100644
index 00000000..81b0e0ac
--- /dev/null
+++ b/pam/_rpm/authselect/password-auth
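Review bot: On the `group:` line `authentik` is appended after `systemd` without a `[SUCCESS=merge]` action, so once `files` or `systemd` resolves a group the lookup returns and authentik is never consulted for that group; if authentik is meant to add members to groups that also exist locally (the usual initgroups case), the line should read `group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd [SUCCESS=merge] authentik`. Separately, `shadow:` lists `authentik` while `gshadow:` does not; if the module does not actually serve shadow entries, drop it from `shadow:` so pam_unix does not query it on every password check.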
@@ -0,0 +1,34 @@
+auth [success=2 default=ignore] pam_authentik.so
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+account required pam_unix.so
+
+password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+password requisite pam_pwquality.so
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password required pam_deny.so
+
+session required pam_authentik.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+session optional pam_systemd_home.so {include if "with-systemd-homed"}
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
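Review bot: `auth [success=2 default=ignore] pam_authentik.so` at the top of the auth stack is the Debian pam-auth-update primary-block idiom, where the jump lands on a terminating `pam_permit.so`; in this Fedora-style `sufficient`/`required` stack there is no such terminator, so after pam_authentik succeeds the jump only skips `pam_env.so` and `pam_faildelay.so` and the stack still needs a success from `pam_unix.so` (or another `sufficient` module) before reaching `pam_deny.so` — as far as I can tell, an authentik-only user is denied unless pam_unix independently accepts the password. In this stack's style the line would be `auth sufficient pam_authentik.so`, placed after the `pam_faillock.so preauth` line so that pam_env and the lockout pre-check still run. The same stack appears in `pam/_rpm/authselect/system-auth`. Separately, `session required pam_authentik.so` makes every session, including root console logins, fail when the module or its backing agent is unavailable; unless fail-closed is the intended behaviour, `session optional pam_authentik.so` is the safer default.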
diff --git a/pam/_rpm/authselect/postlogin b/pam/_rpm/authselect/postlogin
new file mode 100644
index 00000000..319a7d09
--- /dev/null
+++ b/pam/_rpm/authselect/postlogin
@@ -0,0 +1,8 @@
+auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+
+password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+
+session optional pam_umask.so silent
+session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session [default=1] pam_lastlog2.so {if "with-silent-lastlog":silent}
+session optional pam_lastlog2.so silent
diff --git a/pam/_rpm/authselect/smartcard-auth b/pam/_rpm/authselect/smartcard-auth
new file mode 100644
index 00000000..5fc13165
--- /dev/null
+++ b/pam/_rpm/authselect/smartcard-auth
@@ -0,0 +1 @@
+auth required pam_debug.so auth=authinfo_unavail
diff --git a/pam/_rpm/authselect/system-auth b/pam/_rpm/authselect/system-auth
new file mode 100644
index 00000000..64b8db7b
--- /dev/null
+++ b/pam/_rpm/authselect/system-auth
@@ -0,0 +1,35 @@
+auth [success=2 default=ignore] pam_authentik.so
+auth required pam_env.so
+auth required pam_faildelay.so delay=2000000
+auth required pam_faillock.so preauth silent {include if "with-faillock"}
+auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
+auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+auth required pam_faillock.so authfail {include if "with-faillock"}
+auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
+auth required pam_deny.so
+
+account required pam_access.so {include if "with-pamaccess"}
+account required pam_faillock.so {include if "with-faillock"}
+account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+account required pam_unix.so
+
+password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
+password requisite pam_pwquality.so
+password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
+password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password required pam_deny.so
+
+session required pam_authentik.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+session optional pam_systemd_home.so {include if "with-systemd-homed"}
+-session optional pam_systemd.so
+session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
diff --git a/pam/_rpm/post.sh b/pam/_rpm/post.sh
new file mode 100755
index 00000000..cc84ab27
--- /dev/null
+++ b/pam/_rpm/post.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+function sshd_notice {
+ if ! grep -q '^KbdInteractiveAuthentication.*yes' /etc/ssh/sshd_config; then
+ cat <