From c0403466fbd04bc71465e629ea3d325f4c0135b1 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 31 Dec 2025 12:25:38 +0100
Subject: [PATCH 1/5] start adding rpm scripts

---
 .../package/linux/{ => _deb}/postinst.sh | 0
 cmd/agent_local/package/linux/_rpm/post.sh | 8 ++++++++
 cmd/agent_local/package/linux/nfpm.yaml | 9 +++++++--
 .../package/linux/{ => _deb}/postinst.sh | 0
 cmd/agent_system/package/linux/_rpm/post.sh | 15 +++++++++++++++
 cmd/agent_system/package/linux/nfpm.yaml | 9 +++++++--
 6 files changed, 37 insertions(+), 4 deletions(-)
 rename cmd/agent_local/package/linux/{ => _deb}/postinst.sh (100%)
 create mode 100644 cmd/agent_local/package/linux/_rpm/post.sh
 rename cmd/agent_system/package/linux/{ => _deb}/postinst.sh (100%)
 create mode 100644 cmd/agent_system/package/linux/_rpm/post.sh

diff --git a/cmd/agent_local/package/linux/postinst.sh b/cmd/agent_local/package/linux/_deb/postinst.sh
similarity index 100%
rename from cmd/agent_local/package/linux/postinst.sh
rename to cmd/agent_local/package/linux/_deb/postinst.sh
diff --git a/cmd/agent_local/package/linux/_rpm/post.sh b/cmd/agent_local/package/linux/_rpm/post.sh
new file mode 100644
index 00000000..df87d97a
--- /dev/null
+++ b/cmd/agent_local/package/linux/_rpm/post.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+systemctl enable 'ak-agent.service'
+
+systemctl restart 'ak-agent.service'
+
+exit 0
diff --git a/cmd/agent_local/package/linux/nfpm.yaml b/cmd/agent_local/package/linux/nfpm.yaml
index 76771afb..2be922fe 100644
--- a/cmd/agent_local/package/linux/nfpm.yaml
+++ b/cmd/agent_local/package/linux/nfpm.yaml
@@ -9,8 +9,6 @@ vendor: "Authentik Security Inc."
 homepage: "https://goauthentik.io"
 maintainer: "Authentik Security Inc."
 license: "MIT"
-scripts:
- postinstall: ./package/linux/postinst.sh
 contents:
 - src: ../../bin/agent_local/ak-agent
 dst: /usr/bin/ak-agent
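Review bot: `systemctl enable 'ak-agent.service'` and the following `systemctl restart` address the system manager, but the nfpm hunk for this package installs the unit to `/etc/systemd/user/ak-agent.service`, which the system manager does not read; unless a system-scope unit of the same name also exists, both calls fail and `set -e` ends the scriptlet. For a user unit the matching call is `systemctl --global enable ak-agent.service`, which links the unit into every user session's configuration; there is no system-scope restart for per-user managers, so that line would go. The deb postinst is renamed unchanged and its content is not shown, so it may carry the same problem.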
@@ -18,3 +16,10 @@ contents:
 dst: /etc/systemd/user/ak-agent.service
 - src: ./package/linux/usr/share/polkit-1/actions/io.goauthentik.platform.policy
 dst: /usr/share/polkit-1/actions/io.goauthentik.platform.policy
+overrides:
+ deb:
+ scripts:
+ postinstall: ./package/linux/_deb/postinst.sh
+ rpm:
+ scripts:
+ postinstall: ./package/linux/_rpm/post.sh
diff --git a/cmd/agent_system/package/linux/postinst.sh b/cmd/agent_system/package/linux/_deb/postinst.sh
similarity index 100%
rename from cmd/agent_system/package/linux/postinst.sh
rename to cmd/agent_system/package/linux/_deb/postinst.sh
diff --git a/cmd/agent_system/package/linux/_rpm/post.sh b/cmd/agent_system/package/linux/_rpm/post.sh
new file mode 100644
index 00000000..132da957
--- /dev/null
+++ b/cmd/agent_system/package/linux/_rpm/post.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+systemctl enable 'ak-sysd.service'
+
+if [ $1 -eq 1 ] ; then
+ # creating _ak-agent group if he isn't already there
+ if ! getent group _ak-agent >/dev/null; then
+ addgroup --system --force-badname _ak-agent
+ fi
+fi
+
+systemctl restart 'ak-sysd.service'
+
+exit 0
diff --git a/cmd/agent_system/package/linux/nfpm.yaml b/cmd/agent_system/package/linux/nfpm.yaml
index 9828c7b4..66b132d7 100644
--- a/cmd/agent_system/package/linux/nfpm.yaml
+++ b/cmd/agent_system/package/linux/nfpm.yaml
@@ -9,8 +9,6 @@ vendor: "Authentik Security Inc."
 homepage: "https://goauthentik.io"
 maintainer: "Authentik Security Inc."
 license: "MIT"
-scripts:
- postinstall: ./package/linux/postinst.sh
 contents:
 - src: ../../bin/agent_system/ak-sysd
 dst: /usr/bin/ak-sysd
@@ -35,3 +33,10 @@ contents:
 dst: /etc/opt/edge/native-messaging-hosts/io.goauthentik.platform.json
 - src: ./package/linux/browser-host-firefox.json
 dst: /usr/lib/mozilla/native-messaging-hosts/io.goauthentik.platform.json
+overrides:
+ deb:
+ scripts:
+ postinstall: ./package/linux/_deb/postinst.sh
+ rpm:
+ scripts:
+ postinstall: ./package/linux/_rpm/post.sh
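Review bot: `addgroup --system --force-badname _ak-agent` in the new `_rpm/post.sh` is the Debian adduser front end; RPM-based distributions ship `groupadd` from shadow-utils instead, so on a first install (`$1 -eq 1`) this line fails and `set -e` ends the scriptlet before `systemctl restart` runs. The portable form is `groupadd --system _ak-agent`. If any packaged file is meant to be owned by that group, the group has to exist before the payload is unpacked, which in RPM is a `%pre` scriptlet (nfpm `preinstall`) rather than `%post`; the overrides here only declare `postinstall`, so this is worth confirming against the file list. Quoting the argument as `[ "$1" -eq 1 ]` would match the `[ "$1" = remove ]` style used in the pam prerm.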
From 27313cca848bdca6f997f286acef12b02a26dcf4 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 31 Dec 2025 13:02:16 +0100
Subject: [PATCH 2/5] add nss

---
 nss/{debian => _deb}/postinst.sh | 2 +-
 nss/_rpm/post.sh | 34 ++++++++++++++++++++++++++++++++
 nss/nfpm.yaml | 5 ++++-
 3 files changed, 39 insertions(+), 2 deletions(-)
 rename nss/{debian => _deb}/postinst.sh (98%)
 create mode 100755 nss/_rpm/post.sh

diff --git a/nss/debian/postinst.sh b/nss/_deb/postinst.sh
similarity index 98%
rename from nss/debian/postinst.sh
rename to nss/_deb/postinst.sh
index 550089b6..846b7c8a 100755
--- a/nss/debian/postinst.sh
+++ b/nss/_deb/postinst.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #DEBHELPER#
-set -eu
+set -euo pipefail
 mkdir -p /var/log/authentik
diff --git a/nss/_rpm/post.sh b/nss/_rpm/post.sh
new file mode 100755
index 00000000..e98645ee
--- /dev/null
+++ b/nss/_rpm/post.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+mkdir -p /var/log/authentik
+
+# This code was taken from authd, which got it from libnss-sss, which got it from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+# try to insert authentik entries to the passwd, group and shadow
+# lines in /etc/nsswitch.conf to automatically enable libnss-authentik
+# support; do not change the configuration if the lines already
+# reference some authentik lookups
+insert_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ # append 'authentik' to the end of the line if it's not found already
+ sed -i --regexp-extended '
+ /^(passwd|group|shadow):/ {
+ /\bauthentik\b/! s/$/ authentik/
+ }
+ ' /etc/nsswitch.conf
+}
+
+
+if [ $1 -eq 1 ] ; then
+ insert_nss_entry
+fi
diff --git a/nss/nfpm.yaml b/nss/nfpm.yaml
index f7a058de..7c47b1d8 100644
--- a/nss/nfpm.yaml
+++ b/nss/nfpm.yaml
@@ -28,4 +28,7 @@ contents:
 overrides:
 deb:
 scripts:
- postinstall: ./debian/postinst.sh
+ postinstall: ./_deb/postinst.sh
+ rpm:
+ scripts:
+ postinstall: ./_rpm/post.sh

From 21802f76899eb4988a932c540527415d1e0c8263 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 31 Dec 2025 13:02:26 +0100
Subject: [PATCH 3/5] init authselect

---
 pam/{debian => _deb}/pam_config | 0
 pam/{debian => _deb}/postinst.sh | 2 +-
 pam/{debian => _deb}/prerm.sh | 3 +-
 pam/_rpm/authselect/README | 80 ++++++++++++++++++++++++++++
 pam/_rpm/authselect/REQUIREMENTS | 21 ++++++++
 pam/_rpm/authselect/dconf-db | 3 ++
 pam/_rpm/authselect/dconf-locks | 2 +
 pam/_rpm/authselect/fingerprint-auth | 24 +++++++++
 pam/_rpm/authselect/nsswitch.conf | 16 ++++++
 pam/_rpm/authselect/password-auth | 32 +++++++++++
 pam/_rpm/authselect/postlogin | 8 +++
 pam/_rpm/authselect/smartcard-auth | 1 +
 pam/_rpm/authselect/system-auth | 33 ++++++++++++
 pam/_rpm/pam_config | 11 ++++
 pam/_rpm/post.sh | 25 +++++++++
 pam/_rpm/preun.sh | 6 +++
 pam/nfpm.yaml | 8 ++-
 17 files changed, 270 insertions(+), 5 deletions(-)
 rename pam/{debian => _deb}/pam_config (100%)
 rename pam/{debian => _deb}/postinst.sh (97%)
 rename pam/{debian => _deb}/prerm.sh (86%)
 create mode 100644 pam/_rpm/authselect/README
 create mode 100644 pam/_rpm/authselect/REQUIREMENTS
 create mode 100644 pam/_rpm/authselect/dconf-db
 create mode 100644 pam/_rpm/authselect/dconf-locks
 create mode 100644 pam/_rpm/authselect/fingerprint-auth
 create mode 100644 pam/_rpm/authselect/nsswitch.conf
 create mode 100644 pam/_rpm/authselect/password-auth
 create mode 100644 pam/_rpm/authselect/postlogin
 create mode 100644 pam/_rpm/authselect/smartcard-auth
 create mode 100644 pam/_rpm/authselect/system-auth
 create mode 100644 pam/_rpm/pam_config
 create mode 100755 pam/_rpm/post.sh
 create mode 100755 pam/_rpm/preun.sh

diff --git a/pam/debian/pam_config b/pam/_deb/pam_config
similarity index 100%
rename from pam/debian/pam_config
rename to pam/_deb/pam_config
diff --git a/pam/debian/postinst.sh b/pam/_deb/postinst.sh
similarity index 97%
rename from pam/debian/postinst.sh
rename to pam/_deb/postinst.sh
index 0af5bd30..3be98c30 100755
--- a/pam/debian/postinst.sh
+++ b/pam/_deb/postinst.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -eu
+set -euo pipefail
 function sshd_notice {
 if ! grep -q '^KbdInteractiveAuthentication.*yes' /etc/ssh/sshd_config; then
diff --git a/pam/debian/prerm.sh b/pam/_deb/prerm.sh
similarity index 86%
rename from pam/debian/prerm.sh
rename to pam/_deb/prerm.sh
index 9284c829..a3a90118 100755
--- a/pam/debian/prerm.sh
+++ b/pam/_deb/prerm.sh
@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
-
-set -eu
+set -euo pipefail
 if [ "$1" = remove ]; then
 pam-auth-update --package --remove authentik
diff --git a/pam/_rpm/authselect/README b/pam/_rpm/authselect/README
new file mode 100644
index 00000000..5108590d
--- /dev/null
+++ b/pam/_rpm/authselect/README
@@ -0,0 +1,80 @@ +Local users only +================ + +Selecting this profile will enable local files as the source of identity +and authentication providers. + +AVAILABLE OPTIONAL FEATURES +--------------------------- + +with-faillock:: + Enable account locking in case of too many consecutive + authentication failures. + +with-mkhomedir:: + Enable automatic creation of home directories for users on their + first login. + +with-ecryptfs:: + Enable automatic per-user ecryptfs. + +with-fingerprint:: + Enable authentication with fingerprint reader through *pam_fprintd*. + +with-pam-gnome-keyring:: + Enable pam-gnome-keyring support. + +with-pam-u2f:: + Enable authentication via u2f dongle through *pam_u2f*. + +with-pam-u2f-2fa:: + Enable 2nd factor authentication via u2f dongle through *pam_u2f*. + +without-pam-u2f-nouserok:: + Module argument nouserok is omitted if also with-pam-u2f-2fa is used. + *WARNING*: Omitting nouserok argument means that users without pam-u2f + authentication configured will not be able to log in *INCLUDING* root. + Make sure you are able to log in before losing root privileges. + +with-silent-lastlog:: + Do not produce pam_lastlog message during login. + +without-lastlog-showfailed:: + Do not print number of failed login attempts during login. + +with-pamaccess:: + Check access.conf during account authorization. + +with-pwhistory:: + Enable pam_pwhistory module for local users. + +with-altfiles:: + Use nss_altfiles for passwd and group nsswitch databases. + +with-mdns4:: + Enable multicast DNS over IPv4. + +with-mdns6:: + Enable multicast DNS over IPv6. + +with-systemd-homed:: + If set, pam_systemd_homed is enabled for all pam operations. + +with-libvirt:: + Enable connecting to libvirt VMs using the hostname configured in the + guest OS or, as a fallback, their name. + +without-nullok:: + Do not add nullok parameter to pam_unix. 
+ +EXAMPLES +-------- + +* Enable local profile + + authselect select local + +SEE ALSO +-------- +* man passwd(5) +* man group(5) diff --git a/pam/_rpm/authselect/REQUIREMENTS b/pam/_rpm/authselect/REQUIREMENTS new file mode 100644 index 00000000..5ad084bc --- /dev/null +++ b/pam/_rpm/authselect/REQUIREMENTS @@ -0,0 +1,21 @@ +- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} + is present and oddjobd service is enabled and active {include if "with-mkhomedir"} + - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} + {include if "with-altfiles"} +- with-altfiles is selected, make sure nss_altfiles module is present {include if "with-altfiles"} + {include if "with-libvirt"} +- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} + {include if "with-systemd-homed"} +- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} + - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} + {include if "with-pam-gnome-keyring"} +- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"} + is present. {include if "with-pam-gnome-keyring"} + {include if "with-fingerprint"} +- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} + {include if "with-pam-u2f"} +- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} + - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} + {include if "with-pam-u2f-2fa"} +- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} + - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} 
diff --git a/pam/_rpm/authselect/dconf-db b/pam/_rpm/authselect/dconf-db new file mode 100644 index 00000000..bd32b281 --- /dev/null +++ b/pam/_rpm/authselect/dconf-db @@ -0,0 +1,3 @@ +[org/gnome/login-screen] +enable-smartcard-authentication=false +enable-fingerprint-authentication={if "with-fingerprint":true|false} diff --git a/pam/_rpm/authselect/dconf-locks b/pam/_rpm/authselect/dconf-locks new file mode 100644 index 00000000..8a36fa95 --- /dev/null +++ b/pam/_rpm/authselect/dconf-locks @@ -0,0 +1,2 @@ +/org/gnome/login-screen/enable-smartcard-authentication +/org/gnome/login-screen/enable-fingerprint-authentication diff --git a/pam/_rpm/authselect/fingerprint-auth b/pam/_rpm/authselect/fingerprint-auth new file mode 100644 index 00000000..7374032c --- /dev/null +++ b/pam/_rpm/authselect/fingerprint-auth @@ -0,0 +1,24 @@ +auth required pam_debug.so auth=authinfo_unavail {exclude if "with-fingerprint"} +{continue if "with-fingerprint"} +auth required pam_env.so +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth [success=done default=bad] pam_fprintd.so +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account required pam_unix.so +account required pam_permit.so + +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} 
diff --git a/pam/_rpm/authselect/nsswitch.conf b/pam/_rpm/authselect/nsswitch.conf new file mode 100644 index 00000000..b21d36c6 --- /dev/null +++ b/pam/_rpm/authselect/nsswitch.conf @@ -0,0 +1,16 @@ +# In order of likelihood of use to accelerate lookup. +passwd: files {if "with-altfiles":altfiles }systemd +shadow: files systemd +group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd +hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns +services: files +netgroup: files +automount: files + +aliases: files +ethers: files +gshadow: files systemd +networks: files dns +protocols: files +publickey: files +rpc: files diff --git a/pam/_rpm/authselect/password-auth b/pam/_rpm/authselect/password-auth new file mode 100644 index 00000000..13e10d93 --- /dev/null +++ b/pam/_rpm/authselect/password-auth 
@@ -0,0 +1,32 @@ +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} +auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} +auth sufficient pam_unix.so {if not "without-nullok":nullok} +auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account sufficient pam_systemd_home.so {include if "with-systemd-homed"} +account required pam_unix.so + +password sufficient pam_systemd_home.so {include if "with-systemd-homed"} +password requisite pam_pwquality.so +password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} +password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +session optional pam_systemd_home.so {include if "with-systemd-homed"} +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} diff --git a/pam/_rpm/authselect/postlogin b/pam/_rpm/authselect/postlogin new file mode 100644 index 00000000..319a7d09 --- /dev/null 
+++ b/pam/_rpm/authselect/postlogin @@ -0,0 +1,8 @@ +auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + +password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} + +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog2.so {if "with-silent-lastlog":silent} +session optional pam_lastlog2.so silent diff --git a/pam/_rpm/authselect/smartcard-auth b/pam/_rpm/authselect/smartcard-auth new file mode 100644 index 00000000..5fc13165 --- /dev/null +++ b/pam/_rpm/authselect/smartcard-auth @@ -0,0 +1 @@ +auth required pam_debug.so auth=authinfo_unavail diff --git a/pam/_rpm/authselect/system-auth b/pam/_rpm/authselect/system-auth new file mode 100644 index 00000000..7f3c56ad --- /dev/null +++ b/pam/_rpm/authselect/system-auth 
@@ -0,0 +1,33 @@ +auth required pam_env.so +auth required pam_faildelay.so delay=2000000 +auth required pam_faillock.so preauth silent {include if "with-faillock"} +auth sufficient pam_fprintd.so {include if "with-fingerprint"} +auth sufficient pam_u2f.so cue {include if "with-pam-u2f"} +auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"} +auth sufficient pam_unix.so {if not "without-nullok":nullok} +auth sufficient pam_systemd_home.so {include if "with-systemd-homed"} +auth required pam_faillock.so authfail {include if "with-faillock"} +auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} +auth required pam_deny.so + +account required pam_access.so {include if "with-pamaccess"} +account required pam_faillock.so {include if "with-faillock"} +account sufficient pam_systemd_home.so {include if "with-systemd-homed"} +account required pam_unix.so + +password sufficient pam_systemd_home.so {include if "with-systemd-homed"} +password requisite pam_pwquality.so +password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"} +password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"} +password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"} +session optional pam_systemd_home.so {include if "with-systemd-homed"} +-session optional pam_systemd.so +session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"} +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so +session optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} 
diff --git a/pam/_rpm/pam_config b/pam/_rpm/pam_config new file mode 100644 index 00000000..286df3b9 --- /dev/null +++ b/pam/_rpm/pam_config @@ -0,0 +1,11 @@ +Name: authentik Authentication +Default: yes +Priority: 512 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_authentik.so +Auth-Initial: + [success=end default=ignore] pam_authentik.so +Session-Type: Additional +Session: + required pam_authentik.so diff --git a/pam/_rpm/post.sh b/pam/_rpm/post.sh new file mode 100755 index 00000000..cc84ab27 --- /dev/null +++ b/pam/_rpm/post.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +set -euo pipefail + +function sshd_notice { + if ! grep -q '^KbdInteractiveAuthentication.*yes' /etc/ssh/sshd_config; then + cat < Date: Wed, 31 Dec 2025 13:09:17 +0100 Subject: [PATCH 4/5] update authselect --- nss/_rpm/post.sh | 30 ------------ pam/_rpm/authselect/README | 77 +------------------------------ pam/_rpm/authselect/REQUIREMENTS | 21 --------- pam/_rpm/authselect/nsswitch.conf | 6 +-- pam/_rpm/authselect/password-auth | 2 + pam/_rpm/authselect/system-auth | 2 + pam/_rpm/pam_config | 11 ----- pam/nfpm.yaml | 3 ++ 8 files changed, 11 insertions(+), 141 deletions(-) delete mode 100644 pam/_rpm/pam_config diff --git a/nss/_rpm/post.sh b/nss/_rpm/post.sh index e98645ee..5bb69c04 100755 --- a/nss/_rpm/post.sh +++ b/nss/_rpm/post.sh 
@@ -2,33 +2,3 @@
 set -euo pipefail
 mkdir -p /var/log/authentik
-
-# This code was taken from authd, which got it from libnss-sss, which got it from libnss-myhostname, which got it from nss-mdns:
-
-log() {
- echo "$*"
-}
-
-# try to insert authentik entries to the passwd, group and shadow
-# lines in /etc/nsswitch.conf to automatically enable libnss-authentik
-# support; do not change the configuration if the lines already
-# reference some authentik lookups
-insert_nss_entry() {
- log "Checking NSS setup..."
- # abort if /etc/nsswitch.conf does not exist
- if ! [ -e /etc/nsswitch.conf ]; then
- log "Could not find /etc/nsswitch.conf."
- return
- fi
- # append 'authentik' to the end of the line if it's not found already
- sed -i --regexp-extended '
- /^(passwd|group|shadow):/ {
- /\bauthentik\b/! s/$/ authentik/
- }
- ' /etc/nsswitch.conf
-}
-
-
-if [ $1 -eq 1 ] ; then
- insert_nss_entry
-fi
diff --git a/pam/_rpm/authselect/README b/pam/_rpm/authselect/README
index 5108590d..5b3c286b 100644
--- a/pam/_rpm/authselect/README
+++ b/pam/_rpm/authselect/README
@@ -1,80 +1,5 @@ -Local users only +Enable authentik for system authentication ================ Selecting this profile will enable local files as the source of identity and authentication providers. - -AVAILABLE OPTIONAL FEATURES ---------------------------- - -with-faillock:: - Enable account locking in case of too many consecutive - authentication failures. - -with-mkhomedir:: - Enable automatic creation of home directories for users on their - first login. - -with-ecryptfs:: - Enable automatic per-user ecryptfs. - -with-fingerprint:: - Enable authentication with fingerprint reader through *pam_fprintd*. - -with-pam-gnome-keyring:: - Enable pam-gnome-keyring support. - -with-pam-u2f:: - Enable authentication via u2f dongle through *pam_u2f*. - -with-pam-u2f-2fa:: - Enable 2nd factor authentication via u2f dongle through *pam_u2f*. - -without-pam-u2f-nouserok:: - Module argument nouserok is omitted if also with-pam-u2f-2fa is used. - *WARNING*: Omitting nouserok argument means that users without pam-u2f - authentication configured will not be able to log in *INCLUDING* root. - Make sure you are able to log in before losing root privileges. - -with-silent-lastlog:: - Do not produce pam_lastlog message during login. - -without-lastlog-showfailed:: - Do not print number of failed login attempts during login. - -with-pamaccess:: - Check access.conf during account authorization. - -with-pwhistory:: - Enable pam_pwhistory module for local users. - -with-altfiles:: - Use nss_altfiles for passwd and group nsswitch databases. - -with-mdns4:: - Enable multicast DNS over IPv4. - -with-mdns6:: - Enable multicast DNS over IPv6. - -with-systemd-homed:: - If set, pam_systemd_homed is enabled for all pam operations. - -with-libvirt:: - Enable connecting to libvirt VMs using the hostname configured in the - guest OS or, as a fallback, their name. - -without-nullok:: - Do not add nullok parameter to pam_unix. 
- -EXAMPLES --------- - -* Enable local profile - - authselect select local - -SEE ALSO --------- -* man passwd(5) -* man group(5) diff --git a/pam/_rpm/authselect/REQUIREMENTS b/pam/_rpm/authselect/REQUIREMENTS index 5ad084bc..e69de29b 100644 --- a/pam/_rpm/authselect/REQUIREMENTS +++ b/pam/_rpm/authselect/REQUIREMENTS @@ -1,21 +0,0 @@ -- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"} - is present and oddjobd service is enabled and active {include if "with-mkhomedir"} - - systemctl enable --now oddjobd.service {include if "with-mkhomedir"} - {include if "with-altfiles"} -- with-altfiles is selected, make sure nss_altfiles module is present {include if "with-altfiles"} - {include if "with-libvirt"} -- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"} - {include if "with-systemd-homed"} -- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"} - - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"} - {include if "with-pam-gnome-keyring"} -- with-pam-gnome-keyring is selected, make sure the pam_gnome_keyring module {include if "with-pam-gnome-keyring"} - is present. {include if "with-pam-gnome-keyring"} - {include if "with-fingerprint"} -- with-fingerprint is selected, make sure fprintd service is configured and enabled {include if "with-fingerprint"} - {include if "with-pam-u2f"} -- with-pam-u2f is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f"} - - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f"} - {include if "with-pam-u2f-2fa"} -- with-pam-u2f-2fa is selected, make sure that the pam u2f module is installed {include if "with-pam-u2f-2fa"} - - users can then configure keys using the pamu2fcfg tool {include if "with-pam-u2f-2fa"} 
diff --git a/pam/_rpm/authselect/nsswitch.conf b/pam/_rpm/authselect/nsswitch.conf
index b21d36c6..1afa4590 100644
--- a/pam/_rpm/authselect/nsswitch.conf
+++ b/pam/_rpm/authselect/nsswitch.conf
@@ -1,7 +1,7 @@
 # In order of likelihood of use to accelerate lookup.
-passwd: files {if "with-altfiles":altfiles }systemd
-shadow: files systemd
-group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
+passwd: files {if "with-altfiles":altfiles }systemd authentik
+shadow: files systemd authentik
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd authentik
 hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
 services: files
 netgroup: files
diff --git a/pam/_rpm/authselect/password-auth b/pam/_rpm/authselect/password-auth
index 13e10d93..81b0e0ac 100644
--- a/pam/_rpm/authselect/password-auth
+++ b/pam/_rpm/authselect/password-auth
@@ -1,3 +1,4 @@
+auth [success=2 default=ignore] pam_authentik.so
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent {include if "with-faillock"}
@@ -21,6 +22,7 @@ password requisite pam_pwhistory.so use_au
 password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
 password required pam_deny.so
+session required pam_authentik.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
diff --git a/pam/_rpm/authselect/system-auth b/pam/_rpm/authselect/system-auth
index 7f3c56ad..64b8db7b 100644
--- a/pam/_rpm/authselect/system-auth
+++ b/pam/_rpm/authselect/system-auth
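Review bot: `auth [success=2 default=ignore] pam_authentik.so` at the top of password-auth skips only `pam_env.so` and `pam_faildelay.so` on success and then continues into the remaining stack, so a user authenticated by authentik presumably still runs `pam_unix.so` and, if absent from the local files, ends at `pam_deny.so`; the `pam_config` deleted in this same commit used `[success=end default=ignore]`, which suggests the auth stack was meant to finish here. A numeric skip is also fragile in an authselect template, because every `{include if ...}` line that is dropped shifts what the jump lands on. Inserting the module as `auth sufficient pam_authentik.so` after `pam_faildelay.so` (and after the faillock `preauth` line, so lockout is still enforced) ends the stack on success without counting lines, the way `pam_u2f.so` is added in this file. The same applies to the system-auth hunk that follows. On the session side, `session required pam_authentik.so` makes every login, including purely local accounts, depend on that module succeeding; confirm it returns success for users it does not manage, or use `optional`.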
@@ -1,3 +1,4 @@
+auth [success=2 default=ignore] pam_authentik.so
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent {include if "with-faillock"}
@@ -22,6 +23,7 @@ password requisite pam_pwhistory.so use_au
 password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
 password required pam_deny.so
+session required pam_authentik.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
diff --git a/pam/_rpm/pam_config b/pam/_rpm/pam_config
deleted file mode 100644
index 286df3b9..00000000
--- a/pam/_rpm/pam_config
+++ /dev/null
@@ -1,11 +0,0 @@
-Name: authentik Authentication
-Default: yes
-Priority: 512
-Auth-Type: Primary
-Auth:
- [success=end default=ignore] pam_authentik.so
-Auth-Initial:
- [success=end default=ignore] pam_authentik.so
-Session-Type: Additional
-Session:
- required pam_authentik.so
diff --git a/pam/nfpm.yaml b/pam/nfpm.yaml
index 567548bb..7f6c605b 100644
--- a/pam/nfpm.yaml
+++ b/pam/nfpm.yaml
@@ -32,6 +32,9 @@ contents:
 file_info:
 mode: 0644
 packager: rpm
+ - src: "./_rpm/authselect"
+ dst: /usr/share/authselect/vendor/authentik
+ packager: rpm
 overrides:
 deb:
 scripts:

From 04cc44cb59f68f258ff46b583c3886205ef5ab41 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 31 Dec 2025 14:12:37 +0100
Subject: [PATCH 5/5] fix deb build

---
 pam/nfpm.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/pam/nfpm.yaml b/pam/nfpm.yaml
index 7f6c605b..c544bc55 100644
--- a/pam/nfpm.yaml
+++ b/pam/nfpm.yaml
@@ -21,17 +21,18 @@ contents:
 file_info:
 mode: 0644
 packager: deb
- - src: "../pam/debian/pam_config"
- dst: "/usr/share/pam-configs/authentik"
- file_info:
- mode: 0644
- packager: deb
- type: config
 - src: "../cache/pam/release/libauthentik_pam.so"
 dst: "/usr/lib64/security/pam_authentik.so"
 file_info:
 mode: 0644
 packager: rpm
+ # Config
+ - src: "./_deb/pam_config"
+ dst: "/usr/share/pam-configs/authentik"
+ file_info:
+ mode: 0644
+ packager: deb
+ type: config
 - src: "./_rpm/authselect"
 dst: /usr/share/authselect/vendor/authentik
 packager: rpm