Categories
SysOps

How to specify the exact list of enabled PAM profiles

Specify the exact list of enabled PAM profiles using a simple workaround.

You can use pam-auth-update utility interactively.

You can also enable a specific profile in a non-interactive way. This is enough in most cases.

$ pam-auth-update --enable pwquality

But how to specify the exact list of enabled PAM profiles in a non-interactive way? You cannot use debconf database this time as your changes will be overwritten. The workaround to this issue is simple but requires an additional helper shell script. Beware. You can easily lose access to the server.

List available PAM configuration templates.

$ awk -F:  '$1=="Name" {print FILENAME ":" $2 }' /usr/share/pam-configs/* | column -t -s":"
/usr/share/pam-configs/mkhomedir   Create home directory on login
/usr/share/pam-configs/pwquality   Pwquality password strength checking
/usr/share/pam-configs/sss         SSS authentication
/usr/share/pam-configs/systemd     Register user sessions in the systemd control group hierarchy
/usr/share/pam-configs/unix        Unix authentication

Create a helper shell script.

$ cat << EOS | tee /tmp/pam_helper.sh
#!/bin/sh
# List pam modules to enable
# Parameters:
#  PAM modules ("Pwquality password strength checking, SSS authentication")   
#  filename    (/tmp/filemPZshk)
if [ -n "\$1" ] && [ -f "\$2" ]; then
  cat << EOF | tee \$2
# PAM profiles to enable:
libpam-runtime/profiles="\$1"
EOF
fi
EOS
#!/bin/sh
# List pam modules to enable
# Parameters:
#   PAM modules ("Pwquality password strength checking, SSS authentication")   
#   filename    (/tmp/filemPZshk)
if [ -n "$1" ] && [ -f "$2" ]; then
  cat <<EOF | tee $2
# PAM profiles to enable:
libpam-runtime/profiles="$1"
EOF
fi

Use this helper shell script as an editor to pass a list of enabled PAM profiles.

$ sudo \
  EDITOR='bash /tmp/pam_helper.sh "Create home directory on login, SSS authentication, Register user sessions in the systemd control group hierarchy, Unix authentication"' \
  DEBIAN_FRONTEND=editor \
  pam-auth-update

Done.