open-vm-tools: add distribution specific pam config files

Add distribution specific pam config files for Debian/Ubuntu,
SuSE and Redhat/Fedora/CentOS.  Install a generic file by default,
with comments to KB article.  The distribution files are intended
to be used by OS vendors in their open-vm-tools packages.

diff --git a/open-vm-tools/pam/debian b/open-vm-tools/pam/debian
new file mode 100644 (file)
index 0000000..f7937c6
--- /dev/null
+++ b/open-vm-tools/pam/debian
@@ -0,0 +1,7 @@
+# PAM configuration for vmtoolsd
+
+@include common-auth
+
+account     required    pam_shells.so
+@include common-account
+

diff --git a/open-vm-tools/scripts/linux/pam.d/vmtoolsd b/open-vm-tools/pam/generic
similarity index 63%
rename from open-vm-tools/scripts/linux/pam.d/vmtoolsd
rename to open-vm-tools/pam/generic
index 1c860ac110ca3097f93dde390ad9396ce958f619..2e06dcb08e3acaf282914d80be9ab7ba2627419c 100644 (file)
--- a/open-vm-tools/scripts/linux/pam.d/vmtoolsd
+++ b/open-vm-tools/pam/generic
@@ -1,4 +1,6 @@
-#%PAM-1.0
+# This is a generic pam config file for open-vm-tools
+# See https://kb.vmware.com/s/article/78251 for advice to use
+# common authentication mechanisms.
 auth       required         pam_shells.so
 auth       sufficient       pam_unix.so shadow
 auth       required         pam_unix_auth.so shadow

diff --git a/open-vm-tools/pam/redhat b/open-vm-tools/pam/redhat
new file mode 100644 (file)
index 0000000..f2115b8
--- /dev/null
+++ b/open-vm-tools/pam/redhat
@@ -0,0 +1,6 @@
+auth       required     pam_shells.so
+auth       substack     password-auth
+auth       include      postlogin
+account    required     pam_nologin.so
+account    include      password-auth
+

diff --git a/open-vm-tools/pam/suse b/open-vm-tools/pam/suse
new file mode 100644 (file)
index 0000000..5b0c3c8
--- /dev/null
+++ b/open-vm-tools/pam/suse
@@ -0,0 +1,6 @@
+auth     required       pam_shells.so
+auth     requisite      pam_nologin.so
+auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]    pam_securetty.so
+auth     include        common-auth
+account  include        common-account
+

diff --git a/open-vm-tools/services/vmtoolsd/Makefile.am b/open-vm-tools/services/vmtoolsd/Makefile.am
index e0d1a5b0006ed13be88b523dd53654399f43192d..c2ac93a011be49c8f72a60315de526e5070d154d 100644 (file)
--- a/open-vm-tools/services/vmtoolsd/Makefile.am
+++ b/open-vm-tools/services/vmtoolsd/Makefile.am
@@ -1,5 +1,5 @@
 ################################################################################
-### Copyright (C) 2009-2019 VMware, Inc.  All rights reserved.
+### Copyright (C) 2009-2020 VMware, Inc.  All rights reserved.
 ###
 ### This program is free software; you can redistribute it and/or modify
 ### it under the terms of version 2 of the GNU General Public License as
@@ -16,8 +16,6 @@
 ################################################################################
 
 bin_PROGRAMS = vmtoolsd
-pamdir = $(PAM_PREFIX)/pam.d
-
 
 vmtoolsd_CPPFLAGS =
 vmtoolsd_CPPFLAGS += @VMTOOLS_CPPFLAGS@
@@ -73,19 +71,16 @@ else
    vmtoolsd_LINK = $(LINK)
 endif
 
-# PAM support is currently only available for Linux, so HAVE_PAM is only
-# defined for that OS.
-if HAVE_PAM
-pam_SCRIPTS = $(top_srcdir)/scripts/linux/pam.d/vmtoolsd
-endif HAVE_PAM
-
 # Message catalogs.
 install-data-hook:
        @INSTVMSG@ vmtoolsd $(srcdir)/l10n $(DESTDIR)$(datadir)
 
 install-exec-hook:
        $(INSTALL) -d $(DESTDIR)/etc/vmware-tools
+       $(INSTALL) -d $(DESTDIR)/$(PAM_PREFIX)/pam.d/
+       $(INSTALL) $(top_srcdir)/pam/generic $(DESTDIR)/$(PAM_PREFIX)/pam.d/vmtoolsd
 
 uninstall-hook:
+       rm -f $(DESTDIR)/$(PAM_PREFIX)/pam.d/vmtoolsd
        rm -rf $(DESTDIR)/etc/vmware-tools