[Kim] vyos#2554 update to pam config

debian/vyos-1x.preinst

@@ -24,9 +24,11 @@ dpkg-divert --package vyos-1x --divert /config/freeipa/etc/sssd/sssd.conf --add
 dpkg-divert --package vyos-1x --divert /config/freeipa/etc/telegraf/telegraf.conf --add --rename /etc/telegraf/telegraf.conf
 dpkg-divert --package vyos-1x --divert /config/freeipa/root/.k5login --add --rename /root/.k5login
 
-# override pam-configs
-pam-auth-update --package --remove sss ldap unix
-dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/ldap
-dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/sss
-dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/unix
-pam-auth-update --package --enable unix sss
+# override pam config
+mkdir /usr/share/pam-configs.distrib
+dpkg-divert --package vyos-1x --divert /usr/share/pam-configs.distrib/ldap --add --rename /usr/share/pam-configs/ldap
+dpkg-divert --package vyos-1x --divert /usr/share/pam-configs.distrib/sss --add --rename /usr/share/pam-configs/sss
+dpkg-divert --package vyos-1x --divert /usr/share/pam-configs.distrib/unix --add --rename /usr/share/pam-configs/unix
+rm /etc/pam.d/common-account /etc/pam.d/common-auth /etc/pam.d/common-password /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive
+pam-auth-update --package --remove ldap radius
+dpkg-divert --package vyos-1x --add --rename /etc/pam.d/sudo

src/etc/pam.d/common-account-ldaps

@@ -0,0 +1,12 @@
+# here are the per-package modules (the "Primary" block)
+account [success=ok default=1]    pam_localuser.so 
+account [success=1 new_authtok_reqd=done default=ignore]      pam_unix.so 
+# here's the fallback if no module succeeds
+account requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

src/etc/pam.d/common-auth-ldaps

@@ -0,0 +1,12 @@
+# here are the per-package modules (the "Primary" block)
+auth    [success=ok default=1]    pam_localuser.so 
+auth    [success=2 default=ignore]    pam_unix.so nullok
+auth    [success=1 default=ignore]    pam_ldap.so minimum_uid=1000 use_first_pass
+# here's the fallback if no module succeeds
+auth    requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth    required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth    optional                        pam_cap.so 

src/etc/pam.d/common-session-noninteractive-ldaps

@@ -0,0 +1,13 @@
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
+session required        pam_unix.so 
+session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config