password change on logout, closes #32
schorschii committed Oct 15, 2024
1 parent d64d359 commit ca1b5d8
Showing 2 changed files with 18 additions and 1 deletion.
6 changes: 6 additions & 0 deletions laps-runner/README.md
Expand Up @@ -54,6 +54,12 @@ Important:

You can call the runner with the `-f` parameter to force updating the password directly after installation. You should do this to check if the runner is working properly.

### Automatically Rotate Password After Logout
If LAPS4LINUX should automatically change the password after logout, you need to add the following line into your PAM config. The exact config file depends on your Linux distribution, e.g. `/etc/pam.d/common-session` on Ubuntu.
```
session optional pam_exec.so quiet /usr/sbin/laps-runner --pam
```

### Hostnames Longer Than 15 Characters
Computer objects in the Microsoft Active Directory can not be longer than 15 characters. If you join a computer with a longer hostname, it will be registered with a different "short name". You have to enter this short name in the config file (setting `hostname`) in order to make the Kerberos authentication work. You can find out the short name by inspecting your keytab: `sudo klist -k /etc/krb5.keytab`.

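Review bot: the new section promises a rotation "after logout" in general, but the accompanying code only acts when `PAM_USER` equals the configured username and `PAM_TYPE` is `close_session`, so the README should say that only a closed session of the managed account triggers the change. Two more caveats belong here: `common-session` is pulled in by every PAM service that opens a session (ssh, su, sudo, cron on Debian-based systems), so each closed session of that account means a new password and an AD write, and `quiet` only suppresses pam_exec's exit-status message; the call is still synchronous, so the logout waits until the runner has finished talking to the directory.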
13 changes: 12 additions & 1 deletion laps-runner/laps_runner/laps_runner.py
Expand Up @@ -316,6 +316,7 @@ def main():
# parse arguments
parser = argparse.ArgumentParser(epilog=__copyright__+' '+__author__+' - https://georg-sieber.de')
parser.add_argument('-f', '--force', action='store_true', help='Force updating password, even if it is not expired')
parser.add_argument('-p', '--pam', action='store_true', help='PAM mode - update password if configured user has logged out, even if it is not expired')
parser.add_argument('-c', '--config', default=runner.cfgPath, help='Path to config file ['+str(runner.cfgPath)+']')
args = parser.parse_args()
if args.config: runner.cfgPath = args.config
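Review bot: `--pam` and `--force` are dispatched by an `elif` chain further down, so `laps-runner -f -p` silently takes the `--force` path and the PAM checks never run; putting both flags in a mutually exclusive group rejects the combination at parse time, e.g. `group = parser.add_mutually_exclusive_group()`, `group.add_argument('-f', '--force', ...)`, `group.add_argument('-p', '--pam', ...)`.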
Expand All @@ -333,6 +334,17 @@ def main():
elif args.force:
print('Updating password (forced update)...')
runner.updatePassword()
elif args.pam:
if 'PAM_TYPE' not in os.environ or 'PAM_USER' not in os.environ:
raise Exception('PAM_TYPE or PAM_USER missing!')
if os.environ['PAM_TYPE'] != 'close_session':
runner.logger.debug(__title__+': PAM_TYPE is not close_session, exiting.')
sys.exit(0)
if os.environ['PAM_USER'] != runner.cfgUsername:
runner.logger.debug(__title__+': PAM_USER does not match the configured user, exiting.')
sys.exit(0)
print('Updating password (forced update by PAM logout)...')
runner.updatePassword()
else:
print('Password will expire in '+str(runner.tmpExpiryDate)+', no need to update.')

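Review bot: the `elif args.pam` branch rotates the password on every `close_session` for the managed account, whichever PAM service closed it, so a `sudo`, `su` or cron session of that account triggers a rotation just like an interactive logout; since pam_exec also exports `PAM_SERVICE`, consider checking it (or documenting the behaviour) so the rotation is tied to the services the operator actually means. Two smaller points: `raise Exception('PAM_TYPE or PAM_USER missing!')` leaves a Python traceback as the only diagnostic, so log through `runner.logger` and `sys.exit(1)` like the two `debug` branches next to it; and the `print('Updating password (forced update by PAM logout)...')` goes to `/dev/null` under pam_exec unless `stdout` or `log=` is configured, so that message should go to the logger as well.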
Expand All @@ -345,4 +357,3 @@ def main():

if __name__ == '__main__':
main()
