add grace period

schorschii · Nov 28, 2024 · 2ed0368 · 2ed0368
1 parent 6201193
commit 2ed0368
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/laps-runner/README.md b/laps-runner/README.md
@@ -75,6 +75,8 @@ Use `Session-Interactive-Only: no` if you like to rotate the password on sudo us
 
 Then, run `pam-auth-update` to automatically generate the files under `/etc/pam.d/` with the necessary line for LAPS.
 
+If you want the runner to wait a certain time after logout until the password should be changed, set `pam-grace-period` in the runner config to the desired number of seconds, e.g. 300 for 5 minutes.
+
 ### Hostnames Longer Than 15 Characters
 Computer objects in the Microsoft Active Directory can not be longer than 15 characters. If you join a computer with a longer hostname, it will be registered with a different "short name". You have to enter this short name in the config file (setting `hostname`) in order to make the Kerberos authentication work. You can find out the short name by inspecting your keytab: `sudo klist -k /etc/krb5.keytab`.
 

diff --git a/laps-runner/laps-runner.json.example b/laps-runner/laps-runner.json.example
@@ -36,5 +36,7 @@
     "password-change-user": "root",
     "password-days-valid": 30,
     "password-length": 15,
-    "password-alphabet": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+    "password-alphabet": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
+
+    "pam-grace-period": 0
 }
diff --git a/laps-runner/laps_runner/laps_runner.py b/laps-runner/laps_runner/laps_runner.py
@@ -11,6 +11,7 @@
 from dns import resolver, rdatatype
 from shutil import which
 from pid import PidFile, PidFileAlreadyLockedError, PidFileAlreadyRunningError
+import time
 import struct
 import ssl
 import ldap3
@@ -44,6 +45,7 @@ class LapsRunner():
 	cfgHostname         = None
 	cfgUsername         = 'root' # the user, whose password should be changed
 	cfgDaysValid        = 30 # how long the new password should be valid
+	cfgPamGracePeriod   = 0  # timeout in seconds to wait before changing the password after logout (PAM mode)
 	cfgLength           = 15 # the generated password length
 	cfgAlphabet         = string.ascii_letters+string.digits+string.punctuation # allowed chars for the new password
 
@@ -310,6 +312,7 @@ def LoadSettings(self):
 			self.cfgLdapAttributePasswordHistory = str(cfgJson.get('ldap-attribute-password-history', self.cfgLdapAttributePasswordHistory))
 			self.cfgLdapAttributePasswordExpiry = str(cfgJson.get('ldap-attribute-password-expiry', self.cfgLdapAttributePasswordExpiry))
 			self.cfgHostname = cfgJson.get('hostname', self.cfgHostname)
+			self.cfgPamGracePeriod = cfgJson.get('pam-grace-period', self.cfgPamGracePeriod)
 
 def main():
 	runner = LapsRunner()
@@ -348,6 +351,9 @@ def main():
 				if os.environ['PAM_USER'] != runner.cfgUsername:
 					runner.logger.debug(__title__+': PAM_USER does not match the configured user, exiting.')
 					sys.exit(0)
+				if runner.cfgPamGracePeriod:
+					runner.logger.debug(__title__+': PAM timeout - waiting '+str(runner.cfgPamGracePeriod)+' seconds...')
+					time.sleep(runner.cfgPamGracePeriod)
 				print('Updating password (forced update by PAM logout)...')
 				runner.updatePassword()