From 2ed03685208a205b722dbeab9355342c6fd0ece2 Mon Sep 17 00:00:00 2001
From: Georg Sieber
Date: Thu, 28 Nov 2024 20:37:15 +0100
Subject: [PATCH] add grace period
---
 laps-runner/README.md | 2 ++
 laps-runner/laps-runner.json.example | 4 +++-
 laps-runner/laps_runner/laps_runner.py | 6 ++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/laps-runner/README.md b/laps-runner/README.md
index 215ff63..cfbf96a 100644
--- a/laps-runner/README.md
+++ b/laps-runner/README.md
@@ -75,6 +75,8 @@ Use `Session-Interactive-Only: no` if you like to rotate the password on sudo us
 Then, run `pam-auth-update` to automatically generate the files under `/etc/pam.d/` with the necessary line for LAPS.
+If you want the runner to wait a certain time after logout until the password should be changed, set `pam-grace-period` in the runner config to the desired number of seconds, e.g. 300 for 5 minutes.
+
 ### Hostnames Longer Than 15 Characters
 Computer objects in the Microsoft Active Directory can not be longer than 15 characters. If you join a computer with a longer hostname, it will be registered with a different "short name". You have to enter this short name in the config file (setting `hostname`) in order to make the Kerberos authentication work. You can find out the short name by inspecting your keytab: `sudo klist -k /etc/krb5.keytab`.
diff --git a/laps-runner/laps-runner.json.example b/laps-runner/laps-runner.json.example
index dcfd18b..d91aafa 100644
--- a/laps-runner/laps-runner.json.example
+++ b/laps-runner/laps-runner.json.example
@@ -36,5 +36,7 @@
 "password-change-user": "root",
 "password-days-valid": 30,
 "password-length": 15,
- "password-alphabet": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+ "password-alphabet": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
+
+ "pam-grace-period": 0
 }
diff --git a/laps-runner/laps_runner/laps_runner.py b/laps-runner/laps_runner/laps_runner.py
index a0cb325..968a6cb 100755
--- a/laps-runner/laps_runner/laps_runner.py
+++ b/laps-runner/laps_runner/laps_runner.py
@@ -11,6 +11,7 @@ from dns import resolver, rdatatype
 from shutil import which
 from pid import PidFile, PidFileAlreadyLockedError, PidFileAlreadyRunningError
+import time
 import struct
 import ssl
 import ldap3
@@ -44,6 +45,7 @@ class LapsRunner():
 cfgHostname = None
 cfgUsername = 'root' # the user, whose password should be changed
 cfgDaysValid = 30 # how long the new password should be valid
+ cfgPamGracePeriod = 0 # timeout in seconds to wait before changing the password after logout (PAM mode)
 cfgLength = 15 # the generated password length
 cfgAlphabet = string.ascii_letters+string.digits+string.punctuation # allowed chars for the new password
@@ -310,6 +312,7 @@ def LoadSettings(self):
 self.cfgLdapAttributePasswordHistory = str(cfgJson.get('ldap-attribute-password-history', self.cfgLdapAttributePasswordHistory))
 self.cfgLdapAttributePasswordExpiry = str(cfgJson.get('ldap-attribute-password-expiry', self.cfgLdapAttributePasswordExpiry))
 self.cfgHostname = cfgJson.get('hostname', self.cfgHostname)
+ self.cfgPamGracePeriod = cfgJson.get('pam-grace-period', self.cfgPamGracePeriod)
 def main():
 runner = LapsRunner()
@@ -348,6 +351,9 @@ def main():
 if os.environ['PAM_USER'] != runner.cfgUsername:
 runner.logger.debug(__title__+': PAM_USER does not match the configured user, exiting.')
 sys.exit(0)
+ if runner.cfgPamGracePeriod:
+ runner.logger.debug(__title__+': PAM timeout - waiting '+str(runner.cfgPamGracePeriod)+' seconds...')
+ time.sleep(runner.cfgPamGracePeriod)
 print('Updating password (forced update by PAM logout)...')
 runner.updatePassword()
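Review bot: The added `self.cfgPamGracePeriod = cfgJson.get('pam-grace-period', self.cfgPamGracePeriod)` in LoadSettings stores the raw JSON value without the coercion its neighbours apply, so a string such as "300" or a list is accepted at load time and only fails later inside time.sleep() with a TypeError, once the PAM hook is already running. Coerce and range-check where the setting is read, in line with the surrounding str() wrappers: `self.cfgPamGracePeriod = int(cfgJson.get('pam-grace-period', self.cfgPamGracePeriod))` followed by `if self.cfgPamGracePeriod < 0: raise ValueError('pam-grace-period must be >= 0')`, or whichever error convention LoadSettings already uses for bad config values. LoadSettings begins and ends outside this hunk.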
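Review bot: The guard `if runner.cfgPamGracePeriod:` in main() accepts any non-zero value, so a negative grace period from the config passes the check and time.sleep() raises ValueError, aborting the hook before runner.updatePassword() is reached and leaving the password unrotated on that logout; use `if runner.cfgPamGracePeriod > 0:`. Two smaller points on the same lines: the log text says "PAM timeout" while the setting and the README call it a grace period (`': PAM grace period - waiting '`), and a short comment stating why the rotation is deferred would help, since nothing in the hunk cancels the pending rotation if the user logs back in during the sleep. If the hook runs synchronously under pam_exec the sleep also holds up session teardown for the whole grace period, which is worth confirming against the PAM configuration this hunk does not show. The enclosing main() starts outside the hunk.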