From 325b2f075e57c8495aa040542265fbcbf0f6ff64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:04:46 +0200
Subject: [PATCH 13/16] profiles: add without-nullok
Resolves:
https://github.com/pbrezina/authselect/issues/94
---
profiles/nis/README | 3 +++
profiles/nis/password-auth | 4 ++--
profiles/nis/system-auth | 4 ++--
profiles/sssd/README | 3 +++
profiles/sssd/password-auth | 4 ++--
profiles/sssd/system-auth | 4 ++--
profiles/winbind/README | 3 +++
profiles/winbind/password-auth | 4 ++--
profiles/winbind/system-auth | 4 ++--
9 files changed, 21 insertions(+), 12 deletions(-)
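diff --git a/profiles/nis/README b/profiles/nis/README
index b4ffb8b56d8f9930ee5b70f34d0ba7a2dc35dae0..34789b1e7643f0df082d40e0e87cb3d0823bba56 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -38,6 +38,9 @@ with-nispwquality::
 for NIS users as well as local users during password change. Without this
 option only local users passwords are checked.
 
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
 EXAMPLES
 --------
 * Enable NIS with no additional modules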
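diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 159da35740cfdf1396a8bc8a97c397919f056797..615544d16f7fc8551cb06a221825526f12cbfc64 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -1,7 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
 auth required pam_deny.so
@@ -14,7 +14,7 @@ account sufficient pam_succeed_if.so uid <
 account required pam_permit.so
 
 password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke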
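Review bot: The `nullok` default is unchanged on the new `auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass` line, so a host stays permissive towards accounts with an empty password field until an administrator explicitly selects `without-nullok`; the same holds for the `password` line here, for system-auth, and for the sssd and winbind stacks in this patch. In this file pam_unix is the only credential-checking module visible in the auth stack (the hunk starts at line 1), so the default presumably covers NIS-served accounts as well as local ones. The README entry only says `Do not add nullok parameter to pam_unix.`; I would state the effect, e.g. `Do not add nullok parameter to pam_unix; accounts with an empty password can then no longer authenticate.`, so hardening baselines can point at the option.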
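diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 5f941f264b6adf2ca5cdc67685ed227ecc180ac7..a41828d8972537b1b24d0ff21cd52976fba6646d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -2,7 +2,7 @@ auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
 auth required pam_deny.so
@@ -15,7 +15,7 @@ account sufficient pam_succeed_if.so uid <
 account required pam_permit.so
 
 password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke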
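Review bot: One feature name strips `nullok` from both the `auth` and the `password` pam_unix lines, and the patch does not document the second consequence. Going by pam_unix's documented behaviour, dropping it from the `password` line presumably also stops an account whose password field is empty from setting its first password itself, so such accounts would need an administrator to assign one before `without-nullok` is enabled. That should be confirmed and written into the README, for instance `Accounts with an empty password must be given a password by root before this feature is enabled.` The same auth/password pairing appears in password-auth and in the sssd and winbind profiles.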
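diff --git a/profiles/sssd/README b/profiles/sssd/README
index 34693ba3c02b1005c5cca889316ccc0958c94eef..a2fbf66323f4893391474de49f323c06123a2ebf 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -56,6 +56,9 @@ with-sudo::
 with-pamaccess::
 Check access.conf during account authorization.
 
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
 EXAMPLES
 --------
 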
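diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 82082b03e3223010b5d3f3eff348b2e3882fcfc4..e35c8d6943b8289d8b65d7a47b2dad8143b6132b 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth sufficient pam_sss.so forward_pass
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -18,7 +18,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
 
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
 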
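diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 00a360d034a363f9d29f1281a502e11939f00836..02922b16903372598052e36f3713ca5c3f4c8418 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth sufficient pam_sss.so forward_pass
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -19,7 +19,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
 
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
 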
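diff --git a/profiles/winbind/README b/profiles/winbind/README
index fe3f879f4e76ecc877053c63ed9b0da93a12afa8..a824c7e78954bafffa6500e45a6e826835fd2b58 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -48,6 +48,9 @@ with-silent-lastlog::
 with-pamaccess::
 Check access.conf during account authorization.
 
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
 EXAMPLES
 --------
 * Enable winbind with no additional modules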
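diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c7498f06f0ddaab4804444a213454b0ef56886e4..c984d817c537c48a358c644083a4f8979181dd1d 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -1,7 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -16,7 +16,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
 account required pam_permit.so
 
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password required pam_deny.so
 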
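diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 4d433ae6ec7782203f240ce66c6e6a7551bb42d6..33dc491c2125c7fe06d6475369f1654a900c7050 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -2,7 +2,7 @@ auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -17,7 +17,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
 account required pam_permit.so
 
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password required pam_deny.so
 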
--
2.17.1