From 9b52842d6b4b6ae0ad1f36d3d731d7afc94338e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Thu, 29 Jun 2023 14:07:25 +0200
Subject: [PATCH 2/8] profiles: do not try to change password via sssd for local users

Steps to reproduce:
1. Create local user and set passsword
2. Log in as the local user
3. Run passwd and provide wrong password as "Current password"

"Current password" prompt should be printed only once.

Resolves: https://github.com/authselect/authselect/issues/338
(cherry picked from commit c9cc4b23badeb5e2fe3a38fa5b0649b3d7b0a718)
(cherry picked from commit 7fbb0454f2adfd8de44e17e1784eab79fce2232f)
---
 profiles/sssd/password-auth | 1 +
 profiles/sssd/system-auth | 1 +
 2 files changed, 2 insertions(+)

diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 5ea280a..7fe23f2 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -25,6 +25,7 @@ password requisite pam_pwquality.so local_
 password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
 password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
 password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
 
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index fd1e31c..ce2e266 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,6 +32,7 @@ password requisite pam_pwquality.so local_
 password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
 password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
 password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
 
-- 
2.40.1
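Review bot: The added `password [success=1 default=ignore] pam_localuser.so` line in profiles/sssd/password-auth, and the identical line in profiles/sssd/system-auth, is a relative jump with no comment explaining it. `success=1` skips exactly one module, so a local user whose pam_unix change failed reaches `pam_deny.so` only while `pam_sss.so` remains the single line directly below. A comment above the line, for example `# local users: skip pam_sss and fall through to pam_deny; pam_sss.so must stay immediately below`, would keep a later insertion between the two from silently retargeting the jump. The new line also means an account listed in /etc/passwd can no longer change its password through pam_sss. That may affect setups where a locally defined account keeps its password in a remote backend, so it is worth stating in the profile documentation if intended.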