authselect/SOURCES/0002-profiles-do-not-try-to...

From 9b52842d6b4b6ae0ad1f36d3d731d7afc94338e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 29 Jun 2023 14:07:25 +0200
Subject: [PATCH 2/8] profiles: do not try to change password via sssd for
local users
Steps to reproduce:
1. Create local user and set password
2. Log in as the local user
3. Run passwd and provide wrong password as "Current password"
"Current password" prompt should be printed only once.
Resolves: https://github.com/authselect/authselect/issues/338
(cherry picked from commit c9cc4b23badeb5e2fe3a38fa5b0649b3d7b0a718)
(cherry picked from commit 7fbb0454f2adfd8de44e17e1784eab79fce2232f)
---
profiles/sssd/password-auth | 1 +
profiles/sssd/system-auth | 1 +
2 files changed, 2 insertions(+)
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 5ea280a..7fe23f2 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -25,6 +25,7 @@ password requisite pam_pwquality.so local_
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
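Review bot: The `success=1` on the added pam_localuser.so line is a positional skip count, so it only does what the subject says while pam_sss.so is exactly the next line, and nothing in the hunk documents that. A comment above the added line, or a note in the profile documentation, saying that local users skip pam_sss.so and fall through to pam_deny.so when pam_unix.so did not succeed would keep a later insertion between these two lines from silently changing which module is skipped.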
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index fd1e31c..ce2e266 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,6 +32,7 @@ password requisite pam_pwquality.so local_
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
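Review bot: The added pam_localuser.so line in front of pam_sss.so means every account that pam_localuser.so finds in /etc/passwd now skips pam_sss.so in the password stack, not only the purely local user from the reproduction steps. If an account is listed locally but has its password managed through SSSD, a password change for it now ends at pam_deny.so; please state in the commit message or profile documentation whether that is intended. The line is also an exact duplicate of the one added to password-auth, so the two files have to be kept in sync by hand.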
--
2.40.1