From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 May 2021 10:42:13 +0200
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
pam_pwquality
Resolves:
https://github.com/authselect/authselect/issues/247
---
profiles/minimal/password-auth | 6 +++---
profiles/minimal/system-auth | 6 +++---
profiles/nis/password-auth | 6 +++---
profiles/nis/system-auth | 6 +++---
profiles/sssd/password-auth | 6 +++---
profiles/sssd/system-auth | 6 +++---
profiles/winbind/password-auth | 6 +++---
profiles/winbind/system-auth | 6 +++---
src/man/authselect-profiles.5.adoc | 6 +++---
9 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
|
|
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
|
|
--- a/profiles/minimal/password-auth
|
|
+++ b/profiles/minimal/password-auth
|
|
@@ -1,7 +1,7 @@
|
|
auth required pam_env.so
|
|
auth required pam_faildelay.so delay=2000000
|
|
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
auth required pam_deny.so
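Review bot: The commit asserts that `try_first_pass` has no effect on the `pam_unix.so` auth line but records nowhere why that is safe, and the equivalence is a property of the Linux-PAM build the profiles target rather than of the profile text. If, as I understand it, current pam_unix fetches the password through pam_get_authtok(), which consults an already-set PAM_AUTHTOK before prompting whether or not the option is given, then prompting behaviour is unchanged; a one-line pointer to that in the description (or to the analysis in the linked issue) would stop the next reader from re-adding the option "to be safe". Modules stacked after pam_unix that rely on the token being present, `pam_sss.so forward_pass` in the sssd profiles and `pam_winbind.so use_first_pass` in the winbind profiles, are unaffected only as long as pam_unix keeps storing the prompted password as PAM_AUTHTOK, which is worth stating explicitly since that is the contract those lines depend on. The same auth-line edit is made in minimal/system-auth, nis/password-auth, nis/system-auth, sssd/password-auth, sssd/system-auth, winbind/password-auth and winbind/system-auth and this note applies to all of them.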
|
|
|
|
@@ -9,8 +9,8 @@ account required pam_access.so
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account required pam_unix.so
|
|
|
|
-password requisite pam_pwquality.so try_first_pass
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
|
+password requisite pam_pwquality.so
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
|
password required pam_deny.so
|
|
|
|
session optional pam_keyinit.so revoke
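Review bot: The two removals in the password stack are not the same case and the description should say so: on the `pam_unix.so` line `use_authtok` is kept and is what forces pam_unix to reuse the new password pam_pwquality already validated, so `try_first_pass` was redundant there; on the `pam_pwquality.so` line, as far as I can tell pam_pwquality does not parse `try_first_pass` at all, so the token was an unknown option being ignored (and, if the module logs unknown options, the visible effect of this hunk is that warning disappearing) rather than a no-op that was understood. A short remark such as `pam_pwquality: try_first_pass is not a recognised option; pam_unix: use_authtok already covers it` in the commit message would capture that. The same password-stack edit is made in minimal/system-auth, nis/*, sssd/* and winbind/*.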
|
|
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
|
|
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
|
|
--- a/profiles/minimal/system-auth
|
|
+++ b/profiles/minimal/system-auth
|
|
@@ -1,7 +1,7 @@
|
|
auth required pam_env.so
|
|
auth required pam_faildelay.so delay=2000000
|
|
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
auth required pam_deny.so
|
|
|
|
@@ -9,8 +9,8 @@ account required pam_access.so
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account required pam_unix.so
|
|
|
|
-password requisite pam_pwquality.so try_first_pass
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
|
+password requisite pam_pwquality.so
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
|
password required pam_deny.so
|
|
|
|
session optional pam_keyinit.so revoke
|
|
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
|
|
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
|
|
--- a/profiles/nis/password-auth
|
|
+++ b/profiles/nis/password-auth
|
|
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
|
|
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
|
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
auth required pam_deny.so
|
|
|
|
@@ -11,8 +11,8 @@ account required pam_access.so
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account required pam_unix.so broken_shadow
|
|
|
|
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
|
|
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
|
|
password required pam_deny.so
|
|
|
|
session optional pam_keyinit.so revoke
|
|
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
|
|
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
|
|
--- a/profiles/nis/system-auth
|
|
+++ b/profiles/nis/system-auth
|
|
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
|
|
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
|
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
|
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
auth required pam_deny.so
|
|
|
|
@@ -12,8 +12,8 @@ account required pam_access.so
|
|
account required pam_faillock.so {include if "with-faillock"}
|
|
account required pam_unix.so broken_shadow
|
|
|
|
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
|
|
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
|
|
password required pam_deny.so
|
|
|
|
session optional pam_keyinit.so revoke
|
|
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
|
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
|
|
--- a/profiles/sssd/password-auth
|
|
+++ b/profiles/sssd/password-auth
|
|
@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
|
|
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
auth sufficient pam_sss.so forward_pass
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
|
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
account required pam_permit.so
|
|
|
|
-password requisite pam_pwquality.so try_first_pass local_users_only
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
|
+password requisite pam_pwquality.so local_users_only
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
|
password sufficient pam_sss.so use_authtok
|
|
password required pam_deny.so
|
|
|
|
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
|
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
|
|
--- a/profiles/sssd/system-auth
|
|
+++ b/profiles/sssd/system-auth
|
|
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
|
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
|
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
|
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
auth sufficient pam_sss.so forward_pass
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
|
|
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
|
account required pam_permit.so
|
|
|
|
-password requisite pam_pwquality.so try_first_pass local_users_only
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
|
+password requisite pam_pwquality.so local_users_only
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
|
password sufficient pam_sss.so use_authtok
|
|
password required pam_deny.so
|
|
|
|
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
|
|
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
|
|
--- a/profiles/winbind/password-auth
|
|
+++ b/profiles/winbind/password-auth
|
|
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
|
|
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
|
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
|
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
|
|
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
|
|
account required pam_permit.so
|
|
|
|
-password requisite pam_pwquality.so try_first_pass local_users_only
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
|
+password requisite pam_pwquality.so local_users_only
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
|
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
|
|
password required pam_deny.so
|
|
|
|
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
|
|
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
|
|
--- a/profiles/winbind/system-auth
|
|
+++ b/profiles/winbind/system-auth
|
|
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
|
|
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
|
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
|
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
|
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
|
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
|
|
auth required pam_faillock.so authfail {include if "with-faillock"}
|
|
@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
|
|
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
|
|
account required pam_permit.so
|
|
|
|
-password requisite pam_pwquality.so try_first_pass local_users_only
|
|
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
|
+password requisite pam_pwquality.so local_users_only
|
|
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
|
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
|
|
password required pam_deny.so
|
|
|
|
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
|
|
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
|
|
--- a/src/man/authselect-profiles.5.adoc
|
|
+++ b/src/man/authselect-profiles.5.adoc
|
|
@@ -154,7 +154,7 @@ for pam_faillock.
|
|
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
|
|
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
|
- auth sufficient pam_unix.so nullok try_first_pass
|
|
+ auth sufficient pam_unix.so nullok
|
|
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
|
auth sufficient pam_sss.so forward_pass
|
|
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
|
|
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
|
|
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
|
|
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
|
- auth sufficient pam_unix.so nullok try_first_pass
|
|
+ auth sufficient pam_unix.so nullok
|
|
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
|
auth sufficient pam_sss.so forward_pass
|
|
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
|
|
@@ -193,7 +193,7 @@ previous example.
|
|
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
|
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
|
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
|
- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
|
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
|
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
|
auth sufficient pam_sss.so forward_pass
|
|
auth required pam_deny.so
|
|
--
2.20.1