From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 May 2021 10:42:13 +0200
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
pam_pwquality
Resolves:
https://github.com/authselect/authselect/issues/247
---
profiles/minimal/password-auth | 6 +++---
profiles/minimal/system-auth | 6 +++---
profiles/nis/password-auth | 6 +++---
profiles/nis/system-auth | 6 +++---
profiles/sssd/password-auth | 6 +++---
profiles/sssd/system-auth | 6 +++---
profiles/winbind/password-auth | 6 +++---
profiles/winbind/system-auth | 6 +++---
src/man/authselect-profiles.5.adoc | 6 +++---
9 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -9,8 +9,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -9,8 +9,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -11,8 +11,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so broken_shadow
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -12,8 +12,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so broken_shadow
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -154,7 +154,7 @@ for pam_faillock.
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -193,7 +193,7 @@ previous example.
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
--
2.20.1