From 325b2f075e57c8495aa040542265fbcbf0f6ff64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:04:46 +0200
Subject: [PATCH 13/16] profiles: add without-nullok
Resolves:
https://github.com/pbrezina/authselect/issues/94
---
profiles/nis/README | 3 +++
profiles/nis/password-auth | 4 ++--
profiles/nis/system-auth | 4 ++--
profiles/sssd/README | 3 +++
profiles/sssd/password-auth | 4 ++--
profiles/sssd/system-auth | 4 ++--
profiles/winbind/README | 3 +++
profiles/winbind/password-auth | 4 ++--
profiles/winbind/system-auth | 4 ++--
9 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index b4ffb8b56d8f9930ee5b70f34d0ba7a2dc35dae0..34789b1e7643f0df082d40e0e87cb3d0823bba56 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -38,6 +38,9 @@ with-nispwquality::
for NIS users as well as local users during password change. Without this
option only local users passwords are checked.
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
EXAMPLES
--------
* Enable NIS with no additional modules
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 159da35740cfdf1396a8bc8a97c397919f056797..615544d16f7fc8551cb06a221825526f12cbfc64 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
auth required pam_deny.so
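Review bot: The new `{if not "without-nullok":nullok}` substitution on the pam_unix auth line keeps `nullok` unless the operator opts out, so the profile's default still lets pam_unix accept a blank password for accounts whose password field is empty, and nothing in this series tells the operator that; the README entries added alongside only say `Do not add nullok parameter to pam_unix.` I would extend that description to `Do not add nullok parameter to pam_unix, so accounts with an empty password cannot authenticate with a blank password.` so the feature can be judged as a hardening option. The same substitution is repeated on the auth and password lines of nis, sssd and winbind password-auth and system-auth, and it follows the existing `{if not "with-nispwquality":local_users_only}` form, so the template syntax looks consistent across the hunks. The diffstat lists no test changes; if the project keeps rendered-profile fixtures for feature combinations, a `without-nullok` case would presumably be needed there as well.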
@@ -14,7 +14,7 @@ account sufficient pam_succeed_if.so uid <
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 5f941f264b6adf2ca5cdc67685ed227ecc180ac7..a41828d8972537b1b24d0ff21cd52976fba6646d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -2,7 +2,7 @@ auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
auth required pam_deny.so
@@ -15,7 +15,7 @@ account sufficient pam_succeed_if.so uid <
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 34693ba3c02b1005c5cca889316ccc0958c94eef..a2fbf66323f4893391474de49f323c06123a2ebf 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -56,6 +56,9 @@ with-sudo::
with-pamaccess::
Check access.conf during account authorization.
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
EXAMPLES
--------
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 82082b03e3223010b5d3f3eff348b2e3882fcfc4..e35c8d6943b8289d8b65d7a47b2dad8143b6132b 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -18,7 +18,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 00a360d034a363f9d29f1281a502e11939f00836..02922b16903372598052e36f3713ca5c3f4c8418 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -19,7 +19,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/README b/profiles/winbind/README
index fe3f879f4e76ecc877053c63ed9b0da93a12afa8..a824c7e78954bafffa6500e45a6e826835fd2b58 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -48,6 +48,9 @@ with-silent-lastlog::
with-pamaccess::
Check access.conf during account authorization.
+without-nullok::
+ Do not add nullok parameter to pam_unix.
+
EXAMPLES
--------
* Enable winbind with no additional modules
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c7498f06f0ddaab4804444a213454b0ef56886e4..c984d817c537c48a358c644083a4f8979181dd1d 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -16,7 +16,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 4d433ae6ec7782203f240ce66c6e6a7551bb42d6..33dc491c2125c7fe06d6475369f1654a900c7050 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -2,7 +2,7 @@ auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -17,7 +17,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
--
2.17.1