From 325b2f075e57c8495aa040542265fbcbf0f6ff64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 18 Sep 2018 14:04:46 +0200
Subject: [PATCH 13/16] profiles: add without-nullok

Resolves:
https://github.com/pbrezina/authselect/issues/94
---
 profiles/nis/README            | 3 +++
 profiles/nis/password-auth     | 4 ++--
 profiles/nis/system-auth       | 4 ++--
 profiles/sssd/README           | 3 +++
 profiles/sssd/password-auth    | 4 ++--
 profiles/sssd/system-auth      | 4 ++--
 profiles/winbind/README        | 3 +++
 profiles/winbind/password-auth | 4 ++--
 profiles/winbind/system-auth   | 4 ++--
 9 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/profiles/nis/README b/profiles/nis/README
index b4ffb8b56d8f9930ee5b70f34d0ba7a2dc35dae0..34789b1e7643f0df082d40e0e87cb3d0823bba56 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -38,6 +38,9 @@ with-nispwquality::
     for NIS users as well as local users during password change. Without this
     option only local users passwords are checked.
 
+without-nullok::
+    Do not add nullok parameter to pam_unix.
+
 EXAMPLES
 --------
 * Enable NIS with no additional modules
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 159da35740cfdf1396a8bc8a97c397919f056797..615544d16f7fc8551cb06a221825526f12cbfc64 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -1,7 +1,7 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200   {include if "with-faillock"}
-auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200         {include if "with-faillock"}
 auth        required                                     pam_deny.so
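Review bot: `nullok` is still emitted by default on the pam_unix auth line, so a profile selected without `without-nullok` keeps letting any account whose shadow password field is empty pass `pam_unix.so ... try_first_pass` with no password at all; the new feature only removes that on request, so the hardened setting is the opt-in. In this profile there is no pam_localuser gate ahead of pam_unix, so the exposure is presumably not limited to /etc/passwd users but covers whatever accounts NSS resolves (NIS maps here) — worth confirming. A comment on the line would tell an admin reading the generated file what the flag does, e.g. `# nullok: accounts with an empty password field log in without a password; select without-nullok to refuse them`. The system-auth variant of this profile carries the same substitution.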
@@ -14,7 +14,7 @@ account     sufficient                                   pam_succeed_if.so uid <
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
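Review bot: Stripping `nullok` from the password stack has a side effect the README entry `Do not add nullok parameter to pam_unix.` does not mention: as I read pam_unix, without nullok an account whose current password is empty is refused when it tries to set one through this stack, so such accounts can neither log in nor fix themselves and need root to set a password first. If that reading holds, the README line should say so, e.g. `Do not add nullok to pam_unix: accounts with an empty password field are refused at login and cannot change their password through this stack.` The `nis` argument on this line means the change applies to NIS password changes as well as local ones.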
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 5f941f264b6adf2ca5cdc67685ed227ecc180ac7..a41828d8972537b1b24d0ff21cd52976fba6646d 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -2,7 +2,7 @@ auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
-auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
 auth        required                                     pam_deny.so
@@ -15,7 +15,7 @@ account     sufficient                                   pam_succeed_if.so uid <
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 34693ba3c02b1005c5cca889316ccc0958c94eef..a2fbf66323f4893391474de49f323c06123a2ebf 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -56,6 +56,9 @@ with-sudo::
 with-pamaccess::
     Check access.conf during account authorization.
 
+without-nullok::
+    Do not add nullok parameter to pam_unix.
+
 EXAMPLES
 --------
 
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 82082b03e3223010b5d3f3eff348b2e3882fcfc4..e35c8d6943b8289d8b65d7a47b2dad8143b6132b 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -3,7 +3,7 @@ auth        required                                     pam_faildelay.so delay=
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
-auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient                                   pam_sss.so forward_pass
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
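Review bot: Here the `pam_localuser.so` gate on the preceding line skips pam_unix for non-local users, so the `nullok` that remains the default reaches only local accounts while sssd users go to `pam_sss.so forward_pass`; that scoping is worth spelling out, since the README entry currently says only `Do not add nullok parameter to pam_unix.` Suggested README wording: `without-nullok:: Do not pass nullok to pam_unix, so local accounts with an empty password field are refused instead of being logged in without a password.` Note also that with the feature set the line keeps a double space before `try_first_pass`, harmless to PAM but visible in the generated file.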
@@ -18,7 +18,7 @@ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
 
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 00a360d034a363f9d29f1281a502e11939f00836..02922b16903372598052e36f3713ca5c3f4c8418 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -4,7 +4,7 @@ auth        required                                     pam_faillock.so preauth
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
-auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient                                   pam_sss.so forward_pass
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
@@ -19,7 +19,7 @@ account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
 
diff --git a/profiles/winbind/README b/profiles/winbind/README
index fe3f879f4e76ecc877053c63ed9b0da93a12afa8..a824c7e78954bafffa6500e45a6e826835fd2b58 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -48,6 +48,9 @@ with-silent-lastlog::
 with-pamaccess::
     Check access.conf during account authorization.
 
+without-nullok::
+    Do not add nullok parameter to pam_unix.
+
 EXAMPLES
 --------
 * Enable winbind with no additional modules
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index c7498f06f0ddaab4804444a213454b0ef56886e4..c984d817c537c48a358c644083a4f8979181dd1d 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -1,7 +1,7 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200   {include if "with-faillock"}
-auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200         {include if "with-faillock"}
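Review bot: Unlike the sssd profile, this auth stack has no pam_localuser gate in front of `pam_unix.so {if not "without-nullok":nullok} try_first_pass`, so pam_unix — and with it the default-on `nullok` — is tried for every account before `pam_winbind.so` is reached. Whether a domain account exposed through nss_winbind could ever present an empty password field to pam_unix depends on the NSS backend and is not something this hunk shows, but it is the question the opt-out default leaves open and should be confirmed. A short comment on the line would document the intent, e.g. `# nullok (default): empty-password accounts authenticate without a password; use without-nullok to disable`. The system-auth variant has the same line.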
@@ -16,7 +16,7 @@ account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password    required                                     pam_deny.so
 
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 4d433ae6ec7782203f240ce66c6e6a7551bb42d6..33dc491c2125c7fe06d6475369f1654a900c7050 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -2,7 +2,7 @@ auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
-auth        sufficient                                   pam_unix.so nullok try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
@@ -17,7 +17,7 @@ account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
 account     required                                     pam_permit.so
 
 password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password    required                                     pam_deny.so
 
-- 
2.17.1