From 325b2f075e57c8495aa040542265fbcbf0f6ff64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 18 Sep 2018 14:04:46 +0200 Subject: [PATCH 13/16] profiles: add without-nullok Resolves: https://github.com/pbrezina/authselect/issues/94 --- profiles/nis/README | 3 +++ profiles/nis/password-auth | 4 ++-- profiles/nis/system-auth | 4 ++-- profiles/sssd/README | 3 +++ profiles/sssd/password-auth | 4 ++-- profiles/sssd/system-auth | 4 ++-- profiles/winbind/README | 3 +++ profiles/winbind/password-auth | 4 ++-- profiles/winbind/system-auth | 4 ++-- 9 files changed, 21 insertions(+), 12 deletions(-) diff --git a/profiles/nis/README b/profiles/nis/README index b4ffb8b56d8f9930ee5b70f34d0ba7a2dc35dae0..34789b1e7643f0df082d40e0e87cb3d0823bba56 100644 --- a/profiles/nis/README +++ b/profiles/nis/README @@ -38,6 +38,9 @@ with-nispwquality:: for NIS users as well as local users during password change. Without this option only local users passwords are checked. +without-nullok:: + Do not add nullok parameter to pam_unix. + EXAMPLES -------- * Enable NIS with no additional modules diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth index 159da35740cfdf1396a8bc8a97c397919f056797..615544d16f7fc8551cb06a221825526f12cbfc64 100644 --- a/profiles/nis/password-auth +++ b/profiles/nis/password-auth @@ -1,7 +1,7 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} -auth sufficient pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} auth required pam_deny.so 
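Review bot: The new `{if not "without-nullok":nullok}` on the pam_unix auth line keeps `nullok` as the default and only drops it when the feature is selected, but neither the template nor the README text added in this patch says what selecting it changes: with `nullok` present, pam_unix accepts an empty password for an account whose password field is empty, and without it such accounts are refused. The README entry `Do not add nullok parameter to pam_unix.` would be clearer as `Do not add nullok parameter to pam_unix, so accounts with an empty password field are refused by pam_unix instead of being authenticated without a password.` The same applies to the auth-line hunks in nis/system-auth, sssd/password-auth, sssd/system-auth, winbind/password-auth and winbind/system-auth. Because the permissive behaviour stays the default, the README could also state that the stricter behaviour is opt-in through this feature.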
@@ -14,7 +14,7 @@ account sufficient pam_succeed_if.so uid < account required pam_permit.so password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only} -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis password required pam_deny.so session optional pam_keyinit.so revoke diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth index 5f941f264b6adf2ca5cdc67685ed227ecc180ac7..a41828d8972537b1b24d0ff21cd52976fba6646d 100644 --- a/profiles/nis/system-auth +++ b/profiles/nis/system-auth @@ -2,7 +2,7 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} auth sufficient pam_fprintd.so {include if "with-fingerprint"} -auth sufficient pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} auth required pam_deny.so @@ -15,7 +15,7 @@ account sufficient pam_succeed_if.so uid < account required pam_permit.so password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only} -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis password required pam_deny.so session optional pam_keyinit.so revoke diff --git a/profiles/sssd/README b/profiles/sssd/README index 34693ba3c02b1005c5cca889316ccc0958c94eef..a2fbf66323f4893391474de49f323c06123a2ebf 100644 --- a/profiles/sssd/README +++ b/profiles/sssd/README 
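Review bot: On the pam_unix `password` line the same `{if not "without-nullok":nullok}` directive is applied, and that has a consequence the patch does not document: on the password stack `nullok` is presumably what lets an account with an empty password field pass pam_unix's old-password check during a change, so selecting without-nullok would also stop such an account from setting a password through this stack (root-driven changes unaffected) — worth confirming against pam_unix and, if so, adding one sentence to the README entry. The same password-line hunks appear in nis/system-auth, sssd/password-auth, sssd/system-auth, winbind/password-auth and winbind/system-auth. The blank context lines of this hunk were lost when the patch was collapsed, so the `-14,7 +14,7` counts cannot be checked from this view.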
@@ -56,6 +56,9 @@ with-sudo:: with-pamaccess:: Check access.conf during account authorization. +without-nullok:: + Do not add nullok parameter to pam_unix. + EXAMPLES -------- diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth index 82082b03e3223010b5d3f3eff348b2e3882fcfc4..e35c8d6943b8289d8b65d7a47b2dad8143b6132b 100644 --- a/profiles/sssd/password-auth +++ b/profiles/sssd/password-auth @@ -3,7 +3,7 @@ auth required pam_faildelay.so delay= auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so -auth sufficient pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} @@ -18,7 +18,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth index 00a360d034a363f9d29f1281a502e11939f00836..02922b16903372598052e36f3713ca5c3f4c8418 100644 --- a/profiles/sssd/system-auth +++ b/profiles/sssd/system-auth 
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth auth sufficient pam_fprintd.so {include if "with-fingerprint"} auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so -auth sufficient pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} @@ -19,7 +19,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so diff --git a/profiles/winbind/README b/profiles/winbind/README index fe3f879f4e76ecc877053c63ed9b0da93a12afa8..a824c7e78954bafffa6500e45a6e826835fd2b58 100644 --- a/profiles/winbind/README +++ b/profiles/winbind/README @@ -48,6 +48,9 @@ with-silent-lastlog:: with-pamaccess:: Check access.conf during account authorization. +without-nullok:: + Do not add nullok parameter to pam_unix. + EXAMPLES -------- * Enable winbind with no additional modules diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth index c7498f06f0ddaab4804444a213454b0ef56886e4..c984d817c537c48a358c644083a4f8979181dd1d 100644 --- a/profiles/winbind/password-auth +++ b/profiles/winbind/password-auth 
@@ -1,7 +1,7 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} -auth sufficient pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} @@ -16,7 +16,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok password required pam_deny.so diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth index 4d433ae6ec7782203f240ce66c6e6a7551bb42d6..33dc491c2125c7fe06d6475369f1654a900c7050 100644 --- a/profiles/winbind/system-auth +++ b/profiles/winbind/system-auth @@ -2,7 +2,7 @@ auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"} auth sufficient pam_fprintd.so {include if "with-fingerprint"} -auth sufficient pam_unix.so nullok try_first_pass +auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"} 
@@ -17,7 +17,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok password required pam_deny.so -- 2.17.1