From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Thu, 13 May 2021 10:42:13 +0200
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and pam_pwquality

Resolves: https://github.com/authselect/authselect/issues/247
---
 profiles/minimal/password-auth | 6 +++---
 profiles/minimal/system-auth | 6 +++---
 profiles/nis/password-auth | 6 +++---
 profiles/nis/system-auth | 6 +++---
 profiles/sssd/password-auth | 6 +++---
 profiles/sssd/system-auth | 6 +++---
 profiles/winbind/password-auth | 6 +++---
 profiles/winbind/system-auth | 6 +++---
 src/man/authselect-profiles.5.adoc | 6 +++---
 9 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -1,7 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth required pam_faillock.so authfail {include if "with-faillock"}
 auth required pam_deny.so
 
@@ -9,8 +9,8 @@ account required pam_access.so
 account required pam_faillock.so {include if "with-faillock"}
 account required pam_unix.so
 
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke
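Review bot: Nothing in the commit or in the profile explains why `try_first_pass` can be dropped from the pam_unix line of the first hunk, and the justification is a property of the module rather than of the stack: as far as I can tell pam_unix obtains the password through pam_get_authtok(3), which returns a PAM_AUTHTOK already set by a preceding module before it prompts, so the option was redundant on the Linux-PAM releases authselect targets. That deserves a sentence in the commit body or in authselect-profiles(5), e.g. `pam_unix and pam_pwquality read the token via pam_get_authtok(), which always reuses a PAM_AUTHTOK set by an earlier module, so try_first_pass is a no-op and is omitted from the profiles.` For pam_pwquality on the second hunk the argument is simpler and fully visible here: it is the first module of the password stack, so there is no earlier token it could reuse regardless of how it treats the option. It is worth confirming that no supported distribution still ships a pam_unix that special-cases the option, since such a build would prompt again even when an earlier module had already collected the password.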
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -1,7 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth required pam_faillock.so authfail {include if "with-faillock"}
 auth required pam_deny.so
 
@@ -9,8 +9,8 @@ account required pam_access.so
 account required pam_faillock.so {include if "with-faillock"}
 account required pam_unix.so
 
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
 auth required pam_faillock.so preauth silent {include if "with-faillock"}
 auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
 auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth required pam_faillock.so authfail {include if "with-faillock"}
 auth required pam_deny.so
 
@@ -11,8 +11,8 @@ account required pam_access.so
 account required pam_faillock.so {include if "with-faillock"}
 account required pam_unix.so broken_shadow
 
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
 auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
 auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth required pam_faillock.so authfail {include if "with-faillock"}
 auth required pam_deny.so
 
@@ -12,8 +12,8 @@ account required pam_access.so
 account required pam_faillock.so {include if "with-faillock"}
 account required pam_unix.so broken_shadow
 
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
 password required pam_deny.so
 
 session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
 auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
 auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
 auth sufficient pam_sss.so forward_pass
 auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
 
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
 
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
 auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
 auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
 auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
 auth sufficient pam_sss.so forward_pass
 auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
 
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
 
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
 auth required pam_faillock.so preauth silent {include if "with-faillock"}
 auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
 auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
 auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
 account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
 account required pam_permit.so
 
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password required pam_deny.so
 
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
 auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
 auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
 auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
 account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
 account required pam_permit.so
 
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password required pam_deny.so
 
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
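Review bot: The `use_first_pass` on the pam_winbind.so line of the first hunk is the counterpart of the option being removed from pam_unix just above it and has to stay: unlike pam_unix, pam_winbind presumably consumes the PAM_AUTHTOK that pam_unix collected only when told to, so sweeping it up in a later "no effect" cleanup would make domain users answer a second password prompt. A short comment on that line would make the asymmetry explicit, e.g. `# use_first_pass: reuse the password pam_unix.so already collected; keep it`. Whether authselect's profile templating passes `#` lines through to /etc/pam.d unchanged is not visible in this patch, so confirm that before adding one. The same caution applies to the `use_authtok` arguments in the second hunk, which are what chain pam_pwquality, pam_unix and pam_winbind together in the password stack.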
@@ -154,7 +154,7 @@ for pam_faillock.
  auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
  auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
  auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
  auth requisite pam_succeed_if.so uid >= 1000 quiet_success
  auth sufficient pam_sss.so forward_pass
  auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
  auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
  auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
  auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
  auth requisite pam_succeed_if.so uid >= 1000 quiet_success
  auth sufficient pam_sss.so forward_pass
  auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -193,7 +193,7 @@ previous example.
  auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
  auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
  auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
  auth requisite pam_succeed_if.so uid >= 1000 quiet_success
  auth sufficient pam_sss.so forward_pass
  auth required pam_deny.so
-- 
2.20.1