1 |
commit: 99919c4b2b59af27e7ad1daa6fbe8c614a8463c0 |
2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Oct 26 08:32:29 2020 +0000 |
4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Oct 26 22:48:06 2020 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=99919c4b |
7 |
|
8 |
templates/system-auth.tpl: skip pam_unix with krb5 |
9 |
|
10 |
Before this change, success on pam_krb5 would result in jumping |
11 |
one line (over pam_permit) back into pam_unix. |
12 |
|
13 |
Incidentally, we did the later stanza correctly. This was a regression |
14 |
from old pambase. |
15 |
|
16 |
Bug: https://bugs.gentoo.org/748405 |
17 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
18 |
|
19 |
templates/system-auth.tpl | 8 ++++---- |
20 |
1 file changed, 4 insertions(+), 4 deletions(-) |
21 |
|
22 |
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl |
23 |
index 8b61701..668303f 100644 |
24 |
--- a/templates/system-auth.tpl |
25 |
+++ b/templates/system-auth.tpl |
26 |
@@ -4,20 +4,20 @@ auth sufficient pam_ssh.so |
27 |
{% endif %} |
28 |
|
29 |
{% if krb5 %} |
30 |
-auth [success=1 default=ignore] pam_krb5.so {{ krb5_params }} |
31 |
+auth [success=4 default=ignore] pam_krb5.so {{ krb5_params }} |
32 |
{% endif %} |
33 |
|
34 |
-auth optional pam_permit.so |
35 |
auth requisite pam_faillock.so preauth |
36 |
auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass |
37 |
auth [default=die] pam_faillock.so authfail |
38 |
+auth optional pam_permit.so |
39 |
|
40 |
{% if krb5 %} |
41 |
-account [success=1 default=ignore] pam_krb5.so {{ krb5_params }} |
42 |
+account [success=2 default=ignore] pam_krb5.so {{ krb5_params }} |
43 |
{% endif %} |
44 |
account required pam_unix.so {{ debug|default('', true) }} |
45 |
-account optional pam_permit.so |
46 |
account required pam_faillock.so |
47 |
+account optional pam_permit.so |
48 |
|
49 |
{% if passwdqc %} |
50 |
password required pam_passwdqc.so config=/etc/security/passwdqc.conf |