update authselect

files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth

@@ -11,7 +11,7 @@ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregul
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
 auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
 auth        [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular                              {include if "with-gssapi"}
 auth        sufficient                                   pam_sss_gss.so                                         {include if "with-gssapi"}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
@@ -28,10 +28,11 @@ account     sufficient                                   pam_usertype.so issyste
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so local_users_only try_first_pass
+password    requisite                                    pam_pwquality.so local_users_only
 password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
 password    requisite                                    pam_pwhistory.so use_authtok remember=5                {include if "with-pwhistory"}
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+password    [success=1 default=ignore]                   pam_localuser.so
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
 

files/etc/authselect/custom/sssd-rocky/RedHat-9-system-auth

@@ -28,10 +28,11 @@ account     sufficient                                   pam_usertype.so issyste
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so local_users_only try_first_pass
+password    requisite                                    pam_pwquality.so local_users_only
 password    [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-pwhistory"}
 password    requisite                                    pam_pwhistory.so use_authtok remember=5                {include if "with-pwhistory"}
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok try_first_pass
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+password    [success=1 default=ignore]                   pam_localuser.so
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so