From c4349512e6a7e5276d206c324b6978d02189987e Mon Sep 17 00:00:00 2001
From: Louis Abel
Date: Tue, 28 Nov 2023 15:50:54 -0700
Subject: [PATCH] update authselect
---
 .../etc/authselect/custom/sssd-rocky/RedHat-8-system-auth | 7 ++++---
 .../etc/authselect/custom/sssd-rocky/RedHat-9-system-auth | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth b/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
index 60c7b60..2190e75 100644
--- a/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
+++ b/files/etc/authselect/custom/sssd-rocky/RedHat-8-system-auth
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
 auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
 auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
 auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
 auth sufficient pam_sss_gss.so {include if "with-gssapi"}
 auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
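Review bot: The rewritten `auth sufficient pam_unix.so {if not "without-nullok":nullok}` line still expands to `nullok` unless the profile is selected with the `without-nullok` feature, so a local account with an empty password field can authenticate with no password. Nothing in this patch shows which features are enabled, so whatever selects this profile should pass `without-nullok`, or the template should drop the conditional and never emit `nullok`. The same default is kept on the `password sufficient pam_unix.so` lines in the two later hunks. The auth stack begins and ends outside this hunk.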
@@ -28,10 +28,11 @@ account sufficient pam_usertype.so issyste
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
-password requisite pam_pwquality.so local_users_only try_first_pass
+password requisite pam_pwquality.so local_users_only
 password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
 password requisite pam_pwhistory.so use_authtok remember=5 {include if "with-pwhistory"}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
diff --git a/files/etc/authselect/custom/sssd-rocky/RedHat-9-system-auth b/files/etc/authselect/custom/sssd-rocky/RedHat-9-system-auth
index 2d6060e..2190e75 100644
--- a/files/etc/authselect/custom/sssd-rocky/RedHat-9-system-auth
+++ b/files/etc/authselect/custom/sssd-rocky/RedHat-9-system-auth
@@ -28,10 +28,11 @@ account sufficient pam_usertype.so issyste
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 account required pam_permit.so
-password requisite pam_pwquality.so local_users_only try_first_pass
+password requisite pam_pwquality.so local_users_only
 password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
 password requisite pam_pwhistory.so use_authtok remember=5 {include if "with-pwhistory"}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok try_first_pass
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
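Review bot: The added `password [success=1 default=ignore] pam_localuser.so` line in RedHat-8-system-auth has no comment, and its jump is positional: `success=1` skips exactly one following line, so it does its job only while `pam_sss.so use_authtok` sits directly beneath it. A comment above it such as `# local users: skip pam_sss so a failed pam_unix change ends at pam_deny` would stop a later insertion from silently changing which module is skipped; this assumes authselect passes `#` lines through, which should be confirmed. The identical line added in the RedHat-9-system-auth hunk needs the same comment. The password stack continues outside the hunk.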
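Review bot: The RedHat-9-system-auth file header now shows the same resulting blob id as the RedHat-8 one (`2190e75` on both `index` lines), so after this commit the two templates are byte-identical copies of a PAM stack that have to be edited in lockstep. A hardening change applied to only one copy would leave the other release with a weaker stack and no visible error. Keeping a single source and generating or linking the per-release file, or adding a CI check that the two stay equal until they are meant to diverge, would close that gap.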