update system-auth

This commit is contained in:
Louis Abel 2023-05-17 23:18:44 -07:00
parent 9bb45cd61b
commit ed3a56508d
Signed by: label
GPG key ID: 6735C0E1BD65D048
2 changed files with 11 additions and 9 deletions

View file

@ -1,7 +1,7 @@
{imply "with-smartcard" if "with-smartcard-required"} {imply "with-smartcard" if "with-smartcard-required"}
auth required pam_env.so auth required pam_env.so
auth required pam_faildelay.so delay=2000000 auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"} auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"} auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"} auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"} auth sufficient pam_fprintd.so {include if "with-fingerprint"}
@ -16,7 +16,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
auth sufficient pam_sss_gss.so {include if "with-gssapi"} auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"} auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so auth required pam_deny.so
@ -28,8 +28,9 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3 password requisite pam_pwquality.so local_users_only try_first_pass
password requisite pam_pwhistory.so use_authok remember=5 password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok remember=5 {include if "with-pwhistory"}
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok password sufficient pam_sss.so use_authtok
password required pam_deny.so password required pam_deny.so

View file

@ -1,7 +1,7 @@
{imply "with-smartcard" if "with-smartcard-required"} {imply "with-smartcard" if "with-smartcard-required"}
auth required pam_env.so auth required pam_env.so
auth required pam_faildelay.so delay=2000000 auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900 {include if "with-faillock"} auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"} auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:kde:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"} auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
auth sufficient pam_fprintd.so {include if "with-fingerprint"} auth sufficient pam_fprintd.so {include if "with-fingerprint"}
@ -16,7 +16,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
auth sufficient pam_sss_gss.so {include if "with-gssapi"} auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail audit deny=5 unlock_time=900 fail_interval=900 {include if "with-faillock"} auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"} auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so auth required pam_deny.so
@ -28,9 +28,10 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only minlen=14 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=3 password requisite pam_pwquality.so local_users_only try_first_pass
password requisite pam_pwhistory.so use_authok remember=5 password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok password requisite pam_pwhistory.so use_authtok remember=5 {include if "with-pwhistory"}
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok try_first_pass
password sufficient pam_sss.so use_authtok password sufficient pam_sss.so use_authtok
password required pam_deny.so password required pam_deny.so