diff -up authconfig-6.2.8/authinfo.py.sssd-prompting authconfig-6.2.8/authinfo.py
--- authconfig-6.2.8/authinfo.py.sssd-prompting 2015-07-03 11:09:29.329857063 +0200
+++ authconfig-6.2.8/authinfo.py 2015-07-03 11:52:58.462677742 +0200
@@ -132,6 +132,7 @@ LOGIC_FORCE_PKCS11_KRB5 = "[success=ok i
LOGIC_SKIPNEXT = "[success=1 default=ignore]"
LOGIC_SKIPNEXT3 = "[success=3 default=ignore]"
LOGIC_ALWAYS_SKIP = "[default=1]"
+LOGIC_SKIPNEXT_ON_FAILURE = "[default=1 success=ok]"
|
# Snip off line terminators and final whitespace from a passed-in string.
def snipString(s):
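Review bot: The added `LOGIC_SKIPNEXT_ON_FAILURE` constant carries no comment, and its name understates what `[default=1 success=ok]` does: PAM continues on PAM_SUCCESS and skips exactly one following module on every other return value, including module errors that are not an authentication failure. A one-line comment such as `# continue on success; on any other return (not only auth failure) skip the next module` would keep readers from assuming the skip is limited to PAM_AUTH_ERR. The neighbouring control constants are equally terse, but this one is the pivot of the new prompting flow and deserves the note.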
@@ -460,6 +461,8 @@ pam_modules[STANDARD] = [
"permit", []],
[False, AUTH, LOGIC_SUFFICIENT,
"fprintd", []],
+ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
+ "localuser", []],
[True, AUTH, LOGIC_SUFFICIENT,
"unix", argv_unix_auth],
[False, AUTH, LOGIC_REQUISITE,
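Review bot: The skip count baked into `LOGIC_SKIPNEXT_ON_FAILURE` on the added `localuser` entry is positional: a non-local user only lands on the SSSD module because `unix` is the single entry between them, so inserting or reordering an entry in this list silently changes which module is skipped. The identical addition in the `pam_modules[PASSWORD_ONLY]` hunk below has the same invariant. A comment on both additions, e.g. `# must stay immediately before the single "unix" entry: the skip jumps over pam_unix for non-local users`, would make the ordering requirement explicit to the next editor of these tables.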
@@ -583,6 +586,8 @@ pam_modules[PASSWORD_ONLY] = [
"env", []],
[False, AUTH, LOGIC_REQUIRED,
"deny", []],
+ [False, AUTH, LOGIC_SKIPNEXT_ON_FAILURE,
+ "localuser", []],
[True, AUTH, LOGIC_SUFFICIENT,
"unix", argv_unix_auth],
[False, AUTH, LOGIC_REQUISITE,
@@ -3791,6 +3796,10 @@ class AuthInfo:
argv = module[ARGV][0:] # shallow copy
argv[1] = self.uidMin
args = " ".join(argv)
+ # do not continue to following modules if authentication fails
+ if name == "unix" and stack == "auth" and (self.enableSSSDAuth or
+ self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS):
+ logic = LOGIC_FORCE_PKCS11 # make it or break it logic
# use oddjob_mkhomedir if available
if name == "mkhomedir" and os.access("%s/pam_%s.so"
% (AUTH_MODULE_DIR, "oddjob_mkhomedir"), os.X_OK):
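Review bot: The predicate `(self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and (not self.enableNIS)` added here is repeated, in part or in full, in the `sss`/`forward_pass` hunk below and in the module-filter hunk at `@@ -3922`; the three sites have to stay in agreement, otherwise pam_unix gets the "break" logic without the preceding localuser skip being written, or the reverse. Factoring it into one helper, e.g. `def sssdPromptingEnabled(self): return (self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and not self.enableNIS`, and calling it at all three sites would make the coupling explicit. The comment `# make it or break it logic` should also name the user-visible consequence, since `LOGIC_FORCE_PKCS11`'s value is outside this hunk: if it is a die-type control, a local user whose unix authentication fails no longer falls through to pam_sss, which is the intended fix for double prompting but is worth stating next to the override. The enclosing method continues outside the hunk.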
@@ -3818,6 +3827,8 @@ class AuthInfo:
args = self.mkhomedirArgs
if name == "systemd":
args = self.systemdArgs
+ if name == "sss" and stack == "auth" and not self.enableNIS:
+ args = "forward_pass"
if not args and module[ARGV]:
args = " ".join(module[ARGV])
if name == "winbind" and self.winbindOffline and stack != "password":
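Review bot: `args = "forward_pass"` replaces whatever `module[ARGV]` carries for `sss` on the auth stack rather than extending it, because the following `if not args and module[ARGV]` branch is then never taken; if dropping the table's default arguments is intended (they presumably assume pam_unix has already prompted, which the new localuser skip no longer guarantees), a comment should say so, e.g. `# pam_unix may be skipped for non-local users: pam_sss prompts itself and forwards the password to later modules (replaces the default argv)`. The condition also omits the SSSD/IPA enablement check used for the `unix` override above; it looks harmless because the `sss` entry is only written when one of those is enabled, but the asymmetry deserves a word or the shared helper. The enclosing method continues outside the hunk.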
@@ -3922,7 +3933,9 @@ class AuthInfo:
(self.enablePasswdQC and module[NAME] == "passwdqc") or
(self.enableWinbindAuth and module[NAME] == "winbind") or
((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and module[NAME] == "sss") or
- (self.enableLocAuthorize and module[NAME] == "localuser") or
+ ((self.enableSSSDAuth or self.implicitSSSDAuth or self.enableIPAv2) and
+ (not self.enableNIS) and module[NAME] == "localuser" and module[STACK] == AUTH) or
+ (self.enableLocAuthorize and module[NAME] == "localuser" and module[STACK] == ACCOUNT) or
(self.enablePAMAccess and module[NAME] == "access") or
(self.enableMkHomeDir and module[NAME] == "mkhomedir") or
(not self.enableSysNetAuth and module[STACK] == AUTH and