From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 May 2021 10:42:13 +0200
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
 pam_pwquality

Resolves:
https://github.com/authselect/authselect/issues/247
---
 profiles/minimal/password-auth     | 6 +++---
 profiles/minimal/system-auth       | 6 +++---
 profiles/nis/password-auth         | 6 +++---
 profiles/nis/system-auth           | 6 +++---
 profiles/sssd/password-auth        | 6 +++---
 profiles/sssd/system-auth          | 6 +++---
 profiles/winbind/password-auth     | 6 +++---
 profiles/winbind/system-auth       | 6 +++---
 src/man/authselect-profiles.5.adoc | 6 +++---
 9 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -1,7 +1,7 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
 auth        required                                     pam_deny.so
 
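Review bot: Removing try_first_pass from the pam_unix auth line (the `+auth        sufficient ... pam_unix.so {if not "without-nullok":nullok}` line) is only behaviour-preserving on Linux-PAM builds where pam_unix fetches the token through pam_get_authtok(), which as far as I can tell consults an already-set PAM_AUTHTOK before prompting, i.e. try_first_pass semantics by default; nothing in the profile records that the stacking now relies on that default rather than on an explicit option. Since authselect profiles carry no inline comments, the natural place is the authselect-profiles.5.adoc hunk touched by this patch: a sentence such as `pam_unix consults a password already supplied by an earlier stacked module before prompting, so try_first_pass is not needed on its auth line` next to the updated examples would stop a maintainer from re-adding the option or, conversely, assuming a second prompt can never happen. On the password stack the pam_unix line keeps `use_authtok`, which already forces reuse of the stacked token, so that removal is safe regardless of the default. The same edit appears in the remaining hunks of this and the other profile files (minimal/system-auth, nis, sssd and winbind password-auth and system-auth); pam_sss `forward_pass` and pam_winbind `use_first_pass` are unchanged, so those modules' options now carry the cross-module password-forwarding semantics on their own.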
@@ -9,8 +9,8 @@ account     required                                     pam_access.so
 account     required                                     pam_faillock.so                                        {include if "with-faillock"}
 account     required                                     pam_unix.so
 
-password    requisite                                    pam_pwquality.so try_first_pass
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    requisite                                    pam_pwquality.so
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -1,7 +1,7 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
 auth        required                                     pam_deny.so
 
@@ -9,8 +9,8 @@ account     required                                     pam_access.so
 account     required                                     pam_faillock.so                                        {include if "with-faillock"}
 account     required                                     pam_unix.so
 
-password    requisite                                    pam_pwquality.so try_first_pass
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    requisite                                    pam_pwquality.so
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -3,7 +3,7 @@ auth        required                                     pam_faildelay.so delay=
 auth        required                                     pam_faillock.so preauth silent                           {include if "with-faillock"}
 auth        sufficient                                   pam_u2f.so cue                                           {include if "with-pam-u2f"}
 auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        required                                     pam_faillock.so authfail                                 {include if "with-faillock"}
 auth        required                                     pam_deny.so
 
@@ -11,8 +11,8 @@ account     required                                     pam_access.so
 account     required                                     pam_faillock.so                                          {include if "with-faillock"}
 account     required                                     pam_unix.so broken_shadow
 
-password    requisite                                    pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password    requisite                                    pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -4,7 +4,7 @@ auth        required                                     pam_faillock.so preauth
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
 auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
 auth        required                                     pam_deny.so
 
@@ -12,8 +12,8 @@ account     required                                     pam_access.so
 account     required                                     pam_faillock.so                                        {include if "with-faillock"}
 account     required                                     pam_unix.so broken_shadow
 
-password    requisite                                    pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password    requisite                                    pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
 password    required                                     pam_deny.so
 
 session     optional                                     pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -6,7 +6,7 @@ auth        sufficient                                   pam_u2f.so cue
 auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        sufficient                                   pam_sss.so forward_pass
 auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
@@ -20,8 +20,8 @@ account     sufficient                                   pam_usertype.so issyste
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    requisite                                    pam_pwquality.so local_users_only
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
 
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -11,7 +11,7 @@ auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregul
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
 auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
 auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        sufficient                                   pam_sss.so forward_pass
 auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
@@ -25,8 +25,8 @@ account     sufficient                                   pam_usertype.so issyste
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    requisite                                    pam_pwquality.so local_users_only
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password    sufficient                                   pam_sss.so use_authtok
 password    required                                     pam_deny.so
 
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -3,7 +3,7 @@ auth        required                                     pam_faildelay.so delay=
 auth        required                                     pam_faillock.so preauth silent                           {include if "with-faillock"}
 auth        sufficient                                   pam_u2f.so cue                                           {include if "with-pam-u2f"}
 auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth        required                                     pam_faillock.so authfail                                 {include if "with-faillock"}
@@ -17,8 +17,8 @@ account     sufficient                                   pam_usertype.so issyste
 account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
 account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    requisite                                    pam_pwquality.so local_users_only
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password    required                                     pam_deny.so
 
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -4,7 +4,7 @@ auth        required                                     pam_faillock.so preauth
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        sufficient                                   pam_u2f.so cue                                         {include if "with-pam-u2f"}
 auth        required                                     pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
 auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
 auth        sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
 auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
@@ -18,8 +18,8 @@ account     sufficient                                   pam_usertype.so issyste
 account     [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
 account     required                                     pam_permit.so
 
-password    requisite                                    pam_pwquality.so try_first_pass local_users_only
-password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password    requisite                                    pam_pwquality.so local_users_only
+password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
 password    sufficient                                   pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password    required                                     pam_deny.so
 
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -154,7 +154,7 @@ for pam_faillock.
   auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
   auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
   auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
-  auth        sufficient                                   pam_unix.so nullok try_first_pass
+  auth        sufficient                                   pam_unix.so nullok
   auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient                                   pam_sss.so forward_pass
   auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
   auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
   auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
   auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
-  auth        sufficient                                   pam_unix.so nullok try_first_pass
+  auth        sufficient                                   pam_unix.so nullok
   auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient                                   pam_sss.so forward_pass
   auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
@@ -193,7 +193,7 @@ previous example.
   auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
   auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
   auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
-  auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
+  auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok}
   auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient                                   pam_sss.so forward_pass
   auth        required                                     pam_deny.so
-- 
2.20.1