commit:     99919c4b2b59af27e7ad1daa6fbe8c614a8463c0
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 26 08:32:29 2020 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 22:48:06 2020 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=99919c4b

templates/system-auth.tpl: skip pam_unix with krb5

Before this change, success on pam_krb5 would result in jumping
one line (over pam_permit) back into pam_unix.

Incidentally, we did the later stanza correctly. This was a regression
from old pambase.

Bug: https://bugs.gentoo.org/748405
Signed-off-by: Sam James <sam <AT> gentoo.org>

 templates/system-auth.tpl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 8b61701..668303f 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,20 +4,20 @@ auth          sufficient      pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth        [success=1 default=ignore]      pam_krb5.so {{ krb5_params }}
+auth           [success=4 default=ignore]      pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-auth           optional        pam_permit.so
 auth           requisite       pam_faillock.so preauth
 auth           [success=1 default=ignore]      pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth           [default=die]   pam_faillock.so authfail
+auth           optional        pam_permit.so
 
 {% if krb5 %}
-account                [success=1 default=ignore]      pam_krb5.so {{ krb5_params }}
+account                [success=2 default=ignore]      pam_krb5.so {{ krb5_params }}
 {% endif %}
 account                required        pam_unix.so {{ debug|default('', true) }}
-account                optional        pam_permit.so
 account         required        pam_faillock.so
+account         optional        pam_permit.so
 
 {% if passwdqc %}
 password       required        pam_passwdqc.so config=/etc/security/passwdqc.conf
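Review bot: With `success=4` on the new pam_krb5 line, a Kerberos success now also jumps over `pam_faillock.so preauth`, so an account that faillock has locked is still accepted whenever the KDC authenticates it, whereas in the old layout preauth still ran after the one-line jump. If the lockout is meant to apply regardless of backend, move `auth           requisite       pam_faillock.so preauth` above the `{% if krb5 %}` block and change the jump to `[success=2 default=ignore]`, which then lands on pam_permit exactly as the account stanza's `success=2` does; as written the auth jump skips pam_permit while the account jump lands on it, which I believe is harmless under Linux-PAM's treatment of a jump as `ok`, but the two stanzas are no longer parallel. Note that pam_krb5 failures are `default=ignore`, so only pam_unix results ever reach `authfail` and the tally reflects local-password attempts only. The auth stack begins above this hunk (the pam_ssh line is header context), and whatever follows pam_permit after the jump is not visible here.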
