mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00

man: don't suggest using pam_unix.so's use_authtok switch

Our dumbed down example PAM stacks do not contain cracklib/pwq modules,
hence using use_authtok on the pam_unix.so password change stack won't
work, because it has the effect that pam_unix.so never asks for a
password on its own, expecting the cracklib/pwq modules to have
queried/validated them beforehand.

I noticed this issue because of #30969: Debian's PAM setup suffers from
the same issue – even though they don't actually use our suggested PAM
fragments at all.

See: #30969
(cherry picked from commit 75f8b0fe70)
(cherry picked from commit e70b633455)
(cherry picked from commit 9eb38e720d)
Lennart Poettering 2024-01-17 23:41:14 +01:00 committed by Luca Boccassi
parent 24e26cad23
commit d35acc05c4
3 changed files with 3 additions and 4 deletions


@ -13,7 +13,7 @@ account sufficient pam_unix.so
account required pam_permit.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
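Review bot: the pam_unix.so password line loses use_authtok with no explanation beside the example, so an admin who merges this fragment into a stack that does run pam_pwquality.so or pam_cracklib.so ahead of pam_unix.so gets a pam_unix.so that can prompt on its own and set a password the quality module never checked. Suggest a one-line comment above `password sufficient pam_unix.so sha512 shadow try_first_pass` saying that use_authtok belongs back on that line whenever a password-quality module precedes it.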


@ -318,8 +318,7 @@ account sufficient pam_unix.so
account required pam_permit.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
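Review bot: the header `-318,8 +318,7` makes this hunk one line shorter after the change, yet the only edit shown is the one-for-one swap of the pam_unix.so password line; the page total of 3 additions and 4 deletions agrees that a fourth line is deleted here. That line is not visible in the hunk as rendered, so please confirm it is only whitespace and not another PAM entry, and mention it in the commit message so the change to this file is fully accounted for.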


@ -149,7 +149,7 @@ account sufficient pam_unix.so
account required pam_permit.so
<command>-password sufficient pam_systemd_home.so</command>
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
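Review bot: this is the third verbatim copy of the same example stack edited in one commit, here in the copy where `<command>` markup wraps the pam_systemd_home.so line, and the three copies have to be kept in lockstep by hand. Consider keeping the fragment in one place and including it from the other two, or at least cross-referencing the files in a comment, so that a later change to the pam_unix.so line cannot leave one copy still carrying use_authtok.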