Our dumbed down example PAM stacks do not contain cracklib/pwq modules,
hence using use_authtok on the pam_unix.so password change stack won't
work, because it has the effect that pam_unix.so never asks for a
password on its own, expecting the cracklib/pwq modules to have
queried/validated them beforehand.
I noticed this issue because of #30969: Debian's PAM setup suffers by
the same issue – even though they don't actually use our suggested PAM
fragments at all.
See: #30969
account required pam_permit.so
-password sufficient pam_systemd_home.so
-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
account required pam_permit.so
-password sufficient pam_systemd_home.so
-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
-
+password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
account required pam_permit.so
<command>-password sufficient pam_systemd_home.so</command>
-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
projects / thirdparty / systemd.git / commitdiff
