From: Lennart Poettering Date: Wed, 17 Jan 2024 22:41:14 +0000 (+0100) Subject: man: don't suggest using pam_unix.so's use_authtok switch X-Git-Tag: v256-rc1~1116 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=75f8b0fe70002176b505010d633d95628eb8c40a;p=thirdparty%2Fsystemd.git man: don't suggest using pam_unix.so's use_authtok switch Our dumbed down example PAM stacks do not contain cracklib/pwq modules, hence using use_authtok on the pam_unix.so password change stack won't work, because it has the effect that pam_unix.so never asks for a password on its own, expecting the cracklib/pwq modules to have queried/validated them beforehand. I noticed this issue because of #30969: Debian's PAM setup suffers by the same issue – even though they don't actually use our suggested PAM fragments at all. See: #30969 --- diff --git a/factory/etc/pam.d/system-auth b/factory/etc/pam.d/system-auth index c2d6240930f..cb4e5703616 100644 --- a/factory/etc/pam.d/system-auth +++ b/factory/etc/pam.d/system-auth @@ -13,7 +13,7 @@ account sufficient pam_unix.so account required pam_permit.so -password sufficient pam_systemd_home.so -password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow try_first_pass password required pam_deny.so -session optional pam_keyinit.so revoke diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index 2c3bbec5d81..1a841df13bf 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -411,8 +411,7 @@ account sufficient pam_unix.so account required pam_permit.so -password sufficient pam_systemd_home.so -password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok - +password sufficient pam_unix.so sha512 shadow try_first_pass password required pam_deny.so -session optional pam_keyinit.so revoke diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml index 10ac7d9838e..5bd48de4a60 100644 --- a/man/pam_systemd_home.xml +++ b/man/pam_systemd_home.xml @@ -158,7 +158,7 @@ account sufficient pam_unix.so account required pam_permit.so -password sufficient pam_systemd_home.so -password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow try_first_pass password required pam_deny.so -session optional pam_keyinit.so revoke