authconfig

#10 use also preauth phase of pam_faillock
Merged by tmraz. Opened by pbrezina.
pbrezina/authconfig faillock  into  master

Generated stack:

auth        required      pam_env.so
auth        requisite     pam_faillock.so preauth silent deny=4 unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_faillock.so authfail deny=4 unlock_time=1200
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The pam_faillock preauth should be required as in the second example in the man page, not requisite.

rebased

Patch updated.

Pull-Request has been merged by tmraz

I added one small fix for reading the faillockArgs in a separate commit
Metadata
None
No Tags
Changes Summary 1
+8 -0
file changed
authinfo.py
Powered by Pagure 1.0.0
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.