Skip to content

Commit e1fbbdc

Browse files
committed
1 parent eaef74b commit e1fbbdc

9 files changed

Lines changed: 21 additions & 12 deletions

File tree

profiles/nis/README

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,9 @@ with-nispwquality::
3838
for NIS users as well as local users during password change. Without this
3939
option only local users passwords are checked.
4040

41+
without-nullok::
42+
Do not add nullok parameter to pam_unix.
43+
4144
EXAMPLES
4245
--------
4346
* Enable NIS with no additional modules

profiles/nis/password-auth

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
auth required pam_env.so
22
auth required pam_faildelay.so delay=2000000
33
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
4-
auth sufficient pam_unix.so nullok try_first_pass
4+
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
55
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
66
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
77
auth required pam_deny.so
@@ -14,7 +14,7 @@ account sufficient pam_succeed_if.so uid <
1414
account required pam_permit.so
1515

1616
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
17-
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
17+
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
1818
password required pam_deny.so
1919

2020
session optional pam_keyinit.so revoke

profiles/nis/system-auth

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ auth required pam_env.so
22
auth required pam_faildelay.so delay=2000000
33
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
44
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
5-
auth sufficient pam_unix.so nullok try_first_pass
5+
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
66
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
77
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
88
auth required pam_deny.so
@@ -15,7 +15,7 @@ account sufficient pam_succeed_if.so uid <
1515
account required pam_permit.so
1616

1717
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
18-
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok nis
18+
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
1919
password required pam_deny.so
2020

2121
session optional pam_keyinit.so revoke

profiles/sssd/README

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,9 @@ with-sudo::
5656
with-pamaccess::
5757
Check access.conf during account authorization.
5858

59+
without-nullok::
60+
Do not add nullok parameter to pam_unix.
61+
5962
EXAMPLES
6063
--------
6164

profiles/sssd/password-auth

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
33
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
44
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
55
auth [default=1 ignore=ignore success=ok] pam_localuser.so
6-
auth sufficient pam_unix.so nullok try_first_pass
6+
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
77
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
88
auth sufficient pam_sss.so forward_pass
99
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -18,7 +18,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
1818
account required pam_permit.so
1919

2020
password requisite pam_pwquality.so try_first_pass local_users_only
21-
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
21+
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
2222
password sufficient pam_sss.so use_authtok
2323
password required pam_deny.so
2424

profiles/sssd/system-auth

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
44
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
55
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
66
auth [default=1 ignore=ignore success=ok] pam_localuser.so
7-
auth sufficient pam_unix.so nullok try_first_pass
7+
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
88
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
99
auth sufficient pam_sss.so forward_pass
1010
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -19,7 +19,7 @@ account [default=bad success=ok user_unknown=ignore] pam_sss.so
1919
account required pam_permit.so
2020

2121
password requisite pam_pwquality.so try_first_pass local_users_only
22-
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
22+
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
2323
password sufficient pam_sss.so use_authtok
2424
password required pam_deny.so
2525

profiles/winbind/README

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,9 @@ with-silent-lastlog::
4848
with-pamaccess::
4949
Check access.conf during account authorization.
5050

51+
without-nullok::
52+
Do not add nullok parameter to pam_unix.
53+
5154
EXAMPLES
5255
--------
5356
* Enable winbind with no additional modules

profiles/winbind/password-auth

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
auth required pam_env.so
22
auth required pam_faildelay.so delay=2000000
33
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
4-
auth sufficient pam_unix.so nullok try_first_pass
4+
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
55
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
66
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
77
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -16,7 +16,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
1616
account required pam_permit.so
1717

1818
password requisite pam_pwquality.so try_first_pass local_users_only
19-
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
19+
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
2020
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
2121
password required pam_deny.so
2222

profiles/winbind/system-auth

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ auth required pam_env.so
22
auth required pam_faildelay.so delay=2000000
33
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
44
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
5-
auth sufficient pam_unix.so nullok try_first_pass
5+
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
66
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
77
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
88
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -17,7 +17,7 @@ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "wit
1717
account required pam_permit.so
1818

1919
password requisite pam_pwquality.so try_first_pass local_users_only
20-
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
20+
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
2121
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
2222
password required pam_deny.so
2323

0 commit comments

Comments
 (0)