Lines 7-40
auth sufficient pam_ssh.so
|
7 |
auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} |
7 |
auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} |
8 |
{% endif %} |
8 |
{% endif %} |
9 |
|
9 |
|
|
|
10 |
{% if sssd %} |
11 |
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular |
12 |
auth [default=3 ignore=ignore success=ok] pam_localuser.so |
13 |
{% endif %} |
14 |
|
10 |
auth requisite pam_faillock.so preauth |
15 |
auth requisite pam_faillock.so preauth |
|
|
16 |
|
11 |
{% if homed %} |
17 |
{% if homed %} |
12 |
auth [success=2 default=ignore] pam_systemd_home.so |
18 |
auth [success=2 default=ignore] pam_systemd_home.so |
13 |
{% endif %} |
19 |
{% endif %} |
|
|
20 |
|
21 |
{% if sssd %} |
22 |
auth sufficient pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} |
23 |
{% else %} |
14 |
auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass |
24 |
auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass |
|
|
25 |
{% endif %} |
15 |
auth [default=die] pam_faillock.so authfail |
26 |
auth [default=die] pam_faillock.so authfail |
16 |
|
27 |
{% if sssd %} |
|
|
28 |
auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }} |
29 |
{% endif %} |
17 |
{% if caps %} |
30 |
{% if caps %} |
18 |
auth optional pam_cap.so |
31 |
auth optional pam_cap.so |
19 |
{% endif %} |
32 |
{% endif %} |
20 |
|
33 |
{% if sssd %} |
|
|
34 |
auth sufficient pam_deny.so |
35 |
{% endif %} |
21 |
{% if krb5 %} |
36 |
{% if krb5 %} |
22 |
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }} |
37 |
account [success=2 default=ignore] pam_krb5.so {{ krb5_params }} |
23 |
{% endif %} |
38 |
{% endif %} |
24 |
|
39 |
|
25 |
{% if homed %} |
40 |
{% if homed %} |
26 |
account [success=1 default=ignore] pam_systemd_home.so |
41 |
account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so |
27 |
{% endif %} |
42 |
{% endif %} |
28 |
|
43 |
|
29 |
account required pam_unix.so {{ debug|default('', true) }} |
44 |
account required pam_unix.so {{ debug|default('', true) }} |
30 |
account required pam_faillock.so |
45 |
account required pam_faillock.so |
|
|
46 |
{% if sssd %} |
47 |
account sufficient pam_localuser.so |
48 |
account sufficient pam_usertype.so issystem |
49 |
account [default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }} |
50 |
account required pam_permit.so |
51 |
{% endif %} |
31 |
|
52 |
|
32 |
{% if passwdqc %} |
53 |
{% if passwdqc %} |
33 |
password required pam_passwdqc.so config=/etc/security/passwdqc.conf |
54 |
password required pam_passwdqc.so config=/etc/security/passwdqc.conf |
34 |
{% endif %} |
55 |
{% endif %} |
35 |
|
56 |
|
36 |
{% if pwquality %} |
57 |
{% if pwquality %} |
37 |
password required pam_pwquality.so |
58 |
password required pam_pwquality.so {{ local_users_only|default('', true ) }} |
38 |
{% endif %} |
59 |
{% endif %} |
39 |
|
60 |
|
40 |
{% if pwhistory %} |
61 |
{% if pwhistory %} |
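Review bot: The closing `auth sufficient pam_deny.so` in the sssd branch does not act as a terminal deny, because a failure from a `sufficient` module is ignored and the stack result is left to whatever ran before it (an `optional` pam_cap.so that returns success could then decide the outcome). The password stack in this same change ends with `password required pam_deny.so`, and the auth stack should match with `auth required pam_deny.so`. Separately, the new `pam_localuser.so` line hard-codes `default=3`, which with `homed` enabled appears to land on `auth [default=die] pam_faillock.so authfail` rather than on pam_sss.so. The krb5 line above already computes its jump, so `default={{ 4 if homed else 3 }}` would keep the two in step. The krb5 `success=` count itself was not adjusted for the two modules the sssd block inserts after it, so each jump target is worth re-checking with sssd, homed and krb5 toggled.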
Lines 50-58
password [success=1 default=ignore] pam_systemd_home.so
|
50 |
{% endif %} |
71 |
{% endif %} |
51 |
|
72 |
|
52 |
{% if passwdqc or pwquality %} |
73 |
{% if passwdqc or pwquality %} |
53 |
password required pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} |
74 |
password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} |
54 |
{% else %} |
75 |
{% else %} |
55 |
password required pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} |
76 |
password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} |
|
|
77 |
{% endif %} |
78 |
|
79 |
{% if sssd %} |
80 |
password sufficient pam_sss.so use_authtok |
81 |
password required pam_deny.so |
56 |
{% endif %} |
82 |
{% endif %} |
57 |
|
83 |
|
58 |
{% if pam_ssh %} |
84 |
{% if pam_ssh %} |