Closed anders-larsson closed 1 year ago
@anders-larsson This appears to assume SSSD is enabled, which is not the default for a minimal EL8 environment.
Example defaults from fresh container:
```
# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```
That could indeed be the case. Thanks for pointing it out. Will close this as it does not seem to be relevant.
I suspect that #242 should be updated as well. I'll look into it.
Oh. Just realised this change included more changes than the sssd one. I'll check tomorrow what is relevant in a minimal installation.
@anders-larsson @treydock is this ok to be closed or is the fix needed?
Well.. It seems to work anyway so maybe it's not worth the effort to make changes retroactively (even though they're more aligned with the defaults). Might cause problems for users I suspect.
Will close it.
Fixes incorrect PAM configuration for EL8 introduced by https://github.com/ghoneycutt/puppet-module-pam/commit/81560cd19cfda5091fb3036c6438bc3195fef3fb. Assumption was that the data in fixtures was correct, which was not the case.
After this change we're using the exact configuration after EL8 installation for system-auth and password-auth.
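One way to catch a fixture that drifts from the real defaults, as an added example that is not part of this thread or of the module's code: parse both PAM stacks and report rules present in only one of them. `EL8_MINIMAL` is a subset of the defaults quoted above; `SSSD_FIXTURE` and the helper names are hypothetical.

```python
import re

# Constructed sample: subset of the password-auth defaults quoted in this thread.
EL8_MINIMAL = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"""

# Constructed sample: a hypothetical fixture that assumes SSSD is enabled.
SSSD_FIXTURE = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
session required pam_unix.so
"""

# optional "-" prefix, type, control (keyword or [value=action ...]), module, arguments
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        _, ptype, control, module, args = m.groups()
        rules.append((ptype, control, module, tuple(args.split())))
    return rules

def diff_stacks(expected, actual):
    """Return (missing, extra): rules only in expected, rules only in actual."""
    exp, act = parse_pam(expected), parse_pam(actual)
    return [r for r in exp if r not in act], [r for r in act if r not in exp]

def uses_module(text, module):
    return any(rule[2] == module for rule in parse_pam(text))
```

The comparison ignores rule order, which PAM does not; a stricter check would also compare the position of each rule within its type.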