Created
April 23, 2019 21:01
-
-
Save Wildcarde/01ec6592c51268081ea6b442d1759431 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/pam.d/fingerprint-auth-ac b/pam.d/fingerprint-auth-ac | |
| index 162f0bb..e09996c 100644 | |
| --- a/pam.d/fingerprint-auth-ac | |
| +++ b/pam.d/fingerprint-auth-ac | |
| @@ -8,6 +8,7 @@ auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account sufficient pam_succeed_if.so uid < 1000 quiet | |
| +account [default=bad success=ok user_unknown=ignore] pam_sss.so | |
| account required pam_permit.so | |
| password required pam_deny.so | |
| @@ -15,5 +16,7 @@ password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| -session optional pam_systemd.so | |
| +session optional pam_oddjob_mkhomedir.so umask=0077 | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| +session optional pam_sss.so | |
| diff --git a/pam.d/password-auth-ac b/pam.d/password-auth-ac | |
| index 4b80407..cf89f56 100644 | |
| --- a/pam.d/password-auth-ac | |
| +++ b/pam.d/password-auth-ac | |
| @@ -3,17 +3,22 @@ | |
| # User changes will be destroyed the next time authconfig is run. | |
| auth required pam_env.so | |
| auth required pam_faildelay.so delay=2000000 | |
| +auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet | |
| +auth [default=1 ignore=ignore success=ok] pam_localuser.so | |
| auth sufficient pam_unix.so nullok try_first_pass | |
| auth requisite pam_succeed_if.so uid >= 1000 quiet_success | |
| +auth sufficient pam_sss.so forward_pass | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account sufficient pam_succeed_if.so uid < 1000 quiet | |
| +account [default=bad success=ok user_unknown=ignore] pam_sss.so | |
| account required pam_permit.so | |
| password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= | |
| password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok | |
| +password sufficient pam_sss.so use_authtok | |
| password required pam_deny.so | |
| @@ -21,5 +26,7 @@ password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| -session optional pam_systemd.so | |
| +session optional pam_oddjob_mkhomedir.so umask=0077 | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| +session optional pam_sss.so | |
| diff --git a/pam.d/smartcard-auth-ac b/pam.d/smartcard-auth-ac | |
| index 83b3c90..afe0dae 100644 | |
| --- a/pam.d/smartcard-auth-ac | |
| +++ b/pam.d/smartcard-auth-ac | |
| @@ -8,6 +8,7 @@ auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account sufficient pam_succeed_if.so uid < 1000 quiet | |
| +account [default=bad success=ok user_unknown=ignore] pam_sss.so | |
| account required pam_permit.so | |
| password required pam_pkcs11.so | |
| @@ -15,5 +16,7 @@ password required pam_pkcs11.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| -session optional pam_systemd.so | |
| +session optional pam_oddjob_mkhomedir.so umask=0077 | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| +session optional pam_sss.so | |
| diff --git a/pam.d/system-auth-ac b/pam.d/system-auth-ac | |
| index d0af872..6d5c559 100644 | |
| --- a/pam.d/system-auth-ac | |
| +++ b/pam.d/system-auth-ac | |
| @@ -3,21 +3,28 @@ | |
| # User changes will be destroyed the next time authconfig is run. | |
| auth required pam_env.so | |
| auth required pam_faildelay.so delay=2000000 | |
| +auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet | |
| +auth [default=1 ignore=ignore success=ok] pam_localuser.so | |
| auth sufficient pam_unix.so nullok try_first_pass | |
| auth requisite pam_succeed_if.so uid >= 1000 quiet_success | |
| +auth sufficient pam_sss.so forward_pass | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account sufficient pam_succeed_if.so uid < 1000 quiet | |
| +account [default=bad success=ok user_unknown=ignore] pam_sss.so | |
| account required pam_permit.so | |
| password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= | |
| password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok | |
| +password sufficient pam_sss.so use_authtok | |
| password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| -session optional pam_systemd.so | |
| +session optional pam_oddjob_mkhomedir.so umask=0077 | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| +session optional pam_sss.so | |
| diff --git a/sysconfig/authconfig b/sysconfig/authconfig | |
| index 3e8117e..fff4d7c 100644 | |
| --- a/sysconfig/authconfig | |
| +++ b/sysconfig/authconfig | |
| @@ -15,7 +15,7 @@ USEKERBEROS=no | |
| USELDAP=no | |
| USELDAPAUTH=no | |
| USELOCAUTHORIZE=yes | |
| -USEMKHOMEDIR=no | |
| +USEMKHOMEDIR=yes | |
| USENIS=no | |
| USEPAMACCESS=no | |
| USEPASSWDQC=no | |
| @@ -23,7 +23,7 @@ USEPWQUALITY=yes | |
| USESHADOW=yes | |
| USESMARTCARD=no | |
| USESSSD=yes | |
| -USESSSDAUTH=no | |
| +USESSSDAUTH=yes | |
| USESYSNETAUTH=no | |
| USEWINBIND=no | |
| USEWINBINDAUTH=no |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment