diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-01-17 23:41:14 +0100 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-01-18 00:59:05 +0100 |
| commit | 75f8b0fe70002176b505010d633d95628eb8c40a (patch) | |
| tree | 19433e7acb54bc97ac1e610ddf260de06e45abc5 /factory | |
| parent | vmspawn: include qemu cmdline in debug output (diff) | |
| download | systemd-75f8b0fe70002176b505010d633d95628eb8c40a.tar.xz systemd-75f8b0fe70002176b505010d633d95628eb8c40a.zip | |
man: don't suggest using pam_unix.so's use_authtok switch
Our dumbed down example PAM stacks do not contain cracklib/pwq modules,
hence using use_authtok on the pam_unix.so password change stack won't
work, because it has the effect that pam_unix.so never asks for a
password on its own, expecting the cracklib/pwq modules to have
queried/validated them beforehand.
I noticed this issue because of #30969: Debian's PAM setup suffers by
the same issue – even though they don't actually use our suggested PAM
fragments at all.
See: #30969
Diffstat (limited to 'factory')
| -rw-r--r-- | factory/etc/pam.d/system-auth | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/factory/etc/pam.d/system-auth b/factory/etc/pam.d/system-auth index c2d6240930..cb4e570361 100644 --- a/factory/etc/pam.d/system-auth +++ b/factory/etc/pam.d/system-auth @@ -13,7 +13,7 @@ account sufficient pam_unix.so account required pam_permit.so -password sufficient pam_systemd_home.so -password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok +password sufficient pam_unix.so sha512 shadow try_first_pass password required pam_deny.so -session optional pam_keyinit.so revoke |