author: Pedro Alvarez <pedro.alvarez@codethink.co.uk>, 2015-05-05 11:25:43 +0000
committer: Baserock Gerrit <gerrit@baserock.org>, 2015-05-07 14:09:14 +0000
commit: ef619b6115513dd36923c39190f907b55b0a4825
tree: 1b813683e225c9ce5a718e0e331220e8b8b98371 /strata/foundation
parent: ebf9125fb758c9b0fb74277e8babb5c4669534d6
Configure shadow to work with PAM.

Also modify some /etc/pam.d files:
- Make the requirement on pam_selinux.so optional in shadow default pam.d configuration files.
- Modify 'system-auth' when installing systemd to add pam_deny.so, so that login attempts with wrong passwords fail now that shadow is configured to use PAM.

Change-Id: I7110d27b6b46ce33eeaeae904dea854deb46c759

Diffstat (limited to 'strata/foundation')
-rw-r--r-- strata/foundation/systemd.morph | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/strata/foundation/systemd.morph b/strata/foundation/systemd.morph
index efca734f..5dc48e70 100644
--- a/strata/foundation/systemd.morph
+++ b/strata/foundation/systemd.morph
@@ -39,3 +39,8 @@ post-install-commands:
EOF
# Use the pam config systemd provides
- cp -a "$DESTDIR/$PREFIX"/share/factory/etc/pam.d/* "$DESTDIR/etc/pam.d"
+
+# Add pam_deny.so to the default systemd-auth pam.d config file. Without
+# it, if shadow is configured to use PAM, it would be possible to login
+# to a system with the wrong password.
+- echo 'auth requisite pam_deny.so' >> "$DESTDIR"/etc/pam.d/system-auth
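Review bot: The appended 'auth requisite pam_deny.so' line is only correct if the auth entries already in the factory system-auth (copied by the cp line above) return on success before the end of the stack is reached, and nothing in this hunk checks that. Because the line is added with '>>', its effect depends entirely on what precedes it: if the earlier auth modules are 'sufficient', a correct password returns early and a wrong one falls through to pam_deny.so, but if a later systemd release ships them as 'required', every login would be denied. Consider writing the expected auth stack explicitly, or failing the build when the copied file does not contain the line this relies on. The new comment also says "systemd-auth" while the command edits system-auth; the comment should name the file that is actually changed.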