-rw-r--r-- | strata/core/shadow.morph | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/strata/core/shadow.morph b/strata/core/shadow.morph
index d709ddcb..34ec6197 100644
--- a/strata/core/shadow.morph
+++ b/strata/core/shadow.morph
@@ -31,9 +31,20 @@ post-install-commands:
 PASS_CHANGE_TRIES \
 PASS_ALWAYS_WARN \
 CHFN_AUTH \
- ENCRYPT_METHOD \
 ENVIRON_FILE
 do
- sed -i "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
+ sed -i -e "s/^${OPTION}.*/# & #This option is handled by PAM instead./" \
 "$DESTDIR/etc/login.defs"
 done
+# ENCRYPT_METHOD is handled specially with PAM, it will use the default as
+# provided in login.defs, but it may be overridden in the pam.d config.
+# We do not currently override this though, and it's better to guard oursleves
+# against accidentally reducing password security by forgetting to include the
+# algorithm as an argument to the PAM module, so ENCRYPT_METHOD is configured
+# here, rather than in PAM.
+- |
+ if grep -q '[\s#]ENCRYPT_METHOD' "$DESTDIR/etc/login.defs"; then
+ sed -i -e '/^[\s#]*ENCRYPT_METHOD /s/.*/ENCRYPT_METHOD SHA512/g' "$DESTDIR/etc/login.defs"
+ else
+ echo 'ENCRYPT_METHOD SHA512' >>"$DESTDIR/etc/login.defs"
+ fi |
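Review bot: The bracket expression `[\s#]` in the added grep and sed lines does not mean "whitespace or #"; inside a POSIX bracket expression the backslash is literal, so it matches `\`, `s` or `#`. The grep therefore misses an uncommented `ENCRYPT_METHOD` at the start of a line, which falls through to the else branch and leaves the old setting in place next to the appended one. Conversely, a commented entry whose name is followed by a tab passes the grep but not the sed address (which requires a space), so the step ends with no SHA512 line and no error. Use one anchored pattern in both places, `grep -q '^[[:space:]#]*ENCRYPT_METHOD[[:space:]]'` and `sed -i -e 's/^[[:space:]#]*ENCRYPT_METHOD[[:space:]].*/ENCRYPT_METHOD SHA512/'`, and end the step with `grep -qx 'ENCRYPT_METHOD SHA512' "$DESTDIR/etc/login.defs"` so a password-hash setting that was not applied fails the step instead of passing silently.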