Current system-auth from pambase 20200721.1-1 in testing
#%PAM-1.0
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
From man 8 pam_systemd_home
#%PAM-1.0
auth sufficient pam_unix.so
-auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so
account required pam_permit.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
password required pam_deny.so
-session optional pam_keyinit.so revoke
-session optional pam_loginuid.so
-session optional pam_systemd_home.so
-session optional pam_systemd.so
session required pam_unix.so
I read through https://wiki.archlinux.org/index.php/Talk:Systemd-homed
In the auth section pam_unix.so is listed before pam_systemd_home.so but that is reversed in account, password and session. I could not find a reason for this.
In the account section, is pam_permit.so more permissive than the current config? Was this the cause of allowing login without a password?
In the session section pam_unix is required for a systemd-homed user?
From man 8 pam_faillock second example
auth required pam_securetty.so
auth required pam_env.so
auth required pam_nologin.so
auth required pam_faillock.so preauth
# optionally use requisite above if you do not want to prompt for the password
# on locked accounts
auth sufficient pam_unix.so
auth [default=die] pam_faillock.so authfail
auth required pam_deny.so
account required pam_faillock.so
# if you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures
account required pam_unix.so
password required pam_unix.so shadow
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_unix.so
session required pam_selinux.so open
Proposed merged result
#%PAM-1.0
auth required pam_env.so
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth sufficient pam_unix.so try_first_pass nullok
-auth sufficient pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth required pam_deny.so
account required pam_faillock.so
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account required pam_time.so
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so
account required pam_deny.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so try_first_pass nullok shadow
password required pam_deny.so
session required pam_limits.so
-session optional pam_systemd_home.so
session required pam_unix.so
Dropped pam_permit.so as it served no purpose.
Dropped sha512 option from pam_unix as it overrides the value in /etc/login.defs.
Does the above seem reasonable?
Edit:
sufficient returning immediately breaks stacks that have entries after include system-login / include system-auth.
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=2 new_authtok_reqd=2 default=ignore] pam_unix.so try_first_pass nullok
-auth [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 new_authtok_reqd=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
session required pam_limits.so
-session optional pam_systemd_home.so
session required pam_unix.so
session optional pam_permit.so
Edit:
Alternative substack approach
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth substack system-auth-substack
auth required pam_env.so
account required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account substack system-auth-substack
account required pam_time.so
password substack system-auth-substack
session required pam_limits.so
-session optional pam_systemd_home.so
session required pam_unix.so
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass nullok
-auth sufficient pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so
account required pam_deny.so
password sufficient pam_unix.so try_first_pass nullok shadow
-password sufficient pam_systemd_home.so
password required pam_deny.so
Last edited by loqs (2020-09-05 10:54:53)