Hi,
Post-freeze I would like to merge the following patch, which will remove the Password: prompt on RHEL7 boxes after a failed password+token.
commit 17f4dce44a5f105cb2f7850085d42626e054c224
Author: Patrick Uiterwijk puiterwijk@redhat.com
Date: Wed Sep 16 17:57:02 2015 +0000

Remove the Password: prompt when 2fa failed
diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam index aa59ebf..08f7630 100644 - --- a/files/2fa/sudo.pam +++ b/files/2fa/sudo.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required pam_env.so - -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
diff --git a/roles/totpcgi/files/sudo.pam b/roles/totpcgi/files/sudo.pam index aa59ebf..08f7630 100644 - --- a/roles/totpcgi/files/sudo.pam +++ b/roles/totpcgi/files/sudo.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required pam_env.so - -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
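Review bot: In the changed line of both files, `requisite` ends the stack only when pam_url.so fails; when it succeeds, evaluation continues to `auth requisite pam_succeed_if.so uid >= 500 quiet` and then to `auth required pam_deny.so`, which always fails, so a correct password+token no longer ends the auth stack with success the way `sufficient` did. If the intent is to return immediately on either result, a bracketed control such as `[success=done new_authtok_reqd=done default=die]` on the pam_url.so line keeps the success short-circuit of `sufficient` and adds the fail-fast of `requisite`. The hunk covers only lines 1-6 of the file, so anything after pam_deny.so is still reached on the success path.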
-- With kind regards, Patrick Uiterwijk Fedora Infra
_______________________________________________ infrastructure mailing list infrastructure@lists.fedoraproject.org http://lists.fedoraproject.org/postorius/infrastructure@lists.fedoraproject....
Corrected patch follows. With the original one, it would still fall through to system-auth.
This patch removes that. We don't need the original system-auth anymore, since we already have pam_env, pam_succeed_if and pam_deny in the sudo pam.
diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam index aa59ebf..356a9db 100644 - --- a/files/2fa/sudo.pam +++ b/files/2fa/sudo.pam @@ -1,10 +1,9 @@ #%PAM-1.0 auth required pam_env.so - -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
- -auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke diff --git a/roles/totpcgi/files/sudo.pam b/roles/totpcgi/files/sudo.pam index aa59ebf..356a9db 100644 - --- a/roles/totpcgi/files/sudo.pam +++ b/roles/totpcgi/files/sudo.pam @@ -1,10 +1,9 @@ #%PAM-1.0 auth required pam_env.so - -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
- -auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke
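Review bot: files/2fa/sudo.pam and roles/totpcgi/files/sudo.pam are identical copies (both go from aa59ebf to 356a9db), so every change has to be made twice and the two can drift; consider keeping one copy and pointing the other consumer at it. Since `auth include system-auth` is removed while `account include system-auth` and `password include system-auth` stay, a short comment above the auth lines saying that auth deliberately does not include system-auth would stop someone re-adding it later. The staging test should include a successful password+token as well as a failed one, because after this change `auth required pam_deny.so` is the last auth line in the file.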
On Wed, Sep 16, 2015 at 07:59:35PM +0200, Patrick Uiterwijk wrote:
Hi,
Post-freeze I would like to merge the following patch, which will remove the Password: prompt on RHEL7 boxes after a failed password+token.
commit 17f4dce44a5f105cb2f7850085d42626e054c224
Author: Patrick Uiterwijk puiterwijk@redhat.com
Date: Wed Sep 16 17:57:02 2015 +0000

Remove the Password: prompt when 2fa failed
diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam index aa59ebf..08f7630 100644 --- a/files/2fa/sudo.pam +++ b/files/2fa/sudo.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required pam_env.so -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
diff --git a/roles/totpcgi/files/sudo.pam b/roles/totpcgi/files/sudo.pam index aa59ebf..08f7630 100644 --- a/roles/totpcgi/files/sudo.pam +++ b/roles/totpcgi/files/sudo.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required pam_env.so -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
-- With kind regards, Patrick Uiterwijk Fedora Infra
-- With kind regards, Patrick Uiterwijk Fedora Infra
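The control-flag behaviour this thread turns on, as an added example that is not part of the original messages: a simplified Python model of how `required`, `requisite` and `sufficient` decide which auth modules run for the three versions of sudo.pam. The module results are constructed inputs, and the single `pam_unix.so` entry standing in for `auth include system-auth` is an assumption.

```python
# Added example: a simplified model of Linux-PAM auth control flags.
# Module results are constructed inputs; no real PAM modules are called.

def run_auth(stack, results):
    """Evaluate an auth stack. Returns (granted, modules_that_ran)."""
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, ran          # success ends the stack here
            continue                      # failure is ignored
        if ok:
            any_success = True
        elif control == "requisite":
            return False, ran             # failure ends the stack here
        else:                             # "required": fail, but keep going
            required_failed = True
    return any_success and not required_failed, ran

ENV = ("required", "pam_env.so")
UID = ("requisite", "pam_succeed_if.so")
DENY = ("required", "pam_deny.so")
# Assumption: 'auth include system-auth' is modelled as one password module.
SYSTEM_AUTH = ("sufficient", "pam_unix.so")

STACKS = {
    "before": [ENV, ("sufficient", "pam_url.so"), UID, DENY, SYSTEM_AUTH],
    "first patch": [ENV, ("requisite", "pam_url.so"), UID, DENY, SYSTEM_AUTH],
    "corrected patch": [ENV, ("requisite", "pam_url.so"), UID, DENY],
}

def outcome(name, token_ok):
    """Run one stack variant for a non-system user with a correct password."""
    results = {"pam_env.so": True, "pam_url.so": token_ok,
               "pam_succeed_if.so": True, "pam_deny.so": False,
               "pam_unix.so": True}
    return run_auth(STACKS[name], results)

if __name__ == "__main__":
    for name in STACKS:
        for token_ok in (False, True):
            granted, ran = outcome(name, token_ok)
            print(f"{name:16} token_ok={token_ok!s:5} granted={granted!s:5} "
                  f"password_prompt={'pam_unix.so' in ran}")
```

A run where `pam_unix.so` appears in the list of modules that ran corresponds to the extra Password: prompt discussed in the thread.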
+1 provided it tests ok in stg. ;)
kevin
Same here.
On 16 September 2015 at 12:10, Kevin Fenzi kevin@scrye.com wrote:
+1 provided it tests ok in stg. ;)
kevin