/etc/pam.d changes breaks authselect and FreeIPA changes #836

Open
tsmalmbe opened this issue Jan 2, 2025 · 0 comments
tsmalmbe commented Jan 2, 2025

Description

I suggest that compatibility with authselect and FreeIPA should be maintained.

Solution

  1. Authselect.
    It is my understanding that authselect has a core default auth file it uses, which system-auth and password-auth are linked to. In addition, any local overrides should be in the local-files, which in turn should override the core defaults. Would it not be feasible to simply write all the hardened options into the local files, overriding (almost everything) in the core defaults? As it currently stands, the hardenings change the links from the core defaults to local links, resulting in errors when authselect apply-changes is executed.

  2. FreeIPA
    FreeIPA likes to use oddjob for automatically creating home directories. As it currently stands, the hardenings also overwrite this line in the config, resulting in a need to modify the files (with yet another Ansible task) to include the line required by FreeIPA (session optional pam_oddjob_mkhomedir.so). I would suggest that this is somehow accounted for, either as a var of some kind or in some other way.

Alternatives

No response

Additional information

...
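
An added example, not part of the original issue or the project's code: a shell check to run after a hardening play that reports the two breakages described above (system-auth/password-auth no longer being authselect symlinks, and the pam_oddjob_mkhomedir.so session line being gone). It assumes the standard authselect layout, where both files are symlinks into /etc/authselect, and that both files should carry the oddjob line; the function names and the temp-dir fixture are constructed for illustration.

```shell
#!/bin/sh
# Usage: check_pam_authselect [PAM_DIR] [AUTHSELECT_DIR]
# Defaults are the standard locations; other paths allow offline testing.
check_pam_authselect() {
    pam_dir=${1:-/etc/pam.d}
    as_dir=$(readlink -f "${2:-/etc/authselect}")
    rc=0
    for name in system-auth password-auth; do
        f="$pam_dir/$name"
        # Assumption: authselect manages these as symlinks into its own directory.
        if [ ! -L "$f" ]; then
            echo "FAIL $name: not a symlink"
            rc=1
        else
            target=$(readlink -f "$f")
            case "$target" in
                "$as_dir"/*) echo "OK   $name -> $target" ;;
                *) echo "FAIL $name: symlink points outside $as_dir ($target)"; rc=1 ;;
            esac
        fi
        # FreeIPA home-directory creation needs an active (uncommented) oddjob line.
        if grep -Eq '^[[:space:]]*-?session[[:space:]]+optional[[:space:]]+pam_oddjob_mkhomedir\.so' "$f" 2>/dev/null; then
            echo "OK   $name: pam_oddjob_mkhomedir.so present"
        else
            echo "FAIL $name: pam_oddjob_mkhomedir.so session line missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: a healthy layout in a temp dir (not real system files).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/authselect" "$d/pam.d"
    for name in system-auth password-auth; do
        printf 'session optional pam_oddjob_mkhomedir.so\n' > "$d/authselect/$name"
        ln -s "$d/authselect/$name" "$d/pam.d/$name"
    done
    echo "$d"
}
```

Called with no arguments, `check_pam_authselect` inspects the live /etc/pam.d and returns non-zero if any check fails, so it can gate a play or a CI job.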
