-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Corrected patch follows. With the original one, it would still fall through to system-auth. This patch removes that. We don't need the original system-auth anymore, since we already have pam_env, pam_succeed_if and pam_deny in the sudo pam.

diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam index aa59ebf..356a9db 100644 - --- a/files/2fa/sudo.pam +++ b/files/2fa/sudo.pam @@ -1,10 +1,9 @@ #%PAM-1.0 auth required pam_env.so - -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so - -auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke diff --git a/roles/totpcgi/files/sudo.pam b/roles/totpcgi/files/sudo.pam index aa59ebf..356a9db 100644 - --- a/roles/totpcgi/files/sudo.pam +++ b/roles/totpcgi/files/sudo.pam @@ -1,10 +1,9 @@ #%PAM-1.0 auth required pam_env.so - -auth sufficient pam_url.so config=/etc/pam_url.conf +auth requisite pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so - -auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke

On Wed, Sep 16, 2015 at 07:59:35PM +0200, Patrick Uiterwijk wrote:
> Hi,
>
> Post-freeze I would like to merge the following patch, which will remove the
> Password: prompt on RHEL7 boxes after a failed password+token.
>
> commit 17f4dce44a5f105cb2f7850085d42626e054c224
> Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
> Date: Wed Sep 16 17:57:02 2015 +0000
>
> Remove the Password: prompt when 2fa failed
>
> diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam > index aa59ebf..08f7630 100644 > --- a/files/2fa/sudo.pam > +++ b/files/2fa/sudo.pam 
> @@ -1,6 +1,6 @@ > #%PAM-1.0 > auth required pam_env.so > -auth sufficient pam_url.so config=/etc/pam_url.conf > +auth requisite pam_url.so config=/etc/pam_url.conf > auth requisite pam_succeed_if.so uid >= 500 quiet > auth required pam_deny.so > > diff --git a/roles/totpcgi/files/sudo.pam b/roles/totpcgi/files/sudo.pam > index aa59ebf..08f7630 100644 > --- a/roles/totpcgi/files/sudo.pam > +++ b/roles/totpcgi/files/sudo.pam 
> @@ -1,6 +1,6 @@ > #%PAM-1.0 > auth required pam_env.so > -auth sufficient pam_url.so config=/etc/pam_url.conf > +auth requisite pam_url.so config=/etc/pam_url.conf > auth requisite pam_succeed_if.so uid >= 500 quiet > auth required pam_deny.so >
>
> --
> With kind regards,
> Patrick Uiterwijk
> Fedora Infra
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/postorius/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx

- --
With kind regards,
Patrick Uiterwijk
Fedora Infra
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
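
Review bot: In the @@ -1,10 +1,9 @@ hunk of both sudo.pam files, the line changed to "auth requisite pam_url.so config=/etc/pam_url.conf" leaves nothing in the auth stack that can end it with success. requisite only stops the stack when the module fails; when pam_url.so accepts the password+token, evaluation continues through pam_succeed_if.so into "auth required pam_deny.so", which always fails, and with "auth include system-auth" removed there is no later module, so sudo authentication would be refused for a valid token as well as an invalid one. To stop immediately on failure and still grant on success, consider a bracketed control such as "auth [success=done new_authtok_reqd=done default=die] pam_url.so config=/etc/pam_url.conf", and confirm on a RHEL7 test box that a correct password+token still grants sudo before merging.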
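
The control-flag reasoning in this thread (what still runs after pam_url.so, and when the stack reaches system-auth) can be checked with a small model of how Linux-PAM walks an auth stack. This is an added example, not code from the message or from Fedora Infrastructure; it models only the required, requisite and sufficient keywords, and the SYSTEM_AUTH stand-in, the uid and the token/password outcomes are assumptions constructed for illustration.

```python
# Simplified evaluator for a Linux-PAM auth stack (added example).
# control keyword -> (action when the module succeeds, action when it fails)
ACTIONS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
           "sufficient": ("done", "ignore")}

# ASSUMPTION: stand-in for the auth lines of system-auth, which the page does
# not show; pam_unix.so represents the module that asks for a password again.
SYSTEM_AUTH = [("sufficient", "pam_unix.so"), ("required", "pam_deny.so")]

def sudo_pam(url_control, include_system_auth):
    """Auth lines of sudo.pam as they appear in the diffs on this page."""
    text = ("auth required pam_env.so\n"
            f"auth {url_control} pam_url.so config=/etc/pam_url.conf\n"
            "auth requisite pam_succeed_if.so uid >= 500 quiet\n"
            "auth required pam_deny.so\n")
    return text + ("auth include system-auth\n" if include_system_auth else "")

def parse(text):
    """Return [(control, module)] for the auth lines, expanding the include."""
    stack = []
    for line in text.splitlines():
        kind, control, module = line.split()[:3]
        if kind == "auth":
            stack += SYSTEM_AUTH if control == "include" else [(control, module)]
    return stack

def authenticate(text, token_ok, uid=1000, password_ok=False):
    """Return (granted, reached_system_auth, modules_run); inputs are constructed."""
    result = {"pam_env.so": True, "pam_url.so": token_ok, "pam_deny.so": False,
              "pam_succeed_if.so": uid >= 500, "pam_unix.so": password_ok}
    granted = failed = False
    ran = []
    for control, module in parse(text):
        ran.append(module)
        action = ACTIONS[control][0 if result[module] else 1]
        if action in ("ok", "done") and not failed:
            granted = True
            if action == "done":   # sufficient: success ends the stack here
                break
        elif action in ("bad", "die"):
            failed = True
            if action == "die":    # requisite: failure ends the stack here
                break
    return granted and not failed, "pam_unix.so" in ran, ran

if __name__ == "__main__":
    variants = {"before": sudo_pam("sufficient", True),
                "first patch": sudo_pam("requisite", True),
                "corrected patch": sudo_pam("requisite", False)}
    for name, text in variants.items():
        for token_ok in (True, False):
            print(name, "token_ok=%s" % token_ok, authenticate(text, token_ok))
```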