user/linux-pam: harden configuration

Refuse to allow logins for accounts with no password.

user/linux-pam: harden configuration
70e535f4 · Anna Wilcox · 9e76c2f0 · 70e535f4 · 70e535f4 · 70e535f4
Unverified Commit 70e535f4 authored 5 years ago by Anna Wilcox
--- a/system/linux-pam/APKBUILD
+++ b/system/linux-pam/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=linux-pam
 pkgver=1.3.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Pluggable Authentication Modules"
 url="https://www.kernel.org/pub/linux/libs/pam"
 arch="all"
@@ -87,10 +87,10 @@ sha512sums="6bc8e2a5b64686f0a23846221c5228c88418ba485b17c53b3a12f91262b5bb73566d
 f49edf3876cc6bcb87bbea4e7beaeb0a382d596898c755f5fbaf6c2ed4e0c8f082b2cd16dde8a74af82bb09a1334f463e07a4bb5b8a48f023ff90a67ad2fdd44  libpam-fix-build-with-eglibc-2.16.patch
 82fb1ec27b370ed5d30451f31aecbacf94ff8aff9db52e79090466dcdd1b1b2c18ca7e0641b1b51a3ed78ea7203fe9464b50f63d6dbf661e10f68366c79196ae  musl-fix-pam_exec.patch
 8352c0bd36f776251143d1e73d92a1e746e8f23778462e441cc989afd4204887aca6b310d87ab8e5b315b13c4ad1225c87531b71a0fef693772fc7e12bcde418  use-utmpx.patch
-0672ab21adb969af2a0082e2559f1196d8a4f8b1cff2836f97e5f24edb03b6aed156c61cf335a4df978e423dcd9934ffee8cb5784ed5dde704d7e5ddec4ba9f6  base-auth.pamd
-85462201a4044c7e170e617d39b0eceb4790abc6c0504999117548030a16d80a9d2078d1ad97690d7d346e6374201f0c52e792ccb08ce2b1c4bbf0cc2be96f5b  base-account.pamd
-8223b815148c3b9b874d2c283840f6428c266e56c7cf49ce8fc508c4945ae31c837bef96dab17f64a60812d1c9cd0055cf0a50d7951d23070b69bd2e5bb9666d  base-password.pamd
-b0138f662715974bd865d755c5e7d403faf5b9ad1b7e2b1d1598ad7eb5764a9ff407f1a5e6ce7f16db9fc10f8d643323b494563416fd6a654032529b52213c5b  base-session.pamd
-444e20046843057b17c0aac14d2b71a68923b989b3d8b478bbf684698673683186e928e5ca2e6cb9a1c76abc4248044a0e10ef6b06b3f51857106796ecce250d  base-session-noninteractive.pamd
-d103ba06b2c4929171e09c845f9866539220cd20d8d56a03d25850342ef5eabe281e958dfe1eaefd550c00f9440e8700c1d74c88c3001f933134ca6fd7cb9b7b  other.pamd
-b512d691f2a6b11fc329bf91dd05ca9c589bbd444308b27d3c87c75262dedf6afc68a9739229249a4bd3d0c43cb1f871eecbb93c4fe559e0f38bdabbffd06ad7  su.pamd"
+2df1d45af0f32ed3755fde2771129f73f28761e0c5d8b08ca880a0206c6eaa3a32cc1bcf27045b960f33d062cff901220acd535e319ae3c4368614dada08cd2a  base-auth.pamd
+62144e8f785ce324771465017a27b9a538856ba120d80d1181f5b1012d56170b712c4cd9d018ee51af387a2cdf0442c14f7d07d556abcb2e2bea54bca2c4c262  base-account.pamd
+b8e6f5cf4ada79470be9f24cd414dd1bb7918ad2c973d2e19134e27016596142d32b593fff0b9f15b58dc2e9af52763070fe11667815e649c09aef5580f5bc95  base-password.pamd
+59b746dbd220ccf7217f5dc01c8c2554bb18a37b48f966b63dcb189e07a19ab0b0187511fed232f26f326d734ee32fa7fd47e0194d6ebd4bed5766247165d553  base-session.pamd
+2d42a0a8781a71405ca4512bb32c409ac73cbed0fc4d0bf9483f7825feae0976fd04ef2002f0a8fe4b9ff69a6b98dae060685b4da47769b09b6020a1e5ff0ef0  base-session-noninteractive.pamd
+862df6a009dea562e46242552fdbcfa8bc0ebc8abbaa9cf91eae106f9e41557209dfa98cc49968fed05ca9427cb5748ff158433e3502cf80729b050e85cbd60c  other.pamd
+1676ee7a95041a3a9c3e3ae03bd714d72b9a47759c1b6c28511071c949df828e5f22814f3751ae4e01bb6dab4444369eeadd3d6e57a0ac8996901e6f0be97296  su.pamd"
--- a/system/linux-pam/base-account.pamd
+++ b/system/linux-pam/base-account.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.
+
+# This file contains the system-wide PAM configuration for account management.

 account		required	pam_unix.so
--- a/system/linux-pam/base-auth.pamd
+++ b/system/linux-pam/base-auth.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.
+
+# This file contains the system-wide PAM configuration for authentication.

 auth		required	pam_env.so
-auth		required	pam_unix.so	nullok_secure
+auth		required	pam_unix.so
 auth		required	pam_nologin.so	successok
--- a/system/linux-pam/base-password.pamd
+++ b/system/linux-pam/base-password.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.

-password	required	pam_unix.so	nullok obscure md5 sha512
+# This file contains the system-wide PAM configuration for passwords.
+
+password	required	pam_unix.so	obscure sha512 minlen=8
--- a/system/linux-pam/base-session-noninteractive.pamd
+++ b/system/linux-pam/base-session-noninteractive.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.
+
+# This file contains the system-wide PAM configuration for session management.

 session		required	pam_limits.so
 session		required	pam_unix.so
--- a/system/linux-pam/base-session.pamd
+++ b/system/linux-pam/base-session.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.
+
+# This file contains the system-wide PAM configuration for session management
+# for interactive logins.

 session		include		base-session-noninteractive
 session		required	pam_motd.so
--- a/system/linux-pam/other.pamd
+++ b/system/linux-pam/other.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.
+
+# This file ensures that the system-wide PAM configuration is read by default.

 auth		include		base-auth
 account		include		base-account

--- a/system/linux-pam/su.pamd
+++ b/system/linux-pam/su.pamd
-# basic PAM configuration for Alpine.
+# Welcome to Adélie Linux.
+
+# This file allows root to become any user without needing that user's
+# password, via pam_rootok.so.
+# If you do not wish to allow this behaviour, simply remove that line.
+
 auth		sufficient	pam_rootok.so
 auth		include		base-auth
 account		include		base-account