From 643d2eef83397376bf7da792e04fbc1f6c3827f5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 18 Dec 2016 17:57:22 +0100
Subject: [PATCH] (auth/installer) force unlocked account, so pam can use
 standard pam_unix.so

---
 src/etc/inc/auth.inc | 6 +++---
 src/etc/rc.bootup    | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index c4684ec22..ff34a70aa 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -401,7 +401,7 @@ function local_sync_accounts($verbose = false)
     }
 }
 
-function local_user_set(&$user)
+function local_user_set(&$user, $force_unlock = false)
 {
     if (empty($user['password'])) {
         log_error(sprintf(
@@ -416,7 +416,7 @@ function local_user_set(&$user)
     $user_home = "/home/{$user_name}";
     $user_shell = '/sbin/nologin';
     $user_group = 'nobody';
-    $lock_account = 'lock';
+    $lock_account = $force_unlock ? 'unlock' : 'lock';
 
     @mkdir('/home', 0755);
 
@@ -430,7 +430,7 @@ function local_user_set(&$user)
         $user_shell = '/bin/csh';
     }
 
-    /* unlock valid shell users */
+    /* unlock valid shell users (only when integrated auth is disabled, our users are locked locally by default)*/
     if (!is_account_disabled($user_name) && !is_account_expired($user_name)
       && !empty($config['system']['disableintegratedauth'])) {
         $lock_account = 'unlock';
diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup
index bae78583e..7edf42472 100755
--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -189,7 +189,7 @@ if ($setup_installer) {
     if ($root) {
         $root['shell'] = '/usr/local/etc/rc.installer';
         $root['name'] = 'installer';
-        local_user_set($root);
+        local_user_set($root, true);
 
         mwexec("/usr/local/etc/rc.sshd installer");