(pam) work in progress: pam helper skip for non local users, for non existing users pam should proceed to the next option.

When our pam modules is used, we set local auth to disabled (locked) for our users, non local users should automatically use normal unix auth. For this to work, we should pass PAM_USER_UNKNOWN as return value in our pam module when the user is not local to us and unauthenticated.
2026-03-14 16:44:39 +00:00 · 2016-12-18 13:51:23 +01:00 · 2016-12-18 13:51:23 +01:00 · ff8632c2c8
commit ff8632c2c8
parent 92d7bce2f0
2 changed files with 8 additions and 5 deletions
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@ -431,7 +431,8 @@ function local_user_set(&$user)
    }

    /* unlock valid shell users */
-    if (!is_account_disabled($user_name) && !is_account_expired($user_name)) {
+    if (!is_account_disabled($user_name) && !is_account_expired($user_name)
+      && !empty($config['system']['disableintegratedauth'])) {
        $lock_account = 'unlock';
    }

--- a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
+++ b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
@ -9,16 +9,18 @@ auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
-{% if system.disableintegratedauth|default('0') == '1' %}
-auth		required	pam_unix.so		no_warn try_first_pass
-{% else %}
-auth		required	pam_opnsense.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+auth		sufficient	pam_opnsense.so
 {% endif %}
+auth		required	pam_unix.so		no_warn try_first_pass

 # account
 account		required	pam_nologin.so
 #account	required	pam_krb5.so
 account		required	pam_login_access.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+account		sufficient	pam_opnsense.so
+{% endif %}
 account		required	pam_unix.so

 # session