From ff8632c2c8d7ba43ec66751ea2adad7fae3f2de6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 18 Dec 2016 13:51:23 +0100
Subject: [PATCH] (pam) work in progress: pam helper skip for non local users, for non existing users pam should proceed to the next option. When our pam modules is used, we set local auth to disabled (locked) for our users, non local users should automatically use normal unix auth. For this to work, we should pass PAM_USER_UNKNOWN as return value in our pam module when the user is not local to us and unauthenticated.
---
 src/etc/inc/auth.inc | 3 ++-
 src/opnsense/service/templates/OPNsense/Auth/sshd.pam | 10 ++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 19014ead2..c4684ec22 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -431,7 +431,8 @@ function local_user_set(&$user)
 }
 /* unlock valid shell users */
- if (!is_account_disabled($user_name) && !is_account_expired($user_name)) {
+ if (!is_account_disabled($user_name) && !is_account_expired($user_name)
+ && !empty($config['system']['disableintegratedauth'])) {
 $lock_account = 'unlock';
 }
diff --git a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
index e7b7a1578..e58925029 100644
--- a/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
+++ b/src/opnsense/service/templates/OPNsense/Auth/sshd.pam
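Review bot: The new `&& !empty($config['system']['disableintegratedauth'])` term reads the global `$config`, but `local_user_set()` begins outside the hunk, so it is not visible here whether the function declares `global $config`; if it does not, the condition is always false and every shell user stays locked even when integrated auth is disabled — fail-closed rather than a bypass, but a silent lockout worth confirming. The condition is also doing subtle work that the comment does not explain: PHP's `empty()` treats the string `'0'` as empty, which happens to line up with the template's `== '0'` test, and the purpose (local accounts are deliberately left locked in the unix password database so pam_unix cannot authenticate them while pam_opnsense is the authenticator) is nowhere stated. Suggest replacing the existing comment with `/* unlock valid shell users only when the PAM helper is not in use; with integrated auth enabled the unix password stays locked so pam_unix fails and pam_opnsense is the sole authenticator ('0' and unset both count as empty) */`. The rest of the function, including where `$lock_account` gets its default, is outside the hunk.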
@@ -9,16 +9,18 @@ auth sufficient pam_opie.so no_warn no_fake_prompts
 auth requisite pam_opieaccess.so no_warn allow_local
 #auth sufficient pam_krb5.so no_warn try_first_pass
 #auth sufficient pam_ssh.so no_warn try_first_pass
-{% if system.disableintegratedauth|default('0') == '1' %}
-auth required pam_unix.so no_warn try_first_pass
-{% else %}
-auth required pam_opnsense.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+auth sufficient pam_opnsense.so
 {% endif %}
+auth required pam_unix.so no_warn try_first_pass
 # account
 account required pam_nologin.so
 #account required pam_krb5.so
 account required pam_login_access.so
+{% if system.disableintegratedauth|default('0') == '0' %}
+account sufficient pam_opnsense.so
+{% endif %}
 account required pam_unix.so
 # session
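Review bot: Making `pam_opnsense.so` `sufficient` in both the auth and account stacks means a success return ends the stack before `pam_unix.so` runs, so the helper's return codes become the entire security boundary for local users: it must return PAM_USER_UNKNOWN (or another failure) for users it does not own and for any internal error, never PAM_SUCCESS, or the unix password check is skipped outright. The commit message states that contract, but the template carries nothing to warn a future editor, and since `pam_unix.so` is now `required` unconditionally the layout also silently depends on auth.inc keeping local accounts locked while integrated auth is enabled. Suggest a comment above the new auth line, e.g. `# pam_opnsense must return PAM_USER_UNKNOWN for non-local/unauthenticated users so the stack falls through to pam_unix; returning SUCCESS on an internal error would bypass the unix password check`, and a matching one above the `account sufficient` line noting that pam_unix's account checks are skipped for users the helper accepts. The helper's option handling is not visible here, so whether it should carry `no_warn`/`try_first_pass` like its siblings cannot be judged from this hunk.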