Stick to unix configuration

For backwards compatibility, we only remove nullok from the Passwords section in unix
ComplianceAsCode · Dec 11, 2024 · 9430dee · 9430dee
1 parent e198101
commit 9430dee
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -5,7 +5,7 @@
 {{% if "debian" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% elif "ubuntu" in product %}}
-config_file="/usr/share/pam-configs/cac_unix"
+config_file="/usr/share/pam-configs/unix"
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}
 {{% endif %}}

diff --git a/..._password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh b/..._password_attempts/accounts_password_pam_unix_remember/tests/ubuntu_correct_value.pass.sh
@@ -2,7 +2,7 @@
 # platform = multi_platform_ubuntu
 # variables = var_password_pam_unix_remember=5
 
-config_file=/usr/share/pam-configs/cac_unix
+config_file=/usr/share/pam-configs/unix
 remember_cnt=5
 
 {{{ bash_pam_unix_enable() }}}

diff --git a/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -7,7 +7,7 @@ PAM_FILE_PATH="/etc/pam.d/common-password"
 CONTROL="required"
 {{%- elif 'ubuntu' in product -%}}
 {{{ bash_pam_unix_enable() }}}
-PAM_FILE_PATH=/usr/share/pam-configs/cac_unix
+PAM_FILE_PATH=/usr/share/pam-configs/unix
 {{%- else -%}}
 PAM_FILE_PATH="/etc/pam.d/system-auth"
 CONTROL="sufficient"

diff --git a/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/.../system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -12,7 +12,19 @@ for FILE in ${NULLOK_FILES}; do
 done
 {{% elif 'ubuntu' in product %}}
 {{{ bash_pam_unix_enable() }}}
-sed --follow-symlinks -i 's/\<nullok\>//g' /usr/share/pam-configs/cac_unix
+config_file="/usr/share/pam-configs/unix"
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*nullok//g
+    }
+}' "$config_file"
+
+sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
+    /pam_unix\.so/ {
+        s/\s*nullok//g
+    }
+}' "$config_file"
+
 DEBIAN_FRONTEND=noninteractive pam-auth-update
 {{% else %}}
 if [ -f /usr/bin/authselect ]; then