author | Patrick Uiterwijk <puiterwijk@redhat.com> | 2016-07-05 06:26:17 +0000 |
---|---|---|
committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2016-07-05 06:27:21 +0000 |
commit | ffdb64f327e4282cfe9534dbd1ce6e780de30e5d (patch) | |
tree | 4cfc637d74e8fc232d9f74eeffba0670e50eb0f5 | |
parent | 0a9e60db32554a9431dd76891c2851452773120f (diff) | |
Disable the password: fallback on token failure
There is nothing in system-auth that we don't have in the pam module,
so this should allow us to remove pam_unix just fine.
Currently only for stg.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
-rw-r--r-- | files/2fa/sudo.pam | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/files/2fa/sudo.pam b/files/2fa/sudo.pam index aa59ebf7a..ae846a766 100644 --- a/files/2fa/sudo.pam +++ b/files/2fa/sudo.pam @@ -4,7 +4,10 @@ auth sufficient pam_url.so config=/etc/pam_url.conf auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so +{% if env == "production" %} auth include system-auth +{% endif %} + account include system-auth password include system-auth session optional pam_keyinit.so revoke |
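Review bot: The added `{% if env == "production" %}` / `{% endif %}` lines around `auth include system-auth` are Jinja2 directives in a file under files/2fa/, so they only work if the task that installs sudo.pam renders it as a template. If it is deployed as a plain file copy, the literal `{% ... %}` lines end up in the PAM stack on every host. Please confirm the deploying task renders the file, or move it to a templates path in the same change. Separately, the guard keeps the fallback only when env is exactly "production", so any other env value loses it, which is wider than the "Currently only for stg" in the commit message. If staging is the only intended target, testing for the staging value directly would match the stated scope. A short comment in the file explaining why the system-auth auth include is conditional would also help whoever later extends this to production.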