factory: tighten PAM configuration

Apparently PAM reacts differently on different systems (?) and if no
authoritative matching module is found might either succeed/fail,
depending on the system.

Let's lock this down explicitly, by hooking in pam_deny.so.

Of course, these PAM files are just examples, and no distro in its right
mind would ship these unmodified, but let's default to something safe.

Fixes: #12950

diff --git a/factory/etc/pam.d/system-auth b/factory/etc/pam.d/system-auth
index dec7a8f..d988233 100644 (file)
--- a/factory/etc/pam.d/system-auth
+++ b/factory/etc/pam.d/system-auth
@@ -1,11 +1,14 @@
 # This file is part of systemd.
 
 auth     sufficient pam_unix.so nullok try_first_pass
+auth     required   pam_deny.so
 
 account  required   pam_nologin.so
 account  sufficient pam_unix.so
+account  required   pam_permit.so
 
 password sufficient pam_unix.so nullok sha512 shadow try_first_pass try_authtok
+password required   pam_deny.so
 
 -session optional   pam_loginuid.so
 -session optional   pam_systemd.so