Description
I suggest that compatibility with authselect and FreeIPA should be maintained.
Solution
- Authselect.
  It is my understanding that authselect has a core default auth file it uses, which system-auth and password-auth are linked to. In addition, any local overrides should be in the local files, which in turn should override the core defaults. Would it not be feasible to simply write all the hardened options into the local files, overriding (almost everything) in the core defaults? As it currently stands, the hardenings change the links from the core defaults to local links, resulting in errors when authselect apply-changes is executed.
- FreeIPA
  FreeIPA likes to use oddjob for automatically creating home directories. As it currently stands, the hardenings also overwrite this line in the config, resulting in a need to modify the files (with yet another Ansible task) to include the line required by FreeIPA (session optional pam_oddjob_mkhomedir.so). I would suggest that this is somehow accounted for, either as a var of some kind or in some other way.
Alternatives
No response
Additional information
...
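A post-hardening check for the two regressions described in this issue, as an added example that is not part of the original issue or of the project's code. It assumes the authselect layout in which /etc/pam.d/system-auth and password-auth are symlinks into /etc/authselect; `audit_pam`, `build_sample_tree` and the "-local" file name are hypothetical.

```python
import os
import re
import tempfile

# Assumption: authselect-managed hosts keep these files as symlinks into /etc/authselect.
PAM_FILES = ("system-auth", "password-auth")
AUTHSELECT_DIR = "etc/authselect"
# Line the issue says FreeIPA needs for automatic home directory creation.
ODDJOB_RE = re.compile(r"^\s*session\s+optional\s+pam_oddjob_mkhomedir\.so\b", re.M)


def audit_pam(root, expect_oddjob=True):
    """Return a list of findings for the PAM tree under `root` (use "/" on a host)."""
    findings = []
    managed = os.path.realpath(os.path.join(root, AUTHSELECT_DIR))
    for name in PAM_FILES:
        path = os.path.join(root, "etc/pam.d", name)
        if not os.path.exists(path):  # exists() follows links, so this covers both cases
            findings.append(f"{name}: missing or dangling")
            continue
        # A regular file, or a link pointing elsewhere, means authselect's link was replaced.
        if not os.path.islink(path) or os.path.dirname(os.path.realpath(path)) != managed:
            findings.append(f"{name}: not a symlink into /etc/authselect")
        with open(path, encoding="utf-8") as fh:
            if expect_oddjob and not ODDJOB_RE.search(fh.read()):
                findings.append(f"{name}: pam_oddjob_mkhomedir.so session line absent")
    return findings


def build_sample_tree(root, hardened):
    """Constructed sample data: a minimal PAM layout before/after a hardening run."""
    pam_d, managed = os.path.join(root, "etc/pam.d"), os.path.join(root, AUTHSELECT_DIR)
    os.makedirs(pam_d)
    os.makedirs(managed)
    for name in PAM_FILES:
        # Hypothetical "-local" file stands in for the hardening's replacement link target.
        real = os.path.join(pam_d, name + "-local") if hardened else os.path.join(managed, name)
        with open(real, "w", encoding="utf-8") as fh:
            fh.write("" if hardened else "session optional pam_oddjob_mkhomedir.so\n")
            fh.write("session required pam_unix.so\n")
        os.symlink(os.path.relpath(real, pam_d), os.path.join(pam_d, name))


if __name__ == "__main__":
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp, hardened)
            print("hardened" if hardened else "authselect", audit_pam(tmp))
```

On a host that does not use FreeIPA, call `audit_pam("/", expect_oddjob=False)` so only the symlink check applies.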