[Kim] vyos#2554 update pam-configs for ldap, unix and sss

* divert standard config
* add pam_localuser.so to unix profile to skip unix prompts if non-local user
* change use_first_pass for sss auth to forward_pass as use_first_pass will not handle 2fa prompting
* change ldap profile to not be enabled by default

debian/vyos-1x.preinst

@@ -23,3 +23,6 @@ dpkg-divert --package vyos-1x --divert /config/freeipa/etc/sssd/pki/sssd_auth_ca
 dpkg-divert --package vyos-1x --divert /config/freeipa/etc/sssd/sssd.conf --add --rename /etc/sssd/sssd.conf
 dpkg-divert --package vyos-1x --divert /config/freeipa/etc/telegraf/telegraf.conf --add --rename /etc/telegraf/telegraf.conf
 dpkg-divert --package vyos-1x --divert /config/freeipa/root/.k5login --add --rename /root/.k5login
+dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/ldap
+dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/sss
+dpkg-divert --package vyos-1x --add --rename /usr/share/pam-configs/unix

src/pam-configs/ldap

@@ -0,0 +1,20 @@
+Name: LDAP Authentication
+Default: no
+Priority: 128
+Auth-Type: Primary
+Auth-Initial:
+        [success=end default=ignore]    pam_ldap.so minimum_uid=1000
+Auth:
+        [success=end default=ignore]    pam_ldap.so minimum_uid=1000 use_first_pass
+Account-Type: Additional
+Account:
+        [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000
+Password-Type: Primary
+Password-Initial:
+        [success=end default=ignore]    pam_ldap.so minimum_uid=1000
+Password:
+        [success=end default=ignore]    pam_ldap.so minimum_uid=1000 try_first_pass
+Session-Type: Additional
+Session:
+        [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
+

src/pam-configs/sss

@@ -0,0 +1,23 @@
+Name: SSS authentication
+Default: yes
+Priority: 128
+
+Auth-Type: Primary
+Auth:
+        [success=end default=ignore]    pam_sss.so forward_pass
+Auth-Initial:
+        [success=end default=ignore]    pam_sss.so forward_pass
+Account-Type: Additional
+Account:
+        sufficient                      pam_localuser.so
+        [default=bad success=ok user_unknown=ignore]    pam_sss.so
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+        optional                        pam_sss.so
+Password-Type: Primary
+Password:
+        sufficient                      pam_sss.so use_authtok
+Password-Initial:
+        sufficient                      pam_sss.so
+

src/pam-configs/unix

@@ -0,0 +1,30 @@
+Name: Unix authentication
+Default: yes
+Priority: 256
+Auth-Type: Primary
+Auth:
+        [success=ok default=1]    pam_localuser.so
+        [success=end default=ignore]    pam_unix.so nullok try_first_pass
+Auth-Initial:
+        [success=ok default=1]    pam_localuser.so
+        [success=end default=ignore]    pam_unix.so nullok
+Account-Type: Primary
+Account:
+        [success=ok default=1]    pam_localuser.so
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Account-Initial:
+        [success=ok default=1]    pam_localuser.so
+        [success=end new_authtok_reqd=done default=ignore]      pam_unix.so
+Session-Type: Additional
+Session:
+        required        pam_unix.so
+Session-Initial:
+        required        pam_unix.so
+Password-Type: Primary
+Password:
+        [success=ok default=1]    pam_localuser.so
+        [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+        [success=ok default=1]    pam_localuser.so
+        [success=end default=ignore]    pam_unix.so obscure yescrypt
+