PAM Config for skipping pam_unix unless there is a local password
Another way of phrasing this would be checking for a password in the shadow file, otherwise skipping the check/failure for local password.
This might be one of those things that don't exist for a good reason.
Here is what I am thinking about.
Schedule a script hourly: update-local-password.sh

```bash
#!/bin/bash
# update-local-password.sh: run periodically to keep a list of users that have a
# local password hash; the PAM stack reads it via pam_listfile.so (pam_localuser.so
# with file= would be the alternative).
LOCALUSER=/etc/localuser.pam
# Rebuild only when /etc/shadow is newer than the list file (or the list is missing).
if [[ /etc/shadow -nt ${LOCALUSER} ]]; then
    while IFS=: read -r user pass _; do
        # Crude test: any password field longer than 6 characters is taken to be a
        # hash; "", "*", "!" and "!!" are skipped.
        [[ ${#pass} -gt 6 ]] && echo "${user}"
    done < /etc/shadow > "${LOCALUSER}"
fi
```
Possible /etc/pam.d/system-auth-ac:

```
# Proposed /etc/pam.d/system-auth-ac
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=3600
auth        required      pam_env.so
# Users listed in /etc/localuser.pam have a local password: success=1 jumps over
# the next line (pam_krb5) straight to pam_unix; everyone else falls through to
# Kerberos. With onerr=succeed, a missing or unreadable list file sends every
# user down the local branch.
auth        [success=1 default=ignore] pam_listfile.so onerr=succeed item=user sense=allow file=/etc/localuser.pam
# sufficient, not required: a Kerberos-only user has no local hash, so after a
# required pam_krb5 the stack would still run on to pam_deny and fail.
auth        sufficient    pam_krb5.so
# nullok lets an account whose shadow password field is empty log in with an
# empty password; Kerberos-only accounts should carry * or !! in that field.
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_warn.so
auth        required      pam_deny.so
```
Clearly this example skips pam_krb5 if there IS a local password. I hope to avoid the ugliness of running a cronjob to update the list of local users.
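The list-building step, as an added example that is not the poster's script: it decides by the content of the shadow password field rather than its length (so an account locked with `passwd -l`, whose field starts with `!` but is still long, is not listed as a local-password user), and it replaces /etc/localuser.pam atomically so pam_listfile never reads a half-written file. The path is the one from the post; the function names and the sample shadow lines are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds the user list read by
# pam_listfile.so from shadow-format input by inspecting the password field's
# content instead of its length, and swaps the list in atomically.
# /etc/localuser.pam is the path from the post; function names are ours.

# Return 0 when $1 is a hash that pam_unix could verify.
is_usable_hash() {
  pw=$1
  case "$pw" in
    ''|'*'|'!'*) return 1 ;;        # empty, disabled (*) or locked (!, !!, !$6$...)
    '$'*'$'*'$'*) return 0 ;;        # modular crypt: $1$, $5$, $6$, $y$ id/salt/hash
    *[!A-Za-z0-9./]*) return 1 ;;   # outside the traditional crypt alphabet
  esac
  [ "${#pw}" -eq 13 ]               # legacy 13-character DES hash
}

# Print the user names from shadow-format lines on stdin that have a usable hash.
local_password_users() {
  while IFS=: read -r user pw _rest; do
    if is_usable_hash "$pw"; then printf '%s\n' "$user"; fi
  done
}

# Rebuild list file $2 from shadow file $1 via a temp file and rename, so a
# reader sees the old list or the complete new one, never an empty file
# mid-write (which would send every user past the local-password branch).
# 0644 keeps it non-world-writable, which pam_listfile checks.
write_localuser_list() {
  shadow=$1 list=$2
  tmp=$(mktemp "${list}.XXXXXX") || return 1
  local_password_users < "$shadow" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$list"
}

# Constructed sample in /etc/shadow format; the hashes are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
alice:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
carol:*:19000:0:99999:7:::
erin:abJnggxhB/yWI:19000:0:99999:7:::
kerbonly::19000:0:99999:7:::'

# Stand-alone run against the sample: prints root and erin. The length test in
# the cron script above would also have listed alice, whose account is locked.
printf '%s\n' "$SAMPLE_SHADOW" | local_password_users
```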