ansible-collection-hardening

Add pam.d flags to maintain compatibility with FreeIPA deployments.

Open · BlamKiwi opened this issue 1 year ago · 1 comment

Description

FreeIPA uses authselect to enforce various system policies, such as creating a home directory or enabling sudo support for users. dev-sec.os_hardening unconditionally overrides various system links such as:

  • /etc/pam.d/rhel_auth.j2
  • /etc/pam.d/password-auth
  • /etc/pam.d/system-auth

This breaks FreeIPA, as the authselect tool expects the system to be in a particular state. This makes use of dev-sec.os_hardening tricky when used in conjunction with FreeIPA domain management.

Solution

Add additional flags to control this behaviour as FreeIPA assumes it has control over pam.d once deployed.

Alternatives

Add additional variables to supply a path that overrides the pam.d links.

Additional information

This is the output of sudo authselect enable-feature with-mkhomedir on an AlmaLinux 9.3 server after joining a FreeIPA domain:

[error] Link [/etc/pam.d/system-auth] does not point to [/etc/authselect/system-auth]
[error] [/etc/pam.d/system-auth] was not created by authselect!
[error] Link [/etc/pam.d/password-auth] does not point to [/etc/authselect/password-auth]
[error] [/etc/pam.d/password-auth] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists

BlamKiwi · Mar 21 '24 23:03
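The errors quoted above come from authselect noticing that /etc/pam.d/system-auth and /etc/pam.d/password-auth are no longer the symlinks it created into /etc/authselect. The following POSIX shell function is an added example, not code from the os_hardening role or from authselect: it reproduces that specific check so the state can be verified before and after a hardening run (or in a CI job) without needing authselect installed. On a real host the authoritative check is `authselect check`; the function's directory arguments exist only so it can be exercised against a constructed layout. The function name `pamd_authselect_intact` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the devsec os_hardening role or from authselect).
# authselect manages /etc/pam.d/system-auth and /etc/pam.d/password-auth as
# absolute symlinks into /etc/authselect. Anything that replaces those links
# with regular files (for instance a role templating pam.d directly) makes
# authselect refuse further changes, as seen in the issue's error output.
#
# Usage: pamd_authselect_intact [PAMD_DIR] [AUTHSELECT_DIR]
#   PAMD_DIR       defaults to /etc/pam.d
#   AUTHSELECT_DIR defaults to /etc/authselect
# Returns 0 when every managed file is a symlink to AUTHSELECT_DIR/<name>,
# 1 otherwise, printing one line per file in the same spirit as authselect.
pamd_authselect_intact() {
    pamd_dir="${1:-/etc/pam.d}"
    authselect_dir="${2:-/etc/authselect}"
    status=0
    for name in system-auth password-auth; do
        link="$pamd_dir/$name"
        expected="$authselect_dir/$name"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            echo "[error] [$link] does not exist"
            status=1
        elif [ ! -L "$link" ]; then
            # A regular file here is exactly the "was not created by authselect" case.
            echo "[error] [$link] is a regular file, not a symlink created by authselect"
            status=1
        elif [ "$(readlink "$link")" != "$expected" ]; then
            echo "[error] Link [$link] does not point to [$expected] (points to $(readlink "$link"))"
            status=1
        else
            echo "[ok] [$link] -> [$expected]"
        fi
    done
    return $status
}
```

Run it before applying the role and again afterwards; a non-zero exit after the run means the role replaced the links and authselect will reject `enable-feature` until they are restored (for example with `authselect select <profile> --force`, which rewrites them, or by keeping the role away from those two files).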

I should also add, existing variables such as os_auth_pam_oddjob_mkhomedir are insufficient, as commands such as authselect enable-feature with-sudo are also required to manage practical deployments. authselect also controls smart cards, fingerprint readers, etc.

BlamKiwi · Mar 21 '24 23:03