Replace --sha512 and --yescrypt with --encrypt option

Signed-off-by: Mike Gilbert <floppym@gentoo.org>

Author: floppym

pambase.py

@@ -51,14 +51,10 @@ def main():
     )
     parser.add_argument("--sssd", action="store_true", help="enable sssd.so module")
     parser.add_argument(
-        "--yescrypt",
-        action="store_true",
-        help="enable yescrypt option for pam_unix.so module",
-    )
-    parser.add_argument(
-        "--sha512",
-        action="store_true",
-        help="enable sha512 option for pam_unix.so module",
+        "--encrypt",
+        choices=["md5", "sha256", "sha512", "blowfish", "gost_yescrypt", "yescrypt"],
+        default="md5",
+        help="select encryption to use for passwords stored by pam_unix.so module",
     )
     parser.add_argument("--krb5", action="store_true", help="enable pam_krb5.so module")
     parser.add_argument(
@@ -91,13 +87,6 @@ def process_args(args):
 
     output = vars(args)
 
-    if args.yescrypt:
-        output["unix_extended_encryption"] = "yescrypt shadow"
-    elif args.sha512:
-        output["unix_extended_encryption"] = "sha512 shadow"
-    else:
-        output["unix_extended_encryption"] = "md5 shadow"
-
     return output
 
 

templates/system-auth.tpl

@@ -70,11 +70,7 @@ password	[success=1 default=ignore]	pam_krb5.so {{ debug }} ignore_root try_firs
 password	[success=1 default=ignore]	pam_systemd_home.so
 {% endif %}
 
-{% if passwdqc or pwquality %}
-password	{{ 'sufficient' if sssd else 'required' }}	pam_unix.so try_first_pass use_authtok {{ nullok }} {{ unix_extended_encryption|default('', true) }} {{ debug }}
-{% else %}
-password	{{ 'sufficient' if sssd else 'required' }}	pam_unix.so try_first_pass {{ nullok }} {{ unix_extended_encryption|default('', true) }} {{ debug }}
-{% endif %}
+password	{{ 'sufficient' if sssd else 'required' }}	pam_unix.so try_first_pass shadow {% if passwdqc or pwquality %}use_authtok{% endif %} {{ nullok }} {{ encrypt }} {{ debug }}
 
 {% if sssd %}
 password	sufficient	pam_sss.so use_authtok

tests/rendered/custom/system-auth

@@ -5,7 +5,7 @@ auth		[default=die]	pam_faillock.so authfail
 account		required	pam_unix.so
 account		required	pam_faillock.so
 password	required	pam_passwdqc.so config=/etc/security/passwdqc.conf
-password	required	pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password	required	pam_unix.so try_first_pass shadow use_authtok nullok sha512
 session		required	pam_limits.so
 session		required	pam_env.so
 session		required	pam_unix.so

tests/rendered/default/system-auth

@@ -4,7 +4,7 @@ auth		[success=1 new_authtok_reqd=1 ignore=ignore default=bad]	pam_unix.so   try
 auth		[default=die]	pam_faillock.so authfail
 account		required	pam_unix.so
 account		required	pam_faillock.so
-password	required	pam_unix.so try_first_pass  md5 shadow
+password	required	pam_unix.so try_first_pass shadow   md5
 session		required	pam_limits.so
 session		required	pam_env.so
 session		required	pam_unix.so

tests/rendered/minimal/system-auth

@@ -4,7 +4,7 @@ auth		[success=1 new_authtok_reqd=1 ignore=ignore default=bad]	pam_unix.so   try
 auth		[default=die]	pam_faillock.so authfail
 account		required	pam_unix.so
 account		required	pam_faillock.so
-password	required	pam_unix.so try_first_pass  md5 shadow
+password	required	pam_unix.so try_first_pass shadow   md5
 session		required	pam_limits.so
 session		required	pam_env.so
 session		required	pam_unix.so

tox.ini

@@ -14,5 +14,5 @@ commands =
     default: diff -Nru tests/rendered/default stack
     minimal: python pambase.py --minimal
     minimal: diff -Nru tests/rendered/minimal stack
-    custom: python pambase.py --elogind --nullok --passwdqc --sha512 --shells
+    custom: python pambase.py --elogind --nullok --passwdqc --encrypt sha512 --shells
     custom: diff -Nru tests/rendered/custom stack