[Pkg-sssd-devel] Bug#1001644: libpam-sss: OTP-enabled users do not receive OTP prompts from pam_sss.so
Sam Morris
sam at robots.org.uk
Mon Dec 13 17:39:57 GMT 2021
Package: libpam-sss
Version: 2.6.1-1
Severity: normal
In the default configuration, /etc/pam.d/common-auth contains:
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
This means that pam_unix has the first & only chance to prompt the user
for authentication, and the user gets a single 'Password:' prompt.
In the Red Hat world, /etc/pam.d/password-auth contains:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
A local user will hit pam_unix. A non-local user will skip over it and
be prompted by pam_sss.so.
An easy fix is to increase the Priority in /usr/share/pam-configs/sss to
some value > 256. That way, pam-auth-update puts pam_sss before
pam_unix.
I tested this, and 'su - localuser' still works.
Unfortunately I don't know of a way for a user to override this value
other than by editing that file, which is owned by libpam-sss.
Is there a good reason that pam_unix has to be first in the module
stack? If not, could we make this change?
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (550, 'stable-updates'), (550, 'stable'), (530, 'testing'), (520, 'unstable'), (500, 'stable-security'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-sss depends on:
ii libc6 2.32-5
ii libgssapi-krb5-2 1.18.3-7
ii libpam-pwquality 1.4.4-1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpam0g 1.4.0-11
Versions of packages libpam-sss recommends:
ii sssd 2.6.1-1
libpam-sss suggests no packages.
-- no debconf information
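The stack behaviour the report describes, as an added example (not code from the bug report or from libpam-sss): a toy evaluator for the [value=action] control syntax of pam.conf(5) that reports which module gets to prompt for the password first. The SSS_FIRST stack and the per-user module return codes are constructed assumptions about what pam-auth-update would emit with the sss profile raised above pam_unix, not something the report states.

```python
# Toy model of Linux-PAM auth-stack evaluation (an added example, not code from the
# bug report or libpam-sss): enough of pam.conf(5)'s [value=action] semantics to show
# which module prompts for the password first and why pam_unix's position matters.
KEYWORDS = {  # classic keyword expansions, per pam.conf(5)
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
PROMPTING = {"pam_unix.so", "pam_sss.so"}      # modules that ask for a password...
REUSE = {"use_first_pass", "try_first_pass"}   # ...unless told to reuse an earlier one

def parse(line):
    # 'auth <control> <module> [args]' -> (control dict, module, args)
    _, rest = line.split(None, 1)
    if rest.startswith("["):
        ctl, rest = rest[1:].split("]", 1)
        control = dict(tok.split("=", 1) for tok in ctl.split())
    else:
        keyword, rest = rest.split(None, 1)
        control = KEYWORDS[keyword]
    module, *args = rest.split()
    return control, module, args

def run_stack(lines, results):
    """results: module -> return code; absent modules return 'success'.
    Returns (stack outcome, module that issued the first password prompt)."""
    stack, outcome, prompter, i = [parse(l) for l in lines], None, None, 0
    while i < len(stack):
        control, module, args = stack[i]
        i += 1
        if prompter is None and module in PROMPTING and not (REUSE & set(args)):
            prompter = module
        action = control.get(results.get(module, "success"), control.get("default", "bad"))
        if action.isdigit():        # success=N: acts as ok, then skips the next N modules
            i, action = i + int(action), "ok"
        if action in ("ok", "done") and outcome is None:
            outcome = "success"
        elif action in ("bad", "die") and outcome != "fail":
            outcome = "fail"        # first failure wins, later ok does not undo it
        if action == "die" or (action == "done" and outcome == "success"):
            break                   # die and done end the stack immediately
    return outcome or "fail", prompter

# The Debian stack from the report, and the reordering it proposes (try_first_pass
# on the demoted pam_unix line is an assumption about what pam-auth-update emits).
DEBIAN_DEFAULT = ["auth [success=2 default=ignore] pam_unix.so nullok",
                  "auth [success=1 default=ignore] pam_sss.so use_first_pass",
                  "auth requisite pam_deny.so"]
SSS_FIRST = ["auth [success=2 default=ignore] pam_sss.so",
             "auth [success=1 default=ignore] pam_unix.so nullok try_first_pass",
             "auth requisite pam_deny.so"]
LOCAL_USER = {"pam_sss.so": "user_unknown", "pam_deny.so": "auth_err"}   # constructed
OTP_USER = {"pam_unix.so": "user_unknown", "pam_deny.so": "auth_err"}    # constructed
```

With DEBIAN_DEFAULT the first prompt always comes from pam_unix.so, so pam_sss.so only ever sees the forwarded password; with SSS_FIRST pam_sss.so prompts first while a local user still authenticates through pam_unix.so.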