[Pkg-sssd-devel] Bug#1001644: Bug#1001644: libpam-sss: OTP-enabled users do not receive OTP prompts from pam_sss.so
Timo Aaltonen
tjaalton at debian.org
Wed Dec 15 09:19:23 GMT 2021
On 13.12.2021 19.39, Sam Morris wrote:
> Package: libpam-sss
> Version: 2.6.1-1
> Severity: normal
>
> In the default configuration, /etc/pam.d/common-auth contains:
>
> auth [success=2 default=ignore] pam_unix.so nullok
> auth [success=1 default=ignore] pam_sss.so use_first_pass
> auth requisite pam_deny.so
>
> This means that pam_unix has the first & only chance to prompt the user
> for authentication, and the user gets a single 'Password:' prompt.
>
> In the Red Hat world, /etc/pam.d/password-auth contains:
>
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok
> auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> A local user will hit pam_unix. A non-local user will skip over it and
> be prompted by pam_sss.so.
>
> An easy fix is to increase the Priority in /usr/share/pam-configs/sss to
> some value > 256. That way, pam-auth-update puts pam_sss before
> pam_unix.
>
> I tested this, and 'su - localuser' still works.
>
> Unfortunately I don't know of a way for a user to override this value
> other than by editing that file, which is owned by libpam-sss.
>
> Is there a good reason that pam_unix has to be first in the module
> stack? If not, could we make this change?
You're asking in the wrong place.. Anyway, pam_sss is not above pam_unix
in Fedora either, so why should it have a higher priority here?
--
t
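As an added illustration (not code from the bug report, Debian or sssd), the following Python simulator walks the Debian auth stack quoted above using libpam's bracket-control jump semantics and reports which module ends up asking the user for a password. The REVERSED_STACK is a constructed assumption of what a higher Priority for pam_sss might yield; it has not been checked against real pam-auth-update output.

```python
import re
# Constructed copy of the Debian /etc/pam.d/common-auth stack quoted above.
DEBIAN_STACK = """\
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
"""
# Hypothetical stack with the order reversed (an assumption about what a
# higher Priority would yield; not verified against pam-auth-update output).
REVERSED_STACK = """\
auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok use_first_pass
auth requisite pam_deny.so
"""
LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
# pam.conf(5) bracket equivalent of the keyword control these stacks use.
KEYWORDS = {"requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]"}
PROMPTING = {"pam_unix.so", "pam_sss.so"}  # modules that ask for a password themselves

def parse_stack(text):
    """Return (actions, module, args) per auth line, keyword controls expanded."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        control, module, args = m.groups()
        control = KEYWORDS.get(control, control)
        actions = dict(kv.split("=") for kv in control.strip("[]").split())
        entries.append((actions, module, args.split()))
    return entries

def walk(text, outcome):
    """Walk the stack the way libpam does. outcome maps module -> return code
    name; unlisted modules succeed, pam_deny always fails. Returns the final
    result and the modules that would have prompted the user, in order."""
    prompts, i, failed = [], 0, False
    entries = parse_stack(text)
    while i < len(entries):
        actions, module, args = entries[i]
        result = outcome.get(module, "auth_err" if module == "pam_deny.so" else "success")
        if module in PROMPTING and "use_first_pass" not in args:
            prompts.append(module)  # no cached password to reuse: this module asks
        action = actions.get(result, actions.get("default", "bad"))
        if action == "die":
            return result, prompts
        failed = failed or action == "bad"
        i += 1 + (int(action) if action.isdigit() else 0)
    return ("auth_err" if failed else "success"), prompts
```

For a non-local (SSSD) user the Debian stack lets only pam_unix prompt, and pam_sss then runs with use_first_pass and never gets to ask for anything else; in the reversed stack pam_sss prompts first while a local user still authenticates through pam_unix via use_first_pass.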