[Pkg-sssd-devel] Bug#1052392: libpam-sss: Please ship a PAM config file for pam_sss_gss.so
Sam Morris
sam at robots.org.uk
Thu Sep 21 10:24:43 BST 2023
Package: libpam-sss
Version: 2.8.2-4
Severity: wishlist

Here's the config file I am using:

$ cat /usr/share/pam-configs/sss-gss
Name: Authenticate if the user can obtain a valid Kerberos ticket for the local host
Default: yes
Priority: 512
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_sss_gss.so
Auth-Initial:
	[success=end default=ignore]	pam_sss_gss.so

However it can't be added to the package yet because it will break
authentication for non-local users (because we use the 'use_first_pass'
option with pam_sss.so when it's not the initial module, so a non-local
user is not able to log in when pam_sss.so is not the initial module and
no prior modules stashed a password for it to consume).

For the time being we need 'use_first_pass' so that non-local users
don't get prompted by _both_ pam_unix.so and pam_sss.so.

Ideally pam_sss.so would have a 'try_first_pass' option which would
unblock us from shipping an sss-gss pam config. I've filed an RFE here:
<https://github.com/SSSD/sssd/issues/6946>.

-- System Information:
Debian Release: 12.1
APT prefers stable-updates
APT policy: (550, 'stable-updates'), (550, 'stable-security'), (550, 'stable'), (530, 'testing'), (520, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages libpam-sss depends on:
ii libc6 2.36-9+deb12u1
ii libgssapi-krb5-2 1.20.1-2
ii libpam-pwquality 1.4.5-1+b1
ii libpam-runtime 1.5.2-6
ii libpam0g 1.5.2-6
Versions of packages libpam-sss recommends:
ii sssd 2.8.2-4
libpam-sss suggests no packages.
-- no debconf information