On 13.12.2021 19.39, Sam Morris wrote:
> Package: libpam-sss
> Version: 2.6.1-1
> Severity: normal
>
> In the default configuration, /etc/pam.d/common-auth contains:
>
> auth [success=2 default=ignore] pam_unix.so nullok
> auth [success=1 default=ignore] pam_sss.so use_first_pass
> auth requisite pam_deny.so
>
> This means that pam_unix has the first & only chance to prompt the user
> for authentication, and the user gets a single 'Password:' prompt.
>
> In the Red Hat world, /etc/pam.d/password-auth contains:
>
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok
> auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> A local user will hit pam_unix. A non-local user will skip over it and
> be prompted by pam_sss.so.
>
> An easy fix is to increase the Priority in /usr/share/pam-configs/sss to
> some value > 256. That way, pam-auth-update puts pam_sss before
> pam_unix.
>
> I tested this, and 'su - localuser' still works.
>
> Unfortunately I don't know of a way for a user to override this value
> other than by editing that file, which is owned by libpam-sss.
>
> Is there a good reason that pam_unix has to be first in the module
> stack? If not, could we make this change?
You're asking in the wrong place.. Anyway, pam_sss is not above pam_unix
in Fedora either, so why should it have a higher priority here?
--
t
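The two stacks quoted above differ only in their control values, and the effect of `[success=2 default=ignore]` versus `[default=1 ...]` / `sufficient` is easier to see by walking the stack than by reading it. The following is an added example, not code from Debian, Red Hat, sssd or the reporter: a small evaluator of Linux-PAM's `auth` control semantics (keyword expansions as documented in pam.conf(5); `done`, `ok`, `N` jumps, `bad`, `die`, `ignore`) fed the exact lines from the mail. The per-module outcomes, the user set (`alice` local, `bob` sssd-only, `mallory` unknown) and the `PROPOSED` stack, which is one plausible shape of the pam_sss-first ordering the reporter asked for, are constructed assumptions; it ignores password handling entirely and only answers which modules are reached, which is the question the report raises.

```python
"""Walk Linux-PAM 'auth' stacks to see which module is reached first.

Added example (not Debian's, Red Hat's, sssd's or the reporter's code).
Module outcomes and user sets are constructed stand-ins (assumption).
"""

# Keyword expansions from pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Stacks copied from the bug report.
DEBIAN = """
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
"""
REDHAT = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
# Assumption: one plausible pam-auth-update output once pam_sss outranks pam_unix.
PROPOSED = """
auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok use_first_pass
auth requisite pam_deny.so
"""

LOCAL_USERS = {"alice"}   # constructed: present in /etc/passwd
SSSD_USERS = {"bob"}      # constructed: known only to sssd
PROMPTING = {"pam_unix.so", "pam_sss.so"}   # modules that ask for a password


def parse_stack(text):
    """Turn pam.d-style lines into (module, control-dict) pairs."""
    stack = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            ctl = dict(p.strip("[]").split("=", 1) for p in parts[1:end + 1])
            module = parts[end + 1]
        else:
            ctl, module = KEYWORDS[parts[1]], parts[2]
        stack.append((module, ctl))
    return stack


def run_module(module, user):
    """Constructed outcome of each module for a given user (assumption)."""
    if module in ("pam_unix.so", "pam_localuser.so"):
        return "success" if user in LOCAL_USERS else "user_unknown"
    if module == "pam_sss.so":
        return "success" if user in SSSD_USERS else "user_unknown"
    if module == "pam_deny.so":
        return "auth_err"
    return "success"   # pam_env, pam_faildelay, pam_usertype (regular user)


def evaluate(stack, user):
    """Return (final result, modules invoked in order), following pam_dispatch rules."""
    invoked, impression, i = [], None, 0
    while i < len(stack):
        module, ctl = stack[i]
        invoked.append(module)
        ret = run_module(module, user)
        action = ctl.get(ret, ctl.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            impression = "neg"
            if action == "die":
                break
            continue
        # ok, done and N all count as success unless something already failed
        if impression is None:
            impression = "pos"
        if action == "done" and impression == "pos":
            break
        if action.isdigit():
            i += int(action)   # jump over the next N modules
    return ("success" if impression == "pos" else "fail"), invoked


def prompter(stack, user):
    """First password-handling module that is actually reached for this user."""
    _, invoked = evaluate(stack, user)
    return next((m for m in invoked if m in PROMPTING), None)


if __name__ == "__main__":
    for name, text in (("debian", DEBIAN), ("redhat", REDHAT), ("proposed", PROPOSED)):
        for user in ("alice", "bob", "mallory"):
            result, invoked = evaluate(parse_stack(text), user)
            print(f"{name:9}{user:8}{result:8} prompt={prompter(parse_stack(text), user)} {invoked}")
```

Running it shows the point of the report: with the Debian stack, `pam_unix.so` is the first module invoked for every user, so it owns the single `Password:` prompt; with the Red Hat stack, `pam_localuser.so` returning unknown triggers the `default=1` jump over `pam_unix.so`, so a non-local user is prompted by `pam_sss.so` and a local user never reaches it. The `PROPOSED` ordering makes a local user fall through `pam_sss.so` (ignored) to `pam_unix.so`, which is consistent with the reporter's observation that `su - localuser` keeps working.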