Public bug reported: Working with pam-auth-update and custom profiles in /usr/share/pam-configs I'm discovering a lack of flexibility with regard to ordering and being able to cleanly stack different auth modules.
This relates to both unix and sss profiles using '[success=end default=ignore]'. Say my goal is to add MFA as a subsequent requirement to authenticate after successfully authenticating to AD via pam_sss.so. I can't simply have a profile called 'duo' that will come in at a slightly lower priority and land under pam_sss.so as a subsequent authentication because it'll get skipped in the stack by pam_sss's [success=2] jump placed dynamically by [success=end] in the sss template. The same applies to pam_unix.so's template, since it also uses [success=end]. I think that the template process needs to be reworked to be able to denote that a subsequent module is mandatory and can't be skipped in the stack, or that it's at least a mandatory follow up to specific prior modules (eg allow unix to [success=2] over both pam_sss.so and pam_duo.so to permit.so). The only way I have to work around this while still doing things the pam-auth-update way instead of hacking common-auth in place is to create a conflicting template called 'duo-sss' that conflicts with 'sss', and reimplement its contents but with a stack skip tweak like so:

```
Name: DUO authentication with combined SSSD
Default: no
Priority: 192
Conflicts: sss
Auth-Type: Primary
Auth:
	[default=ignore] pam_sss.so use_first_pass
	[success=end] /usr/lib64/security/pam_duo.so
```

As you can imagine, this can get complicated the more prior modules I need to override. Now it very well could be that I'm misunderstanding how to use pam-auth-update profiles. The PAMConfigFramework Spec is very minimal so I've pored over that a few times and supplemented what I learned with the perl content of pam-auth-update itself but I'm also no Perl monk.
Assuming this is a legitimate request and I'm not missing some way to more cleanly achieve my flexibility goals, here is the required bug info:

VERSION="20.04.6 LTS (Focal Fossa)"
libpam-runtime:
  Installed: 1.3.1-5ubuntu4.7

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: pam pam-auth-update

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2075389

Title:
  pam-auth-update lacks flexibility needed to support sss + foo-auth-module cleanly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2075389/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
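The skip the report describes is easiest to see by rendering the Primary block the way pam-auth-update does and then walking it with Linux-PAM's control semantics. The following simulator is an added example, not the reporter's files and not pam-auth-update's own Perl. It assumes the usual Ubuntu priorities for unix (256) and sss (128), assumes that `success=end` is rewritten to a jump over the remaining Primary lines plus the `pam_deny.so` requisite so that it lands on `pam_permit.so`, and simply drops a lower-priority profile that conflicts with an accepted one. The `duo` profile, its priority, the bare module name `pam_duo.so` (the report uses a full path) and every module outcome are constructed for the demonstration.

```python
"""Simulate how pam-auth-update assembles the auth 'Primary' block from
pam-configs profiles and how Linux-PAM then walks the result.

Added example, not the reporter's files or pam-auth-update's own code.
Assumptions: the unix/sss priorities (256/128) and the rendering rule
('success=end' becomes a jump past the remaining Primary lines plus the
pam_deny.so requisite) mirror the common Ubuntu layout; the 'duo' profile,
its priority, the bare module name pam_duo.so and every module outcome are
constructed; a conflicting lower-priority profile is simply dropped
(pam-auth-update resolves that interactively)."""

PROFILES = {
    "unix": {"Priority": 256, "Conflicts": set(),
             "Auth": ["[success=end default=ignore] pam_unix.so nullok"]},
    "sss": {"Priority": 128, "Conflicts": set(),
            "Auth": ["[success=end default=ignore] pam_sss.so use_first_pass"]},
    # Naive MFA profile that just sorts below sss (the report's first attempt).
    "duo": {"Priority": 100, "Conflicts": set(),
            "Auth": ["[success=end default=ignore] pam_duo.so"]},
    # The report's workaround: replaces sss and pins pam_duo.so behind it.
    "duo-sss": {"Priority": 192, "Conflicts": {"sss"},
                "Auth": ["[default=ignore] pam_sss.so use_first_pass",
                         "[success=end] pam_duo.so"]},
}


def render_primary(enabled):
    """Order enabled profiles by descending Priority, drop profiles that
    conflict with an already-accepted one, concatenate their Auth lines and
    rewrite 'success=end' as the jump count that lands on pam_permit.so."""
    active = []
    for name in sorted(enabled, key=lambda n: -PROFILES[n]["Priority"]):
        clash = any(name in PROFILES[a]["Conflicts"] or a in PROFILES[name]["Conflicts"]
                    for a in active)
        if not clash:
            active.append(name)
    lines = [line for n in active for line in PROFILES[n]["Auth"]]
    stack = []
    for i, line in enumerate(lines):
        remaining = len(lines) - i - 1          # Primary lines still below this one
        stack.append(line.replace("success=end", f"success={remaining + 1}"))
    stack.append("requisite pam_deny.so")       # reached only if nothing jumped
    stack.append("required pam_permit.so")      # target of every 'end' jump
    return stack


def _parse(line):
    """Split a rendered line into (result -> action map, module name)."""
    if line.startswith("["):
        ctrl, rest = line[1:].split("]", 1)
        actions = dict(kv.split("=") for kv in ctrl.split())
    else:
        keyword, rest = line.split(None, 1)
        actions = {"requisite": {"success": "ok", "default": "die"},
                   "required": {"success": "ok", "default": "bad"}}[keyword]
    return actions, rest.split()[0]


def run_stack(stack, outcomes):
    """Walk the stack with Linux-PAM control semantics.  'outcomes' maps a
    module name to True/False; pam_permit.so always succeeds and pam_deny.so
    always fails.  Returns (authenticated, list of modules actually run)."""
    status = None      # first recorded failure wins; None at the end means denied
    trace = []
    i = 0
    while i < len(stack):
        actions, module = _parse(stack[i])
        ok = {"pam_permit.so": True, "pam_deny.so": False}.get(module, outcomes.get(module, False))
        # An unspecified 'default' is treated as 'bad', as Linux-PAM does.
        action = actions.get("success" if ok else "default", actions.get("default", "bad"))
        trace.append(module)
        if action in ("ok", "done") or action.isdigit():
            status = True if status is None else status
        elif action in ("bad", "die"):
            status = False if status is None else status
        if action in ("done", "die"):
            break
        i += 1 + (int(action) if action.isdigit() else 0)   # a number is 'ok' plus a skip
    return bool(status), trace


if __name__ == "__main__":
    # Constructed outcome: AD password accepted, MFA not approved.
    ad_user_no_mfa = {"pam_unix.so": False, "pam_sss.so": True, "pam_duo.so": False}
    for name, enabled in (("naive", ["unix", "sss", "duo"]),
                          ("workaround", ["unix", "duo-sss", "sss"])):
        auth, trace = run_stack(render_primary(enabled), ad_user_no_mfa)
        print(f"{name}: authenticated={auth}, modules run={trace}")
```

With the naive layout the rendered stack reads `success=3`, `success=2`, `success=1`, and an sss success jumps straight to `pam_permit.so`, so `pam_duo.so` never runs. With the workaround profile `pam_sss.so` carries `[default=ignore]`, so control falls through to `pam_duo.so` whose result decides. One consequence worth checking when deploying that workaround: `[default=ignore]` applies to an sss failure as well as a success, so the stack's control flow alone does not make a successful first factor a precondition for `pam_duo.so`; the simulator reports that an sss failure followed by a `pam_duo.so` success still reaches `pam_permit.so`, which makes the module's own handling of that case the thing to confirm.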