To configure my system I've followed the instructions at [1] but there are two things not quite right:
1. All normal local users (i.e. not /root/) get prompted twice at login. My testing shows that it's only the 2nd time the password must be correct.
2. I can't use ~su~ to become root (though =sudo= works, so it's not the end of the world).
My PAM-fu is rather limited, so I don't even know where I should start looking to fix this. Maybe someone on this list can see right away what's wrong with those instructions, or at least can offer me a pointer on where to turn to figure it out?
/M
[1]: https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offline_...
On (01/02/16 16:53), Magnus Therning wrote:
To configure my system I've followed the instructions at [1] but there are two things not quite right:
1. All normal local users (i.e. not /root/) get prompted twice at login. My testing shows that it's only the 2nd time the password must be correct.
2. I can't use ~su~ to become root (though =sudo= works, so it's not the end of the world).
My PAM-fu is rather limited, so I don't even know where I should start looking to fix this. Maybe someone on this list can see right away what's wrong with those instructions, or at least can offer me a pointer on where to turn to figure it out?
/M
You might take inspiration from Fedora's system-auth:
Thanks a lot!
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Nick
--
Magnus Therning, magnus.therning@cipherstone.com
Cipherstone Technologies AB
Theres Svenssons gata 10, 417 55 Gothenburg, Sweden

Sometimes I wonder whether the world is being run by smart people who are putting us on or by imbeciles who really mean it. -- Mark Twain
Clearly, it's the imbeciles. And they really mean it. -- DBT
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Mon, Feb 01, 2016 at 05:13:51PM +0100, Lukas Slebodnik wrote:
You might take inspiration from Fedora's system-auth:
Thanks a lot!
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
I would recommend using the Fedora style as well. Nevertheless, in the Arch Linux examples you might try to replace
auth sufficient pam_sss.so
by
auth sufficient pam_sss.so forward_pass
because by default pam_sss does not put the password on the PAM stack to avoid leaking the password.
HTH
bye, Sumit
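To make the stack behaviour above concrete, here is an added example (not from the thread, and not SSSD or Linux-PAM code) that evaluates a PAM auth stack with simplified pam.conf(5) control semantics and a stub of each module, counting how often the user is asked for a password. It runs the Fedora auth stack quoted above and a constructed two-line Arch-style stack for a local user and for an LDAP user. Assumptions: pam_sss reuses a password already on the stack and returns user_unknown for local users, pam_unix returns user_unknown for non-local users, pam_fprintd finds no reader, and the Arch-style stack is a reconstruction rather than the wiki's exact text.

```python
import re
# Simplified bracket equivalents of the classic control keywords (see pam.conf(5)).
KEYWORDS = {"required": "success=ok default=bad", "requisite": "success=ok default=die",
            "sufficient": "success=done default=ignore", "optional": "success=ok default=ignore"}
# Fedora auth stack quoted above, plus a constructed Arch-style stack ({} is "" or "forward_pass").
FEDORA_AUTH = """auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so"""
ARCH_STYLE = "auth sufficient pam_sss.so {}\nauth required pam_unix.so try_first_pass nullok"

def parse(stack):
    """Yield (module, args, {result: action}) for each 'type control module args' line."""
    for line in stack.strip().splitlines():
        m = re.match(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line.strip())
        control = KEYWORDS.get(m[2], m[2].strip("[]"))
        yield m[3], m[4].split(), dict(kv.split("=") for kv in control.split())

def run_module(mod, args, user, state):
    """PAM result name of one (stubbed) module; state tracks the password left on the stack."""
    if mod == "pam_localuser.so":
        return "success" if user["local"] else "user_unknown"
    if mod == "pam_succeed_if.so":                # only "uid >= N" / "uid < N" modelled
        f, op, v = args[:3]
        return "success" if (user[f] >= int(v) if op == ">=" else user[f] < int(v)) else "auth_err"
    if mod in ("pam_unix.so", "pam_sss.so"):
        # pam_sss reuses a stacked password by default; pam_unix only with *_first_pass
        reuse = state["authtok"] and (mod == "pam_sss.so" or any(a.endswith("_first_pass") for a in args))
        if not reuse:
            state["prompts"] += 1                 # the user is asked to type a password
            if mod == "pam_unix.so" or "forward_pass" in args:
                state["authtok"] = "typed"        # left on the stack for later modules
        return "success" if user["local" if mod == "pam_unix.so" else "ldap"] else "user_unknown"
    return {"pam_env.so": "success", "pam_deny.so": "auth_err"}.get(mod, "authinfo_unavail")

def simulate(stack, user):
    """Evaluate an auth stack for user; returns (final status, number of password prompts)."""
    state, status, rules, i = {"authtok": None, "prompts": 0}, None, list(parse(stack)), 0
    while i < len(rules):
        mod, args, actions = rules[i]
        result, i = run_module(mod, args, user, state), i + 1
        action = actions.get(result, actions["default"])
        if action.isdigit(): i += int(action)     # jump: skip N modules, status untouched
        elif action != "ignore" and status in (None, "success"):
            status = result                       # ok/done record it; the first failure sticks
        if action in ("done", "die"): break
    return status or "perm_denied", state["prompts"]
```

Without forward_pass the local user is prompted twice and only the second password reaches pam_unix, which is exactly the symptom in the first message; the Fedora stack avoids the problem by branching on pam_localuser so that a local user never reaches pam_sss at all.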
Sumit Bose writes:
I would recommend using the Fedora style as well. Nevertheless, in the Arch Linux examples you might try to replace
auth sufficient pam_sss.so
by
auth sufficient pam_sss.so forward_pass
because by default pam_sss does not put the password on the PAM stack to avoid leaking the password.
Thanks, that did it!
I did have a look at the settings in Debian too, but they were a bit more complicated and it's unclear what the extra complexity actually gives me. I have of course updated the Archlinux Wiki page.
If anyone else looks at the suggested settings there and sees something strange/sub-optimal/... then I'd really appreciate an email about it.
/M