New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: can we get a try_first_pass option for pam_sss.so? #6946
Comments
Hi, currently authselect is generating the following
With this you can avoid the try-and-error scheme and each PAM module can prompt for its own users. Would this work for you? bye, |
Hi @yrro Did you have a chance to go through Sumit's comment? |
I'm still working on a post to |
Dear Contributor/User, Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints. After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested. We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities. Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can. Best regards, |
In Debian, when
pam_sss.so
is not the first module in the stack, theuse_first_pass
option is configured: https://salsa.debian.org/sssd-team/sssd/-/blob/b5ab8ee7e6284d47de19880384d9dce683547f22/debian/libpam-sss.pam-auth-update#L7This is done so that if
pam_unix.so
is beforepam_sss.so
in the stack (which is the default), that module prompts for the password, andpam_sss.so
uses it.There is a problem in the (non-default) configuration where the following is the case:
Password:
prompt, the admin has configured the system to runpam_sss.so
beforepam_unix.so
pam_sss_gss.so
to run first (which is the normal way to use it)Here is the sequence of events:
pam_sss_gss.so
runspam_sss.so
runs withuse_first_pass
pam_sss.so
fails authenticationpam_unix.so
runs, and can't authenticate the non-local userDebian could remove
use_first_pass
from the file linked above, but then ifpam_unix.so
runs beforepam_sss.so
(which is the current default), and a non-local user tries to log in then they get prompted by both modules!If
pam_sss.so
had atry_first_pass
option then in the above scenario authentication would succeed afterpam_sss.so
prompted the user for authentication. In the case of a local user,pam_unix.so
would use the password collected bypam_sss.so
to authenticate the user without prompting them a second time.The text was updated successfully, but these errors were encountered: