RFE: can we get a try_first_pass option for pam_sss.so?

[yrro]

In Debian, when pam_sss.so is not the first module in the stack, the use_first_pass option is configured: https://salsa.debian.org/sssd-team/sssd/-/blob/b5ab8ee7e6284d47de19880384d9dce683547f22/debian/libpam-sss.pam-auth-update#L7

This is done so that if pam_unix.so is before pam_sss.so in the stack (which is the default), that module prompts for the password, and pam_sss.so uses it.

There is a problem in the (non-default) configuration where the following is the case:

• so that users get multiple MFA prompts, instead of a single Password: prompt, the admin has configured the system to run pam_sss.so before pam_unix.so
• the admin has configured pam_sss_gss.so to run first (which is the normal way to use it)
• a non-local user (e.g., FreeIPA) wants to authenticate

Here is the sequence of events:

1. pam_sss_gss.so runs
2. pam_sss.so runs with use_first_pass
3. There is no password to use
4. pam_sss.so fails authentication
5. pam_unix.so runs, and can't authenticate the non-local user
6. Authentication is denied

Debian could remove use_first_pass from the file linked above, but then if pam_unix.so runs before pam_sss.so (which is the current default), and a non-local user tries to log in then they get prompted by both modules!

If pam_sss.so had a try_first_pass option then in the above scenario authentication would succeed after pam_sss.so prompted the user for authentication. In the case of a local user, pam_unix.so would use the password collected by pam_sss.so to authenticate the user without prompting them a second time.

[sumit-bose]

Hi,

currently authselect is generating the following auth block to handle this case:

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss_gss.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

With this you can avoid the try-and-error scheme and each PAM module can prompt for its own users. Would this work for you?

bye,
Sumit

[andreboscatto]

Hi @yrro Did you have a chance to go through Sumit's comment?

[yrro]

I'm still working on a post to debian-devel to see what Debian developers think about the various options. On my own systems I started to use pam_localuser.so, rather than bumping the priority of pam_sss.so so we'll see what others think...

[andreboscatto]

Dear Contributor/User,

Recognizing the importance of addressing enhancements, bugs, and issues for the SSSD project's quality and reliability, we also need to consider our long-term goals and resource constraints.

After thoughtful consideration, regrettably, we are unable to address this request at this time. To avoid any misconception, we're closing it; however, we encourage continued collaboration and contributions from anyone interested.

We apologize for any inconvenience and appreciate your understanding of our resource limitations. While you're welcome to open a new issue (or reopen this one), immediate attention may not be guaranteed due to competing priorities.

Thank you once again for sharing your feedback. We look forward to ongoing collaboration to deliver the best possible solutions, supporting in any way we can.

Best regards,
André Boscatto