Missing libsss_sudo #445

Closed
jdel opened this issue Apr 1, 2020 · 9 comments
Labels: jira (for syncing to jira)
jdel commented Apr 1, 2020

In the process of migrating my CoreOS EC2 instances to Fedora CoreOS I am encountering the following issue.

Expected behaviour:
With SSSD configured and sudoers sss support in nsswitch.conf, I expect to be able to use the sudo rules provided by the FreeIPA server that SSSD is connected to.

Actual behaviour:
Executing sudo yields:

sudo: unable to load /usr/lib64/libsss_sudo.so

Steps to reproduce the issue

Add the following to /etc/nsswitch.conf:

sudoers:    files sss

Reboot. It does not matter if you have sudo rules or even if SSSD is set up.
Execute sudo with the core user.

Resolution:
Install libsss_sudo with:

rpm-ostree install libsss_sudo

Output of rpm-ostree status:

State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora:fedora/x86_64/coreos/stable
                   Version: 31.20200310.3.0 (2020-03-25T19:42:10Z)
                    Commit: 436592e6eb93e899bebab8dbd17514c85be683390ef8bbce8c6d96069ce4c543
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4

The Fedora CoreOS documentation does not specify what is the recommended way to install such packages using the Ignition configuration. Please advise.

Thanks in advance

@dustymabe dustymabe added the meeting topics for meetings label Apr 1, 2020
@dustymabe (Member) commented

We discussed this in the meeting today

12:53:54     dustymabe | #agreed The functionality provided by libsss_sudo appears to be missing functionality that we want in FCOS. We
                       | are leaning towards including it in the base unless good reasoning for not doing so surfaces.

@jdel - as part of this do you mind providing us an example fcct snippet that you use to configure the system to use this plugin? This would be useful as an example for future people who want to do the same thing.

@dustymabe dustymabe removed the meeting topics for meetings label Apr 1, 2020
jdel commented Apr 2, 2020

Hello Dusty,

I won't go through the whole sssd setup, but the prerequisites are to configure and enable the service like so: https://coreos.com/os/docs/latest/sssd.html

The following fcct template works for me:

variant: fcos
version: 1.0.0

storage:
  files:
  - path: /etc/ssh/sshd_config
    append:
      - inline: |
          AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
          AuthorizedKeysCommandUser nobody

  - path: /etc/nsswitch.conf
    append:
      - inline: |
          sudoers:    files sss

  - path: /etc/pam.d/system-auth
    overwrite: true
    mode: 0644
    contents:
      inline: |
        #%PAM-1.0
        # This file is auto-generated.
        # User changes will be destroyed the next time authselect is run.
        auth        required      pam_env.so
        auth        sufficient    pam_unix.so try_first_pass nullok
        auth        sufficient    pam_sss.so use_first_pass
        auth        required      pam_deny.so

        account     required      pam_unix.so
        # Don't fail if the user is unknown to sssd or if sssd isn't running
        account     required      pam_sss.so ignore_unknown_user ignore_authinfo_unavail

        password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
        password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
        password    sufficient    pam_sss.so use_authtok
        password    required      pam_deny.so

        session     optional      pam_keyinit.so revoke
        session     required      pam_limits.so
        session     optional      pam_sss.so
        -session     optional      pam_systemd.so
        session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
        session     required      pam_unix.so
        session     optional      pam_mkhomedir.so

The sshd and pam.d configs will enable users to login using their FreeIPA user and the keys they have specified in FreeIPA.

The addition of pam_mkhomedir.so will create FreeIPA users home directories automatically when they login for the first time.

The nsswitch.conf addition enables sssd as a source for sudo rules.

The content of /etc/pam.d/system-auth is based on the content of that file in the current FCOS release, to which I added the pam_sss.so lines. I don't have a lot of PAM knowledge, so I'm open to suggestions and also to ways of configuring pam_sss.so in a more programmatic way.
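A preflight check for the two configuration points discussed in this issue (the sudoers source in nsswitch.conf from the reproduction steps, and the pam_sss.so account line in the system-auth file above), as an added example that is not part of the issue, of fcct or of Fedora CoreOS. It is a POSIX shell script that reports the state the reporter hit (sss listed as a sudoers source while libsss_sudo.so is absent, which is what makes sudo fail to load the plugin) and verifies that the PAM account stack carries the ignore_unknown_user / ignore_authinfo_unavail options so local users such as core keep working when sssd is down. The file paths and library directory are parameters; the nsswitch.conf and system-auth contents it runs against are constructed, and the plugin path /usr/lib64/libsss_sudo.so comes from the error message in the issue.

```shell
#!/bin/sh
# Added example, not from the issue: preflight checks for SSSD-backed sudo on a host.

# check_sudoers_sss NSSWITCH_FILE LIBDIR
# Exit status: 0 = sss configured for sudoers and the plugin is present,
#              1 = sss configured but LIBDIR/libsss_sudo.so is missing (the issue),
#              2 = sss is not a sudoers source at all.
check_sudoers_sss() {
    nsswitch="$1"
    libdir="$2"
    # Take the last uncommented "sudoers:" line; later entries override earlier ones.
    sources=$(sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$nsswitch" | tail -n 1)
    case " $sources " in
        *" sss "*) ;;
        *) echo "sudoers: sss is not configured in $nsswitch"; return 2 ;;
    esac
    if [ ! -e "$libdir/libsss_sudo.so" ]; then
        echo "sudoers: sss requested but $libdir/libsss_sudo.so is missing (sudo cannot load it)"
        return 1
    fi
    echo "sudoers: sss configured and $libdir/libsss_sudo.so is present"
    return 0
}

# check_pam_sss PAM_FILE
# Exit status: 0 = an "account required pam_sss.so" line exists and carries both
#              ignore_unknown_user and ignore_authinfo_unavail, 1 otherwise.
check_pam_sss() {
    pamfile="$1"
    line=$(grep -E '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_sss\.so' "$pamfile" || true)
    [ -n "$line" ] || { echo "no 'account required pam_sss.so' line in $pamfile"; return 1; }
    case "$line" in
        *ignore_unknown_user*ignore_authinfo_unavail*|*ignore_authinfo_unavail*ignore_unknown_user*)
            echo "pam_sss.so account line tolerates unknown users and an unreachable sssd"
            return 0 ;;
    esac
    echo "pam_sss.so account line lacks ignore_unknown_user/ignore_authinfo_unavail"
    return 1
}

# --- constructed sample input (not copied from a real host) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/lib64"
printf 'passwd:     sss files systemd\nsudoers:    files sss\n' > "$demo_dir/nsswitch.conf"
printf '#%%PAM-1.0\naccount     required      pam_unix.so\naccount     required      pam_sss.so ignore_unknown_user ignore_authinfo_unavail\n' > "$demo_dir/system-auth"

# First run reproduces the reported state: sss requested, plugin absent (rc=1).
check_sudoers_sss "$demo_dir/nsswitch.conf" "$demo_dir/lib64" || echo "-> rc=$?"
# Simulate the fix (rpm-ostree install libsss_sudo, or a release that ships it).
touch "$demo_dir/lib64/libsss_sudo.so"
check_sudoers_sss "$demo_dir/nsswitch.conf" "$demo_dir/lib64"
check_pam_sss "$demo_dir/system-auth"
rm -rf "$demo_dir"
```

On a real host the calls would be `check_sudoers_sss /etc/nsswitch.conf /usr/lib64` and `check_pam_sss /etc/pam.d/system-auth`; a non-zero status from the first is the condition the issue describes, and the second catches a system-auth that would lock out local accounts whenever sssd is unreachable.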

@dustymabe (Member) commented

thanks @jdel !

@dustymabe (Member) commented

PR for this over in coreos/fedora-coreos-config#330

@dustymabe (Member) commented

The fix for this landed upstream. It is now pending a testing stream release.

@dustymabe dustymabe added the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Apr 6, 2020
jdel commented Apr 7, 2020

Superb, thank you for the quick turnaround!

@dustymabe (Member) commented

The fix for this went into testing stream release 31.20200407.2.2. Please try out the new release and report issues.

@dustymabe dustymabe added status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. and removed status/pending-testing-release Fixed upstream. Waiting on a testing release. labels Apr 10, 2020
jdel commented Apr 10, 2020

Confirmed libsss_sudo is present in the new testing AMI. 👍
Thanks

@dustymabe (Member) commented

The fix for this went into stable stream release 31.20200407.3.0.
