Please add pam_sss config #1

Closed
joakim-tjernlund opened this issue Aug 9, 2020 · 11 comments
Comments

@joakim-tjernlund

sssd (https://github.com/SSSD/sssd) has a pam_sss.so module that is needed for login when using sssd as the login service.

@Zlogene
Contributor

Zlogene commented Aug 10, 2020

@joakim-tjernlund do you have something working in your local stack to include? I have no sssd anymore, so I cannot test the module.

@joakim-tjernlund
Author

We use this

auth		required	pam_env.so
auth		sufficient	pam_unix.so try_first_pass likeauth nullok
auth		required	pam_sss.so forward_pass use_first_pass
#auth		required	pam_winbind.so use_first_pass

account		sufficient	pam_unix.so
account		required	pam_sss.so forward_pass
#account	required	pam_winbind.so use_first_pass

password	sufficient	pam_unix.so sha512 shadow
password	required	pam_krb5.so minimun_uid=1000

session		required	pam_limits.so
session		required	pam_mkhomedir.so umask=0077
session		required	pam_env.so
session		required	pam_unix.so
session		optional	pam_sss.so forward_pass
-session        optional        pam_elogind.so
#session	optional	pam_winbind.so

@Dessa

Dessa commented Aug 13, 2020

@joakim-tjernlund you have a typo in password section: "minimun"

I can't get it to work with faillock. The closest I got was getting a failure in pam_unix and a success in pam_sss (in the same login).

For now I ended up using Fedora's system-auth, which also has "password sufficient pam_sss.so use_authtok".

I need to dive a little bit deeper into this than I have done so far...

@joakim-tjernlund
Author

Sure. I haven't played much with the password section, so I am not sure what to have there.

@razamatan

razamatan commented Nov 6, 2020

Actually, I just realized I had to tweak what was in the wiki. What I have currently is (sssd-2.4.0, pambase-20201103):

auth            required        pam_env.so
auth            sufficient      pam_ssh.so try_first_pass
auth            requisite       pam_faillock.so preauth
auth            sufficient      pam_sss.so try_first_pass
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         required        pam_unix.so 
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_sss.so use_authtok
password        optional        pam_permit.so

session         optional        pam_ssh.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so
-session        optional        pam_elogind.so

@Zlogene
Contributor

Zlogene commented Nov 14, 2020

@razamatan looks better than previous ones, but:
1.) auth sufficient pam_ssh.so try_first_pass: does the stack really hand over the password from some other module?
2.) auth sufficient pam_sss.so try_first_pass: no password processing happens here in auth

@Dessa

Dessa commented Nov 14, 2020 via email

@razamatan

razamatan commented Nov 15, 2020 via email

@alexxy

alexxy commented Nov 21, 2020

I use this

auth            required        pam_env.so 
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_sss.so use_first_pass
auth            required        pam_deny.so

account         required        pam_unix.so
account         sufficient      pam_localuser.so
account         [default=bad success=ok user_unknown=ignore] pam_sss.so
account         required        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
password        sufficient      pam_sss.so use_authtok
password        required        pam_deny.so

session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         optional        pam_keyinit.so revoke
session         required        pam_limits.so
session         required        pam_env.so
session         [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so
-session        optional        pam_elogind.so

@razamatan

@razamatan looks better than previous ones, but:
1.) auth sufficient pam_ssh.so try_first_pass: does the stack really hand over the password from some other module?
2.) auth sufficient pam_sss.so try_first_pass: no password processing happens here in auth

  1. Yep. I removed try_first_pass and things continued to work.
  2. Can you explain where I should put pam_sss.so then? I'm not an expert in PAM. I thought sss needed to live before pam_unix to have an effect.

@razamatan

OK, I answered my own question by playing around. This is my current config, which seems to be working fully:

auth            required        pam_env.so
auth            sufficient      pam_sss.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         required        pam_unix.so 
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_sss.so use_authtok
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so
-session        optional        pam_elogind.so
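To make the control-flag semantics of these stacks concrete, here is an added example (not code from this thread, from pambase or from sssd): a small Python model of how Linux-PAM walks an auth stack, run over the auth section of the config above. Module outcomes are supplied by hand; real module behaviour and the `reset` action are not modelled.

```python
KEYWORDS = {  # the classic keywords as [result=action] tables (Linux-PAM semantics)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
# auth section copied from the last config posted in the thread
AUTH_STACK = """
auth            required        pam_env.so
auth            sufficient      pam_sss.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so
"""
def parse_rule(line):
    """One config line -> (control table, 'module args'); the '-' prefix is dropped."""
    _facility, rest = line.split(None, 1)
    if rest.startswith("["):                      # explicit [result=action ...] form
        end = rest.index("]")
        control = dict(kv.split("=") for kv in rest[1:end].split())
        rest = rest[end + 1:]
    else:
        keyword, rest = rest.split(None, 1)
        control = KEYWORDS[keyword]
    return control, " ".join(rest.split())

def run_stack(config, outcomes):
    """Return (status, specs invoked); outcomes maps 'module [arg]' -> result, default success."""
    rules = [parse_rule(l) for l in config.splitlines() if l.strip()]
    impression, status, ran, i = None, "perm_denied", [], 0
    while i < len(rules):
        control, spec = rules[i]
        ran.append(spec)
        result = next((v for k, v in outcomes.items() if spec.startswith(k)), "success")
        action = control.get(result, control.get("default", "bad"))
        i += 1
        if action in ("bad", "die"):              # failure: the first one fixes the code
            impression, status = "bad", status if impression == "bad" else result
            if action == "die":
                return status, ran
        elif action != "ignore":                  # 'ok', 'done' or a jump count N
            if impression != "bad":
                impression = "ok"
                if action == "done":              # sufficient short-circuits the stack
                    return "success", ran
            if action.isdigit():
                i += int(action)                  # skip the next N rules
    return ("success" if impression == "ok" else status), ran
```

Tracing a login where pam_sss succeeds shows that neither pam_faillock line runs, because the sufficient rule returns before them; the local-user, wrong-password and locked-account traces show faillock preauth and authfail still running on those paths.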
