Package: libpam-sss
Version: 2.8.2-4
Severity: wishlist

Here's the config file I am using:

    $ cat /usr/share/pam-configs/sss-gss 
    Name: Authenticate if the user can obtain a valid Kerberos ticket for the local host
    Default: yes
    Priority: 512

    Auth-Type: Primary
    Auth:
            [success=end default=ignore]        pam_sss_gss.so
    Auth-Initial:
            [success=end default=ignore]        pam_sss_gss.so

However it can't be added to the package yet because it will break
authentication for non-local users (because we use the 'use_first_pass'
option with pam_sss.so when it's not the initial module, so a non-local
user is not able to log in when pam_sss.so is not the initial module and
no prior modules stashed a password for it to consume). 

For the time being we need 'use_first_pass' so that non-local users
don't get prompted by _both_ pam_unix.so and pam_sss.so.

Ideally pam_sss.so would have a 'try_first_pass' option which would
unblock us from shipping an sss-gss pam config. I've filed an RFE here:
<https://github.com/SSSD/sssd/issues/6946>.

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (550, 'stable-updates'), (550, 'stable-security'), (550, 'stable'), (530, 'testing'), (520, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages libpam-sss depends on:
ii  libc6             2.36-9+deb12u1
ii  libgssapi-krb5-2  1.20.1-2
ii  libpam-pwquality  1.4.5-1+b1
ii  libpam-runtime    1.5.2-6
ii  libpam0g          1.5.2-6

Versions of packages libpam-sss recommends:
ii  sssd  2.8.2-4

libpam-sss suggests no packages.

-- no debconf information
