Public bug reported:
Default common-auth with sssd is:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
However, this does not allow gdm to query the smartcard to determine the
identity.
Changing /usr/share/pam-configs/sss like:
--- /usr/share/pam-configs/sss.orig 2019-09-13 14:08:43.360118486 -0600
+++ /usr/share/pam-configs/sss 2019-09-13 10:07:34.799762334 -0600
@@ -1,12 +1,12 @@
Name: SSS authentication
Default: yes
-Priority: 128
+Priority: 512
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so use_first_pass
Auth-Initial:
- [success=end default=ignore] pam_sss.so forward_pass
+ [success=end default=ignore] pam_sss.so forward_pass
allow_missing_name
Account-Type: Additional
Account:
sufficient pam_localuser.so
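Review bot: Raising Priority from 128 to 512 reorders the generated Primary block so that pam_sss.so runs ahead of pam_unix.so in common-auth, which affects every service that includes that file and not only gdm. The change description should say that this reordering is intended for local-account logins too, or the smartcard ordering should be limited to the services that need it. Separately, the added Auth-Initial line is wrapped: allow_missing_name sits on its own line without a + prefix, so as posted it reads as a context line and the hunk will not apply cleanly; it belongs on the same line as pam_sss.so forward_pass. The non-initial Auth: entry keeps use_first_pass without allow_missing_name, which deserves a short note on why only Auth-Initial needs the option.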
Generates:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_sss.so forward_pass allow_missing_name
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
which allows this to work.
** Affects: sssd (Ubuntu)
Importance: Undecided
Status: New
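The two stacks in the report differ in module order and in one pam_sss option. As an added example (not part of the original report or of sssd), this check parses an auth stack and flags both differences; treating them as the conditions for smartcard identity lookup is an assumption taken from the reporter's working configuration, and the function names are hypothetical.

```python
import re

# Both stacks are copied from the report above: the default "Primary" block
# and the one generated after the pam-configs change.
DEFAULT_STACK = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
"""
PATCHED_STACK = """\
auth [success=2 default=ignore] pam_sss.so forward_pass allow_missing_name
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
"""

# type, control (bracketed or single word), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Return [(module, [args])] for the auth lines, in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        if m and m.group(1).lstrip("-") == "auth":
            entries.append((m.group(3), m.group(4).split()))
    return entries

def smartcard_findings(text):
    """List how this stack differs from the working one in the report."""
    entries = parse_auth(text)
    modules = [mod for mod, _ in entries]
    if "pam_sss.so" not in modules:
        return ["pam_sss.so is not in the auth stack"]
    findings = []
    sss_at = modules.index("pam_sss.so")
    # Assumption from the report: pam_sss must come first to see the card.
    if "pam_unix.so" in modules and modules.index("pam_unix.so") < sss_at:
        findings.append("pam_unix.so runs before pam_sss.so")
    # Assumption from the report: the option lets pam_sss run without a name.
    if "allow_missing_name" not in entries[sss_at][1]:
        findings.append("pam_sss.so lacks allow_missing_name")
    return findings

if __name__ == "__main__":
    for name, stack in (("default", DEFAULT_STACK), ("patched", PATCHED_STACK)):
        print(name, smartcard_findings(stack) or "ok")
```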
https://bugs.launchpad.net/bugs/1843946
Title:
pam_sss configuration is incorrect for smartcard usage