Package: libpam-sss
Version: 2.6.1-1
Severity: normal
In the default configuration, /etc/pam.d/common-auth contains:

    auth [success=2 default=ignore] pam_unix.so nullok
    auth [success=1 default=ignore] pam_sss.so use_first_pass
    auth requisite pam_deny.so

This means that pam_unix has the first & only chance to prompt the user for authentication, and the user gets a single 'Password:' prompt.

In the Red Hat world, /etc/pam.d/password-auth contains:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

A local user will hit pam_unix. A non-local user will skip over it and be prompted by pam_sss.so.

An easy fix is to increase the Priority in /usr/share/pam-configs/sss to some value > 256. That way, pam-auth-update puts pam_sss before pam_unix. I tested this, and 'su - localuser' still works. Unfortunately I don't know of a way for a user to override this value other than by editing that file, which is owned by libpam-sss.

Is there a good reason that pam_unix has to be first in the module stack? If not, could we make this change?
-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (550, 'stable-updates'), (550, 'stable'), (530, 'testing'), (520, 'unstable'), (500, 'stable-security'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-sss depends on:
ii  libc6             2.32-5
ii  libgssapi-krb5-2  1.18.3-7
ii  libpam-pwquality  1.4.4-1
ii  libpam-runtime    1.4.0-9+deb11u1
ii  libpam0g          1.4.0-11

Versions of packages libpam-sss recommends:
ii  sssd  2.6.1-1

libpam-sss suggests no packages.

-- no debconf information
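Added example, not part of the report or of the libpam-sss package: a small Python model of how a Linux-PAM 'auth' stack is walked, run over the two stacks quoted in the report, to show which module is reached first and therefore owns the 'Password:' prompt. It simplifies each module to a plain success or failure (every non-success return code takes the 'default' action), and the third stack, DEBIAN_SSS_FIRST, is an assumed reconstruction of what pam-auth-update writes once the sss profile outranks the unix one.

```python
import re

KEYWORDS = {"required": {"success": "ok", "default": "bad"},      # keyword controls as their
            "requisite": {"success": "ok", "default": "die"},     # bracket equivalents, pam.conf(5)
            "sufficient": {"success": "done", "default": "ignore"}}
PROMPTERS = {"pam_unix.so", "pam_sss.so"}  # modules that ask the user for a password
DEBIAN = """auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so"""
REDHAT = """auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so"""
DEBIAN_SSS_FIRST = """auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so"""  # constructed guess at the pam-auth-update output once sss outranks unix

def parse_stack(text):
    """Return (control dict, module name) for each 'auth' line of a pam.d file."""
    entries = []
    for m in re.finditer(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", text, re.M):
        ctl, module = m.groups()
        control = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        entries.append((control, module))
    return entries

def walk(text, outcomes):
    """Simplified dispatcher: modules succeed or fail per `outcomes` (default fail); returns (result, modules run, first prompter)."""
    entries, status, run, i = parse_stack(text), None, [], 0
    while i < len(entries):
        control, module = entries[i]
        run.append(module)
        ok = outcomes.get(module, False)
        action = control["success"] if ok and "success" in control else control.get("default", "bad")
        i += 1
        if action in ("bad", "die"):                  # record a failure; 'die' also ends the stack
            status = False
            if action == "die": break
        elif action != "ignore" and status is not False:   # an earlier failure is never overridden
            # 'ok'/'done' take this module's result; a jump N counts only a success
            status = ok if ok or not action.isdigit() else status
            if action.isdigit(): i += int(action)              # then skip the next N entries
            if ok and action == "done": break                  # 'sufficient' short-circuits
    first = next((m for m in run if m in PROMPTERS), None)
    return bool(status), run, first
```

walk(DEBIAN, {"pam_sss.so": True}) reports pam_unix.so as the first prompter even though only pam_sss can authenticate that user, whereas walk(REDHAT, ...) with pam_localuser.so failing never runs pam_unix.so at all.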