Package: libpam-sss
Version: 2.10.1-2+b1
Severity: important
Tags: patch upstream

I've submitted https://github.com/SSSD/sssd/pull/7916 with the following note:

After the change in "krb5_child: do not try passwords with OTP #7462" pam_sss broke PAM configurations like this:

    auth sufficient pam_unix.so nullok
    auth sufficient pam_sss.so forward_pass

What happens in this case is that the combined password+otp is entered at the prompt generated by pam_unix, then forwarded to pam_sss. But in pam_sss any forwarded authtok is unconditionally set to SSS_AUTHTOK_TYPE_PASSWORD. This causes tokeninfo_matches to bail with the message "Unsupported authtok type 1" in krb5_child.log because tokeninfo_matches no longer handles SSS_AUTHTOK_TYPE_PASSWORD.

This patch adds the logic used elsewhere in pam_sss to determine whether a pam_authtok string should be treated as SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_2FA_SINGLE. Given the duplication it may be useful to refactor that logic into a separate function, but I tried to keep the change minimal.

[end upstream PR]

This is a much more serious bug on Debian because the broken configuration is the default PAM configuration. It does not affect the default Red Hat configuration, which uses:

    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth sufficient pam_sss.so forward_pass

and thus never prompts for a unix password from a remote user. I think the Red Hat mechanism makes a lot more sense, but changing that is unlikely to happen before freeze because it would affect multiple PAM packages (and wouldn't necessarily help upgrades anyway--leading to situations where users can log in but cannot use sudo after an upgrade due to this bug).

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.12-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-sss depends on:
ii  libc6              2.41-6
ii  libgssapi-krb5-2   1.21.3-5
ii  libpam-pwquality   1.4.5-5
ii  libpam-runtime     1.7.0-3
ii  libpam0g           1.7.0-3

Versions of packages libpam-sss recommends:
ii  sssd  2.10.1-2+b1

libpam-sss suggests no packages.

-- no debconf information
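The difference between the two PAM stacks quoted in the report, as an added example (not SSSD, Linux-PAM or Debian code): a small Python model of the control-flag evaluation showing that the Debian stack lets pam_unix prompt a remote user and forward the combined password+otp to pam_sss, while the Red Hat stack skips pam_unix for non-local users so pam_sss prompts on its own. The module behaviours and the sample accounts alice (local) and bob (SSSD-only) are assumptions of the model.

```python
import re
# Toy evaluator for the two PAM auth stacks quoted in the report. Added
# illustration, not Linux-PAM or SSSD code: it models only those control flags
# and modules, to show which one collects the credential and whether pam_sss
# then receives it as a forwarded authtok (the path the report says broke).
DEBIAN_STACK = """
auth sufficient pam_unix.so nullok
auth sufficient pam_sss.so forward_pass
"""
REDHAT_STACK = """
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
"""
LOCAL_USERS = {"alice"}  # constructed: alice is in /etc/passwd, bob exists only in SSSD
LINE_RE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Return [(control, module)] for each auth line (module args are implied)."""
    return [LINE_RE.match(line).groups()[:2] for line in text.strip().splitlines()]

def actions_for(ctrl):
    """Map a control field to {module_result: action}, as Linux-PAM does."""
    if ctrl == "sufficient":
        return {"success": "done", "default": "ignore"}
    return dict(kv.split("=") for kv in ctrl.strip("[]").split())

def run_module(module, user, trace):
    """Simulate one module: return 'success' or 'fail', record who prompted."""
    if module == "pam_localuser.so":
        return "success" if user in LOCAL_USERS else "fail"
    if module == "pam_unix.so":  # prompts even when the user is unknown locally
        trace["prompted_by"].append("pam_unix")
        return "success" if user in LOCAL_USERS else "fail"
    if module == "pam_sss.so":  # forward_pass: reuse a token another module collected
        if trace["prompted_by"]:
            trace["forwarded_to_sss"] = True
        else:
            trace["prompted_by"].append("pam_sss")
        return "fail" if user in LOCAL_USERS else "success"
    return "success"  # pam_usertype.so isregular: both sample accounts are regular

def evaluate(stack_text, user):
    trace = {"prompted_by": [], "forwarded_to_sss": False, "result": "fail"}
    stack, i = parse_stack(stack_text), 0
    while i < len(stack):
        ctrl, module = stack[i]
        acts = actions_for(ctrl)
        action = acts.get(run_module(module, user, trace), acts.get("default", "ignore"))
        if action == "done":  # 'sufficient' succeeded: stop here
            trace["result"] = "success"
            break
        i += 1 + (int(action) if action.isdigit() else 0)  # 'default=1' skips one module
    return trace
```

Running `evaluate(DEBIAN_STACK, "bob")` reports that pam_unix prompted and the token was forwarded to pam_sss, whereas `evaluate(REDHAT_STACK, "bob")` shows pam_sss prompting itself with nothing forwarded.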