[Freeipa-users] Re: OTP behaviour on Debian

2021-12-14 Thread Sam Morris via FreeIPA-users
On Tue, 2021-12-14 at 10:23 +0100, Sumit Bose wrote:
> On Mon, Dec 13, 2021 at 06:14:13PM - Sam Morris via FreeIPA-users wrote:
> 
> > 
> > I've filed https://bugs.debian.org/1001644 to discuss whether pam_sss can 
> > be moved before pam_unix in the Debian packaging.
> 
> Btw, in RHEL and Fedora we use authselect
> (https://github.com/authselect/authselect) to flexibly manage the
> system's PAM configuration. Maybe this is something Debian would like to
> adopt as well.

As a user that would sure be nice. Debian has pam-auth-update which
does the same thing but doesn't really have any user-configurable
knobs. But I don't plan on carrying the torch to get pam-auth-update
adopted... :)

Regardless, I found that bumping the priority of the sss pam-auth-
update config file to a value greater than that of the unix config file
causes pam-auth-update to do the right thing and we get:

   # here are the per-package modules (the "Primary" block)
   auth [success=2 default=ignore]  pam_sss.so forward_pass
   auth [success=1 default=ignore]  pam_unix.so nullok try_first_pass
   # here's the fallback if no module succeeds

Which appears to work fine for both local and directory users on my
system.

However, I note that on Red Hat, pam_localuser is used to ensure
that local users are handled by pam_unix, and non-local users are only
handled by pam_sss. Is there any benefit to doing this, or is a config
like what I pasted above OK as well?

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: OTP behaviour on Debian

2021-12-14 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 13, 2021 at 06:14:13PM - Sam Morris via FreeIPA-users wrote:
> You're absolutely right. On Debian in /etc/pam.d/common-auth we have:
> 
> # here are the per-package modules (the "Primary" block)
> auth    [success=2 default=ignore]  pam_unix.so nullok
> auth    [success=1 default=ignore]  pam_sss.so use_first_pass
> # here's the fallback if no module succeeds
> auth    requisite                   pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required                    pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth    optional                    pam_cap.so
> # end of pam-auth-update config
> 
> A quick hack that removes pam_unix.so and removes the use_first_pass line 
> from pam_sssd.so results in the OTP prompts being produced by pam_sssd. 
> Thanks!

Hi,

glad I could help.

> 
> I've filed https://bugs.debian.org/1001644 to discuss whether pam_sss can be 
> moved before pam_unix in the Debian packaging.

Btw, in RHEL and Fedora we use authselect
(https://github.com/authselect/authselect) to flexibly manage the
system's PAM configuration. Maybe this is something Debian would like to
adopt as well.

bye,
Sumit



[Freeipa-users] Re: OTP behaviour on Debian

2021-12-13 Thread Sam Morris via FreeIPA-users
You're absolutely right. On Debian in /etc/pam.d/common-auth we have:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                    pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                    pam_cap.so
# end of pam-auth-update config

A quick hack that removes pam_unix.so and removes the use_first_pass line from 
pam_sssd.so results in the OTP prompts being produced by pam_sssd. Thanks!

I've filed https://bugs.debian.org/1001644 to discuss whether pam_sss can be 
moved before pam_unix in the Debian packaging.

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9


[Freeipa-users] Re: OTP behaviour on Debian

2021-12-13 Thread Sumit Bose via FreeIPA-users
On Mon, Dec 13, 2021 at 01:34:12PM - Sam Morris via FreeIPA-users wrote:
> I enabled OTP for my user. On RHEL and Fedora systems, I get the
> expected interactive 'first factor' followed by 'second factor'
> prompts which work fine.
> 
> On a Debian system, PAM still only gives me the single 'Password:'
> prompt and I have to enter the password + OTP at the same time.
> 
> I'm not very familiar with where I need to be looking but I guess
> starting with the version of pam_sss.so would be a good idea, I've got
> 2.6.1-1 installed. Had a quick look through sssd.conf(5), sssd-ipa(5)
> and sssd-krb5(5) and didn't see any options that seemed relevant to
> OTP processing. Before I fire a bug report off to the Debian BTS, can
> anyone suggest anything else I can check out?

Hi,

I would suggest to look at the PAM configuration. Typically with PAM you
let one module ask for the password and if it can't handle it the
password will be forwarded to the next module. The drawback is that most
modules only know about passwords and will only prompt you for a
password.

On RHEL and Fedora there are checks in the PAM configuration if the user
trying to log in is a local user from /etc/passwd and then pam_unix is
called. Otherwise pam_unix will be skipped and pam_sss will be called
directly and now pam_sss can determine with the help of SSSD how to
prompt the user.

HTH

bye,
Sumit

> 
> Thanks
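The three stack orderings discussed in this thread (the Debian default with pam_unix first, Sam's pam_sss-first variant, and a pam_localuser-gated stack like the RHEL/Fedora approach Sumit describes), modelled in an added Python example that is not from the thread, SSSD or pam-auth-update: it walks an auth stack with Linux-PAM jump semantics and records which modules run and which prompts the user sees. The user names, passwords, OTP value and prompt strings are constructed, and module behaviour is simplified: pam_sss is assumed to ask for both factors when it prompts itself, and to expect password and OTP typed as one string when handed a single token via use_first_pass.

```python
# Toy model of Linux-PAM "auth" stack evaluation (added example, simplified).
import re

LOCAL = {"alice": "pw"}              # constructed: a user from /etc/passwd
IPA = {"bob": ("pw", "123456")}      # constructed: IPA user with OTP, (password, token)
TAIL = "auth requisite pam_deny.so\nauth required pam_permit.so\n"
DEBIAN_DEFAULT = ("auth [success=2 default=ignore] pam_unix.so nullok\n"
                  "auth [success=1 default=ignore] pam_sss.so use_first_pass\n" + TAIL)
SSS_FIRST = ("auth [success=2 default=ignore] pam_sss.so forward_pass\n"
             "auth [success=1 default=ignore] pam_unix.so nullok try_first_pass\n" + TAIL)
LOCALUSER_GATED = "auth [success=1 default=ignore] pam_localuser.so\n" + SSS_FIRST

RULE = re.compile(r"\s*auth\s+(?:\[success=(\d+) default=ignore\]|requisite|required)\s+(\S+)(.*)")

def run_stack(config, user, answers):
    """Walk an auth stack with jump semantics: on success skip the next N
    rules, on failure (default=ignore) fall through. `answers` maps a prompt
    to the text typed. Returns (prompts shown, modules called, authenticated)."""
    rules = [(int(m.group(1) or 0), m.group(2), m.group(3).split())
             for m in map(RULE.match, config.splitlines()) if m]
    prompts, called, token, i = [], [], None, 0
    def ask(prompt):
        prompts.append(prompt)
        return answers.get(prompt, "")
    while i < len(rules):
        jump, mod, opts = rules[i]
        called.append(mod)
        if mod == "pam_localuser.so":        # succeeds only for /etc/passwd users
            ok = user in LOCAL
        elif mod == "pam_unix.so":           # prompts unless an earlier token can be reused
            if token is None or not any(o.endswith("first_pass") for o in opts):
                token = ask("Password:")
            ok = LOCAL.get(user) == token
        elif mod == "pam_sss.so":
            if token is not None and "use_first_pass" in opts:
                ok = user in IPA and token == "".join(IPA[user])  # password+OTP in one string
            else:                            # pam_sss prompts itself, so SSSD can ask for both factors
                first = ask("First Factor:" if user in IPA else "Password:")
                ok = user in IPA and (first, ask("Second Factor:")) == IPA[user]
                if "forward_pass" in opts:
                    token = first            # hand the password on to pam_unix
        elif mod == "pam_deny.so":
            return prompts, called, False
        else:                                # pam_permit.so
            return prompts, called, True
        i += 1 + (jump if ok else 0)
    return prompts, called, False
```

With DEBIAN_DEFAULT the OTP user only ever sees "Password:", with SSS_FIRST they get the two-factor prompts, and with LOCALUSER_GATED a local user never reaches pam_sss at all.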