Please ignore my previous email as this is insecure:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass

One does not simply have pam_unix as sufficient and expect to not get hacked

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html



Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: d...@med.cornell.edu
O: 212-746-5454
F: 212-746-8690

On Thu, Aug 25, 2016 at 5:27 PM, Douglas Duckworth <dod2...@med.cornell.edu>
wrote:

> I got this working on Centos 6 using the following for password-auth-ac /
> system-auth-ac.
>
> #%PAM-1.0
> # pam_succeed_if.so in auth MUST be sufficient
> # pam_succeed_if.so in account does not currently work with uid under 500 and pwdReset:TRUE in OpenLDAP
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        sufficient    pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> #account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     sufficient    pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     sufficient    pam_sss.so
> session     required      pam_unix.so
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Physiology and Biophysics
> Weill Cornell Medicine
> E: d...@med.cornell.edu
> O: 212-746-5454
> F: 212-746-8690
>
> On Thu, Aug 25, 2016 at 4:59 PM, Lukas Slebodnik <lsleb...@redhat.com>
> wrote:
>
>> On (25/08/16 20:44), xcor...@gmail.com wrote:
>> > I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu
>> > 12.04. I've got ppolicy working fine, for the most part, but I'm trying to
>> > set pwdReset: TRUE in LDAP to force users to change passwords and it's not
>> > having any effect. I have pwdMustChange: TRUE in the default password
>> > policy, and password prompts for expired passwords work, so I know it's
>> > not grossly misconfigured or something.
>> >
>> > I've spent a few days looking into this and from other posts and blogs
>> > it sounds like pwdReset can be handled by sssd and is somehow enforced by
>> > pam, but I'm not seeing any error messages about pam or password resets
>> > (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically
>> > wondering what are the requirements to get pwdReset functioning with sssd?
>> >
>> Ubuntu 12.04 seems to have sssd 1.8.2
>> The ppa[2] seems to have 1.11.5
>>
>> It would be good to test with more recent version of sssd.
>> You can try sssd in 16.04.
>>
>> I can confirm that "pwdReset: TRUE" works with latest sssd 1.13
>> which is in xenial(16.04)
>>
>> LS
>>
>> [1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite=precise&section=all
>> [2] https://launchpad.net/~sssd/+archive/ubuntu/updates
>> _______________________________________________
>> sssd-users mailing list
>> sssd-users@lists.fedorahosted.org
>> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
>>
>
>
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
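Added example, not from the mail thread or from the SSSD project: a small Python model of the Linux-PAM auth-phase control semantics (required, requisite, sufficient, optional, evaluated with Linux-PAM's "impression" rule) that replays the stack quoted above for a few constructed users and reports which of them get through with a wrong password. The stack text is the one from the mail; the corrected stack, the user records, the passwords and the per-module behaviour (pam_unix, pam_sss, pam_succeed_if, pam_env, pam_deny, pam_permit) are my own simplified assumptions, good enough to show control-flag logic, not real module code.

```python
"""Replay a PAM auth stack and ask: who still gets in with a wrong password?

Module behaviour below is a minimal model (an assumption for this example),
not the real modules; the control-flag evaluation follows Linux-PAM.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class User:
    name: str
    uid: int
    local_pw: Optional[str]   # what pam_unix would check; None = no local entry
    ldap_pw: Optional[str]    # what pam_sss would check; None = not in directory


@dataclass
class Entry:
    control: str
    module: str
    args: List[str] = field(default_factory=list)


# phase  control-or-[bracketed action list]  module  args...
_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text: str, phase: str = "auth") -> List[Entry]:
    """Keep the lines of one phase; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line) if line else None
        if m and m.group(1) == phase:
            entries.append(Entry(m.group(2), m.group(3), m.group(4).split()))
    return entries


_CMP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b, "!=": lambda a, b: a != b}
_FLAGS = {"quiet", "quiet_success", "quiet_fail", "debug", "use_uid"}


def succeed_if(args: List[str], user: User) -> bool:
    """Evaluate pam_succeed_if-style 'field op value' triples, e.g. 'uid >= 500'."""
    tokens = [a for a in args if a not in _FLAGS]
    for i in range(0, len(tokens), 3):
        fld, op, value = tokens[i:i + 3]
        lhs = {"uid": user.uid, "user": user.name}[fld]
        rhs = int(value) if fld == "uid" else value
        if not _CMP[op](lhs, rhs):
            return False
    return True


def run_module(e: Entry, user: User, password: str) -> bool:
    """Simplified success/failure of each module (assumption, see docstring)."""
    if e.module in ("pam_env.so", "pam_permit.so"):
        return True                      # never verifies anything, always 'ok'
    if e.module == "pam_deny.so":
        return False
    if e.module == "pam_unix.so":
        if user.local_pw is None:
            return False
        if user.local_pw == "" and "nullok" in e.args:
            return True                  # nullok: an empty local password passes
        return password == user.local_pw
    if e.module == "pam_sss.so":
        return user.ldap_pw is not None and password == user.ldap_pw
    if e.module == "pam_succeed_if.so":
        return succeed_if(e.args, user)
    raise ValueError("module not modelled: " + e.module)


def authenticate(entries: List[Entry], user: User, password: str) -> bool:
    """Linux-PAM rule: 'impression' is set by required/requisite results;
    a successful 'sufficient' ends the stack unless a required module failed;
    an undefined impression at the end means failure."""
    impression = None
    for e in entries:
        ok = run_module(e, user, password)
        if e.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False
                if e.control == "requisite":
                    return False
        elif e.control == "sufficient":
            if ok and impression is not False:
                return True
        elif e.control != "optional":
            raise ValueError("control not modelled: " + e.control)
    return impression is True


def password_bypass(stack: str, users: List[User]) -> List[str]:
    """Names of users the auth phase admits with a password that is wrong."""
    entries = parse_stack(stack)
    return [u.name for u in users if authenticate(entries, u, "not-the-password")]


# The auth lines quoted in the mail above.
INSECURE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# My corrected stack (assumption): uid >= 500 only *gates* pam_sss, it never
# grants access by itself; system accounts below 500 never reach the directory.
FIXED = INSECURE.replace("sufficient    pam_succeed_if.so", "requisite     pam_succeed_if.so")

# Constructed users: a directory user, root, and a local account with an empty password.
ALICE = User("alice", 1000, None, "s3cret")
ROOT = User("root", 0, "r00t", None)
BOB = User("bob", 1001, "", None)
USERS = [ALICE, ROOT, BOB]

if __name__ == "__main__":
    print("quoted stack admits with wrong password:", password_bypass(INSECURE, USERS))
    print("fixed stack admits with wrong password: ", password_bypass(FIXED, USERS))
```

Two things the replay makes visible. First, with `pam_succeed_if.so uid >= 500` marked `sufficient`, any user whose uid is 500 or above passes the auth phase without either pam_unix or pam_sss having checked a password; as `requisite` it only decides whether pam_sss is consulted. Second, the trailing `auth required pam_deny.so` matters: because pam_env is `required` and always succeeds, a stack in which every real check is `sufficient` and none of them succeeds still ends with a positive impression, so dropping pam_deny (as in the four-line snippet at the top of the mail) admits everyone. The `nullok` case (bob) survives the fix and is a separate decision to make deliberately.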