Closed Jnchi closed 5 years ago
/etc/pam.d/sshd
# libnss_aad does not set the user's password.
# pam_exec exports the account name as $PAM_USER; extra words on this line reach the script literally.
password required pam_exec.so quiet /usr/bin/genpasswd
/usr/bin/genpasswd
#!/bin/sh
# pam_exec supplies the target account in $PAM_USER, not as "$1".
echo "${PAM_USER:?}:$(openssl rand -base64 32)" | chpasswd
Mar 18 13:29:07 debian sshd[28360]: PAM (sshd) illegal module type: passwd
Oops, it should be password required pam_exec.so ..., not passwd
...
Mar 18 13:35:54 debian sshd[28433]: Connection from 192.168.1.120 port 52874 on 192.168.1.129 port 22
Mar 18 13:35:55 debian sshd[28438]: pam_exec(sshd:auth): execve(/usr/local/bin/gen_passwd.sh,...) failed: Permission denied
Mar 18 13:35:55 debian sshd[28437]: pam_exec(sshd:auth): /usr/local/bin/gen_passwd.sh failed: exit code 13
Mar 18 13:36:08 debian sshd[28433]: Postponed keyboard-interactive for jnchi from 192.168.1.120 port 52874 ssh2 [preauth]
Mar 18 13:36:08 debian sshd[28433]: Failed keyboard-interactive/pam for jnchi from 192.168.1.120 port 52874 ssh2
Mar 18 13:36:08 debian sshd[28446]: pam_exec(sshd:auth): execve(/usr/local/bin/gen_passwd.sh,...) failed: Permission denied
Mar 18 13:36:08 debian sshd[28445]: pam_exec(sshd:auth): /usr/local/bin/gen_passwd.sh failed: exit code 13
https://github.com/shadow-maint/shadow/blob/master/lib/exitcodes.h
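The pam_exec helper sketched at the top of the thread, written out as an added example (this is my code, not the pam_aad project's or the issue author's). It takes the account name from the PAM_USER variable that pam_exec exports into the child's environment rather than from "$1", refuses names that would change how chpasswd parses its "name:password" input, and returns an explicit status, because whatever the script exits with is what pam_exec logs as "failed: exit code N". In the log above the 13 follows an execve failure with "Permission denied": pam_exec exits the child with errno when execve fails, and EACCES is 13, so that status came from pam_exec itself and the script had not started. The use of openssl or /dev/urandom, chpasswd, and the GENPASSWD_DRYRUN switch are assumptions, marked in the comments.

```sh
#!/bin/sh
# Added example, not code from the pam_aad project or the issue author.
# pam_exec helper that sets a random local password for the account PAM is
# acting on. pam_exec hands the name over as $PAM_USER (and also exports
# $PAM_TYPE and $PAM_SERVICE); words after the script path in the pam.d line
# arrive literally, so nothing is read from "$1".
# Assumptions: openssl or /dev/urandom+od and chpasswd exist on the host;
# GENPASSWD_DRYRUN is a hypothetical switch that prints the chpasswd input
# instead of applying it, so the logic can be exercised without root.

# chpasswd reads "name:password" lines from stdin. A directory-sourced name
# containing ':' or whitespace would change what gets parsed, so accept only
# letters, digits, '.', '_', '@' and '-'; names starting with '-' are rejected
# as a conservative measure. Returns 0 when the name is acceptable.
valid_username() {
    case "$1" in
        '' | -* | *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# 32 random bytes, base64-encoded by openssl (44 characters); falls back to
# 32 bytes of /dev/urandom as hex if openssl is absent. Constructed locally.
random_password() {
    openssl rand -base64 32 2>/dev/null || od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# One chpasswd input line for the given account.
make_chpasswd_line() {
    printf '%s:%s\n' "$1" "$(random_password)"
}

# Entry point used by pam_exec. The return value becomes the exit status that
# pam_exec logs as "failed: exit code N"; any non-zero status fails the module.
genpasswd_main() {
    user="${PAM_USER:-}"
    if ! valid_username "$user"; then
        echo "genpasswd: refusing account name '$user' (PAM_TYPE=${PAM_TYPE:-unset})" >&2
        return 2
    fi
    if [ -n "${GENPASSWD_DRYRUN:-}" ]; then
        make_chpasswd_line "$user"
        return 0
    fi
    make_chpasswd_line "$user" | chpasswd
}

# pam_exec always sets PAM_USER when it runs this file; when the file is
# sourced to exercise the functions, nothing runs.
if [ -n "${PAM_USER:-}" ]; then
    genpasswd_main
    exit $?
fi
```

The script must be executable by root and owned by root for pam_exec to run it; the "Permission denied" lines in the log are the symptom of a missing execute bit or a wrong path rather than of anything chpasswd did.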
diff --git a/src/pam_aad.c b/src/pam_aad.c
index aa99cb7..f6654f0 100644
--- a/src/pam_aad.c
+++ b/src/pam_aad.c
@@ -418,3 +418,9 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
{
return PAM_SUCCESS;
}
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_SUCCESS;
+}
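Review bot: the new pam_sm_chauthtok ignores `flags` and returns PAM_SUCCESS unconditionally, so the password stack reports a successful token change on both the PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK passes while nothing is actually updated. If the module is not meant to manage passwords, return PAM_IGNORE so the remaining modules on the password stack decide (or PAM_AUTHTOK_ERR to fail explicitly), and add a one-line comment stating that the function is a deliberate no-op; as written the stub reads like unfinished work. The unused `flags`, `argc` and `argv` parameters also want `(void)` casts so the file stays clean under -Wunused-parameter.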
Mar 18 14:43:40 debian sshd[30428]: Connection from 192.168.1.125 port 62748 on 192.168.1.129 port 22
Mar 18 14:43:59 debian sshd[30428]: Postponed keyboard-interactive for jnchi from 192.168.1.125 port 62748 ssh2 [preauth]
Mar 18 14:43:59 debian sshd[30428]: Failed keyboard-interactive/pam for jnchi from 192.168.1.125 port 62748 ssh2
Mar 18 14:43:59 debian sshd[30428]: fatal: monitor_read: unpermitted request 104
http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html
The user is created on a successful directory lookup; however, a password is currently not set for the user, causing authentication to fail.
See: https://github.com/CyberNinjas/pam_aad/issues/24#issuecomment-473915933