Closed joakim-tjernlund closed 10 months ago
@joakim-tjernlund do you have something working in your local stack to include? I have no sssd anymore, so I cannot test the module.
We use this
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_sss.so forward_pass use_first_pass
#auth required pam_winbind.so use_first_pass
account sufficient pam_unix.so
account required pam_sss.so forward_pass
#account required pam_winbind.so use_first_pass
password sufficient pam_unix.so sha512 shadow
password required pam_krb5.so minimun_uid=1000
session required pam_limits.so
session required pam_mkhomedir.so umask=0077
session required pam_env.so
session required pam_unix.so
session optional pam_sss.so forward_pass
-session optional pam_elogind.so
#session optional pam_winbind.so
@joakim-tjernlund you have a typo in password section: "minimun"
I can't get it to work with faillock. The closest I got was getting a failure in pam_unix and a success in pam_sss (in the same login).
For now I ended up using Fedora's system-auth, which also has password sufficient pam_sss.so use_authtok
I need to dive a little bit deeper into this than what I have done so far...
Sure, the passwd section I haven't played much with, so I am not sure what to have there.
Actually.. I just realized I had to tweak what was in the wiki. What I have currently is (sssd-2.4.0, pambase-20201103):
auth required pam_env.so
auth sufficient pam_ssh.so try_first_pass
auth requisite pam_faillock.so preauth
auth sufficient pam_sss.so try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
-auth optional pam_cap.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_faillock.so
account optional pam_permit.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password optional pam_permit.so
session optional pam_ssh.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so
-session optional pam_elogind.so
@razamatan looks better than previous ones, but:
1.) auth sufficient pam_ssh.so try_first_pass
does the stack really hand over the password from some other module?
2.) auth sufficient pam_sss.so try_first_pass
no password processing happens here in auth
pam_ssh should probably also not be part of this; it probably works together, sure, but it's its own thing.
Yep. The ssh stuff comes in via the template if the ssh USE flag is set. Mine is, so that's why my config has it.
I use this
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_env.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so
-session optional pam_elogind.so
@razamatan looks better than previous ones, but:
1.) auth sufficient pam_ssh.so try_first_pass
does the stack really hand over the password from some other module?
2.) auth sufficient pam_sss.so try_first_pass
no password processing happens here in auth
1) Yep. I removed try_first_pass and things continued to work.
2) Can you explain where I should put pam_sss.so then? I'm not an expert in PAM. I thought sss needed to live before pam_unix to have an effect.
OK.. I answered my own question by playing around. This is my current config, which seems to be working fully:
auth required pam_env.so
auth sufficient pam_sss.so
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
-auth optional pam_cap.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_faillock.so
account optional pam_permit.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so
-session optional pam_elogind.so
sssd, https://github.com/SSSD/sssd, has a pam_sss.so module that is needed for login when sssd is used as the login service.