gentoo / pambase

[MIRROR] Base settings for PAM configuration in Gentoo
https://gitweb.gentoo.org/proj/pambase.git
MIT License

Please add pam_sss config #1

Closed joakim-tjernlund closed 10 months ago

joakim-tjernlund commented 4 years ago

sssd, https://github.com/SSSD/sssd, has a pam_sss.so module that is needed for login when using sssd as a login service

Zlogene commented 4 years ago

@joakim-tjernlund do you have something working in your local stack to include? I have no sssd anymore, so I cannot test the module

joakim-tjernlund commented 4 years ago

We use this

auth        required    pam_env.so
auth        sufficient  pam_unix.so try_first_pass likeauth nullok
auth        required    pam_sss.so forward_pass use_first_pass
#auth       required    pam_winbind.so use_first_pass

account     sufficient  pam_unix.so
account     required    pam_sss.so forward_pass
#account    required    pam_winbind.so use_first_pass

password    sufficient  pam_unix.so sha512 shadow
password    required    pam_krb5.so minimun_uid=1000

session     required    pam_limits.so
session     required    pam_mkhomedir.so umask=0077
session     required    pam_env.so
session     required    pam_unix.so
session     optional    pam_sss.so forward_pass
-session        optional        pam_elogind.so
#session    optional    pam_winbind.so

Dessa commented 4 years ago

@joakim-tjernlund you have a typo in password section: "minimun"

i can't get it to work with faillock. closest i got was getting a failure in pam_unix and a success in pam_sss (in the same login)

for now i ended up using Fedora's system-auth which also has password sufficient pam_sss.so use_authtok

i need to dive a little bit deeper into this than what i have done so far...

joakim-tjernlund commented 4 years ago

sure, I haven't played much with the passwd section, so I am not sure what to have there

razamatan commented 4 years ago

actually.. i just realized i had to tweak what was in the wiki. what i have currently is (sssd-2.4.0, pambase-20201103):

auth            required        pam_env.so
auth            sufficient      pam_ssh.so try_first_pass
auth            requisite       pam_faillock.so preauth
auth            sufficient      pam_sss.so try_first_pass
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         required        pam_unix.so 
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_sss.so use_authtok
password        optional        pam_permit.so

session         optional        pam_ssh.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so
-session        optional        pam_elogind.so

Zlogene commented 4 years ago

@razamatan looks better than the previous ones, but: 1.) auth sufficient pam_ssh.so try_first_pass: does the stack really hand over the password from some other module? 2.) auth sufficient pam_sss.so try_first_pass: no password processing happens here in auth

Dessa commented 4 years ago

pam_ssh should probably also not be part of this. it probably works together, sure, but it's its own thing.

razamatan commented 4 years ago

yep. the ssh stuff comes in via the template if the ssh use flag is set. mine is, so that's why my config has it.


alexxy commented 4 years ago

I use this

auth            required        pam_env.so 
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_sss.so use_first_pass
auth            required        pam_deny.so

account         required        pam_unix.so
account         sufficient      pam_localuser.so
account         [default=bad success=ok user_unknown=ignore] pam_sss.so
account         required        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow 
password        sufficient      pam_sss.so use_authtok
password        required        pam_deny.so

session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         optional        pam_keyinit.so revoke
session         required        pam_limits.so
session         required        pam_env.so
session         [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so
-session        optional        pam_elogind.so

razamatan commented 4 years ago

@razamatan looks better than the previous ones, but: 1.) auth sufficient pam_ssh.so try_first_pass: does the stack really hand over the password from some other module? 2.) auth sufficient pam_sss.so try_first_pass: no password processing happens here in auth

1) yep. i removed try_first_pass and things continued to work. 2) can you explain where i should put pam_sss.so then? i'm not an expert in pam. i thought sss needed to live before pam_unix to have an effect.

razamatan commented 4 years ago

ok.. answered my own question by playing around. this is my current config that seems to be working fully:

auth            required        pam_env.so
auth            sufficient      pam_sss.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so

account         required        pam_unix.so 
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required        pam_faillock.so
account         optional        pam_permit.so

password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_sss.so use_authtok
password        optional        pam_permit.so

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_sss.so
session         optional        pam_permit.so
-session        optional        pam_elogind.so
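To check how the control flags in the stacks posted in this thread actually combine (the faillock question above and the final auth section just before this), here is an added simulator that is not part of pambase or of any comment here: it parses pam.d lines, including the `[success=1 default=ignore]` bracket form, and walks one facility with the control semantics documented in pam.conf(5). The return code of each module is an assumption you supply per scenario (unlisted modules are assumed to succeed), and the embedded stack is razamatan's final auth section.

```python
import re

KEYWORDS = {  # action tables behind the keyword controls, per pam.conf(5)
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    # -> [(facility, action table, module, args)]; comments and a leading '-' are dropped
    stack = []
    for m in filter(None, map(LINE.match, (ln.split("#", 1)[0].strip() for ln in text.splitlines()))):
        facility, control, module, args = m.groups()
        actions = (dict(kv.split("=") for kv in control[1:-1].split())
                   if control.startswith("[") else KEYWORDS[control])
        stack.append((facility, actions, module, args.split()))
    return stack

def evaluate(stack, results, facility="auth"):
    # Walk one facility the way libpam's dispatcher does. `results` maps (module, first arg)
    # to the return code assumed for this login; unlisted modules are assumed to succeed.
    impression, status, i = None, "perm_denied", 0
    mods = [m for m in stack if m[0] == facility]
    while i < len(mods):
        _, actions, module, args = mods[i]
        i += 1
        rv = results.get((module, args[0] if args else ""), results.get((module, ""), "success"))
        action = actions.get(rv, actions.get("default", "bad"))
        if action in ("ok", "done") or action.isdigit():
            if impression is None:               # the first recorded result wins
                impression, status = "pos", rv
            if action == "done" and impression == "pos":
                break                            # sufficient success: decided
            i += int(action) if action.isdigit() else 0   # N: like ok, then skip N modules
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", rv
            if action == "die":
                break                            # requisite / [default=die]: stop now
    return "perm_denied" if status == "success" and impression != "pos" else status

# The final auth stack razamatan posted in this issue, verbatim
RAZAMATAN_AUTH = """\
auth            required        pam_env.so
auth            sufficient      pam_sss.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
-auth           optional        pam_cap.so"""
```

Feeding it `{("pam_sss.so", ""): "success", ("pam_faillock.so", "preauth"): "auth_err"}` returns `success`: because pam_sss is sufficient and sits before the preauth check, a correct sssd password is accepted even for an account pam_faillock would have locked, so in this ordering the tally only blocks local users.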