openSUSE Security
March 2020
Hi all,
I'm using openSUSE Leap 15.1 on a machine which was previously configured
with samba/winbind for enumeration of users from a Microsoft AD. It was
also possible for those users to log in to the machine.
After upgrades and changes to the domain controllers (Windows Server
2019), I got lots of winbind errors in the logs.
I decided to do a fresh start and use sssd instead of winbind. I
configured it using realmd (realmd join mydomain.xxx --user myadminuser),
and it worked quite well. I also configured ssh login in the following
way (/etc/pam.d):
(please forgive the strange stuff in the auth section, but after some
fighting it worked :))
sshd:
    auth requisite pam_nologin.so
    auth required pam_env.so
    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth [default=1 success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet
    auth sufficient pam_sss.so
    account requisite pam_nologin.so
    account include common-account <===== check this
    [... password, session omitted ...]
common-account:
    account required pam_unix.so try_first_pass
    account sufficient pam_sss.so forward_pass
Now I installed recent upgrades, which obviously executed pam-config. The
common-account was updated and contained only the following lines:
    account requisite pam_unix.so try_first_pass
    account sufficient pam_localuser.so
    account required pam_sss.so use_first_pass
My users could no longer log in, because the pam_unix requisite kills the
login before pam_sss is even called. I checked the source of pam-config
and it is doing exactly that:
https://github.com/SUSE/pam-config/blob/master/src/mod_pam_unix.c#L64
    case ACCOUNT:
      if (with_krb5 || with_ldap || with_lum || with_winbind || with_sss)
        fprintf (fp, "account\trequisite\tpam_unix.so\t");
      else
        fprintf (fp, "account\trequired\tpam_unix.so\t");
      break;
QUESTION: Why does pam-config use account "requisite" for pam_unix.so in
case of pam_sss presence? I'd expect "required", and that also works
if I change it manually. But unfortunately, my changes are lost every time
pam-config is run again ...
Also, pam_sss should be "sufficient" afterwards, not "required" ...
(At least that works, and while I've learned a lot about PAM during the
last days, I'm not there yet I think :)
thanks!
Markus
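
As an added illustration (not part of the original post and not pam-config code), the following Python sketch models how Linux-PAM evaluates the requisite, required and sufficient keywords over the two common-account stacks quoted above. The per-module results are constructed inputs; what pam_unix.so actually returns for an SSSD user on a given host is an assumption to verify there.

```python
# Added example: simplified model of Linux-PAM control keywords.
# Module results below are constructed inputs, not captured from a real host.

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> 'success'|'fail'|'ignore'.
    Returns (granted, modules_called)."""
    called, impression = [], None   # None=undecided, True=positive, False=negative
    for control, module in stack:
        called.append(module)
        ret = results[module]
        if ret == "ignore":
            continue
        if ret == "success":
            if impression is None:
                impression = True
            # 'sufficient' ends the stack early unless a required module failed
            if control == "sufficient" and impression:
                break
        elif control in ("required", "requisite"):
            impression = False
            if control == "requisite":
                break               # stop at once; later modules never run
        # a failing 'sufficient' or 'optional' module is ignored
    return impression is True, called

# common-account as written by pam-config (from the post)
GENERATED = [("requisite", "pam_unix.so"),
             ("sufficient", "pam_localuser.so"),
             ("required", "pam_sss.so")]
# common-account as hand-edited by the poster
HAND_EDITED = [("required", "pam_unix.so"),
               ("sufficient", "pam_sss.so")]

def domain_user(pam_unix_result):
    # Assumption: the account exists only in AD, so pam_localuser.so fails.
    return {"pam_unix.so": pam_unix_result,
            "pam_localuser.so": "fail", "pam_sss.so": "success"}

LOCAL_USER = {"pam_unix.so": "success", "pam_localuser.so": "success",
              "pam_sss.so": "fail"}

if __name__ == "__main__":
    for name, stack in (("generated", GENERATED), ("hand-edited", HAND_EDITED)):
        for unix in ("fail", "success"):
            print(name, "pam_unix=" + unix, run_stack(stack, domain_user(unix)))
    print("generated local user", run_stack(GENERATED, LOCAL_USER))
```

In this model the keyword on pam_unix.so decides whether pam_sss.so is consulted at all after a pam_unix.so failure, and the sufficient pam_localuser.so line lets local accounts pass without touching pam_sss.so.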