Bug 1195817 - Let SSSD prompt non-local users for passwords
Let SSSD prompt non-local users for passwords
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1204864
  Show dependency treegraph
 
Reported: 2015-02-24 11:16 EST by Sumit Bose
Modified: 2017-02-17 07:17 EST (History)
3 users (show)

See Also:
Fixed In Version: authconfig-6.2.10-6.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1204864 (view as bug list)
Environment:
Last Closed: 2015-04-21 15:31:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for authconfig 6.2.9 (7.02 KB, patch)
2015-03-23 12:10 EDT, Sumit Bose
no flags Details | Diff
Patch for authconfig 6.2.10 (7.02 KB, patch)
2015-03-23 12:10 EDT, Sumit Bose
no flags Details | Diff

  None (edit)
Description Sumit Bose 2015-02-24 11:16:45 EST
Description of problem:
The next version of SSSD will be able to prompt users with 2-Factor-Authentication (2FA) separately for the two factors. This way the first factor (long term password) can be used e.g. to unlock the users keyring or for offline authentication.

With the current configuration pam_unix will always prompt the user for a password. Letting SSSD ask users of 2FA again for the password will lead to a bad user experience. Letting SSSD only ask for the second factor will make it hard for applications like gdm to show specific 2FA dialogs.

It would be best if pam_unix would only ask for password for local users and let SSSD prompt SSSD users. To achieve this pam_localuser could be added to the PAM configuration like in the following example:

auth        required  pam_env.so
auth        sufficient pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient pam_sss.so forward_pass
auth        required      pam_deny.so

To allow to configure the old version without pam_localuser as well the new line should only be added if --enableforcelegacy is not set.
Comment 1 Sumit Bose 2015-02-24 11:18:10 EST
I'd be happy to help here. Please tell me if you want me to provide a patch or if I shall test patches.
Comment 2 Sumit Bose 2015-03-23 12:10:20 EDT
Created attachment 1005470 [details]
Patch for authconfig 6.2.9
Comment 3 Sumit Bose 2015-03-23 12:10:56 EDT
Created attachment 1005477 [details]
Patch for authconfig 6.2.10
Comment 4 Sumit Bose 2015-03-23 12:17:29 EDT
Please find attached a patch which adds a new option --enableSSSDAuthPrompting which adds the pam_localuser line and  changes the option of pam_sss to forward_pass in the auth section if SSSD authentication is enabled (explicit or implicit).

Since with this approach no existing behavior is changed and the new behavior must be enabled explicitly (e.g. by ipa-client-install) I would like to ask you if you can consider to include the patch in the Fedora 22 version of authconfig.
Comment 5 Fedora Update System 2015-03-30 08:06:20 EDT
authconfig-6.2.10-4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/authconfig-6.2.10-4.fc22
Comment 6 Fedora Update System 2015-04-01 21:41:55 EDT
Package authconfig-6.2.10-5.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-5.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-5.fc22
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2015-04-02 14:59:37 EDT
Package authconfig-6.2.10-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.10-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5273/authconfig-6.2.10-6.fc22
then log in and leave karma (feedback).
Comment 8 Scott Poore 2015-04-06 14:00:04 EDT
seems to be fixed:

[root@fedora1 ~]# authconfig --disablesssdauth --update
[root@fedora1 ~]# grep localuser /etc/pam.d/*
/etc/pam.d/fingerprint-auth:account     sufficient    pam_localuser.so
/etc/pam.d/fingerprint-auth-ac:account     sufficient    pam_localuser.so
/etc/pam.d/password-auth:account     sufficient    pam_localuser.so
/etc/pam.d/password-auth-ac:account     sufficient    pam_localuser.so
/etc/pam.d/smartcard-auth:account     sufficient    pam_localuser.so
/etc/pam.d/smartcard-auth-ac:account     sufficient    pam_localuser.so
/etc/pam.d/system-auth:account     sufficient    pam_localuser.so
/etc/pam.d/system-auth-ac:account     sufficient    pam_localuser.so

[root@fedora1 ~]# authconfig --enablesssdauth --update
[root@fedora1 ~]# grep localuser /etc/pam.d/*
/etc/pam.d/fingerprint-auth:account     sufficient    pam_localuser.so
/etc/pam.d/fingerprint-auth-ac:account     sufficient    pam_localuser.so
/etc/pam.d/password-auth:auth        [default=1 success=ok] pam_localuser.so
/etc/pam.d/password-auth:account     sufficient    pam_localuser.so
/etc/pam.d/password-auth-ac:auth        [default=1 success=ok] pam_localuser.so
/etc/pam.d/password-auth-ac:account     sufficient    pam_localuser.so
/etc/pam.d/smartcard-auth:account     sufficient    pam_localuser.so
/etc/pam.d/smartcard-auth-ac:account     sufficient    pam_localuser.so
/etc/pam.d/system-auth:auth        [default=1 success=ok] pam_localuser.so
/etc/pam.d/system-auth:account     sufficient    pam_localuser.so
/etc/pam.d/system-auth-ac:auth        [default=1 success=ok] pam_localuser.so
/etc/pam.d/system-auth-ac:account     sufficient    pam_localuser.so
Comment 9 Fedora Update System 2015-04-21 15:31:33 EDT
authconfig-6.2.10-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.