Bug 1204864 - Let SSSD prompt non-local users for passwords
Summary: Let SSSD prompt non-local users for passwords
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: Dalibor Pospíšil
Depends On: 1195817
Reported: 2015-03-23 16:19 UTC by Sumit Bose
Modified: 2015-11-19 12:44 UTC

Fixed In Version: authconfig-6.2.8-10.el7
Doc Type: Enhancement
Doc Text:
The authconfig utility has been modified to configure the Pluggable Authentication Module (PAM) stack differently when support for the System Security Services Daemon (SSSD) is enabled implicitly or explicitly. Previously, only the pam_unix module was set to prompt non-local users for a password, which prevented SSSD from properly prompting for two-factor authentication credentials. With this update, it is possible to update the PAM configuration with authconfig, so that only SSSD prompts non-local users for the password. This enhancement results in a better user experience with SSSD two-factor authentication.
Clone Of: 1195817
Last Closed: 2015-11-19 12:44:14 UTC
Target Upstream Version:

System: Red Hat Product Errata
ID: RHBA-2015:2403
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: authconfig bug fix and enhancement update
Last Updated: 2015-11-19 11:04:43 UTC

Description Sumit Bose 2015-03-23 16:19:03 UTC
+++ This bug was initially created as a clone of Bug #1195817 +++

Description of problem:
The next version of SSSD will be able to prompt users with 2-Factor-Authentication (2FA) separately for the two factors. This way the first factor (long term password) can be used e.g. to unlock the user's keyring or for offline authentication.

With the current configuration pam_unix will always prompt the user for a password. Letting SSSD ask users of 2FA again for the password will lead to a bad user experience. Letting SSSD only ask for the second factor will make it hard for applications like gdm to show specific 2FA dialogs.

It would be best if pam_unix would only ask for a password for local users and let SSSD prompt SSSD users. To achieve this, pam_localuser could be added to the PAM configuration like in the following example:

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

To allow configuring the old version without pam_localuser as well, the new line should only be added if --enableforcelegacy is not set.

--- Additional comment from Sumit Bose on 2015-02-24 11:18:10 EST ---

I'd be happy to help here. Please tell me if you want me to provide a patch or if I shall test patches.

--- Additional comment from Sumit Bose on 2015-03-23 12:10:20 EDT ---

--- Additional comment from Sumit Bose on 2015-03-23 12:10:56 EDT ---

--- Additional comment from Sumit Bose on 2015-03-23 12:17:29 EDT ---

Please find attached a patch which adds a new option --enableSSSDAuthPrompting which adds the pam_localuser line and changes the option of pam_sss to forward_pass in the auth section if SSSD authentication is enabled (explicit or implicit).

Since with this approach no existing behavior is changed and the new behavior must be enabled explicitly (e.g. by ipa-client-install), I would like to ask you if you could consider including the patch in the Fedora 22 version of authconfig.
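
The control flow of the auth stack proposed in the description, as an added example that is not part of the original bug report or of authconfig: a small Python model of Linux-PAM's control actions that traces which modules are invoked for a local user and for an SSSD user. The module outcomes, the two sample users and the comparison stack without the pam_localuser line are constructed assumptions.

```python
import re

# Auth stack proposed in the bug description (copied from the page).
STACK = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [default=1 success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
# Constructed comparison: the same stack without the pam_localuser line.
WITHOUT_LOCALUSER = "".join(l for l in STACK.splitlines(True) if "pam_localuser" not in l)
SSSD_USER, LOCAL_USER = {"local": False, "uid": 10001}, {"local": True, "uid": 1000}  # constructed

# Keyword controls as bracket actions (pam.conf(5)), reduced to success/default.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}

def parse(stack):
    """Return [(module, {result: action})] for each auth line."""
    found = re.findall(r"^auth\s+(\[[^\]]*\]|\S+)\s+(pam_\w+)\.so", stack, re.M)
    return [(mod, dict(kv.split("=") for kv in ctl[1:-1].split())
             if ctl.startswith("[") else KEYWORDS[ctl]) for ctl, mod in found]

def outcome(mod, user):
    """Assumed module results: correct credentials, no fingerprint enrolled."""
    ok = {"pam_env": True, "pam_fprintd": False, "pam_localuser": user["local"],
          "pam_unix": user["local"], "pam_succeed_if": user["uid"] >= 1000,
          "pam_sss": not user["local"], "pam_deny": False}[mod]
    return "success" if ok else "failure"

def run(stack, user):
    """Walk the stack; return (authenticated, modules that were invoked)."""
    rules, state, invoked, i = parse(stack), None, [], 0
    while i < len(rules):
        mod, actions = rules[i]
        invoked.append(mod)
        act = actions.get(outcome(mod, user), actions["default"])
        i += 1
        if act.isdigit():
            i += int(act)                  # jump over the next N modules
        elif act == "die" or (act == "done" and state is not False):
            return act == "done", invoked  # stack ends here: done=success, die=failure
        elif act == "bad" or (act == "ok" and state is None):
            state = act == "ok"            # a failure sticks; ok never overrides it
    return state is True, invoked
```

Comparing `run(STACK, SSSD_USER)` with `run(WITHOUT_LOCALUSER, SSSD_USER)` shows the effect of the `default=1` jump: pam_unix is invoked for the SSSD user only when the pam_localuser line is absent.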

Comment 1 Tomas Mraz 2015-07-03 09:51:51 UTC
We made this change non-optional (except it is disabled when --enablenis is present) in Fedora. I think it is fairly safe to make it non-optional in RHEL-7 as well.

Comment 4 errata-xmlrpc 2015-11-19 12:44:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

