In BZ#1749910, it was requested to enable sssd on RHCOS. We've enabled that as part of RHCOS/OCP 4.3, but there is additional work needed to configure PAM correctly.
Alex or Jakub, if you could provide what the necessary config changes would look like, we can implement them for 4.4
(In reply to Micah Abbott from comment #1)
> Alex or Jakub, if you could provide what the necessary config changes would
> look like, we can implement them for 4.4

I think you can use one of two approaches:

1) You can use the content verbatim. I would recommend just basing it on the default RHEL-8 PAM config, for the sake of having the same stack in RHCOS/FCOS and RHEL; then it would be easier to debug and you would get the same benefits as a side effect, e.g. if someone wants to use smart cards for login as a user to the CoreOS host, they would already have the PAM stack set up to do that. I'm not sure that's a valid use case, though.

2) You could use the authconfig tool to generate the PAM stack. On RHEL-8, the files are not usual files provided directly by the PAM RPM, but rather symlinks to files generated by authconfig. I'm not sure if running authconfig either during first boot or during image creation or whatnot (sorry, my lack of knowledge about RHCOS is showing here..) is possible, but the benefit you'd get by using the generated content is that if authconfig ever changes the stack it generates, you'd get the changes to CoreOS as well.

HTH
Thanks for the input, Jakub. We want to stay as close to RHEL as possible, so I would opt for the RHEL-8 PAM config option. My next question is which package provides that config, so we can include it as part of RHCOS?
(In reply to Micah Abbott from comment #3)
> Thanks for the input, Jakub.
>
> We want to stay as close to RHEL as possible, so I would opt for the RHEL-8
> PAM config option. My next question is which package provides that config,
> so we can include it as part of RHCOS?

So that's the catch. There's no package that contains the "rendered" PAM config as RHEL uses it. There is a tool called authconfig that is able to render the PAM config based on provided command line options. By default (= you run authconfig with no additional flags), it would generate what RHEL uses in the default installation. Normally, authconfig is run either from Anaconda or from the kickstart.

That's why I said earlier that it might be useful to run authconfig as part of either COS image generation or somehow as part of Ignition.
(In reply to Jakub Hrozek from comment #4)
> So that's the catch. There's no package that contains the "rendered" PAM
> config as RHEL uses it. There is a tool called authconfig that is able to
> render the PAM config based on provided command line options. By default
> (= you run authconfig with no additional flags), it would generate what RHEL
> uses in the default installation. Normally, authconfig is run either from
> Anaconda or from the kickstart.
>
> That's why I said earlier that it might be useful to run authconfig as part
> of either COS image generation or somehow as part of Ignition.

Ah! OK, I didn't read carefully enough. We should be able to handle that. Thanks again, Jakub!
This landed in RHCOS 44.81.202002121933-0
Verified on RHCOS 44.81.202002121933-0

[core@localhost pam.d]$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
* ostree://d38a384545e042381767614ad6bfa5439641266005debc54acd201ef86e75f1c
                   Version: 44.81.202002121933-0 (2020-02-12T19:38:37Z)

[core@localhost ~]$ cd /etc/pam.d/
[core@localhost pam.d]$ ls
config-util       password-auth  runuser-l         su-l         vlock
fingerprint-auth  polkit-1       smartcard-auth    sudo         vmtoolsd
login             postlogin      sshd              sudo-i
other             remote         sssd-shadowutils  system-auth
passwd            runuser        su                systemd-user

[core@localhost pam.d]$ cat system-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[core@localhost pam.d]$ cat password-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

[core@localhost pam.d]$ cat smartcard-auth
[core@localhost pam.d]$ cat fingerprint-auth
[core@localhost pam.d]$ cat postlogin
session     optional      pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed

[core@localhost pam.d]$ cat /etc/nsswitch.conf
# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
#
# Note that your changes may not be applied as they may be
# overwritten by selected profile. Maps set in the authselect
# profile takes always precedence and overwrites the same maps
# set in the user file. Only maps that are not set by the profile
# are applied from the user file.
#
# For example, if the profile sets:
#     passwd: sss files
# and /etc/authselect/user-nsswitch.conf contains:
#     passwd: files
#     hosts: files dns
# the resulting generated nsswitch.conf will be:
#     passwd: sss files  # from profile
#     hosts: files dns   # from user file

passwd:     sss files altfiles systemd
group:      sss files altfiles systemd
netgroup:   sss files
automount:  sss files
services:   sss files

# Included from /etc/authselect/user-nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files in /etc
#       db                      Use the pre-processed /var/db files
#       compat                  Use /etc files plus *_compat pseudo-databases
#       hesiod                  Use Hesiod (DNS) for user lookups
#       sss                     Use sssd (System Security Services Daemon)
#       [NOTFOUND=return]       Stop searching if not found so far
#
# 'sssd' performs its own 'files'-based caching, so it should
# generally come before 'files'.

# To use 'db', install the nss_db package, and put the 'db' in front
# of 'files' for entries you want to be looked up first in the
# databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

shadow:     files sss
hosts:      files dns myhostname
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
publickey:  files
aliases:    files
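The verification above was done by eye. As an added example (not part of this bug report, and not code from RHCOS, authconfig or authselect), the script below parses the system-auth and nsswitch.conf content shown in the comment above and checks what a reviewer would look for when confirming sssd is wired in: pam_sss.so present in all four PAM stacks, consulted after pam_unix.so as in the RHEL-8 layout, auth and password stacks ending in the explicit pam_deny.so, and `sss` listed before `files` for the passwd and group maps. The sample strings are constructed from the output in the comment; the ordering rules are this example's own heuristics, not a check the tooling performs.

```python
"""Sanity-check a rendered PAM stack and nsswitch.conf for sssd wiring (added example)."""
import re
from collections import defaultdict

# Constructed sample: the /etc/pam.d/system-auth content from the verification comment above.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""

# Constructed sample: the profile-generated maps from the nsswitch.conf above.
NSSWITCH = """\
passwd:     sss files altfiles systemd
group:      sss files altfiles systemd
netgroup:   sss files
shadow:     files sss
hosts:      files dns myhostname
"""

# Fields: optional '-', type, control (a word or a [bracketed] expression), module, arguments.
PAM_LINE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return {stack_type: [entry, ...]} in file order; raises on a line it cannot parse."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        dash, stype, control, module, args = m.groups()
        stacks[stype].append({
            "control": control,
            "module": module,
            "args": args.split(),
            # A leading '-' tells PAM not to log an error if the module file is absent.
            "quiet_if_missing": dash == "-",
        })
    return dict(stacks)


def check_sssd_wiring(stacks):
    """Return findings as strings; an empty list means sssd is wired into every stack."""
    findings = []
    for stype in ("auth", "account", "password", "session"):
        modules = [e["module"] for e in stacks.get(stype, [])]
        if "pam_sss.so" not in modules:
            findings.append(f"{stype}: pam_sss.so missing")
            continue
        # Heuristic: the RHEL-8 layout consults local users (pam_unix) before sssd.
        if "pam_unix.so" in modules and modules.index("pam_sss.so") < modules.index("pam_unix.so"):
            findings.append(f"{stype}: pam_sss.so ordered before pam_unix.so")
    for stype in ("auth", "password"):
        entries = stacks.get(stype, [])
        if not entries or entries[-1]["module"] != "pam_deny.so":
            findings.append(f"{stype}: stack does not end with the explicit pam_deny.so")
    return findings


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf-style lines."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        maps[db.strip()] = sources.split()
    return maps


def check_nss_order(maps, databases=("passwd", "group")):
    """Report databases where 'sss' is absent or listed after 'files'."""
    findings = []
    for db in databases:
        sources = maps.get(db, [])
        if "sss" not in sources:
            findings.append(f"{db}: sss not listed")
        elif "files" in sources and sources.index("sss") > sources.index("files"):
            findings.append(f"{db}: sss listed after files")
    return findings


if __name__ == "__main__":
    problems = check_sssd_wiring(parse_pam(SYSTEM_AUTH)) + check_nss_order(parse_nsswitch(NSSWITCH))
    print("OK" if not problems else "\n".join(problems))
```

On a real host the same functions can be fed `open("/etc/pam.d/system-auth").read()` and `open("/etc/nsswitch.conf").read()`; the page's own output should produce no findings, while a build that dropped the pam_sss.so lines would be reported in all four stacks.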
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581