different security policy for login(password+otp) and screenlock (password only) for workstation

AD Trust and ipa cli/Web UI

SSH problems in cross-forest trust

Jelle de Jong

Monday, 18 March 2019 Mon, 18 Mar '19

10:37 a.m.

Hello everybody, I am looking for a way to have different authentication policy for a freeia-client logout and screenlock on linux workstations. When a user logs in I want to use my password+otp (this is working)! When a user locks it screen I want to be able unlock it with only the password. When a user logs out and back in then it needs to use the password+otp again. I am aware of the security implications for this. How can I configure this policy? Kind regards, Jelle de Jong

Show replies by date

Alexander Bokovoy

Monday, 18 March Mon, 18 Mar

11:14 a.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote:

...

I don't think there is a way to deploy such policy through SSSD at all. Jakub, do you have an idea how to make that possible? -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Sumit Bose

12:22 p.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy via FreeIPA-users wrote:

...

On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: > Hello everybody, > > > I am looking for a way to have different authentication policy for a > freeia-client logout and screenlock on linux workstations. > > When a user logs in I want to use my password+otp (this is working)! > > When a user locks it screen I want to be able unlock it with only the > password. > > When a user logs out and back in then it needs to use the password+otp > again. > > I am aware of the security implications for this. > > How can I configure this policy? I don't think there is a way to deploy such policy through SSSD at all.

Currently this is not possible, one problem already is that gdm at login and the Gnome screen lock use the same pam service (gdm-password). So at least for the default RHEL/Fedora desktop pam_sss.so has to detect in what kind of process it is running and send this information besides the PAM service to SSSD. This might be a little bit easier if other screen savers are used but I think a solution should covers the default desktop. The configurable prompting I'm working on (WIP design page at https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38... comments and suggestions welcome) might help a bit, but as said login and screen saver must use different PAM services to make it work. HTH bye, Sumit > > Jakub, do you have an idea how to make that possible? > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Jakub Hrozek

2:44 p.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:

...

Currently I can't think of anything clean either. Is the lock screen and the login manager the same PAM service? If they are different, maybe some hack like letting pam_unix to always read the password and then just pass it on to pam_sss would work.. But I know Sumit is working on improving the 2FA prompting lately, so maybe this will be improved in the upcoming release.

Jelle de Jong

Tuesday, 19 March Tue, 19 Mar

1:16 p.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

Hello everybody, Thank you all for replying. On 18/03/2019 20:44, Jakub Hrozek wrote:

...

On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote: > On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: >> Hello everybody, >> >> >> I am looking for a way to have different authentication policy for a >> freeia-client logout and screenlock on linux workstations. >> >> When a user logs in I want to use my password+otp (this is working)! >> >> When a user locks it screen I want to be able unlock it with only the >> password. >> >> When a user logs out and back in then it needs to use the password+otp >> again. >> >> I am aware of the security implications for this. >> >> How can I configure this policy? > I don't think there is a way to deploy such policy through SSSD at all. > > Jakub, do you have an idea how to make that possible? Currently I can't think of anything clean either. Is the lock screen and the login manager the same PAM service? If they are different, maybe some hack like letting pam_unix to always read the password and then just pass it on to pam_sss would work.. But I know Sumit is working on improving the 2FA prompting lately, so maybe this will be improved in the upcoming release.

I seem to have mate-screensaver, lightdm and xrdp-sesman. Will that be enough to hook a custom pam rule together for mate-screensaver? If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa? Also for laptop systems in offline disable_preauth forward_pass Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong cat /etc/pam.d/mate-screensaver @include common-auth auth optional pam_gnome_keyring.so cat /etc/pam.d/common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_sss.so use_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so # end of pam-auth-update config sssd 1.16.1-1ubuntu1.1 root@workstation01:~# ls -hal /etc/pam.d/ total 136K drwxr-xr-x 2 root root 4,0K Mar 15 11:35 . drwxr-xr-x 161 root root 12K Mar 19 18:22 .. -rw-r--r-- 1 root root 384 Jan 25 2018 chfn -rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd -rw-r--r-- 1 root root 581 Jan 25 2018 chsh -rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account -rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session -rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive -rw-r--r-- 1 root root 606 Nov 16 2017 cron -rw-r--r-- 1 root root 69 Mar 27 2018 cups -rw-r--r-- 1 root root 884 Mar 22 2018 lightdm -rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin -rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter -rw-r--r-- 1 root root 4,9K Jan 25 2018 login -rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver -rw-r--r-- 1 root root 92 Jan 25 2018 newusers -rw-r--r-- 1 root root 520 Apr 4 2018 other -rw-r--r-- 1 root root 92 Jan 25 2018 passwd -rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1 -rw-r--r-- 1 root root 168 Feb 26 2018 ppp -rw-r--r-- 1 root root 143 Feb 14 2018 runuser -rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l -rw-r--r-- 1 root root 84 Nov 8 19:09 samba -rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd -rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils -rw-r--r-- 1 root root 2,3K Jan 25 2018 su -rw-r--r-- 1 root root 239 Jan 18 2018 sudo -rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user -rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman Thank you in advance! Kind regards, Jelle de Jong

Jelle de Jong

Thursday, 21 March Thu, 21 Mar

11:29 a.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

Community question, as I am trying to think of solutions and can use some advice. On 19/03/2019 19:16, Jelle de Jong wrote:

...

On 18/03/2019 20:44, Jakub Hrozek wrote: > On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote: >> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: >>> Hello everybody, >>> >>> I am looking for a way to have different authentication policy for a >>> freeia-client logout and screenlock on linux workstations. >>> >>> When a user logs in I want to use my password+otp (this is working)! >>> >>> When a user locks it screen I want to be able unlock it with only the >>> password. >>> >>> When a user logs out and back in then it needs to use the password+otp >>> again. >>> >>> I am aware of the security implications for this. >>> >>> How can I configure this policy? >> I don't think there is a way to deploy such policy through SSSD at all. >> >> Jakub, do you have an idea how to make that possible? > > Currently I can't think of anything clean either. Is the lock screen > and the > login manager the same PAM service? If they are different, maybe some > hack like letting pam_unix to always read the password and then just > pass it on to pam_sss would work.. > > But I know Sumit is working on improving the 2FA prompting lately, so > maybe this will be improved in the upcoming release. I seem to have mate-screensaver, lightdm and xrdp-sesman. Will that be enough to hook a custom pam rule together for mate-screensaver? If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa? Also for laptop systems in offline disable_preauth forward_pass

I need 2FA with SAML2 for web applications and 2FA for new logins on the linux workstations, my customer does not want to use 2FA for screenlocks.... How long and what will it take to have sssd have this possibility supported? I need to have a different policy for screensaver or different technology stack... or different customer... Would it be possible to have 2FA from IPA turned off for specific ipa clients (desktop workstations) while the ipa user does have OTP configured to be used by Ipsilon to provide 2FA for web application. Otherwise would an keycloak or privacyidea soluton be possible for the 2FA part with freeipa backend and ipa-client workstations but with freeipa otp turned off and have this part taken over by keycloak or privacyidea, simpleSAMLphp? It is not clear from the keycloak documentation that if I use federated sssd the 2FA is taken from freeipa or handled by keycloak itself? https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sss... Thank you in advance! Kind regards, Jelle de Jong

Charles Hedrick

Tuesday, 26 March Tue, 26 Mar

12:04 p.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP. Here’s the default in password-auth and system-auth for Centos 7 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g. auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman. auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test.

...

On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: Hello everybody, Thank you all for replying. On 18/03/2019 20:44, Jakub Hrozek wrote: > On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote: >> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: >>> Hello everybody, >>> >>> >>> I am looking for a way to have different authentication policy for a >>> freeia-client logout and screenlock on linux workstations. >>> >>> When a user logs in I want to use my password+otp (this is working)! >>> >>> When a user locks it screen I want to be able unlock it with only the >>> password. >>> >>> When a user logs out and back in then it needs to use the password+otp >>> again. >>> >>> I am aware of the security implications for this. >>> >>> How can I configure this policy? >> I don't think there is a way to deploy such policy through SSSD at all. >> >> Jakub, do you have an idea how to make that possible? > Currently I can't think of anything clean either. Is the lock screen and the > login manager the same PAM service? If they are different, maybe some > hack like letting pam_unix to always read the password and then just > pass it on to pam_sss would work.. > But I know Sumit is working on improving the 2FA prompting lately, so > maybe this will be improved in the upcoming release. I seem to have mate-screensaver, lightdm and xrdp-sesman. Will that be enough to hook a custom pam rule together for mate-screensaver? If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa? Also for laptop systems in offline disable_preauth forward_pass Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong cat /etc/pam.d/mate-screensaver @include common-auth auth optional pam_gnome_keyring.so cat /etc/pam.d/common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_sss.so use_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so # end of pam-auth-update config sssd 1.16.1-1ubuntu1.1 root@workstation01:~# ls -hal /etc/pam.d/ total 136K drwxr-xr-x 2 root root 4,0K Mar 15 11:35 . drwxr-xr-x 161 root root 12K Mar 19 18:22 .. -rw-r--r-- 1 root root 384 Jan 25 2018 chfn -rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd -rw-r--r-- 1 root root 581 Jan 25 2018 chsh -rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account -rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session -rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive -rw-r--r-- 1 root root 606 Nov 16 2017 cron -rw-r--r-- 1 root root 69 Mar 27 2018 cups -rw-r--r-- 1 root root 884 Mar 22 2018 lightdm -rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin -rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter -rw-r--r-- 1 root root 4,9K Jan 25 2018 login -rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver -rw-r--r-- 1 root root 92 Jan 25 2018 newusers -rw-r--r-- 1 root root 520 Apr 4 2018 other -rw-r--r-- 1 root root 92 Jan 25 2018 passwd -rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1 -rw-r--r-- 1 root root 168 Feb 26 2018 ppp -rw-r--r-- 1 root root 143 Feb 14 2018 runuser -rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l -rw-r--r-- 1 root root 84 Nov 8 19:09 samba -rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd -rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils -rw-r--r-- 1 root root 2,3K Jan 25 2018 su -rw-r--r-- 1 root root 239 Jan 18 2018 sudo -rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user -rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman Thank you in advance! Kind regards, Jelle de Jong _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Jelle de Jong

4:17 p.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

Thank you Charles, I do not have local user accounts, will pam_unix use then? I thought it has to go through sss.so? I will give it a try! Kind regards, Jelle de Jong On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote: > Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP. > > Here’s the default in password-auth and system-auth for Centos 7 > > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet > auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so forward_pass > > This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. > You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g. > > auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman. > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet > auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so forward_pass > > The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test. > >> On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: >> >> Hello everybody, >> >> Thank you all for replying. >> >> On 18/03/2019 20:44, Jakub Hrozek wrote: >>> On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote: >>>> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: >>>>> Hello everybody, >>>>> >>>>> >>>>> I am looking for a way to have different authentication policy for a >>>>> freeia-client logout and screenlock on linux workstations. >>>>> >>>>> When a user logs in I want to use my password+otp (this is working)! >>>>> >>>>> When a user locks it screen I want to be able unlock it with only the >>>>> password. >>>>> >>>>> When a user logs out and back in then it needs to use the password+otp >>>>> again. >>>>> >>>>> I am aware of the security implications for this. >>>>> >>>>> How can I configure this policy? >>>> I don't think there is a way to deploy such policy through SSSD at all. >>>> >>>> Jakub, do you have an idea how to make that possible? >>> Currently I can't think of anything clean either. Is the lock screen and the >>> login manager the same PAM service? If they are different, maybe some >>> hack like letting pam_unix to always read the password and then just >>> pass it on to pam_sss would work.. >>> But I know Sumit is working on improving the 2FA prompting lately, so >>> maybe this will be improved in the upcoming release. >> >> I seem to have mate-screensaver, lightdm and xrdp-sesman. >> >> Will that be enough to hook a custom pam rule together for mate-screensaver? >> >> If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa? >> >> Also for laptop systems in offline >> >> disable_preauth >> forward_pass >> >> Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong >> >> Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong >> >> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong >> >> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong >> >> Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong >> >> Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong >> >> cat /etc/pam.d/mate-screensaver >> @include common-auth >> auth optional pam_gnome_keyring.so >> >> cat /etc/pam.d/common-auth >> # >> # /etc/pam.d/common-auth - authentication settings common to all services >> # >> # This file is included from other service-specific PAM config files, >> # and should contain a list of the authentication modules that define >> # the central authentication scheme for use on the system >> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the >> # traditional Unix authentication mechanisms. >> # >> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. >> # To take advantage of this, it is recommended that you configure any >> # local modules either before or after the default block, and use >> # pam-auth-update to manage selection of other modules. See >> # pam-auth-update(8) for details. >> >> # here are the per-package modules (the "Primary" block) >> auth [success=2 default=ignore] pam_unix.so nullok_secure >> auth [success=1 default=ignore] pam_sss.so use_first_pass >> # here's the fallback if no module succeeds >> auth requisite pam_deny.so >> # prime the stack with a positive return value if there isn't one already; >> # this avoids us returning an error just because nothing sets a success code >> # since the modules above will each just jump around >> auth required pam_permit.so >> # and here are more per-package modules (the "Additional" block) >> auth optional pam_ecryptfs.so unwrap >> auth optional pam_cap.so >> # end of pam-auth-update config >> >> sssd 1.16.1-1ubuntu1.1 >> >> root@workstation01:~# ls -hal /etc/pam.d/ >> total 136K >> drwxr-xr-x 2 root root 4,0K Mar 15 11:35 . >> drwxr-xr-x 161 root root 12K Mar 19 18:22 .. >> -rw-r--r-- 1 root root 384 Jan 25 2018 chfn >> -rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd >> -rw-r--r-- 1 root root 581 Jan 25 2018 chsh >> -rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account >> -rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth >> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password >> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session >> -rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive >> -rw-r--r-- 1 root root 606 Nov 16 2017 cron >> -rw-r--r-- 1 root root 69 Mar 27 2018 cups >> -rw-r--r-- 1 root root 884 Mar 22 2018 lightdm >> -rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin >> -rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter >> -rw-r--r-- 1 root root 4,9K Jan 25 2018 login >> -rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver >> -rw-r--r-- 1 root root 92 Jan 25 2018 newusers >> -rw-r--r-- 1 root root 520 Apr 4 2018 other >> -rw-r--r-- 1 root root 92 Jan 25 2018 passwd >> -rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1 >> -rw-r--r-- 1 root root 168 Feb 26 2018 ppp >> -rw-r--r-- 1 root root 143 Feb 14 2018 runuser >> -rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l >> -rw-r--r-- 1 root root 84 Nov 8 19:09 samba >> -rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd >> -rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils >> -rw-r--r-- 1 root root 2,3K Jan 25 2018 su >> -rw-r--r-- 1 root root 239 Jan 18 2018 sudo >> -rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user >> -rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman >> >> Thank you in advance! >> >> Kind regards, >> >> Jelle de Jong >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

Jelle de Jong

Friday, 29 March Fri, 29 Mar

7:28 a.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

Hello everybody, I tried the bellow configuration, but I can still only authorize with pass+otp. I assume pam_unix.so only works for local users? I only have sssd freeipa users. Is there a way to tell pam_sss.so to only use the password if --user-auth-type=otp is set? /etc/pam.d/common-auth auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid

...

= 1000 quiet

auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so Mar 29 13:19:01 workstation01 mate-screensaver-dialog: pam_succeed_if(mate-screensaver:auth): requirement "service in mate-screensaver:lightdm:xrdp-sesman" was met by user "jdejong" Mar 29 13:19:49 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong Mar 29 13:19:50 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong Kind regards, Jelle de Jong On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote: > Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP. > > Here’s the default in password-auth and system-auth for Centos 7 > > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid

...

= 1000 quiet

> auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so forward_pass > > This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. > You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g. > > auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman. > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid

...

= 1000 quiet

> auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so forward_pass > > The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test. > >> On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: >> >> Hello everybody, >> >> Thank you all for replying. >> >> On 18/03/2019 20:44, Jakub Hrozek wrote: >>> On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote: >>>> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: >>>>> Hello everybody, >>>>> >>>>> >>>>> I am looking for a way to have different authentication policy for a >>>>> freeia-client logout and screenlock on linux workstations. >>>>> >>>>> When a user logs in I want to use my password+otp (this is working)! >>>>> >>>>> When a user locks it screen I want to be able unlock it with only the >>>>> password. >>>>> >>>>> When a user logs out and back in then it needs to use the password+otp >>>>> again. >>>>> >>>>> I am aware of the security implications for this. >>>>> >>>>> How can I configure this policy? >>>> I don't think there is a way to deploy such policy through SSSD at all. >>>> >>>> Jakub, do you have an idea how to make that possible? >>> Currently I can't think of anything clean either. Is the lock screen and the >>> login manager the same PAM service? If they are different, maybe some >>> hack like letting pam_unix to always read the password and then just >>> pass it on to pam_sss would work.. >>> But I know Sumit is working on improving the 2FA prompting lately, so >>> maybe this will be improved in the upcoming release. >> >> I seem to have mate-screensaver, lightdm and xrdp-sesman. >> >> Will that be enough to hook a custom pam rule together for mate-screensaver? >> >> If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa? >> >> Also for laptop systems in offline >> >> disable_preauth >> forward_pass >> >> Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong >> >> Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong >> >> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong >> >> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong >> >> Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong >> >> Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong >> >> cat /etc/pam.d/mate-screensaver >> @include common-auth >> auth optional pam_gnome_keyring.so >> >> cat /etc/pam.d/common-auth >> # >> # /etc/pam.d/common-auth - authentication settings common to all services >> # >> # This file is included from other service-specific PAM config files, >> # and should contain a list of the authentication modules that define >> # the central authentication scheme for use on the system >> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the >> # traditional Unix authentication mechanisms. >> # >> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. >> # To take advantage of this, it is recommended that you configure any >> # local modules either before or after the default block, and use >> # pam-auth-update to manage selection of other modules. See >> # pam-auth-update(8) for details. >> >> # here are the per-package modules (the "Primary" block) >> auth [success=2 default=ignore] pam_unix.so nullok_secure >> auth [success=1 default=ignore] pam_sss.so use_first_pass >> # here's the fallback if no module succeeds >> auth requisite pam_deny.so >> # prime the stack with a positive return value if there isn't one already; >> # this avoids us returning an error just because nothing sets a success code >> # since the modules above will each just jump around >> auth required pam_permit.so >> # and here are more per-package modules (the "Additional" block) >> auth optional pam_ecryptfs.so unwrap >> auth optional pam_cap.so >> # end of pam-auth-update config >> >> sssd 1.16.1-1ubuntu1.1 >> >> root@workstation01:~# ls -hal /etc/pam.d/ >> total 136K >> drwxr-xr-x 2 root root 4,0K Mar 15 11:35 . >> drwxr-xr-x 161 root root 12K Mar 19 18:22 .. >> -rw-r--r-- 1 root root 384 Jan 25 2018 chfn >> -rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd >> -rw-r--r-- 1 root root 581 Jan 25 2018 chsh >> -rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account >> -rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth >> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password >> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session >> -rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive >> -rw-r--r-- 1 root root 606 Nov 16 2017 cron >> -rw-r--r-- 1 root root 69 Mar 27 2018 cups >> -rw-r--r-- 1 root root 884 Mar 22 2018 lightdm >> -rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin >> -rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter >> -rw-r--r-- 1 root root 4,9K Jan 25 2018 login >> -rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver >> -rw-r--r-- 1 root root 92 Jan 25 2018 newusers >> -rw-r--r-- 1 root root 520 Apr 4 2018 other >> -rw-r--r-- 1 root root 92 Jan 25 2018 passwd >> -rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1 >> -rw-r--r-- 1 root root 168 Feb 26 2018 ppp >> -rw-r--r-- 1 root root 143 Feb 14 2018 runuser >> -rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l >> -rw-r--r-- 1 root root 84 Nov 8 19:09 samba >> -rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd >> -rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils >> -rw-r--r-- 1 root root 2,3K Jan 25 2018 su >> -rw-r--r-- 1 root root 239 Jan 18 2018 sudo >> -rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user >> -rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman >> >> Thank you in advance! >> >> Kind regards, >> >> Jelle de Jong >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >

Charles Hedrick

Tuesday, 9 April Tue, 9 Apr

9:52 a.m.

New subject: different security policy for login(password+otp) and screenlock (password only) for workstation

The purpose of suggesting pam_unix was to get a single prompt. I didn’t expect pam_unix to actually authenticate your users. I thought you had an issue with OTPs. In the newest RH/Centos, the normal pam file will prompt separately for password and OTP token. THat’s fine its ssh, but many web apps don’t have the ability to prompt separately, and thus will fail. If you set up pam to use pam_unix all the time you’ll get a single prompt, which will expect password and OTP key to be on the same line. That will work with web apps. Obviously pam_unix won’t understand those password, but it will sad the password on the stack, and pam_sss will use it.

...

On Mar 29, 2019, at 8:28 AM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: Hello everybody, I tried the bellow configuration, but I can still only authorize with pass+otp. I assume pam_unix.so only works for local users? I only have sssd freeipa users. Is there a way to tell pam_sss.so to only use the password if --user-auth-type=otp is set? /etc/pam.d/common-auth auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth requisite pam_deny.so auth required pam_permit.so auth optional pam_ecryptfs.so unwrap auth optional pam_cap.so Mar 29 13:19:01 workstation01 mate-screensaver-dialog: pam_succeed_if(mate-screensaver:auth): requirement "service in mate-screensaver:lightdm:xrdp-sesman" was met by user "jdejong" Mar 29 13:19:49 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong Mar 29 13:19:50 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong Kind regards, Jelle de Jong On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote: > Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP. > Here’s the default in password-auth and system-auth for Centos 7 > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet > auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so forward_pass > This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. > You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g. > auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman. > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet > auth [default=1 ignore=ignore success=ok] pam_localuser.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 1000 quiet_success > auth sufficient pam_sss.so forward_pass > The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test. >> On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: >> >> Hello everybody, >> >> Thank you all for replying. >> >> On 18/03/2019 20:44, Jakub Hrozek wrote: >>> On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote: >>>> On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote: >>>>> Hello everybody, >>>>> >>>>> >>>>> I am looking for a way to have different authentication policy for a >>>>> freeia-client logout and screenlock on linux workstations. >>>>> >>>>> When a user logs in I want to use my password+otp (this is working)! >>>>> >>>>> When a user locks it screen I want to be able unlock it with only the >>>>> password. >>>>> >>>>> When a user logs out and back in then it needs to use the password+otp >>>>> again. >>>>> >>>>> I am aware of the security implications for this. >>>>> >>>>> How can I configure this policy? >>>> I don't think there is a way to deploy such policy through SSSD at all. >>>> >>>> Jakub, do you have an idea how to make that possible? >>> Currently I can't think of anything clean either. Is the lock screen and the >>> login manager the same PAM service? If they are different, maybe some >>> hack like letting pam_unix to always read the password and then just >>> pass it on to pam_sss would work.. >>> But I know Sumit is working on improving the 2FA prompting lately, so >>> maybe this will be improved in the upcoming release. >> >> I seem to have mate-screensaver, lightdm and xrdp-sesman. >> >> Will that be enough to hook a custom pam rule together for mate-screensaver? >> >> If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa? >> >> Also for laptop systems in offline >> >> disable_preauth >> forward_pass >> >> Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong >> >> Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong >> >> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong >> >> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong >> >> Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong >> >> Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong >> >> cat /etc/pam.d/mate-screensaver >> @include common-auth >> auth optional pam_gnome_keyring.so >> >> cat /etc/pam.d/common-auth >> # >> # /etc/pam.d/common-auth - authentication settings common to all services >> # >> # This file is included from other service-specific PAM config files, >> # and should contain a list of the authentication modules that define >> # the central authentication scheme for use on the system >> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the >> # traditional Unix authentication mechanisms. >> # >> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. >> # To take advantage of this, it is recommended that you configure any >> # local modules either before or after the default block, and use >> # pam-auth-update to manage selection of other modules. See >> # pam-auth-update(8) for details. >> >> # here are the per-package modules (the "Primary" block) >> auth [success=2 default=ignore] pam_unix.so nullok_secure >> auth [success=1 default=ignore] pam_sss.so use_first_pass >> # here's the fallback if no module succeeds >> auth requisite pam_deny.so >> # prime the stack with a positive return value if there isn't one already; >> # this avoids us returning an error just because nothing sets a success code >> # since the modules above will each just jump around >> auth required pam_permit.so >> # and here are more per-package modules (the "Additional" block) >> auth optional pam_ecryptfs.so unwrap >> auth optional pam_cap.so >> # end of pam-auth-update config >> >> sssd 1.16.1-1ubuntu1.1 >> >> root@workstation01:~# ls -hal /etc/pam.d/ >> total 136K >> drwxr-xr-x 2 root root 4,0K Mar 15 11:35 . >> drwxr-xr-x 161 root root 12K Mar 19 18:22 .. >> -rw-r--r-- 1 root root 384 Jan 25 2018 chfn >> -rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd >> -rw-r--r-- 1 root root 581 Jan 25 2018 chsh >> -rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account >> -rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth >> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password >> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session >> -rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive >> -rw-r--r-- 1 root root 606 Nov 16 2017 cron >> -rw-r--r-- 1 root root 69 Mar 27 2018 cups >> -rw-r--r-- 1 root root 884 Mar 22 2018 lightdm >> -rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin >> -rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter >> -rw-r--r-- 1 root root 4,9K Jan 25 2018 login >> -rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver >> -rw-r--r-- 1 root root 92 Jan 25 2018 newusers >> -rw-r--r-- 1 root root 520 Apr 4 2018 other >> -rw-r--r-- 1 root root 92 Jan 25 2018 passwd >> -rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1 >> -rw-r--r-- 1 root root 168 Feb 26 2018 ppp >> -rw-r--r-- 1 root root 143 Feb 14 2018 runuser >> -rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l >> -rw-r--r-- 1 root root 84 Nov 8 19:09 samba >> -rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd >> -rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils >> -rw-r--r-- 1 root root 2,3K Jan 25 2018 su >> -rw-r--r-- 1 root root 239 Jan 18 2018 sudo >> -rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user >> -rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman >> >> Thank you in advance! >> >> Kind regards, >> >> Jelle de Jong >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

1837

days inactive

1859

days old

freeipa-users@lists.fedorahosted.org

Manage subscription

9 comments

5 participants

tags (0)

participants (5)

Alexander Bokovoy
Charles Hedrick
Jakub Hrozek
Jelle de Jong
Sumit Bose

2024

2023

2022

2021

2020

2019

2018

2017

different security policy for login(password+otp) and screenlock (password only) for workstation