Sumit Bose writes:
On Mon, Feb 01, 2016 at 05:13:51PM +0100, Lukas Slebodnik wrote:
> On (01/02/16 16:53), Magnus Therning wrote:
> >
> >To configure my system I've followed the instructions at [1] but there
> >are two things not quite right:
> >
> >1. All normal local users (i.e. not /root/) get prompted twice at login.
> > My testing shows that it's only the 2nd time the password must be
> > correct.
> >2. I can't use ~su~ to become root (though =sudo= works, so it's not the
> > end of the world).
> >
> >My PAM-fu is rather limited, so I don't even know where I should start
> >looking to fix this. Maybe someone on this list can see right away
> >what's wrong with those instructions, or at least can offer me a pointer
> >on where to turn to figure it out?
> >
> >/M
> >
> >[1]: https://wiki.archlinux.org/index.php/LDAP_authentication#Online_and_Offli...
> >
>
> You might take inspiration from the Fedora system-auth
> >Thanks a lot!
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth [default=1 success=ok] pam_localuser.so
> auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
I would recommend using the Fedora style as well. Nevertheless, in the
archlinux examples you might try to replace
auth sufficient pam_sss.so
by
auth sufficient pam_sss.so forward_pass
because by default pam_sss does not put the password on the PAM stack to
avoid leaking the password.
Thanks, that did it!
I did have a look at the settings in Debian too, but they were a bit
more complicated and it's unclear what the extra complexity actually
gives me. I have of course updated the Archlinux Wiki page.
If anyone else looks at the suggested settings there and sees something
strange/sub-optimal/... then I'd really appreciate an email about it.
/M
--
Magnus Therning, magnus.therning(a)cipherstone.com
Cipherstone Technologies AB
Theres Svenssons gata 10, 417 55 Gothenburg, Sweden
Beauty is more important in computing than anywhere else in technology
because software is so complicated. Beauty is the ultimate defence
against complexity.
-- David Gelernter
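The double-prompt behaviour Sumit explains, shown as an added example that is not from the thread, the Arch wiki or the SSSD project: two constructed Arch-style auth stacks, one with `auth sufficient pam_sss.so` and one with `forward_pass` added, plus a small POSIX sh/awk lint that flags auth-phase pam_sss.so lines lacking forward_pass. The file names, the helper names check_pam_sss_forward_pass and make_samples, and the exact stack contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the Arch wiki. Two constructed
# Arch-style auth stacks plus a lint for the double-prompt cause discussed
# in the thread: a pam_sss.so auth line without forward_pass, so the password
# typed at the first prompt is not forwarded on the PAM stack and a later
# module using try_first_pass has to ask again.

# Lint an /etc/pam.d-style file (hypothetical helper). Returns 0 when every
# auth-phase pam_sss.so line carries forward_pass, 1 otherwise; offending
# lines are printed on stdout.
check_pam_sss_forward_pass() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments, blank lines
        $1 == "auth" || $1 == "-auth" {
            for (i = 2; i <= NF; i++) if ($i ~ /pam_sss\.so$/) break
            if (i > NF) next                             # not a pam_sss.so line
            for (j = i + 1; j <= NF; j++) if ($j == "forward_pass") next
            print FILENAME ":" NR ": " $0                # prompts but does not forward
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Write the two constructed stacks into a fresh temp dir and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    # "Before": pam_sss asks first. For a local user it fails (not in LDAP),
    # the typed password is discarded, and pam_unix with try_first_pass has
    # to prompt again; only that second prompt needs the right password.
    cat > "$d/system-auth.before" <<'EOF'
#%PAM-1.0
auth      sufficient pam_sss.so
auth      required   pam_unix.so try_first_pass nullok
EOF
    # "After": forward_pass puts the entered password on the stack, so
    # pam_unix picks it up via try_first_pass and the user is asked once.
    cat > "$d/system-auth.after" <<'EOF'
#%PAM-1.0
auth      sufficient pam_sss.so forward_pass
auth      required   pam_unix.so try_first_pass nullok
EOF
    echo "$d"
}

# Stand-alone run: lint both constructed stacks.
samples=$(make_samples)
for f in "$samples/system-auth.before" "$samples/system-auth.after"; do
    if check_pam_sss_forward_pass "$f"; then
        echo "$f: ok"
    else
        echo "$f: pam_sss.so without forward_pass, expect a second prompt"
    fi
done
rm -rf "$samples"
```

Pointing the lint at a real /etc/pam.d/system-auth is a quick way to spot the same mistake on other hosts; note that the Fedora stack quoted earlier in the thread avoids the problem differently, by letting pam_localuser/pam_unix handle local users before pam_sss is ever reached.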