8:19 a.m.
Version: sssd-1.16.2-13.el7.x86_64
Hello All,
I've been working with SSSD using FreeIPA directory services, and I've noticed
this odd behavior when passwords expire and prompted to change on auth:
---
ipa-user@host:~$ sudo su -
[sudo] password for ipa-user: <Enter password>
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password: <Hit Ctrl+C here>
sudo: unable to change expired password: Authentication token manipulation error
ipa-user@host:~$ ^C
ipa-user@host:~$ ^C
ipa-user@host:~$ ^C
ipa-user@host:~$ sudo su -
Last login: blah
[root@host ~]#
---
I don't believe we should be able to cancel out of expired password change and
subsequently be able to authenticate without any prompt? It appears the sudo ticket is
generated before the password expiration prompt is shown.
This seems like breaking behavior since the password expiration is not really being
enforced, and in our environment we'll only use passwords for sudo (ssh keys for
remote login).
For what it's worth, here's the contents of pam system-auth config:
---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3
authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
---
Thanks in advance for any insight,
-Gabe