Version: sssd-1.16.2-13.el7.x86_64
Hello All,
I've been working with SSSD using FreeIPA directory services, and I've noticed this odd behavior when passwords expire and the user is prompted to change them on auth:
---
ipa-user@host:~$ sudo su -
[sudo] password for ipa-user: <Enter password>
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password: <Hit Ctrl+C here>
sudo: unable to change expired password: Authentication token manipulation error
ipa-user@host:~$ ^C
ipa-user@host:~$ ^C
ipa-user@host:~$ ^C
ipa-user@host:~$ sudo su -
Last login: blah
[root@host ~]#
---
I don't believe we should be able to cancel out of expired password change and subsequently be able to authenticate without any prompt? It appears the sudo ticket is generated before the password expiration prompt is shown. This seems like breaking behavior since the password expiration is not really being enforced, and in our environment we'll only use passwords for sudo (ssh keys for remote login).
For what it's worth, here are the contents of the pam system-auth config:
---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
---
Thanks in advance for any insight,
-Gabe
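When investigating a report like the one above, the first thing a reviewer usually wants is a mechanical reading of the PAM stack: which module runs in each management group, in what order, and with which control flags (the bracketed `[default=... success=...]` form in particular is easy to misread by eye). The following parser is an added example written for this thread; it is not code from the poster, SSSD or FreeIPA. It embeds the system-auth file quoted in the message as its sample input, handles both the keyword and the bracketed control syntax plus the leading `-` that marks a module as optional, and reports where `pam_sss.so` sits in each group. The function and check names (`parse_pam`, `check_sss_stack`, and the finding keys) are this example's own; it does not model sudo's behaviour, only the configuration it consults.

```python
"""Parse a Linux-PAM stack (e.g. /etc/pam.d/system-auth) and summarise
which modules handle each management group.

Added example for this mailing-list thread, not SSSD/FreeIPA project code.
SYSTEM_AUTH below is the system-auth file quoted in the original message.
"""

import re
from dataclasses import dataclass

SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""


@dataclass
class Rule:
    group: str        # auth / account / password / session
    control: dict     # {"_": "required"} or e.g. {"default": "bad", "success": "ok"}
    module: str       # e.g. "pam_sss.so"
    args: list        # module arguments, split on whitespace
    optional: bool    # True when the line started with '-' (skip if module missing)


# group, then either a bracketed control list or a single keyword, then module, then args
RULE_RE = re.compile(
    r'^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$'
)


def parse_control(token):
    """Turn 'required' or '[default=bad success=ok]' into a dict."""
    if token.startswith('['):
        return dict(pair.split('=', 1) for pair in token[1:-1].split())
    return {'_': token}


def parse_pam(text):
    """Parse a PAM config into an ordered list of Rule objects."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable PAM line: {line!r}')
        dash, group, control, module, args = m.groups()
        rules.append(Rule(group, parse_control(control), module,
                          (args or '').split(), dash == '-'))
    return rules


def modules_for(rules, group):
    """Ordered module names for one management group."""
    return [r.module for r in rules if r.group == group]


def check_sss_stack(rules):
    """Findings a reviewer of an SSSD-backed stack would want to see at a glance.

    The keys are this example's own naming, not a PAM or SSSD convention."""
    findings = {}
    for group in ('auth', 'account', 'password', 'session'):
        findings[f'{group}_has_pam_sss'] = 'pam_sss.so' in modules_for(rules, group)
    acct_sss = [r for r in rules if r.group == 'account' and r.module == 'pam_sss.so']
    # account phase should treat an SSSD failure (expired password included) as a hard failure
    findings['account_sss_default_bad'] = any(r.control.get('default') == 'bad' for r in acct_sss)
    auth_sss = [r for r in rules if r.group == 'auth' and r.module == 'pam_sss.so']
    findings['auth_sss_forward_pass'] = any('forward_pass' in r.args for r in auth_sss)
    return findings


if __name__ == '__main__':
    parsed = parse_pam(SYSTEM_AUTH)
    for grp in ('auth', 'account', 'password', 'session'):
        print(grp, '->', ' | '.join(modules_for(parsed, grp)))
    for key, value in check_sss_stack(parsed).items():
        print(f'{key}: {value}')
```

Run it as-is to see the quoted stack, or replace `SYSTEM_AUTH` with the contents of your own `/etc/pam.d/system-auth` (and the service file that includes it, such as `/etc/pam.d/sudo`) to confirm that `pam_sss.so` is reached in every group and that the account phase maps an SSSD failure to `default=bad`. For the file quoted in this thread all checks come back true, which is why the question here is about sudo's handling of the expired-password path rather than a missing module in the stack.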