[gentoo-user] Pam configuration for winbind - gentoo-user

From:	Michael Jones <gentoo@×××××××.com>
To:	gentoo-user@l.g.o
Subject:	[gentoo-user] Pam configuration for winbind
Date:	Wed, 14 Oct 2020 20:18:56
Message-Id:	`CABfmKS+SkSQqukfxF0buYebiGjTGBM3hBwYnddETAy5FLSezMQ@mail.gmail.com`

1

With the recent update to sys-auth/pambase-20201013, i find myself

2

struggling to understand how to adapt the new default configuration to work

3

with winbind.

4

5

I'm writing to the list for help with this.

6

7

First, I'll provide my current system-auth, the new system-auth that comes

8

from sys-auth/pambase-20201013, and my attempt at merging the two versions.

9

After those items, I have several questions which I'll ask at the end of my

10

email.

First, here's my current /etc/pam.d/system-auth file:

15

16

auth        required pam_env.so

17

auth        sufficient pam_unix.so try_first_pass likeauth nullok

18

auth        sufficient pam_winbind.so use_first_pass

19

auth        required pam_deny.so

20

21

account sufficient pam_unix.so

22

account required pam_winbind.so

23

24

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2

25

retry=3

26

password sufficient pam_unix.so try_first_pass use_authtok nullok sha512

27

shadow

28

password sufficient pam_winbind.so use_authtok

29

password optional pam_permit.so

30

31

session required pam_limits.so

32

session required pam_env.so

33

session required pam_unix.so

34

session required pam_winbind.so

35

session optional pam_permit.so

36

37

38

Here's the new version that comes from sys-auth/pambase-20201013 with the

39

useflags: gnome-keyring nullok passwdqc sha512 systemd

40

41

auth        required pam_env.so

42

auth        required pam_unix.so try_first_pass likeauth nullok

43

auth        optional pam_permit.so

44

auth        required pam_faillock.so preauth

45

auth        sufficient pam_unix.so nullok try_first_pass

46

auth        [default=die] pam_faillock.so authfail

47

account required pam_unix.so

48

account optional pam_permit.so

49

account         required        pam_faillock.so

50

password required pam_passwdqc.so config=/etc/security/passwdqc.conf

51

password required pam_unix.so try_first_pass use_authtok nullok sha512

52

shadow

53

password optional pam_permit.so

54

session required pam_limits.so

55

session required pam_env.so

56

session required pam_unix.so

57

session optional pam_permit.so

58

59

60

Here's my attempt at merging these two together.

61

62

auth            required        pam_env.so

63

auth            required        pam_faillock.so preauth

64

auth            sufficient pam_unix.so nullok try_first_pass

65

auth            sufficient pam_winbind.so use_first_pass

66

auth            requisite pam_faillock.so authfail

67

68

account         required        pam_faillock.so

69

account         sufficient pam_unix.so

70

account         sufficient pam_winbind.so

71

account         optional        pam_permit.so

72

73

password        required        pam_passwdqc.so

74

config=/etc/security/passwdqc.conf

75

password        sufficient pam_unix.so try_first_pass use_authtok nullok

76

sha512 shadow

77

password        sufficient pam_winbind.so use_authtok

78

password        optional        pam_permit.so

79

80

session         required        pam_limits.so

81

session         required        pam_env.so

82

session         required        pam_unix.so

83

session         required        pam_winbind.so

84

session         optional        pam_permit.so

Questions:

90

91

1. Why does sys-auth/pambase use the "likeauth" flag? I cannot find any

92

real information about this except for a redhat bugzilla ticket that says

93

it's for legacy usage from 2004.

94

https://bugzilla.redhat.com/show_bug.cgi?id=120418

95

96

2. Why is pam_faillock.so used with "preauth" after the first use of

97

pam_unix.so ? The manpage for pam_faillock.so says that faillock should be

98

called with the "preauth" command prior to asking for the user's password.

99

100

3. Why is pam_permit.so used as the last item in each section other than

101

auth? The manpage for pam_permit indicates that this module always returns

102

success. Using it as an optional module is a no-op.

103

104

4. Why is pam_faillock.so the last module for the "account" type, instead

105

of the first module, as from the example in the manpage?

106

107

5. Why use [default=die] instead of requisite for pam_faillock.so in the

108

auth section?

Gentoo Archives: gentoo-user

Replies

1	With the recent update to sys-auth/pambase-20201013, i find myself
2	struggling to understand how to adapt the new default configuration to work
3	with winbind.
4
5	I'm writing to the list for help with this.
6
7	First, I'll provide my current system-auth, the new system-auth that comes
8	from sys-auth/pambase-20201013, and my attempt at merging the two versions.
9	After those items, I have several questions which I'll ask at the end of my
10	email.
11
12
13
14	First, here's my current /etc/pam.d/system-auth file:
15
16	auth required pam_env.so
17	auth sufficient pam_unix.so try_first_pass likeauth nullok
18	auth sufficient pam_winbind.so use_first_pass
19	auth required pam_deny.so
20
21	account sufficient pam_unix.so
22	account required pam_winbind.so
23
24	password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
25	retry=3
26	password sufficient pam_unix.so try_first_pass use_authtok nullok sha512
27	shadow
28	password sufficient pam_winbind.so use_authtok
29	password optional pam_permit.so
30
31	session required pam_limits.so
32	session required pam_env.so
33	session required pam_unix.so
34	session required pam_winbind.so
35	session optional pam_permit.so
36
37
38	Here's the new version that comes from sys-auth/pambase-20201013 with the
39	useflags: gnome-keyring nullok passwdqc sha512 systemd
40
41	auth required pam_env.so
42	auth required pam_unix.so try_first_pass likeauth nullok
43	auth optional pam_permit.so
44	auth required pam_faillock.so preauth
45	auth sufficient pam_unix.so nullok try_first_pass
46	auth [default=die] pam_faillock.so authfail
47	account required pam_unix.so
48	account optional pam_permit.so
49	account required pam_faillock.so
50	password required pam_passwdqc.so config=/etc/security/passwdqc.conf
51	password required pam_unix.so try_first_pass use_authtok nullok sha512
52	shadow
53	password optional pam_permit.so
54	session required pam_limits.so
55	session required pam_env.so
56	session required pam_unix.so
57	session optional pam_permit.so
58
59
60	Here's my attempt at merging these two together.
61
62	auth required pam_env.so
63	auth required pam_faillock.so preauth
64	auth sufficient pam_unix.so nullok try_first_pass
65	auth sufficient pam_winbind.so use_first_pass
66	auth requisite pam_faillock.so authfail
67
68	account required pam_faillock.so
69	account sufficient pam_unix.so
70	account sufficient pam_winbind.so
71	account optional pam_permit.so
72
73	password required pam_passwdqc.so
74	config=/etc/security/passwdqc.conf
75	password sufficient pam_unix.so try_first_pass use_authtok nullok
76	sha512 shadow
77	password sufficient pam_winbind.so use_authtok
78	password optional pam_permit.so
79
80	session required pam_limits.so
81	session required pam_env.so
82	session required pam_unix.so
83	session required pam_winbind.so
84	session optional pam_permit.so
85
86
87
88
89	Questions:
90
91	1. Why does sys-auth/pambase use the "likeauth" flag? I cannot find any
92	real information about this except for a redhat bugzilla ticket that says
93	it's for legacy usage from 2004.
94	https://bugzilla.redhat.com/show_bug.cgi?id=120418
95
96	2. Why is pam_faillock.so used with "preauth" after the first use of
97	pam_unix.so ? The manpage for pam_faillock.so says that faillock should be
98	called with the "preauth" command prior to asking for the user's password.
99
100	3. Why is pam_permit.so used as the last item in each section other than
101	auth? The manpage for pam_permit indicates that this module always returns
102	success. Using it as an optional module is a no-op.
103
104	4. Why is pam_faillock.so the last module for the "account" type, instead
105	of the first module, as from the example in the manpage?
106
107	5. Why use [default=die] instead of requisite for pam_faillock.so in the
108	auth section?