With the recent update to sys-auth/pambase-20201013, I find myself struggling to understand how to adapt the new default configuration to work with winbind.

I'm writing to the list for help with this.

First, I'll provide my current system-auth, the new system-auth that comes from sys-auth/pambase-20201013, and my attempt at merging the two versions. After those items, I have several questions which I'll ask at the end of my email.


First, here's my current /etc/pam.d/system-auth file:

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account sufficient pam_unix.so
account required pam_winbind.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
password optional pam_permit.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session required pam_winbind.so
session optional pam_permit.so


Here's the new version that comes from sys-auth/pambase-20201013 with the USE flags: gnome-keyring nullok passwdqc sha512 systemd

auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account optional pam_permit.so
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so


Here's my attempt at merging these two together.

auth required pam_env.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_faillock.so authfail

account required pam_faillock.so
account sufficient pam_unix.so
account sufficient pam_winbind.so
account optional pam_permit.so

password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
password optional pam_permit.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session required pam_winbind.so
session optional pam_permit.so


Questions:

1. Why does sys-auth/pambase use the "likeauth" flag? I cannot find any real information about this except for a Red Hat Bugzilla ticket that says it's for legacy usage from 2004.
https://bugzilla.redhat.com/show_bug.cgi?id=120418

2. Why is pam_faillock.so used with "preauth" after the first use of pam_unix.so? The manpage for pam_faillock.so says that faillock should be called with the "preauth" command prior to asking for the user's password.

3. Why is pam_permit.so used as the last item in each section other than auth? The manpage for pam_permit indicates that this module always returns success. Using it as an optional module is a no-op.

4. Why is pam_faillock.so the last module for the "account" type, instead of the first module, as from the example in the manpage?

5. Why use [default=die] instead of requisite for pam_faillock.so in the auth section?
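As an added illustration of questions 2 and 4 above (not code from the mail or from pambase), here is a small checker that parses pam.d-style lines and flags pam_faillock placements that break the ordering the manpage asks for: "preauth" before any module that may prompt for a password, "authfail" after the last one, and an account-phase entry so a lockout is actually enforced. The two sample stacks are copied from the auth/account lines quoted above; the set of prompting modules and the finding texts are my assumptions.

```python
import re

# Hypothetical checker for pam_faillock placement; not part of pambase or Linux-PAM.
PAM_LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*?)\s*$")
PROMPTING = {"pam_unix.so", "pam_winbind.so"}  # assumed: auth modules that may ask for a password

def parse_stack(text):
    # Returns (type, control, module, [args]) per line; handles "[default=die]" style controls.
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {line!r}")
        typ, control, module, args = m.groups()
        entries.append((typ, control, module, args.split()))
    return entries

def check_faillock(entries):
    # Empty list means the faillock entries sit where the manpage expects them.
    findings = []
    auth = [e for e in entries if e[0] == "auth"]
    prompt = [i for i, e in enumerate(auth) if e[2] in PROMPTING]
    pre = [i for i, e in enumerate(auth) if e[2] == "pam_faillock.so" and "preauth" in e[3]]
    fail = [i for i, e in enumerate(auth) if e[2] == "pam_faillock.so" and "authfail" in e[3]]
    if not pre:
        findings.append("auth: no pam_faillock.so preauth entry")
    elif prompt and pre[0] > prompt[0]:
        findings.append(f"auth: preauth runs after {auth[prompt[0]][2]}, which may already have prompted")
    if not fail:
        findings.append("auth: no pam_faillock.so authfail entry")
    elif prompt and fail[-1] < prompt[-1]:
        findings.append("auth: authfail runs before the last prompting module")
    if not any(e[0] == "account" and e[2] == "pam_faillock.so" for e in entries):
        findings.append("account: no pam_faillock.so entry, so a lockout is never enforced")
    return findings

# Constructed samples: auth/account lines of the pambase default and of the merged file above.
DEFAULT_STACK = """auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
account required pam_faillock.so"""
MERGED_STACK = """auth required pam_env.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_faillock.so authfail
account required pam_faillock.so"""
```

Running `check_faillock(parse_stack(DEFAULT_STACK))` reports the preauth-after-pam_unix placement, while the merged stack produces no findings.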