Gentoo Archives: gentoo-user

From: Michael Jones <gentoo@×××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Pam configuration for winbind
Date: Wed, 14 Oct 2020 20:18:56
Message-Id: CABfmKS+SkSQqukfxF0buYebiGjTGBM3hBwYnddETAy5FLSezMQ@mail.gmail.com
With the recent update to sys-auth/pambase-20201013, I find myself
struggling to understand how to adapt the new default configuration to work
with winbind.

I'm writing to the list for help with this.

First, I'll provide my current system-auth, the new system-auth that comes
from sys-auth/pambase-20201013, and my attempt at merging the two versions.
After those items, I have several questions which I'll ask at the end of my
email.

First, here's my current /etc/pam.d/system-auth file:

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account sufficient pam_unix.so
account required pam_winbind.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
password optional pam_permit.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session required pam_winbind.so
session optional pam_permit.so

Here's the new version that comes from sys-auth/pambase-20201013 with the
useflags: gnome-keyring nullok passwdqc sha512 systemd

auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account optional pam_permit.so
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so

Here's my attempt at merging these two together.

auth required pam_env.so
auth required pam_faillock.so preauth
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass
auth requisite pam_faillock.so authfail

account required pam_faillock.so
account sufficient pam_unix.so
account sufficient pam_winbind.so
account optional pam_permit.so

password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so use_authtok
password optional pam_permit.so

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session required pam_winbind.so
session optional pam_permit.so

Questions:

1. Why does sys-auth/pambase use the "likeauth" flag? I cannot find any
real information about this except for a redhat bugzilla ticket that says
it's for legacy usage from 2004.
https://bugzilla.redhat.com/show_bug.cgi?id=120418

2. Why is pam_faillock.so used with "preauth" after the first use of
pam_unix.so? The manpage for pam_faillock.so says that faillock should be
called with the "preauth" command prior to asking for the user's password.

3. Why is pam_permit.so used as the last item in each section other than
auth? The manpage for pam_permit indicates that this module always returns
success. Using it as an optional module is a no-op.

4. Why is pam_faillock.so the last module for the "account" type, instead
of the first module, as from the example in the manpage?

5. Why use [default=die] instead of requisite for pam_faillock.so in the
auth section?
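As an added illustration (not part of the original mail), here is a small Python model of the Linux-PAM control flags run over the pambase auth stack and the merged one quoted above; the module return values are constructed inputs, not what the real modules do. It shows the difference behind question 5: requisite treats a success return as "carry on", so if the authfail call returns success the merged stack ends in PAM_SUCCESS even though no module authenticated the user, whereas [default=die] stops with a failure whatever the tally module returns. It also shows, for question 2, the order in which modules actually run.

```python
SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

def run_stack(stack, results):
    """stack: [(control flag, module)] in file order; results: module -> return code.
    Returns (final status, modules that actually ran)."""
    first_failure = None            # first failing required/requisite/die module
    executed, last_rv, only_optional = [], SUCCESS, True
    for control, module in stack:
        rv = results[module]
        executed.append(module)
        last_rv = rv
        only_optional = only_optional and control == "optional"
        if control == "required":
            if rv != SUCCESS and first_failure is None:
                first_failure = rv                 # remember it, keep going
        elif control == "requisite":
            if rv != SUCCESS:                      # stop with the first failure seen
                return first_failure or rv, executed
        elif control == "sufficient":
            if rv == SUCCESS and first_failure is None:
                return SUCCESS, executed           # short-circuit; its failures are ignored
        elif control == "[default=die]":
            # every code, success included, maps to die: record a failure and stop
            # (simplification: a success here is reported as PAM_PERM_DENIED)
            if first_failure is None:
                first_failure = rv if rv != SUCCESS else PERM_DENIED
            return first_failure, executed
        elif control != "optional":
            raise ValueError(f"unsupported control flag {control!r}")
    if only_optional:                              # optional only counts when it is alone
        return last_rv, executed
    return first_failure or SUCCESS, executed

# The two auth stacks quoted above, module arguments dropped except the faillock action
PAMBASE_AUTH = [("required", "pam_env"), ("required", "pam_unix"), ("optional", "pam_permit"),
                ("required", "pam_faillock preauth"), ("sufficient", "pam_unix"),
                ("[default=die]", "pam_faillock authfail")]
MERGED_AUTH = [("required", "pam_env"), ("required", "pam_faillock preauth"),
               ("sufficient", "pam_unix"), ("sufficient", "pam_winbind"),
               ("requisite", "pam_faillock authfail")]

def evaluate(stack, unix_rv, winbind_rv, authfail_rv):
    """Constructed scenario: pick what pam_unix, pam_winbind and the authfail call return."""
    results = {"pam_env": SUCCESS, "pam_permit": SUCCESS, "pam_faillock preauth": SUCCESS,
               "pam_unix": unix_rv, "pam_winbind": winbind_rv,
               "pam_faillock authfail": authfail_rv}
    return run_stack(stack, results)
```

Calling evaluate(MERGED_AUTH, AUTH_ERR, AUTH_ERR, SUCCESS) returns PAM_SUCCESS, while the same inputs against PAMBASE_AUTH return PAM_AUTH_ERR.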