Ubuntu
pam package

pam-auth-update lacks flexibility needed to support sss + foo-auth-module cleanly

Bug #2075389 reported by Kodiak Firesmith
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
New
Undecided
Unassigned

Bug Description

Working with pam-auth-update and custom profiles in /usr/share/pam-configs I'm discovering a lack of flexibility with regard to ordering and being able to cleanly stack different auth modules.

This relates to both unix and sss profiles using '[success=end default=ignore]'.

Say my goal is to add MFA as a subsequent requirement to authenticate after successfully authenticating to AD via pam_sss.so.

I can't simply have a profile called 'duo' that will come in at a slightly lower priority and land under pam_sss.so as a subsequent authentication because it'll get skipped in the stack by pam_sss's [success=2] jump placed dynamically by [success=end] in the sss template.

The same applies to pam_unix.so's template, since it also uses [success=end].

I think that the template process needs to be reworked to be able to denote that a subsequent module is mandatory and can't be skipped in the stack, or that it's at least a mandatory follow up to specific prior modules (eg allow unix to [success=2] over both pam_sss.so and pam_duo.so to permit.so).

The only way I have to work around this while still doing things the pam-auth-update way instead of hacking common-auth in place is to create a conflicting template called 'duo-sss' that conflicts with 'sss', and reimplement it's contents but with a stack skip tweak like so:

```
Name: DUO authentication with combined SSSD
Default: no
Priority: 192
Conflicts: sss

Auth-Type: Primary
Auth:
        [default=ignore] pam_sss.so use_first_pass
        [success=end] /usr/lib64/security/pam_duo.so
```

As you can imagine, this can get complicated the more prior modules I need to override.

Now it very well could be that I'm misunderstanding how to use pam-auth-update profiles. The PAMConfigFramework Spec is very minimal so I've pored over that a few times and supplemented what I learned with the perl content of pam-auth-update itself but I'm also no Perl monk.

Assuming this is a legitimate request and I'm not missing some way to more cleanly achieve my flexibility goals, here is the required bug info:

VERSION="20.04.6 LTS (Focal Fossa)"

libpam-runtime:
  Installed: 1.3.1-5ubuntu4.7

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.