pam-auth-update lacks flexibility needed to support sss + foo-auth-module cleanly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Working with pam-auth-update and custom profiles in /usr/share/
This relates to both unix and sss profiles using '[success=end default=ignore]'.
Say my goal is to add MFA as a subsequent requirement to authenticate after successfully authenticating to AD via pam_sss.so.
I can't simply have a profile called 'duo' that will come in at a slightly lower priority and land under pam_sss.so as a subsequent authentication because it'll get skipped in the stack by pam_sss's [success=2] jump placed dynamically by [success=end] in the sss template.
The same applies to pam_unix.so's template, since it also uses [success=end].
I think that the template process needs to be reworked to be able to denote that a subsequent module is mandatory and can't be skipped in the stack, or that it's at least a mandatory follow up to specific prior modules (eg allow unix to [success=2] over both pam_sss.so and pam_duo.so to permit.so).
The only way I have to work around this while still doing things the pam-auth-update way instead of hacking common-auth in place is to create a conflicting template called 'duo-sss' that conflicts with 'sss', and reimplement its contents but with a stack skip tweak like so:
```
Name: DUO authentication with combined SSSD
Default: no
Priority: 192
Conflicts: sss
Auth-Type: Primary
Auth:
```
As you can imagine, this can get complicated the more prior modules I need to override.
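To make the skip behaviour concrete, here is a small model of the part of pam-auth-update that matters for this report. This is an added example, not code from the bug report or from pam-auth-update itself: it concatenates Primary profiles in descending Priority order, drops a profile that another enabled profile lists under Conflicts:, and rewrites every `success=end` into the numeric jump that lands on pam_permit.so. The profile priorities, module arguments, the 'duo' profile and the Auth: lines of the 'duo-sss' workaround are constructed assumptions for the illustration, as are the module outcomes fed to the simulator.

```python
"""Toy model of pam-auth-update's Primary block assembly (added example).

Not the real Perl implementation: only priority ordering, Conflicts: handling
and the 'success=end' -> 'success=N' rewrite are modelled. Profiles below are
constructed for illustration; priorities and arguments are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Line = Tuple[str, str]  # (control field, module file plus its arguments)


@dataclass
class Profile:
    name: str
    priority: int
    auth: List[Line]                                   # the profile's Auth: stanza
    conflicts: List[str] = field(default_factory=list)  # the profile's Conflicts: line


def assemble_primary(enabled: List[Profile]) -> List[Line]:
    """Build the auth stack: Primary lines, then pam_deny.so, then pam_permit.so."""
    ordered = sorted(enabled, key=lambda p: -p.priority)
    conflicted = {c for p in ordered for c in p.conflicts}
    ordered = [p for p in ordered if p.name not in conflicted]
    lines = [ln for p in ordered for ln in p.auth]
    stack: List[Line] = []
    for i, (ctl, mod) in enumerate(lines):
        # 'end' means: skip the remaining Primary lines and the pam_deny.so line,
        # so the jump target is pam_permit.so.
        jump = (len(lines) - 1 - i) + 1
        stack.append((ctl.replace("success=end", f"success={jump}"), mod))
    stack.append(("requisite", "pam_deny.so"))
    stack.append(("required", "pam_permit.so"))
    return stack


def render(stack: List[Line]) -> str:
    """Format the stack as it would appear in /etc/pam.d/common-auth."""
    return "\n".join(f"auth\t{ctl}\t{mod}" for ctl, mod in stack)


def simulate(stack: List[Line], results: Dict[str, bool]) -> Tuple[List[str], bool]:
    """Walk the stack with constructed module outcomes (module file -> PAM_SUCCESS?).

    Supports the controls used here: requisite, required and
    [success=N|ok|ignore default=ignore|die]. Returns the modules that actually
    executed and the final verdict.
    """
    executed: List[str] = []
    verdict: Optional[bool] = None  # None until some module contributes a result
    i = 0
    while i < len(stack):
        ctl, mod = stack[i]
        modfile = mod.split()[0]
        executed.append(modfile)
        ok = {"pam_permit.so": True, "pam_deny.so": False}.get(modfile, results.get(modfile, False))
        if ctl.startswith("["):
            actions = dict(kv.split("=", 1) for kv in ctl.strip("[]").split())
            action = actions["success"] if ok else actions["default"]
            if action.isdigit():                 # 'ok' plus a jump over N lines
                verdict = True if verdict is None else verdict
                i += int(action) + 1
                continue
            if action == "die":                  # fail and stop the stack
                return executed, False
            if action == "ok" and verdict is None:
                verdict = ok
            # 'ignore': this result does not count towards the verdict
        elif ctl == "requisite":
            if not ok:
                return executed, False
            verdict = True if verdict is None else verdict
        elif ctl == "required":
            verdict = False if not ok else (True if verdict is None else verdict)
        i += 1
    return executed, bool(verdict)


# Constructed profiles; priorities and module arguments are assumptions.
UNIX = Profile("unix", 256, [("[success=end default=ignore]", "pam_unix.so nullok_secure")])
SSS = Profile("sss", 192, [("[success=end default=ignore]", "pam_sss.so use_first_pass")])
DUO = Profile("duo", 150, [("[success=end default=ignore]", "pam_duo.so")])
# The workaround shape from the report: one profile that replaces 'sss' and makes
# pam_sss.so mandatory (no 'end' jump) so pam_duo.so always runs after it.
DUO_SSS = Profile("duo-sss", 192,
                  [("[success=ok default=die]", "pam_sss.so use_first_pass"),
                   ("[success=end default=ignore]", "pam_duo.so")],
                  conflicts=["sss"])

# Constructed outcome for an AD user: no local password, AD and MFA both succeed.
AD_USER = {"pam_unix.so": False, "pam_sss.so": True, "pam_duo.so": True}


def separate_profiles() -> Tuple[List[str], bool]:
    """unix + sss + duo as three profiles: sss's jump lands on pam_permit.so, duo never runs."""
    return simulate(assemble_primary([UNIX, SSS, DUO]), AD_USER)


def combined_profile() -> Tuple[List[str], bool]:
    """unix + duo-sss (sss disabled by Conflicts:): duo is reached after sss."""
    return simulate(assemble_primary([UNIX, SSS, DUO_SSS]), AD_USER)


if __name__ == "__main__":
    for label, profiles in (("separate", [UNIX, SSS, DUO]), ("combined", [UNIX, SSS, DUO_SSS])):
        stack = assemble_primary(profiles)
        print(f"--- {label} ---\n{render(stack)}\n-> ran {simulate(stack, AD_USER)}")
```

Running the script prints both generated stacks; in the separate-profile case pam_sss.so becomes `[success=2 default=ignore]`, which jumps straight over pam_duo.so and pam_deny.so to pam_permit.so, which is the skip the report describes. In the combined profile the sss line carries no `end`, so the only jump to pam_permit.so comes from pam_duo.so, and a failed pam_duo.so falls through to pam_deny.so.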
Now it very well could be that I'm misunderstanding how to use pam-auth-update profiles. The PAMConfigFramework Spec is very minimal, so I've pored over that a few times and supplemented what I learned with the Perl content of pam-auth-update itself, but I'm also no Perl monk.
Assuming this is a legitimate request and I'm not missing some way to more cleanly achieve my flexibility goals, here is the required bug info:
VERSION="20.04.6 LTS (Focal Fossa)"
libpam-runtime:
Installed: 1.3.1-5ubuntu4.7