sudo fails for ldap users #471
Description
Description
After updating to latest stable v2905.2.0 sudo fails for LDAP users using sssd. The problem seems to have been introduced by flatcar/baselayout#17
Impact
LDAP users could not elevate privileged with sudo after logging in to ssh with public keys.
Environment and steps to reproduce
- configure sssd with ldap
- login to ssh via public key
- elevate privilege using e.g.
sudo -i - sudo fails with correct password
Expected behavior
sudo should succeed when password is correct
Additional information
Moving pam_faillock.so after pam_sss.so fixes the issue and sudo works as expected.
auth required pam_env.so
auth requisite pam_faillock.so preauth deny=5 unlock_time=60 fail_interval=120
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so use_first_pass
# give pam_sss a chance to authenticate ldap users
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=60 fail_interval=120
auth required pam_deny.so
account required pam_unix.so
# Don't fail if the user is unknown to sssd or if sssd isn't running
account required pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account required pam_faillock.so
account optional pam_permit.so
password sufficient pam_unix.so try_first_pass nullok sha512 shadow minlen=8
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_sss.so
-session optional pam_systemd.so