Skip to content

pam.d: fix sssd LDAP auth with sudo#18

Merged
pothos merged 1 commit intoflatcar-masterfrom
kai/sssd-faillock
Aug 9, 2021
Merged

pam.d: fix sssd LDAP auth with sudo#18
pothos merged 1 commit intoflatcar-masterfrom
kai/sssd-faillock

Conversation

@pothos
Copy link
Copy Markdown
Member

@pothos pothos commented Aug 5, 2021
edited
Loading

As reported in
flatcar/Flatcar#471
the order which executed faillock before sssd caused "sudo -i" auth to
fail for LDAP users.

Move sssd up behind the unix password auth, so that it gets a chance to
run before faillock.

How to use

Testing done

With the image from http://jenkins.infra.kinvolk.io:8080/job/os/job/manifest/3218/cldsv/
I tried whether enforcement still works for a non-LDAP user (no ssh key, just a password):

$ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -p 2222 test@127.0.0.1  
Warning: Permanently added '[127.0.0.1]:2222' (ED25519) to the list of known hosts.
The account is locked due to 5 failed logins.
(1 minutes left to unlock)

The account is locked due to 5 failed logins.
(1 minutes left to unlock)

The account is locked due to 5 failed logins.
(1 minutes left to unlock)

test@127.0.0.1's password: 
Received disconnect from 127.0.0.1 port 2222:2: Too many authentication failures
Disconnected from 127.0.0.1 port 2222

It still allows to enter a password even though the account is locked but still it doesn't authenticate with the right password, so no regression here.

@pothos
pam.d: fix sssd LDAP auth with sudo
989764c 
As reported in
flatcar/Flatcar#471
the order which executed faillock before sssd caused "sudo -i" auth to
fail for LDAP users.

Move sssd up behind the unix password auth, so that it gets a chance to
run before faillock.
@pothos pothos mentioned this pull request Aug 5, 2021
Closed
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 5, 2021
@pothos
sys-apps/baselayout: fix sssd LDAP auth with sudo
27bd47b 
This pulls in
flatcar/baselayout#18
@pothos pothos mentioned this pull request Aug 5, 2021
Merged
@pothos pothos requested a review from a team August 6, 2021 13:35
@pothos pothos marked this pull request as ready for review August 6, 2021 13:35
@pothos pothos merged commit 02af6a4 into flatcar-master Aug 9, 2021
@pothos pothos deleted the kai/sssd-faillock branch August 9, 2021 14:16
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 9, 2021
@pothos
sys-apps/baselayout: fix sssd LDAP auth with sudo
0a5e096 
This pulls in
flatcar/baselayout#18
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 9, 2021
@pothos
sys-apps/baselayout: fix sssd LDAP auth with sudo
b432bff 
This pulls in
flatcar/baselayout#18
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 9, 2021
@pothos
sys-apps/baselayout: fix sssd LDAP auth with sudo
8fbf6ca 
This pulls in
flatcar/baselayout#18
pothos added a commit to flatcar-archive/coreos-overlay that referenced this pull request Aug 9, 2021
@pothos
sys-apps/baselayout: fix sssd LDAP auth with sudo
d5abd12 
This pulls in
flatcar/baselayout#18
t-lo pushed a commit to flatcar/scripts that referenced this pull request Apr 17, 2023
@pothos
sys-apps/baselayout: fix sssd LDAP auth with sudo
261ec85 
This pulls in
flatcar/baselayout#18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krnowak krnowak krnowak approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pothos @krnowak @vbatts @dongsupark