Understanding PAM authentication procedure on FreeBSD with security/sssd
I'm trying to understand what's behaving errantly on my PAM configuration on FreeBSD 10.0
The machine is configured with two different authentication realms, one is the default Unix authentication and the other one is using the System Security Services Daemon (sssd).
At this moment I'm using this configuration in /etc/pam.d/sshd since I just want to allow sssd logins from ssh.
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_sss.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn use_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session optional /usr/local/lib/pam_sss.so
session optional /usr/local/lib/pam_mkhomedir.so mode=0700
session required pam_permit.so
# password
password sufficient /usr/local/lib/pam_sss.so use_authtok
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
If I understood correctly, when a sssd user logs on the machine it will hit the auth sufficient /usr/local/lib/pam_sss.so line and since this is sufficientit will login without any problems. When a local user account tries to login it will fail in the sssd check but will succeed in pam_unix.so using the password entered for the first time, without asking for the password again.
But it's not what's happening. To successfully login as a local account, I must remove use_first_pass from pam_unix.so optiions in auth realm and when the user logins, the system first asks for the sssd account, failing since the local users doesn't exists in the external authentication service. Then the system asks again for the same password, but authenticating on the pam_unix.so module. And finally the access is granted.
As example, it behaves in this manner:
ssh sssd-test.example.com -l local-user-account
Password:
Password for [email protected]:
Last login: Sat May 24 16:22:40 2014 from 192.168.1.100
FreeBSD 10.0-RELEASE-p1 (GENERIC) #0: Tue Apr 8 06:45:06 UTC 2014
Welcome to FreeBSD!
$
I don't exactly why this happens or if it has something to do with the account session. As for my understand about PAM, the configuration should be right.
Thanks in advance,
Solution 1:
Well my premises about the workings of PAM were right.
The pam_sss.so module was expecting the argument forward_pass to relay to password for other PAM modules, as the pam_unix.somodule. So just putting this option do the job. The resultant line was:
auth sufficient /usr/local/lib/pam_sss.so forward_pass
Which ended in another problem. If sssd or even then authentication realm of sssd are down you'll be unable to login, since the pam_sss.so module will no work as and consequently the password will not be forwarded.
So the obvious choice was to put pam_unix.so before pam_sss.so and let everything be "sufficient" with a nicely pam_deny.so at the end. That's the Linux way to solve to problem, but this does not appears to work on FreeBSD.
After some googling through mailing lists the proper way to do this on FreeBSD is using the strange order in PAM:
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_unix.so no_warn
auth sufficient /usr/local/lib/pam_sss.so use_first_pass
auth required pam_unix.so no_warn use_first_pass
So putting pam_unix.so two times in PAM, the first one as sufficient and the last one as required do the trick. I don't know why this happens but it's working and appears to be right way to do.