[Bug 2075389] [NEW] pam-auth-update lacks flexibility needed to support sss + foo-auth-module cleanly

Kodiak Firesmith 2075389 at bugs.launchpad.net
Wed Jul 31 20:55:22 UTC 2024 

Public bug reported:

Working with pam-auth-update and custom profiles in /usr/share/pam-
configs I'm discovering a lack of flexibility with regard to ordering
and being able to cleanly stack different auth modules.

This relates to both unix and sss profiles using '[success=end
default=ignore]'.

Say my goal is to add MFA as a subsequent requirement to authenticate
after successfully authenticating to AD via pam_sss.so.

I can't simply have a profile called 'duo' that will come in at a
slightly lower priority and land under pam_sss.so as a subsequent
authentication because it'll get skipped in the stack by pam_sss's
[success=2] jump placed dynamically by [success=end] in the sss
template.

The same applies to pam_unix.so's template, since it also uses
[success=end].

I think that the template process needs to be reworked to be able to
denote that a subsequent module is mandatory and can't be skipped in the
stack, or that it's at least a mandatory follow up to specific prior
modules (eg allow unix to [success=2] over both pam_sss.so and
pam_duo.so to permit.so).

The only way I have to work around this while still doing things the
pam-auth-update way instead of hacking  common-auth in place is to
create a conflicting template called 'duo-sss' that conflicts with
'sss', and reimplement it's contents but with a stack skip tweak like
so:

```
Name: DUO authentication with combined SSSD
Default: no
Priority: 192
Conflicts: sss

Auth-Type: Primary
Auth:
        [default=ignore]    pam_sss.so use_first_pass
        [success=end]                      /usr/lib64/security/pam_duo.so
```

As you can imagine, this can get complicated the more prior modules I
need to override.

Now it very well could be that I'm misunderstanding how to use pam-auth-
update profiles.  The PAMConfigFramework Spec is very minimal so I've
pored over that a few times and supplemented what I learned with the
perl content of pam-auth-update itself but I'm also no Perl monk.

Assuming this is a legitimate request and I'm not missing some way to
more cleanly achieve my flexibility goals, here is the required bug
info:

VERSION="20.04.6 LTS (Focal Fossa)"

libpam-runtime:
  Installed: 1.3.1-5ubuntu4.7

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: pam pam-auth-update

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/2075389

Title:
  pam-auth-update lacks flexibility needed to support sss + foo-auth-
  module cleanly

Status in pam package in Ubuntu:
  New

Bug description:
  Working with pam-auth-update and custom profiles in /usr/share/pam-
  configs I'm discovering a lack of flexibility with regard to ordering
  and being able to cleanly stack different auth modules.

  This relates to both unix and sss profiles using '[success=end
  default=ignore]'.

  Say my goal is to add MFA as a subsequent requirement to authenticate
  after successfully authenticating to AD via pam_sss.so.

  I can't simply have a profile called 'duo' that will come in at a
  slightly lower priority and land under pam_sss.so as a subsequent
  authentication because it'll get skipped in the stack by pam_sss's
  [success=2] jump placed dynamically by [success=end] in the sss
  template.

  The same applies to pam_unix.so's template, since it also uses
  [success=end].

  I think that the template process needs to be reworked to be able to
  denote that a subsequent module is mandatory and can't be skipped in
  the stack, or that it's at least a mandatory follow up to specific
  prior modules (eg allow unix to [success=2] over both pam_sss.so and
  pam_duo.so to permit.so).

  The only way I have to work around this while still doing things the
  pam-auth-update way instead of hacking  common-auth in place is to
  create a conflicting template called 'duo-sss' that conflicts with
  'sss', and reimplement it's contents but with a stack skip tweak like
  so:

  ```
  Name: DUO authentication with combined SSSD
  Default: no
  Priority: 192
  Conflicts: sss

  Auth-Type: Primary
  Auth:
          [default=ignore]    pam_sss.so use_first_pass
          [success=end]                      /usr/lib64/security/pam_duo.so
  ```

  As you can imagine, this can get complicated the more prior modules I
  need to override.

  Now it very well could be that I'm misunderstanding how to use pam-
  auth-update profiles.  The PAMConfigFramework Spec is very minimal so
  I've pored over that a few times and supplemented what I learned with
  the perl content of pam-auth-update itself but I'm also no Perl monk.

  Assuming this is a legitimate request and I'm not missing some way to
  more cleanly achieve my flexibility goals, here is the required bug
  info:

  VERSION="20.04.6 LTS (Focal Fossa)"

  libpam-runtime:
    Installed: 1.3.1-5ubuntu4.7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2075389/+subscriptions

More information about the foundations-bugs mailing list