[sssd PR#159][opened] pam: use authtok from PAM stack if available
by sumit-bose
URL: https://github.com/SSSD/sssd/pull/159
Author: sumit-bose
Title: #159: pam: use authtok from PAM stack if available
Action: opened
PR body:
"""
With this patch the behavior of pam_sss is slightly changed to be more
similar to the behavior of other PAM modules. Currently pam_sss expects
that there is a authtok (password) on the PAM stack if the
'use_first_pass' option was used. Without the option pam_sss
unconditionally prompts for credentials.
With this patch pam_sss will use an authtok from the PAM stack even if
'use_first_pass' is not set but it will assume that it is a password. To
return to the previous behavior the new 'prompt_always' can be used.
Resolves https://fedorahosted.org/sssd/ticket/2984
Besides the use-case mentioned in the ticket with this change it should be
possible to change the default PAM configuration in Fedora and RHEL to allow a
fallback to pam_sss if pam_unix fails, so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
can be changed to
auth [sufficient] pam_unix.so nullok try_first_pass
'sufficient' is equivalent to '[success=done new_authtok_reqd=done
default=ignore]' so the 'default=die' is remove here and the next PAM modules
is called.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/159/head:pr159
git checkout pr159
7 years, 1 month