URL: https://github.com/SSSD/sssd/pull/159 Author: sumit-bose Title: #159: pam: use authtok from PAM stack if available Action: opened
PR body: """ With this patch the behavior of pam_sss is slightly changed to be more similar to the behavior of other PAM modules. Currently pam_sss expects that there is an authtok (password) on the PAM stack if the 'use_first_pass' option was used. Without the option pam_sss unconditionally prompts for credentials.
With this patch pam_sss will use an authtok from the PAM stack even if 'use_first_pass' is not set but it will assume that it is a password. To return to the previous behavior the new 'prompt_always' can be used.
Resolves https://fedorahosted.org/sssd/ticket/2984
Besides the use-case mentioned in the ticket, with this change it should be possible to change the default PAM configuration in Fedora and RHEL to allow a fallback to pam_sss if pam_unix fails, so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
can be changed to
auth [sufficient] pam_unix.so nullok try_first_pass
'sufficient' is equivalent to '[success=done new_authtok_reqd=done default=ignore]' so the 'default=die' is removed here and the next PAM module is called. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/159/head:pr159
git checkout pr159
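The control change described in the PR body, as an added example that is not part of the PR or of SSSD's code: a simplified Python model of Linux-PAM control-field evaluation, showing which modules run when pam_unix rejects the password. The pam_sss.so and pam_deny.so lines and the simulated return values are assumptions, the new pam_unix line is written in keyword form, and jump counts (success=N) are not modelled.

```python
import re

# Keyword controls in their bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_line(line):
    """Split one auth line into ({return value: action}, module name)."""
    m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip())
    if not m:
        raise ValueError(f"unparsable PAM line: {line!r}")
    control, module = m.groups()
    spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
    return dict(kv.split("=", 1) for kv in spec.split()), module

def run_stack(lines, returns):
    """Return (final status, modules called); returns = simulated results."""
    status, failed, positive, called = "perm_denied", False, False, []
    for line in lines:
        actions, module = parse_line(line)
        ret = returns[module]
        called.append(module)
        action = actions.get(ret, actions["default"])
        if action in ("bad", "die"):
            if not failed:  # the first failure fixes the stack's result
                status, failed = ret, True
            if action == "die":
                break  # stop here: later modules are never called
        elif action in ("ok", "done") and not failed:
            if not positive or status == "success":
                status, positive = ret, True
            if action == "done":
                break  # success ends the stack immediately
        # "ignore": this module's result does not affect the outcome
    return status, called

# Constructed input: the pam_unix lines follow the PR body (keyword form for
# the new one); the pam_sss/pam_deny lines and return values are assumed.
TAIL = ["auth sufficient pam_sss.so", "auth required pam_deny.so"]
OLD = ["auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass"] + TAIL
NEW = ["auth sufficient pam_unix.so nullok try_first_pass"] + TAIL
RETURNS = {"pam_unix.so": "auth_err", "pam_sss.so": "success", "pam_deny.so": "auth_err"}

if __name__ == "__main__":
    print("old:", run_stack(OLD, RETURNS))  # dies at pam_unix
    print("new:", run_stack(NEW, RETURNS))  # falls through to pam_sss
```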
pbrezina commented: """ Will this fix https://bugzilla.redhat.com/show_bug.cgi?id=1329598 ? """
See the full comment at https://github.com/SSSD/sssd/pull/159#issuecomment-281647271
sumit-bose commented: """
> Will this fix https://bugzilla.redhat.com/show_bug.cgi?id=1329598 ?
Yes, if the control of the pam_unix auth is changed in authconfig as described above (die->ignore). """
See the full comment at https://github.com/SSSD/sssd/pull/159#issuecomment-281663151
pbrezina commented: """ Ack. """
See the full comment at https://github.com/SSSD/sssd/pull/159#issuecomment-283621166
Label: +Accepted
lslebodn commented: """ On (02/03/17 02:51), Pavel Březina wrote:
> Ack.
master:
* 6dd271fdcf6ceb0afd77e703c98897672da3671a
Do you patch also into other branches?
LS
"""
See the full comment at https://github.com/SSSD/sssd/pull/159#issuecomment-283626871
Label: +Pushed
URL: https://github.com/SSSD/sssd/pull/159 Author: sumit-bose Title: #159: pam: use authtok from PAM stack if available Action: closed
sssd-devel@lists.fedorahosted.org