10:01 a.m.
Hello,
I would like to configure pam_sss.so as to separate authentication methods ;
in my case i use both password and smartcard.
My problem is that when a smartcard is inserted, you can't use password
anymore because
it will prompt for the PIN and fail without fallback.
Ideally i'd like to configure pam/sssd/sddm to try the "password" as a
password, then try as a PIN for inserted smartcards.
Can i configure sssd to do that ?
My understanding in that even if you set pam_sss to/try_cert_auth/, it will
not fallback to password if a smartcard is inserted.
Thanks for your help,
Marc
10:49 a.m.
On Fri, Dec 18, 2020 at 05:01:48PM +0100, mbalembo wrote:
Hello,
I would like to configure pam_sss.so as to separate authentication methods ;
in my case i use both password and smartcard.
My problem is that when a smartcard is inserted, you can't use password
anymore because
it will prompt for the PIN and fail without fallback.
Ideally i'd like to configure pam/sssd/sddm to try the "password" as a
password, then try as a PIN for inserted smartcards.
Can i configure sssd to do that ?
My understanding in that even if you set pam_sss to/try_cert_auth/, it will
not fallback to password if a smartcard is inserted.
Hi,
this is currently not possible because SSSD strongly tries to avoid
try-and-error methods. Imo your use case is even a good example why this
should be avoided.
Assuming that you have a Smartcard inserted but you use your password
for authentication. Since SSSD cannot know if it is the PIN or the
password it will try the input as PIN first and then tries password
verification. Depending on your Smartcard settings there is a fair
chance that your Smartcard will be locked after doing this 3 or 5 times.
If the password is checked first there is the same chance that your
account will be locked on the server side if you use the PIN for
authentication.
bye,
Sumit
Thanks for your help,
Marc
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
11:32 a.m.
Marc,
Sumit raises a good point about account lock-outs. But if that is not a
concern for you, it seems that you could accomplish this in your PAM stack.
Right now, you probably have something like:
...
auth sufficient pam_sss.so
forward_pass try_cert_auth
...
account [default=ignore perm_denied=bad success=ok user_unknown=ignore]
pam_sss.so quiet
So you could change this first pam_sss auth line to something like:
auth sufficient pam_sss.so
forward_pass try_cert_auth
auth sufficient pam_sss.so
forward_pass
That is, try smart card first and if it fails, invoke pam_sss again,
specifying password auth.
This has the disadvantage of calling pam_sss twice (which should not be too
costly due to sssd's local cache). It also could have 2x the failure
attempts, but if you rely on another PAM module for lock-out (like
pam_faillock), you'll increment your failures only once.
Spike
On Fri, Dec 18, 2020 at 10:49 AM Sumit Bose <sbose(a)redhat.com> wrote:
On Fri, Dec 18, 2020 at 05:01:48PM +0100, mbalembo wrote:
> Hello,
>
>
> I would like to configure pam_sss.so as to separate authentication
methods ;
> in my case i use both password and smartcard.
>
> My problem is that when a smartcard is inserted, you can't use password
> anymore because
> it will prompt for the PIN and fail without fallback.
>
> Ideally i'd like to configure pam/sssd/sddm to try the "password" as
a
> password, then try as a PIN for inserted smartcards.
> Can i configure sssd to do that ?
> My understanding in that even if you set pam_sss to/try_cert_auth/, it
will
> not fallback to password if a smartcard is inserted.
Hi,
this is currently not possible because SSSD strongly tries to avoid
try-and-error methods. Imo your use case is even a good example why this
should be avoided.
Assuming that you have a Smartcard inserted but you use your password
for authentication. Since SSSD cannot know if it is the PIN or the
password it will try the input as PIN first and then tries password
verification. Depending on your Smartcard settings there is a fair
chance that your Smartcard will be locked after doing this 3 or 5 times.
If the password is checked first there is the same chance that your
account will be locked on the server side if you use the PIN for
authentication.
bye,
Sumit
>
>
> Thanks for your help,
> Marc
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
10:23 a.m.
Hi,
My case comme from GUI login (sddm) not talking with the pam stack like
login/ssh
do (with login you got a prompt for a password or for a PIN with the
token/smarcard
name displayed to the user).
This way, there is no lock-out problem.
Currently, my pam_sss.so does not have the try_cert_auth option,
and sssd.conf seems to do all the work.
I will change that to use Spike solution.
My goal is to modify sddm so you chose how you want to authenticate before
going to the pam/sssd stack so you can select the right token between
multiple plugged
smartcards or plain password and avoiding lock-outs.
Thanks for the help !
Marc
3:21 a.m.
On Mon, Jan 04, 2021 at 05:23:58PM +0100, mbalembo wrote:
Hi,
My case comme from GUI login (sddm) not talking with the pam stack like
login/ssh
do (with login you got a prompt for a password or for a PIN with the
token/smarcard
name displayed to the user).
This way, there is no lock-out problem.
Currently, my pam_sss.so does not have the try_cert_auth option,
and sssd.conf seems to do all the work.
I will change that to use Spike solution.
My goal is to modify sddm so you chose how you want to authenticate before
going to the pam/sssd stack so you can select the right token between
multiple plugged
smartcards or plain password and avoiding lock-outs.
Hi,
this sounds similar to what gdm is already doing. E.g. for selecting the right
certificate gdm offers a PAM extension, see
https://gitlab.gnome.org/GNOME/gdm/-/tree/master/pam-extensions and
https://github.com/SSSD/sssd/blob/master/src/sss_client/pam_sss.c#L1672
for how SSSD is using it.
bye,
Sumit
Thanks for the help !
Marc
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1197
days inactive
1222
days old
sssd-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
mbalembo -
Spike White -
Sumit Bose