Learn more about these different git repos.
Other Git URLs
The pam_sss.so has got a use_first_pass option which makes the module use previously stacked password, but fails if none (or bad one) is stacked. Unlike many modules, it does not have a try_first_pass option, which does the same, but asks for new password instead of failing.
pam_sss.so
use_first_pass
try_first_pass
Such option can be useful for password module type, because it will then ask for current password if user request a password change (using passwd command), but will not ask the password twice if it is expired at login time.
password
passwd
This configuration, for example, is working directly using pam_krb5.so: if password is expired at login time, it will not require the login password twice. But if we replace pam_krb5.so with pam_sss.so, try_first_pass is ignored, and the password is always asked by the module:
pam_krb5.so
auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so password sufficient pam_unix.so try_first_pass sha512 shadow password sufficient pam_krb5.so try_first_pass password required pam_deny.so
Following snippet works well for me with password
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
@lslebodn do you mean that try_first_pass is the default (and prompt_always must be used to prevent this behavior)? If this is the case, do you have an idea why it asks me my expired password twice at login time (once for login, once for changing password) with pam_sss.so and not with pam_krb5.so? I tried to add the forward_pass to auth module type with no more success.
prompt_always
forward_pass
Metadata Update from @pbrezina: - Issue tagged with: Canditate to close
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5023
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.