#4174 id_provider = proxy proxy_lib_name = files returns * in password field, breaking PAM authentication
Closed: Fixed 2 years ago by pbrezina. Opened 2 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1815584

Description of problem:

The sssd.conf(5) says:

       pwfield (string)
           The value that NSS operations that return users or groups will
return for the “password” field.

           This option can also be set per-domain.

           Default: “*” (remote domains) or “x” (the files domain)

However, for users returned via proxy files id_provider, * is returned. That in
turn breaks PAM authentication.

Version-Release number of selected component (if applicable):

sssd-2.2.3-20.el8.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have system without SSSD configured and started.
2. Set password for user test: passwd test
3. Test that PAM authentication or user test works:
   echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate
   If you don't like to use pamtester from EPEL, just use ssh test@localhost.
4. getent passwd test, check that the output is
   test:x:1000:1000::/home/test:/bin/bash
5. Configure SSSD, create /etc/sssd/sssd.conf with:

[sssd]
 domains = PROXY_PROXY
 services = nss

[domain/PROXY_PROXY]
 id_provider = proxy
 proxy_lib_name = files
 proxy_pam_target = sssd-shadowutils

6. chmod 600 /etc/sssd/sssd.conf or SSSD refuses to start.
7. systemctl restart sssd
8. getent passwd test
9. echo $THE_PASSWORD | pamtester sssd-shadowutils test authenticate

Actual results:

test:*:1000:1000::/home/test:/bin/bash

Password: pamtester: Authentication failure

Expected results:

test:x:1000:1000::/home/test:/bin/bash

Password: pamtester: successfully authenticated

Additional info:

It is possible to force the expected behaviour by adding line

 pwfield = x

to the [domain/...] section. But SSSD should obey what it says in the man page,
and it should not as easily break PAM authentication of unrelated services.

Metadata Update from @pbrezina:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1815584

2 years ago

Metadata Update from @pbrezina:
- Issue assigned to pbrezina

2 years ago
  • master
    • ae5a2cd - proxy: set pwfield to x for files library

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5129

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata