Bug 1513062 - authconfig --enablesssd --enablesssdauth --update breaks previous behavior
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Pavel Březina
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-14 16:57 UTC by Andreas Bleischwitz
Modified: 2017-11-17 16:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-17 16:41:08 UTC



Description Andreas Bleischwitz 2017-11-14 16:57:47 UTC
Description of problem:
'authconfig' changed its behaviour on how PAM is configured between RHEL 7.3 and RHEL 7.4.
From a user's point of view that should be consistent within a major release.

Version-Release number of selected component (if applicable):
authconfig-6.2.8-14.el7.x86_64 -> authconfig-6.2.8-30.el7.x86_64

How reproducible:
Install RHEL 7.3 system and run "authconfig --enablesssd --enablesssdauth --disablecachecreds --update"
Install RHEL 7.4 system and run the same command
Find a different configuration of /etc/pam.d/system-auth-ac on both systems

Steps to Reproduce:
1. Install RHEL7.3, run "authconfig --enablesssd --enablesssdauth --disablecachecreds --update"
2. Install RHEL7.4, run "authconfig --enablesssd --enablesssdauth --disablecachecreds --update"
3. Find different pam-config and system-login behavior.

Actual results:
authconfig creates different configuration and system behavior on newer minor-release

Expected results:
authconfig creates stable system behavior on different minor releases.

Additional info:
system-auth-ac from RHEL7.3:
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

Remote users with uid<1000 are able to log in.


system-auth-ac from RHEL7.4:
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

If I understood that stack correctly, remote users with uid<1000 are no longer able to log in.
Tests using remote-sssd users with uid<1000 have shown that ssh-logins are no longer possible.

Comment 3 Andreas Bleischwitz 2017-11-17 16:41:08 UTC
Validated the RHEL7.3 setup with a remote user with uid<1000: also not able to log in.

So according to this, the configuration may have changed, but the behavior of pam has not been changed.

Sorry for the inconvenience that this may have created.
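
The comparison of the two auth stacks in this report can be checked by walking each stack for a given user. This is an added example, not part of the bug report or of authconfig: the module outcomes in OUTCOME, the sample user and all function names are assumptions, and only the success/default actions and jump counts of the control field are modelled.

```python
import re

# Keyword controls in their bracket form, per pam.conf(5).
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
# auth stacks copied from the report (column padding collapsed).
RHEL73 = """auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so"""
RHEL74 = """auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so"""
# Assumed, simplified module outcomes for a user who types a valid password.
OUTCOME = {"pam_localuser.so": lambda u, a: u["local"],   # in local files
           "pam_unix.so": lambda u, a: u["local"],
           "pam_sss.so": lambda u, a: not u["local"],     # provided by SSSD
           "pam_deny.so": lambda u, a: False,
           "pam_succeed_if.so": lambda u, a: u["uid"] >= int(a.split()[2])}

def parse(text):
    """Return (control, module, args) per auth line; [..] controls become dicts."""
    rows = re.findall(r"^auth\s+(\[.*?\]|\S+)\s+(\S+)[ \t]*(.*)$", text, re.M)
    return [(dict(kv.split("=") for kv in c[1:-1].split()) if c[0] == "[" else KEYWORDS[c], m, a)
            for c, m, a in rows]

def authenticate(text, user):
    """Apply ok/done/bad/die/ignore/jump-N actions; True if login is granted."""
    stack, failed, granted, i = parse(text), False, False, 0
    while i < len(stack):
        ctl, module, args = stack[i]
        hit = OUTCOME.get(module, lambda u, a: True)(user, args)  # others pass
        action = ctl["success" if hit else "default"]
        i += 1 + (int(action) if action.isdigit() else 0)   # "N" skips N modules
        failed = failed or action in ("bad", "die")
        granted = granted or (action in ("ok", "done") and not failed)
        if action == "die" or (action == "done" and not failed):
            break
    return granted and not failed

remote_low = {"uid": 500, "local": False}   # constructed SSSD user, uid < 1000
print(authenticate(RHEL73, remote_low), authenticate(RHEL74, remote_low))  # False False
```

Under this model both stacks reject the remote user with uid<1000 at the requisite pam_succeed_if.so line, which agrees with the result reported in comment 3.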

