What were you trying to do that didn't work?
Getting a single password prompt for an invalid user with the sequence below in /etc/pam.d/password-auth:
auth required pam_sss.so
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
This can let an attacker identify that it is an invalid user.
It works as expected with the sequence below:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth required pam_sss.so
Please provide the package NVR for which bug is seen:
The behaviour is observed irrespective of the pam and sssd versions.
How reproducible:
- An invalid user gets a single password prompt with the sequence below:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=4 success=ignore] pam_localuser.so
auth required pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
auth [success=1 default=bad] pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
auth sufficient pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900
auth required pam_sss.so
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth sufficient pam_succeed_if.so uid >= 200 quiet
auth required pam_deny.so
- An invalid user is prompted 3 times with the sequence below, as expected:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=4 success=ignore] pam_localuser.so
auth required pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
auth [success=1 default=bad] pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
auth sufficient pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth required pam_sss.so
auth sufficient pam_succeed_if.so uid >= 200 quiet
auth required pam_deny.so
Steps to reproduce
Expected results
An invalid user should get the password prompt 3 times.
RHEL 7 gives the password prompt 3 times in both cases, irrespective of sequence.
NOTE: It works as expected with the default RHEL 8 config, irrespective of sequence:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
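To see why the order of pam_sss and pam_listfile matters for a user that does not exist, the following script walks both password-auth orderings from the report with the control-flag rules documented in pam.conf(5). It is an added example, not code from Red Hat, Linux-PAM or SSSD: it models the stack logic rather than calling libpam, the per-module results it assumes for an unknown, non-local user (pam_localuser denies, pam_sss prompts and returns PAM_USER_UNKNOWN, pam_listfile with item=group and onerr=fail returns PAM_SERVICE_ERR, and so on) are assumptions listed in UNKNOWN_USER, and it covers a single pam_authenticate() call only.

```python
"""Trace how a Linux-PAM auth stack handles a user that does not exist.

Added example for this report, not Red Hat's, Linux-PAM's or SSSD's code.  It
models the control-flag semantics documented in pam.conf(5) instead of calling
libpam, and the results assumed for an unknown non-local user are listed in
UNKNOWN_USER.  It covers one pam_authenticate() call; how often the SSH client
re-prompts is decided by sshd and the client on top of that.
"""
import re

SUCCESS, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"

# Assumed (return value, prompts for a password?) for a user in neither
# /etc/passwd nor SSSD.  pam_listfile item=group cannot resolve the user's
# groups and so returns its onerr=fail value.
UNKNOWN_USER = {
    "pam_env.so": (SUCCESS, False),
    "pam_faildelay.so": (SUCCESS, False),
    "pam_localuser.so": ("PAM_PERM_DENIED", False),
    "pam_faillock.so": (SUCCESS, False),
    "pam_unix.so": ("PAM_USER_UNKNOWN", True),
    "pam_sss.so": ("PAM_USER_UNKNOWN", True),
    "pam_listfile.so": ("PAM_SERVICE_ERR", False),
    "pam_succeed_if.so": ("PAM_AUTH_ERR", False),
    "pam_deny.so": ("PAM_AUTH_ERR", False),
}

# Keyword controls spelled out in [value=action] form, as pam.conf(5) does.
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Return [(control dict, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            ctl, module, args = m.groups()
            control = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((control, module, args.split()))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack; return (final status, [(module, retval, action, prompted)])."""
    impression, status, trace, i = None, None, [], 0
    while i < len(stack):
        control, module, _ = stack[i]
        retval, prompted = outcomes[module]
        action = control.get(retval[4:].lower(), control.get("default", "bad"))
        skip = 0
        if action.isdigit():                # N: "ok" plus a jump over N modules
            skip, action = int(action), "ok"
        trace.append((module, retval, action, prompted))
        if action in ("ok", "done"):
            # "ok" only overrides a state that would still return success
            if impression is None or (impression == "pos" and status == SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break
        elif action in ("bad", "die"):
            if impression != "neg":         # the first failure is what PAM returns
                impression, status = "neg", retval
            if action == "die":
                break
        i += 1 + skip
    return status, trace


def summarize(text, outcomes=UNKNOWN_USER):
    """Final status, modules run in order, password prompts, first rejecting module."""
    status, trace = evaluate(parse_stack(text), outcomes)
    rejecting = [m for m, _, a, _ in trace if a in ("bad", "die")]
    return {"status": status, "ran": [m for m, _, _, _ in trace],
            "prompts": sum(p for _, _, _, p in trace),
            "first_rejection": rejecting[0] if rejecting else None}


# The two orderings from the report; only the pam_sss/pam_listfile pair differs.
HEAD = """auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=4 success=ignore] pam_localuser.so
auth required pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
auth [success=1 default=bad] pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
auth sufficient pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900"""
TAIL = "auth sufficient pam_succeed_if.so uid >= 200 quiet\nauth required pam_deny.so"
SSS = "auth required pam_sss.so"
LISTFILE = "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list"
SSS_FIRST = "\n".join([HEAD, SSS, LISTFILE, TAIL])
LISTFILE_FIRST = "\n".join([HEAD, LISTFILE, SSS, TAIL])

if __name__ == "__main__":
    for name, text in (("pam_sss first", SSS_FIRST), ("pam_listfile first", LISTFILE_FIRST)):
        print(name, summarize(text))
```

Under these assumptions a non-local user jumps straight from pam_localuser to the pam_sss/pam_listfile pair, so whichever of the two comes first is the first module to reject and its code is what pam_authenticate() returns: PAM_USER_UNKNOWN from pam_sss in the reported ordering, PAM_SERVICE_ERR from pam_listfile in the working one. In both orderings one pam_authenticate() call prompts exactly once (only pam_sss asks for a password), so the one-versus-three difference seen at the SSH client arises outside this stack, in how sshd and the client handle the result the stack hands back.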