RHEL-54451

`authselect check` is not able to detect misconfiguration in PAM


      What were you trying to do that didn't work?

      `authselect check` is not able to detect misconfiguration in PAM

      Please provide the package NVR for which the bug is seen:

      authselect-1.5.0-6.el10.x86_64

      authselect-libs-1.5.0-6.el10.x86_64


      # cat /etc/redhat-release 
      Red Hat Enterprise Linux release 10.0 Beta (Coughlan)
      


      How reproducible:

      Steps to reproduce

      Modify the PAM configuration.

      1] Edit /etc/pam.d/password-auth and mix sssd and winbind or put some junk entries.

      [root@permanent-rhel10z-abroy ~]# authselect check
      Current configuration is valid.
      [root@permanent-rhel10z-abroy ~]# cat /etc/pam.d/password-auth 
      auth        required                                     pam_env.so
      auth        required                                     pam_faillock.so preauth silent
      auth        required                                     pam_faildelay.so delay=2000000
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
      auth        sufficient                                   pam_unix.so
      auth        [default=die]                                pam_faillock.so authfail
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        sufficient                                   pam_sss.so forward_pass
      auth        required                                     pam_deny.so
      
      
      account     required                                     pam_faillock.so
      account     required                                     pam_unix.so
      account     sufficient                                   pam_localuser.so
      account     sufficient                                   pam_usertype.so issystem
      account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
      account     required                                     pam_permit.so
      
      
      password    requisite                      pam_pwquality.so local_users_only minlen=15 ucredit=0 ocredit=0 lcredit=-1 dcredit=-1 reject_username
      password    requisite                                    pam_pwquality.so local_users_only
      password    sufficient                                   pam_unix.so sha512 shadow remember=10 nullok use_authtok
      password    sufficient                                   pam_sss.so use_authtok
      password    required                                     pam_deny.so
      
      
      session     optional                                     pam_keyinit.so revoke
      session     required                                     pam_limits.so
      -session    optional                                     pam_systemd.so
      session     optional                                     pam_oddjob_mkhomedir.so
      session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
      session     required                                     pam_unix.so
      session     optional                                     pam_sss.so
      [root@permanent-rhel10z-abroy ~]#  

      With the same file on RHEL 8, authselect detects the misconfiguration.


      # cat /etc/pam.d/password-auth /etc/authselect/password-auth
      # Generated by authselect on Sun Oct  1 13:19:39 2023
      # Do not modify this file manually.
      
      auth        required                                     pam_env.so
      auth        required                                     pam_faillock.so preauth silent
      auth        required                                     pam_faildelay.so delay=2000000
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
      auth        sufficient                                   pam_unix.so
      auth        [default=die]                                pam_faillock.so authfail
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        sufficient                                   pam_sss.so forward_pass
      auth        required                                     pam_deny.so
      
      account     required                                     pam_faillock.so
      account     required                                     pam_unix.so
      account     sufficient                                   pam_localuser.so
      account     sufficient                                   pam_usertype.so issystem
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      account     required                                     pam_permit.so
      
      password    requisite                      pam_pwquality.so local_users_only minlen=15 ucredit=0 ocredit=0 lcredit=-1 dcredit=-1 reject_username
      password    requisite                                    pam_pwquality.so local_users_only
      password    sufficient                                   pam_unix.so sha512 shadow remember=10 nullok use_authtok
      password    sufficient                                   pam_sss.so use_authtok
      password    required                                     pam_deny.so
      
      session     optional                                     pam_keyinit.so revoke
      session     required                                     pam_limits.so
      -session    optional                                     pam_systemd.so
      session     optional                                     pam_oddjob_mkhomedir.so
      session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
      session     required                                     pam_unix.so
      session     optional                                     pam_sss.so
      # Generated by authselect on Sun Oct  1 13:19:39 2023
      # Do not modify this file manually.
      
      auth        required                                     pam_env.so
      auth        required                                     pam_faillock.so preauth silent
      auth        required                                     pam_faildelay.so delay=2000000
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
      auth        sufficient                                   pam_unix.so
      auth        [default=die]                                pam_faillock.so authfail
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        sufficient                                   pam_sss.so forward_pass
      auth        required                                     pam_deny.so
      
      account     required                                     pam_faillock.so
      account     required                                     pam_unix.so
      account     sufficient                                   pam_localuser.so
      account     sufficient                                   pam_usertype.so issystem
      account     [default=bad success=ok user_unknown=ignore] pam_sss.so
      account     required                                     pam_permit.so
      
      password    requisite                      pam_pwquality.so local_users_only minlen=15 ucredit=0 ocredit=0 lcredit=-1 dcredit=-1 reject_username
      password    requisite                                    pam_pwquality.so local_users_only
      password    sufficient                                   pam_unix.so sha512 shadow remember=10 nullok use_authtok
      password    sufficient                                   pam_sss.so use_authtok
      password    required                                     pam_deny.so
      
      session     optional                                     pam_keyinit.so revoke
      session     required                                     pam_limits.so
      -session    optional                                     pam_systemd.so
      session     optional                                     pam_oddjob_mkhomedir.so
      session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
      session     required                                     pam_unix.so
      session     optional                                     pam_sss.so
      [root@~]#
      [root@~]# authselect check
      [error] [/etc/authselect/system-auth] has unexpected content!
      [error] [/etc/authselect/password-auth] has unexpected content!
      Current configuration is not valid. It was probably modified outside authselect. 
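Added example, not code from this report or from authselect itself: a small Python check that covers the two edits made on the RHEL 10 host above (junk lines that are not valid PAM entries, and pam_sss.so mixed with pam_winbind.so in one file) and also compares the live /etc/pam.d file with the copy under /etc/authselect/, which is the drift that the RHEL 8 `authselect check` output reports. The path pairs in AUTHSELECT_PAIRS are taken from the paths shown in this report; the SAMPLE_* file contents are constructed excerpts, and all function names are this example's own.

```python
import os
import re
from collections import namedtuple

PAM_TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# Modules that tie a service to one identity backend; both in one file is the mix the report makes.
BACKEND_MODULES = {"pam_sss.so": "sssd", "pam_winbind.so": "winbind"}
# Live file and the copy authselect writes (paths as shown in the report's output).
AUTHSELECT_PAIRS = [
    ("/etc/pam.d/system-auth", "/etc/authselect/system-auth"),
    ("/etc/pam.d/password-auth", "/etc/authselect/password-auth"),
]

# Constructed excerpts for the checks below, not a complete password-auth file.
SAMPLE_CLEAN = """\
# Generated by authselect (constructed excerpt)
auth        required                                     pam_env.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_unix.so
auth        sufficient                                   pam_sss.so forward_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    requisite                                    pam_pwquality.so local_users_only minlen=15
-session    optional                                     pam_systemd.so
session     optional                                     pam_sss.so
"""
SAMPLE_MIXED = SAMPLE_CLEAN.replace("user_unknown=ignore] pam_sss.so", "user_unknown=ignore] pam_winbind.so")
SAMPLE_JUNK = SAMPLE_CLEAN + "garbage\nauth foo pam_unix.so\n"

# optional=True for a leading '-': PAM does not log an error if the module is missing.
PamEntry = namedtuple("PamEntry", "type control module args optional")
_ENTRY_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam_line(line):
    """None for blank/comment lines, a PamEntry for valid entries, ValueError for junk."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    optional = stripped.startswith("-")
    m = _ENTRY_RE.match(stripped[1:] if optional else stripped)
    if not m:
        raise ValueError(f"not a PAM entry: {stripped!r}")
    mtype, control, module, args = m.groups()
    if mtype.lower() not in PAM_TYPES:
        raise ValueError(f"unknown module type {mtype!r}")
    if control.startswith("["):  # [value=action ...] form: every token must be value=action
        tokens = control[1:-1].split()
        if not tokens or any("=" not in tok for tok in tokens):
            raise ValueError(f"malformed control field {control!r}")
    elif control not in SIMPLE_CONTROLS:
        raise ValueError(f"unknown control {control!r}")
    if control not in ("include", "substack") and not module.endswith(".so"):
        raise ValueError(f"{module!r} does not look like a PAM module")
    return PamEntry(mtype.lower(), control, module, (args or "").split(), optional)

def check_pam_file(text):
    """List the problems found in the text of one PAM service file."""
    problems, backends = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_pam_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if entry is not None and entry.module in BACKEND_MODULES:
            backends.setdefault(BACKEND_MODULES[entry.module], []).append(lineno)
    if len(backends) > 1:
        detail = ", ".join(f"{name} (lines {', '.join(map(str, nums))})" for name, nums in sorted(backends.items()))
        problems.append(f"mixed identity backends: {detail}")
    return problems

def drifted(live_text, authselect_text):
    """True when the live /etc/pam.d file differs from the copy authselect wrote."""
    return live_text != authselect_text

def audit_host(pairs=AUTHSELECT_PAIRS):
    """Check each live/authselect pair present on this host; returns {live path: [problems]}."""
    report = {}
    for live, generated in pairs:
        if not os.path.exists(live):
            continue
        with open(live) as f:
            live_text = f.read()
        problems = check_pam_file(live_text)
        if os.path.exists(generated):
            with open(generated) as f:
                if drifted(live_text, f.read()):
                    problems.append(f"differs from {generated}; modified outside authselect?")
        report[live] = problems
    return report

if __name__ == "__main__":
    for path, problems in audit_host().items():
        for problem in problems:
            print(f"[error] [{path}] {problem}")
```

Run as root on the host, the script prints one `[error]` line per finding in the same shape as the RHEL 8 output above and nothing when both files are clean and unchanged. The drift comparison is a plain byte-for-byte check, so any manual edit of /etc/pam.d/password-auth is reported even when the edited file is still a syntactically valid PAM configuration.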


      Expected results

      Actual results

      Pavel Brezina (pbrezina@redhat.com)
      Abhijit Roy (rhn-support-abroy)
      Dan Lavu