Been trying to figure this out for a week. I recently set up an IPA server as a test. The server setup and install was pretty straightforward. I got the client set up to authenticate and do sudo, etc. The issue I am having is that once the password is reset for a user, or if their password expires, they can still authenticate successfully via ssh.
I can see that PAM states that a new token is required, but it works anyway.
Oct 26 13:29:15 ipaserv sshd[23779]: pam_sss(sshd:auth): received for user testuser: 12 (Authentication token is no longer valid; new one required)
Oct 26 13:29:15 ipaserv sshd[23779]: Accepted password for testuser from 10.96.103.235 port 58321 ssh2
UsePAM is set to yes in sshd_config, and the PAM files look correct to me. They are set up similarly to an RHDS environment I have running. At this point I am not sure if it is an RHEL7/OEL7 sssd issue, or if my config is incorrect. I have scoured the web, but have only seen mentions of the issue, and a few dead ends about PAM config.
/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
/etc/sssd/sssd.conf
[domain/ux.test.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ux.test.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaserv.test.com
chpass_provider = ipa
ipa_server = ipaserv.test.com
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
debug_level = 9
services = nss, sudo, pam, ssh
domains = ux.test.com

[nss]

[pam]

[ssh]

[sudo]
Any ideas?
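Whatever the root cause turns out to be, the log pair quoted in the post is itself a usable detection signature: pam_sss reporting return code 12 (PAM_NEW_AUTHTOK_REQD, "Authentication token is no longer valid; new one required") for an sshd process, followed by sshd logging "Accepted password" for the same PID and user. The script below is an added example, not part of the original post or of SSSD/OpenSSH, that correlates those two messages over syslog-style lines. The sample lines are constructed for the example (the testuser lines copy the post; the alice and bob lines, PIDs and addresses are made up), and the only message formats it relies on are the two shown in the post plus sshd's standard "Failed password for ..." line.

```python
import re

# PAM_NEW_AUTHTOK_REQD as defined by Linux-PAM; this is the "12" in the post's log.
PAM_NEW_AUTHTOK_REQD = 12

# pam_sss logs the PAM return code of the auth phase in this form (see the post).
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)"
)
# sshd's own success line; "password" here means the password auth method.
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<rhost>\S+) port (?P<port>\d+)"
)

# Constructed sample log (not a real capture). Lines for testuser are the ones from the post;
# the alice and bob lines were added to show a normal failure and a normal success.
SAMPLE_LOG = """\
Oct 26 13:29:15 ipaserv sshd[23779]: pam_sss(sshd:auth): received for user testuser: 12 (Authentication token is no longer valid; new one required)
Oct 26 13:29:15 ipaserv sshd[23779]: Accepted password for testuser from 10.96.103.235 port 58321 ssh2
Oct 26 13:31:02 ipaserv sshd[23801]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Oct 26 13:31:02 ipaserv sshd[23801]: Failed password for alice from 10.96.103.236 port 58340 ssh2
Oct 26 13:32:40 ipaserv sshd[23820]: pam_sss(sshd:auth): received for user bob: 0 (Success)
Oct 26 13:32:40 ipaserv sshd[23820]: Accepted password for bob from 10.96.103.237 port 58355 ssh2
"""


def find_expired_token_logins(log_text):
    """Return the logins sshd accepted even though pam_sss had just returned
    PAM_NEW_AUTHTOK_REQD (12) for the same sshd PID and user.

    Correlation key is (sshd PID, user): each sshd child handles one connection,
    so a pam_sss line and an "Accepted" line with the same PID belong to the same
    authentication attempt.
    """
    pending = {}    # (pid, user) -> (code, msg) from the most recent pam_sss line
    findings = []
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            pending[(m.group("pid"), m.group("user"))] = (int(m.group("code")), m.group("msg"))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            key = (m.group("pid"), m.group("user"))
            code, msg = pending.pop(key, (None, None))
            if code == PAM_NEW_AUTHTOK_REQD:
                findings.append({
                    "pid": m.group("pid"),
                    "user": m.group("user"),
                    "rhost": m.group("rhost"),
                    "method": m.group("method"),
                    "pam_code": code,
                    "pam_msg": msg,
                })
    return findings


if __name__ == "__main__":
    for f in find_expired_token_logins(SAMPLE_LOG):
        print("expired-password login accepted: user=%s from=%s sshd_pid=%s (pam_sss: %d %s)"
              % (f["user"], f["rhost"], f["pid"], f["pam_code"], f["pam_msg"]))
```

Run it against /var/log/secure (or the journal) instead of SAMPLE_LOG to find out whether the behaviour is specific to one host or one user; the output is a list of the accepted logins that pam_sss had flagged, which is the evidence you would want to attach when raising this with the SSSD or IPA maintainers. The pairing only tells you that sshd proceeded past a code-12 auth result; it does not say which PAM or sshd setting let it through.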