Feature request: default PAM / authselect profiles #218

Open
breakwaterlabs opened this issue Feb 23, 2022 · 5 comments
Comments

@breakwaterlabs

Out of the box, the CentOS / RedHat (and I assume Debian, etc.) packages do not configure PAM for 2fa. Instead, the documentation instructs the user to:

modify your system's PAM configuration to include a line like the following...

auth required pam_duo.so

This is not only vague and unhelpful for many administrators (who may not frequently visit PAM and its eccentricities), it is incorrect on systems like RHEL / CentOS / Rocky 8 where authselect controls the /etc/pam.d directory and all of its files. In particular, someone modifying e.g. /etc/pam.d/system-auth to require 2fa may find that their change gets overwritten on a system update or on enabling smartcard login when authselect helpfully reapplies the current profile.

A better option (at least on RPM systems) would be to ship an authselect profile at /usr/share/authselect/duo or /etc/authselect/custom/duo-local. Authselect allows creating option-driven PAM templates; as an example, take the following snippet from a modified, duo-compatible sssd authselect profile:

auth  required     pam_env.so
auth  required     pam_faildelay.so delay=2000000
auth  required     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
auth  required     pam_faillock.so preauth silent deny=4 unlock_time=120  {include if "with-faillock"}
auth  sufficient   pam_u2f.so cue                                         {include if "with-pam-u2f"}
auth  required     pam_u2f.so cue nouserok                                {include if "with-pam-u2f-2fa"}
....
....
auth  requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth  sufficient   pam_sss.so forward_pass                                {exclude if "with-duo"}
auth  requisite    pam_sss.so forward_pass                                {include if "with-duo"}
auth  sufficient   pam_duo.so                                             {include if "with-duo"}
auth  required     pam_faillock.so authfail deny=4 unlock_time=120        {include if "with-faillock"}
auth  required     pam_deny.so

One can enable this profile with several options, which control the inclusion or exclusion of the corresponding lines. For instance, if one were to enable the profile with authselect select sssd, you would get the basic SSSD PAM profile without any of the 'include if' lines:

auth  required     pam_env.so
auth  required     pam_faildelay.so delay=2000000
auth  requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth  sufficient   pam_sss.so forward_pass
auth  required     pam_deny.so

If you were to enable the profile with authselect select sssd with-duo, the resultant PAM file would look something like this:

auth  required     pam_env.so
auth  required     pam_faildelay.so delay=2000000
auth  requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth  requisite    pam_sss.so forward_pass
auth  sufficient   pam_duo.so
auth  required     pam_deny.so

Red Hat has committed to using authselect at least with 8 and on, and creating a custom authselect profile to cover the basic use cases (SSSD, winbind, local) is a minor task that would drastically simplify the process of enabling duo while avoiding pitfalls of conflicting PAM file modification.
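The conditional-line mechanism described above, as an added illustration that is not authselect's own code or anything shipped by duo_unix: a renderer for the two directive forms the snippet uses ({include if} and {exclude if}), applied to the quoted template with its elided lines left out, plus a sanity check that a password module still gates access before pam_duo.

```python
"""Render an authselect-style PAM template for a set of feature options.
Added illustration (not authselect's code): only the {include if} and
{exclude if} directives shown in the issue are handled; real authselect
has more. TEMPLATE is the issue's snippet with the '....' lines omitted."""
import re

# A trailing {include if "feature"} or {exclude if "feature"} directive.
DIRECTIVE = re.compile(r'\s*\{(include|exclude) if "([^"]+)"\}\s*$')

TEMPLATE = """\
auth  required     pam_env.so
auth  required     pam_faildelay.so delay=2000000
auth  required     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
auth  required     pam_faillock.so preauth silent deny=4 unlock_time=120  {include if "with-faillock"}
auth  sufficient   pam_u2f.so cue                                         {include if "with-pam-u2f"}
auth  required     pam_u2f.so cue nouserok                                {include if "with-pam-u2f-2fa"}
auth  requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth  sufficient   pam_sss.so forward_pass                                {exclude if "with-duo"}
auth  requisite    pam_sss.so forward_pass                                {include if "with-duo"}
auth  sufficient   pam_duo.so                                             {include if "with-duo"}
auth  required     pam_faillock.so authfail deny=4 unlock_time=120        {include if "with-faillock"}
auth  required     pam_deny.so
"""

def render(template, features):
    """Return the PAM lines that survive for the enabled feature set."""
    out = []
    for line in template.splitlines():
        m = DIRECTIVE.search(line)
        if m:
            kind, feature = m.groups()
            enabled = feature in features
            # include-if keeps the line only when enabled; exclude-if only when not
            if (kind == "include") != enabled:
                continue
            line = line[:m.start()]
        out.append(line.rstrip())
    return out

def password_gate_before_duo(lines):
    """True if pam_sss/pam_unix is required or requisite before pam_duo, so Duo
    is never the sole factor. Vacuously true when pam_duo is absent."""
    gated = False
    for line in lines:
        ctrl, mod = line.split()[1:3]
        if mod == "pam_duo.so":
            return gated
        if mod in ("pam_sss.so", "pam_unix.so") and ctrl in ("required", "requisite"):
            gated = True
    return True
```

Rendering with an empty feature set reproduces the plain sssd stack quoted above, and with {"with-duo"} the six-line Duo variant.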

@breakwaterlabs

If there is interest in this feature I would be happy to write the code and issue a pull request.

@Sepiidae

Sepiidae commented Jan 2, 2023

This is an older feature request, but I agree this is needed. We deploy IPA on an HPC cluster and activating ipa disables Duo upon enrollment.

AUTH profiles do a great job of decreasing the risk of really messing up your PAM configuration. I know a certain admin (me) whose initial setup disabled password authentication in favor of just using duo. Oops...

@AaronAtDuo

Thanks for the offers and interest, but we are unlikely to proceed with this feature request.

On paper this seems like a great idea. However, multiple years of handling questions from customers about their PAM stacks has taught us that Duo trying to be helpful with PAM configuration actually just makes things worse. It seems like every customer wants something different from their PAM stack; while the authselect templates address that, it requires those admins to understand both the authselect mechanisms and the resultant PAM stack in order to configure their system appropriately. So instead, many admins, in a rush, just copy anything Duo provides and this leads to a worse outcome for both them and us.

That being said, if there's a way to introduce authselect profiles in a way that makes it easier for admins to get the correct PAM configuration, while having to understand PAM and authselect less, that would be ideal!

@breakwaterlabs

breakwaterlabs commented Mar 30, 2023 via email

@kfiresmith

Basically what @breakwaterlabs said in their prior comment, but from the Ubuntu perspective.

Ubuntu uses pam-auth-update via profiles that are created specifically to prevent future landmines when something else changes the stack the right way: via package-provided profiles.

You can read more about this at https://wiki.ubuntu.com/PAMConfigFrameworkSpec

Authselect and pam-auth-update were created specifically to do what @AaronAtDuo mentioned in his last comment:

if there's a way to introduce authselect profiles in a way that makes it easier for admins to get the correct PAM configuration, while having to understand PAM and authselect less, that would be ideal!
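For comparison with the authselect template earlier in the thread, here is what a package-provided pam-auth-update profile of the kind the comment above describes could look like. This is an added illustration, not a file shipped by duo_unix; the display name, priority and the path /usr/share/pam-configs/duo are assumptions, and the field names follow the PAMConfigFrameworkSpec linked above. pam-auth-update merges such a profile into /etc/pam.d/common-auth as an Additional module that runs after the Primary password module, so it is re-applied when other packages change the stack:

```text
# /usr/share/pam-configs/duo  (assumed path; constructed example)
Name: Duo Security two-factor authentication
Default: yes
Priority: 128
Auth-Type: Additional
Auth:
	required	pam_duo.so
```

Because the profile is of type Additional rather than Primary, it cannot replace the password check the way the hand-edited stack described earlier in this thread did.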
