Add pam.d flags to maintain compatibility with FreeIPA deployments. #753

Open
BlamKiwi opened this issue Mar 21, 2024 · 1 comment
Description

FreeIPA uses authselect to enforce various system policies, such as creating a home directory or enabling sudo support for users. dev-sec.os_hardening unconditionally overrides various system links such as:

  • /etc/pam.d/rhel_auth.j2
  • /etc/pam.d/password-auth
  • /etc/pam.d/system-auth

This breaks FreeIPA, as the authselect tool expects the system to be in a particular state. This makes use of dev-sec.os_hardening tricky when used in conjunction with FreeIPA domain management.

Solution

Add additional flags to control this behaviour as FreeIPA assumes it has control over pam.d once deployed.

Alternatives

Add additional variables to supply a path that overrides the pam.d links.

Additional information

This is the output of sudo authselect enable-feature with-mkhomedir on an AlmaLinux 9.3 Server after joining a FreeIPA domain:

[error] Link [/etc/pam.d/system-auth] does not point to [/etc/authselect/system-auth]
[error] [/etc/pam.d/system-auth] was not created by authselect!
[error] Link [/etc/pam.d/password-auth] does not point to [/etc/authselect/password-auth]
[error] [/etc/pam.d/password-auth] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists
BlamKiwi commented Mar 21, 2024

I should also add, existing variables such as os_auth_pam_oddjob_mkhomedir are insufficient, as commands such as authselect enable-feature with-sudo are also required to manage practical deployments. authselect also controls smart cards, fingerprint readers etc.
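The errors in the issue show the ownership test authselect applies before it will change a profile: /etc/pam.d/system-auth and /etc/pam.d/password-auth must be symlinks into /etc/authselect, otherwise it reports "was not created by authselect!" and refuses. The script below is an added example, not code from the issue, from dev-sec.os_hardening or from authselect. It reproduces that check as a pre-flight guard a hardening role could run before templating pam.d files, and builds a constructed scratch tree that mirrors the broken state reported above (system-auth replaced by a regular file, password-auth still a symlink). The optional ROOT argument is a hypothetical prefix added here so the check can run against that scratch tree instead of the live host.

```shell
#!/bin/sh
# Added example, not code from the issue, from dev-sec.os_hardening or from authselect.
# It mirrors the condition authselect enforces before touching a profile (see the
# "Link [...] does not point to [...]" errors in the issue): /etc/pam.d/<name> must be
# a symlink to /etc/authselect/<name>. The optional ROOT argument is a hypothetical
# prefix so the check can run against a scratch directory instead of the live system.

# authselect_owned NAME [ROOT]
# Returns 0 when ROOT/etc/pam.d/NAME is a symlink to /etc/authselect/NAME
# (the absolute target authselect itself writes), 1 for a regular file, a missing
# file, or a symlink pointing anywhere else.
authselect_owned() {
  name=$1
  root=${2:-}
  link="$root/etc/pam.d/$name"
  [ -L "$link" ] || return 1
  target=$(readlink "$link") || return 1
  case "$target" in
    "/etc/authselect/$name"|"$root/etc/authselect/$name") return 0 ;;
    *) return 1 ;;
  esac
}

# pamd_managed_by_authselect [ROOT]
# Returns 0 only when both files the issue lists are still authselect-owned;
# a hardening role should skip its pam.d templating in that case.
pamd_managed_by_authselect() {
  root=${1:-}
  authselect_owned system-auth "$root" && authselect_owned password-auth "$root"
}

# make_scratch: constructed scratch tree reproducing the state from the issue after
# os_hardening ran: system-auth replaced by a regular file, password-auth still a
# symlink. Prints the directory so the caller can clean it up.
make_scratch() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/pam.d" "$d/etc/authselect"
  ln -s /etc/authselect/password-auth "$d/etc/pam.d/password-auth"
  printf 'auth        required      pam_env.so\n' > "$d/etc/pam.d/system-auth"
  printf '%s\n' "$d"
}

# Demo against the scratch tree (call the functions with no ROOT to check the live host).
scratch=$(make_scratch)
for f in system-auth password-auth; do
  if authselect_owned "$f" "$scratch"; then
    echo "$f: authselect-owned, leave it alone"
  else
    echo "$f: not created by authselect; authselect will refuse to change profiles"
  fi
done
rm -rf "$scratch"
```

On a real host, authselect's own equivalent of this guard is `authselect check`, which exits non-zero when the links have been tampered with; wiring either check into a `when:` condition in front of the role's pam.d tasks is the kind of flag the issue asks for. Once the links have already been replaced, authselect's error message is accurate: the profile can only be re-activated by restoring the symlinks or by asking for an overwrite (`authselect select <profile> --force`), which discards whatever the hardening role wrote into those files.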
