I understand the hesitation in changing the behaviour in such a way, but
in general I agree with this case. That fallback to password
authentication sounds like a vulnerability even.

a) could we get #security to chime in, on whether this is an actual
vulnerability or not?

b) At the gdm login prompt, the cert is absolutely necessary, no
fallback is happening there? Just in other post-login apps, like sudo?
What about the screen saver, or when the desktop is locked? Is the smart
card required to unlock the screen, or is there also a fallback there
due to this bug?

c) Any particular reason to need the yubikey ppa? I see we have 2.2.0 in
jammy and noble, just oracular has 2.5.2. Do we need a higher version
than what's available in jammy for this test plan?

d) I noticed that in the pam config from the bug description, pam_sss is
invoked twice:

    auth [success=3 ignore=ignore default=die] pam_sss.so allow_missing_name require_cert_auth
...
    auth [success=1 default=ignore] pam_sss.so use_first_pass


I was wondering why that second line with use_first_pass is necessary, and also
wondered if that wasn't the source of the bug. When going the pam-auth-update
route in noble, that's how it leaves the config, with two calls to pam_sss in
the auth section? And is the second one correct? Perhaps something changed in
noble's version, that's not necessary in jammy?

e) What do you think about pulling into this SRU the extra smart card
tests that were added to sssd in later releases? Noble has them since
2.9.2-1ubuntu1.

f) On the testing note, we should also augment the test plan with
non-smartcard tests. Perform that join, for example, but without the
smartcard requirement, just password auth. The existing dep8 tests cover
that for the kerberos/ldap standalone case, but not active directory.


** Changed in: sssd (Ubuntu Jammy)
       Status: In Progress => Incomplete

https://bugs.launchpad.net/bugs/2081129

Title:
  libpam-sss: require_cert_auth is not absolute, will fall back to
  password auth on smartcard removal


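An added illustration, not part of the bug report and not sssd or libpam code: a small Python model of the PAM auth-stack control semantics documented in pam.conf(5), run over a constructed stack in the shape of the config quoted in item d). It shows how the combination of ignore=ignore on the certificate line and the password modules that follow lets a non-success result from pam_sss walk down to pam_unix / pam_sss use_first_pass, which is the path worth tracing when reviewing what pam-auth-update generates. The full stack contents, the pam_unix/pam_deny/pam_permit lines, the per-module return values and the "strict" variant are all assumptions for illustration, not the reporter's actual files and not a proposed fix.

```python
"""Toy model of Linux-PAM 'auth' stack evaluation (added illustration).

Follows the control-token semantics in pam.conf(5): ok, done, bad, die,
ignore and N (jump over N modules), in simplified form. Not libpam code."""
import re
from dataclasses import dataclass, field

# Bracket equivalents of the simple control keywords, per pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    control: dict                 # module return value -> action
    module: str
    args: list = field(default_factory=list)


def parse_auth_stack(text):
    """Parse the 'auth' lines of a pam.d-style file into PamEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = AUTH_LINE.match(line) if line else None
        if not m:
            continue              # blank, comment, or a non-auth facility
        ctl, module, args = m.groups()
        if ctl.startswith("["):
            control = dict(tok.split("=", 1) for tok in ctl[1:-1].split())
        else:
            control = SIMPLE_CONTROLS[ctl]
        entries.append(PamEntry(control, module, args.split()))
    return entries


def run_auth_stack(entries, results):
    """Walk the stack; results maps entry index -> 'success'/'ignore'/'auth_err'.

    Unlisted entries fail, except pam_permit.so which always succeeds.
    Returns (authenticated, list of entry indices actually consulted)."""
    impression, status = None, None   # None / 'positive' / 'negative'
    consulted, i = [], 0
    while i < len(entries):
        entry = entries[i]
        retval = results.get(i) or ("success" if entry.module == "pam_permit.so" else "auth_err")
        consulted.append(i)
        action = entry.control.get(retval, entry.control.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                  # this result does not contribute at all
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "positive" and status == "success"):
                if retval != "ignore":
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                 # stop early with the positive answer
            if action.isdigit():
                i += int(action)      # jump over the next N modules
            continue
        if action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break
            continue
        raise ValueError(f"unsupported action {action!r}")
    return (impression == "positive" and status == "success"), consulted


# Constructed stack in the shape of a pam-auth-update result (assumption, not the real file).
CERT_FIRST_STACK = """
auth [success=3 ignore=ignore default=die] pam_sss.so allow_missing_name require_cert_auth
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Hypothetical variant: an 'ignore' from the cert line is no longer skipped over.
STRICT_STACK = CERT_FIRST_STACK.replace("ignore=ignore ", "")


def scenario(stack_text, results):
    return run_auth_stack(parse_auth_stack(stack_text), results)

def card_present():            # cert line succeeds, jumps straight to pam_permit
    return scenario(CERT_FIRST_STACK, {0: "success"})

def no_card_good_password():   # cert line returns ignore, pam_unix accepts the password
    return scenario(CERT_FIRST_STACK, {0: "ignore", 1: "success"})

def no_card_bad_password():    # cert line returns ignore, password modules fail
    return scenario(CERT_FIRST_STACK, {0: "ignore", 1: "auth_err"})

def no_card_strict_control():  # same ignore, but the control field treats it as fatal
    return scenario(STRICT_STACK, {0: "ignore", 1: "success"})


if __name__ == "__main__":
    for fn in (card_present, no_card_good_password, no_card_bad_password, no_card_strict_control):
        ok, path = fn()
        print(f"{fn.__name__:24s} authenticated={ok!s:5s} consulted={path}")
```

Running it prints, for the constructed stack, that "no card, good password" authenticates after consulting entries 0, 1 and 4 (cert line, pam_unix, pam_permit), i.e. the password path is reachable whenever the first line yields an ignore-class result, while the strict variant stops at entry 0. The model deliberately does not encode what pam_sss returns when a card is removed; that is exactly the question item b) asks, and it has to be answered from sssd's behaviour, not from this toy.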