The current PAM configuration allows login with a wrong password (via ssh at least, not sure about local tty). I have changed:

auth sufficient pam_deny.so

to

auth required pam_deny.so

This does seem to fix it; I'm also still able to log in with local accounts after this change. I am, however, not 100% confident about this change being right; I don't mess with the PAM config usually.

Reproducible: Always
That fix sounds right. I'm away for a few hours but I'll fix this later. This gives Christopher a chance to comment too.
Thank you for testing. I checked a Fedora VM and yes, it should have been "required", not "sufficient".
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f6e52e5b96c20426687bc8041b171c9b788d7910

commit f6e52e5b96c20426687bc8041b171c9b788d7910
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-28 08:14:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-28 08:14:35 +0000

    system-auth.tpl: fix sssd's pam_deny

    Closes: https://bugs.gentoo.org/922918
    Signed-off-by: Sam James <sam@gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c465affcd56d897d3e69b8bc2f072bb6e9271857

commit c465affcd56d897d3e69b8bc2f072bb6e9271857
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-01-28 08:15:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-28 08:16:01 +0000

    sys-auth/pambase: add 20240128, drop 20240119

    Sam James (1):
          system-auth.tpl: fix sssd's pam_deny

    Closes: https://bugs.gentoo.org/922918
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-auth/pambase/Manifest                                             | 2 +-
 sys-auth/pambase/{pambase-20240119.ebuild => pambase-20240128.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
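
Why the one-word change discussed in this report matters, as an added example that is not part of the original report or of pambase: a simplified model of Linux-PAM's keyword control flags, run over a constructed three-line auth stack. The stack and the module name `earlier_required_module` are hypothetical; the real template is not reproduced here.

```python
# Simplified model of Linux-PAM keyword control flags, after pam.conf(5).
# Bracketed controls such as [success=1 default=ignore] are not modelled.

def run_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> True on success.
    Returns True when the stack as a whole grants access."""
    failed = False     # a required module has failed
    succeeded = False  # at least one module result counted as success
    for control, module in stack:
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return False          # failure ends the stack at once
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True         # stack will fail, but keeps running
        elif control == "sufficient":
            if ok and not failed:
                return True           # success ends the stack at once
            # a failing sufficient module is ignored
        elif control == "optional":
            succeeded = succeeded or ok   # failure is ignored
        else:
            raise ValueError(f"unsupported control: {control}")
    return succeeded and not failed


def login_allowed(deny_control, password_ok):
    """Constructed auth stack; only the control flag of pam_deny.so varies."""
    stack = [
        # hypothetical stand-in for any earlier module that succeeds
        # regardless of the password
        ("required", "earlier_required_module"),
        ("sufficient", "pam_unix.so"),
        (deny_control, "pam_deny.so"),
    ]
    outcomes = {
        "earlier_required_module": True,
        "pam_unix.so": password_ok,   # fails on a wrong password
        "pam_deny.so": False,         # pam_deny always fails
    }
    return run_stack(stack, outcomes)


if __name__ == "__main__":
    for control in ("sufficient", "required"):
        for password_ok in (True, False):
            print(control, password_ok, login_allowed(control, password_ok))
```

With `sufficient`, the failure of pam_deny.so is ignored and the earlier success decides the result; with `required`, a wrong password is rejected while a correct one still ends the stack at pam_unix.so.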