pam_sss Does not prompt for password on unknown user
We have the following configuration to allow for local users to be authenticated locally first and then via SSSD (Active Directory) if they are not a local user:
auth [default=3 success=ok] pam_localuser.so
auth [success=1 default=bad] pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth requisite pam_succeedif.so uid>=1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
This configuration works as expected for authenticating valid users. The issue is that, when logging into the system console, a user can enter an invalid username and is IMMEDIATELY notified that that 'Login incorrect'. It seems that pam_sss does not prompt for a password for an unknown user like pam_unix will do. This allows for someone to keep trying usernames until they find a valid one. Is there a recommended way to make pam_sss (or a following module) prompt for a password even when the user is not known?
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
