@cweiland
Created August 2, 2025 22:48
PAM config file for local auth using pam_sss.so on Debian
Name: Unix for local and sss for remote/OTP authentication
Default: yes
Priority: 256
Conflicts: unix, sss
Auth-Type: Primary
Auth:
	[default=1 success=ok]	pam_localuser.so
	[success=end default=ignore]	pam_unix.so nullok_secure try_first_pass
	requisite	pam_succeed_if.so uid >= 1000 quiet_success
	[success=end default=ignore]	pam_sss.so forward_pass
Auth-Initial:
	[default=1 success=ok]	pam_localuser.so
	[success=done ignore=ignore default=die]	pam_unix.so nullok try_first_pass
	requisite	pam_succeed_if.so uid >= 1000 quiet_success
	sufficient	pam_sss.so forward_pass
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
	sufficient	pam_localuser.so
	[default=bad success=ok user_unknown=ignore]	pam_sss.so
Account-Initial:
	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
	sufficient	pam_localuser.so
	[default=bad success=ok user_unknown=ignore]	pam_sss.so
Session-Type: Additional
Session:
	required	pam_unix.so
	optional	pam_sss.so
Session-Initial:
	required	pam_unix.so
	optional	pam_sss.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
	sufficient	pam_sss.so use_authtok
Password-Initial:
	[success=end default=ignore]	pam_unix.so obscure sha512
	sufficient	pam_sss.so