guix-devel

Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.


From: Ludovic Courtès
Subject: Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.
Date: Thu, 27 Oct 2016 14:51:02 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

John Darrington <address@hidden> skribis:

> On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote:
>
>      > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
>      > index 4546c1a..0278db6 100644
>      > --- a/gnu/system/pam.scm
>      > +++ b/gnu/system/pam.scm
>      > @@ -217,7 +217,7 @@ should be a file-like object used as the 
> message-of-the-day."
>      >                           (pam-entry
>      >                            (control "required")
>      >                            (module "pam_unix.so")
>      > -                          (arguments '("nullok")))
>      > +                          (arguments '("nullok" "use_first_pass")))
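
Review bot: The `+` line adds "use_first_pass" unconditionally to the pam_unix.so entry whose control is "required", so this entry can no longer prompt on its own; per the pam_unix(8) text quoted in this thread, when no earlier module in the stack has collected a password the user is denied access. Add the argument only when a password-prompting module is stacked ahead of pam_unix.so, or use "try_first_pass", which falls back to prompting, and put a comment next to the arguments naming the stacked module this option depends on.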
>      
>      pam_unix(8) says:
>      
>      use_first_pass
>          The argument use_first_pass forces the module to use a previous stacked modules
>          password and will never prompt the user - if no password is available or the
>          password is not appropriate, the user will be denied access.
>      
>      I don't understand exactly what this means for GuixSD. Can you explain
>      it to us? :)
>
> On its own it does nothing.  It makes more sense in context with the other patch I sent.
> With this option in place, one can extend the unix-pam-service with another pam service
> (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
> at work) then the password I gave will be presented to the regular pam_unix login.
> I won't be prompted for it again.

In that case, instead of hardcoding “use_first_pass” here, would it be
possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
a procedure that automatically adds “use_first_pass” where needed?

See elogind and ‘pam-extension-procedure’ in (gnu services desktop) for
an example of that.

Thanks,
Ludo’.
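
The kind of procedure suggested above, as an added example in Guile that is not from this thread or from Guix: it adds "use_first_pass" to pam_unix.so only in a stack where a krb5 module has been put in front to collect the password. The `<entry>` record and the procedure names are hypothetical stand-ins for the (gnu system pam) definitions, and the "pam_krb5.so" module name and "sufficient" control are assumptions.

```scheme
(use-modules (srfi srfi-1) (srfi srfi-9))

;; Hypothetical stand-in for a PAM stack entry; not Guix's own record type.
(define-record-type <entry>
  (make-entry control module arguments)
  entry?
  (control   entry-control)
  (module    entry-module)
  (arguments entry-arguments))

(define (unix-entry? e)
  (string=? (entry-module e) "pam_unix.so"))

(define (add-argument e arg)
  ;; Return E with ARG appended, unless ARG is already present.
  (if (member arg (entry-arguments e))
      e
      (make-entry (entry-control e) (entry-module e)
                  (append (entry-arguments e) (list arg)))))

(define (stack-krb5-first auth-entries)
  ;; Put a krb5 entry ahead of AUTH-ENTRIES and make each pam_unix.so entry
  ;; reuse the password it collected.  A stack without pam_unix.so is returned
  ;; unchanged, so "use_first_pass" never appears without a prompting module
  ;; in front of it.
  (if (any unix-entry? auth-entries)
      (cons (make-entry "sufficient" "pam_krb5.so" '())   ;assumed module/control
            (map (lambda (e)
                   (if (unix-entry? e)
                       (add-argument e "use_first_pass")
                       e))
                 auth-entries))
      auth-entries))

;; Constructed sample: the auth stack from the hunk, before the patch.
(define login-auth
  (list (make-entry "required" "pam_unix.so" '("nullok"))))

;; Print the transformed stack in pam.d syntax.
(for-each (lambda (e)
            (format #t "auth ~a ~a ~a~%"
                    (entry-control e) (entry-module e)
                    (string-join (entry-arguments e) " ")))
          (stack-krb5-first login-auth))
```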


