Re: Question about PAM service
From: Fredrik Salomonsson
Subject: Re: Question about PAM service
Date: Wed, 07 Aug 2024 23:26:04 +0000
Hi Felix,
Felix Lechner <felix.lechner@lease-up.com> writes:
>> it does not look supertrivial to modify a PAM service.
>
> One way in Linux-PAM would be to skip the pam_unix.so module when the
> pam_u2f.so module returned PAM_SUCCESS, like this
>
> auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
> auth required pam_unix.so
>
> The mechanism is described here [1] but I haven't used it in a while.
Thanks! I'll try that once I get some time I can sit down and tinker
with this.
> I'd probably do that only for the 'auth' stage, so that a locked or
> expired password still prevents logins during the 'account' stage,
> although it would be a matter of personal preference.
Yeah, my idea is to just have this for swaylock i.e. when the
screensaver kicks in. And let the rest be guarded by a password.
> In Guix, you'll probably end up replacing 'pam-services' in your
> operating-system record.
>
> As an aside, I am also the upstream author of Guile-PAM [2] which could
> potentially allow you to write something like this:
>
> ;; Close the 'or' form before the two branches of the 'if'; the original
> ;; posting had that paren one line too late.
> (lambda (action handle flags options)
>   (case action
>     ((pam_sm_authenticate)
>      (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
>              (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so")))
>          'PAM_SUCCESS
>          'PAM_AUTH_DENIED))
>     (else
>      ...)))
>
> Guile-PAM is experimental, however, and the code above is untested.
Interesting. I would not mind testing this out. But I think I'll do
this in stages. First get things working with plain old Linux-PAM then
I might test out Guile-PAM. Is it packaged for Guix?
> [1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
> [2] https://juix.org/guile-pam/
--
s/Fred[re]+i[ck]+/Fredrik/g
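To make the bracketed control line quoted above concrete, here is an added example that is not part of this thread, of Linux-PAM, or of Guile-PAM: a small Python model of the `[value=action]` stack rules as the Linux-PAM System Administrators' Guide describes them (ok, done, bad, die, ignore, reset, and a jump count N), run over the two-line `auth` stack from the mail and, for contrast, the same stack written with `sufficient`. Module return values are simulated strings such as `success`, `ignore` and `auth_err`; the module names are the ones from the thread; treating a return value that has no entry and no `default` as `bad` is an assumption of the model.

```python
import re

# Equivalences for the simple control keywords, as listed in the Linux-PAM guide.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(control):
    """Turn 'required' or '[success=1 default=bad]' into {return_value: action}."""
    control = KEYWORDS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unknown control field: {control}")
    return dict(item.split("=", 1) for item in control[1:-1].split())


def parse_stack(text):
    """Parse pam.d-style lines into (type, module, control_table) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {raw!r}")
        mtype, control, module, _args = m.groups()
        entries.append((mtype, module, parse_control(control)))
    return entries


def run_stack(entries, mtype, results):
    """Walk one management group (e.g. 'auth') applying the guide's action rules.

    `results` maps module name -> simulated return value ('success', 'ignore',
    'auth_err', ...). Returns (status, consulted): the stack's final status and
    the list of modules actually executed, i.e. not jumped over.
    """
    stack = [(m, t) for (ty, m, t) in entries if ty == mtype]
    impression = None       # None = undecided, True = passing, False = failed
    status = "perm_denied"  # placeholder status until some module decides
    consulted = []
    i = 0
    while i < len(stack):
        module, table = stack[i]
        i += 1
        retval = results[module]
        consulted.append(module)
        # Assumption of this model: a value with no entry and no 'default' is 'bad'.
        action = table.get(retval, table.get("default", "bad"))
        if action == "ignore":
            continue                      # does not contribute to the result
        if action == "reset":
            impression, status = None, "perm_denied"
            continue
        if action in ("bad", "die"):
            if impression is not False:   # the first failure fixes the status
                impression, status = False, retval
            if action == "die":
                break                     # terminate the stack immediately
            continue
        # 'ok', 'done' and a jump count N share the 'ok' rule: the module's
        # value overrides the status only while the stack is not already failed.
        if impression is not False:
            impression, status = (retval == "success"), retval
        if action == "done":
            if impression:
                break                     # terminate only from a passing state
        elif action.isdigit():
            i += int(action)              # skip the next N modules
        elif action != "ok":
            raise ValueError(f"unknown action {action!r}")
    return status, consulted


# Constructed stacks: the bracketed line from the thread, and the plain
# 'sufficient' form for contrast.
CONFIG_JUMP = """
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
auth required pam_unix.so
"""
CONFIG_SUFFICIENT = """
auth sufficient pam_u2f.so
auth required pam_unix.so
"""


def scenario(config, u2f, unix):
    """Simulate one login attempt with the given simulated module outcomes."""
    return run_stack(parse_stack(config), "auth",
                     {"pam_u2f.so": u2f, "pam_unix.so": unix})


if __name__ == "__main__":
    for name, cfg in (("jump", CONFIG_JUMP), ("sufficient", CONFIG_SUFFICIENT)):
        for u2f, unix in (("success", "auth_err"), ("ignore", "success"),
                          ("auth_err", "success")):
            status, consulted = scenario(cfg, u2f, unix)
            print(f"{name:10} u2f={u2f:8} unix={unix:8} -> {status:11} "
                  f"ran: {', '.join(consulted)}")
```

Running it shows the two behaviours worth knowing before relying on the line for a screen locker: a pam_u2f success jumps over pam_unix so no password is asked, and a pam_u2f result mapped to `ignore` falls through to the password as intended; but with `default=bad`, any other pam_u2f failure fixes the stack's status as failed, so pam_unix still prompts yet a correct password cannot rescue the attempt, whereas the `sufficient` form treats that same failure as `ignore` and lets the password decide.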