[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Question about PAM service
From: |
Fredrik Salomonsson |
Subject: |
Re: Question about PAM service |
Date: |
Tue, 03 Sep 2024 05:11:29 +0000 |
Just to follow up as I finally got some time to sit down and tinker with
this.
Fredrik Salomonsson <plattfot@posteo.net> writes:
> Hi Felix,
>
> Felix Lechner <felix.lechner@lease-up.com> writes:
>
>>> it does not look supertrivial to modify a PAM service.
>>
>> One way in Linux-PAM would be to skip the pam_unix.so module when the
>> pam_u2f.so module returned PAM_SUCCESS, like this
>>
>> auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
>> auth required pam_unix.so
>>
>> The mechanism is described here [1] but I haven't used in a while.
>
> Thanks! I'll try that ones I get some time I can sit down and tinker
> with this.
>
>> I'd probably do that only for the 'auth' stage, so that a locked or
>> expired password still prevents logins during the 'account' stage,
>> although it would be a matter of personal preference.
>
> Yeah, my idea is to just have this for swaylock i.e. when the
> screensaver kicks in. And let the rest be guarded by a password.
>
>> In Guix, you'll probably end up replacing 'pam-services' in your
>> operating-system record.
>>
>> As an aside, I am also the upstream author of Guile-PAM [1] which could
>> potentially allow you to write something like this:
>>
>> (lambda (action handle flags options)
>> (case action
>> ((pam_sm_authenticate)
>> (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
>> (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so"))
>> 'PAM_SUCCESS
>> 'PAM_AUTH_DENIED)))
>> (else
>> ...)))
>>
>> Guile-PAM is experimental, however, and the code above is untested.
>
> Interesting. I would not mind testing this out. But I think I'll do
> this in stages. First get things working with plain old Linux-PAM then
> I might test out Guile-PAM. Is it packaged for Guix?
>
>> [1]
>> https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
>> [2] https://juix.org/guile-pam/
I ended up just writing service that modifies a `unix-pam-service`, you
can find it here [1]. Then use that instead of the pam service the
`screen-locker-service-type` generates. Works quite well, I need to hit
enter to activate the u2f key when the screen is locked. And also wait
for u2f to timeout if I want to log in with just the password. But
quite nice to not needing to type in my password to unlock the screen.
Anyone know if it is a good idea to check in the u2f_keys mapping file?
I have not find any info if that file contains any sensitive information
sensitive or not. Would be nice to have all that configured with guix.
[1]
https://git.sr.ht/~plattfot/plt/tree/edc7b4da848b31926ae5cb8bb4d92f33c7e65d70/item/plt/system/u2f.scm
[2]
https://git.sr.ht/~plattfot/plt/tree/edc7b4da848b31926ae5cb8bb4d92f33c7e65d70/item/plt/system/machines.scm
--
s/Fred[re]+i[ck]+/Fredrik/g
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Question about PAM service,
Fredrik Salomonsson <=