
Re: Question about PAM service


From: Felix Lechner
Subject: Re: Question about PAM service
Date: Mon, 05 Aug 2024 12:26:23 -0700

Hi Fredrik,

On Fri, Aug 02 2024, Fredrik Salomonsson wrote:

> it does not look supertrivial to modify a PAM service.

One way in Linux-PAM would be to skip the pam_unix.so module when the
pam_u2f.so module returned PAM_SUCCESS, like this

    auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
    auth required pam_unix.so

The mechanism is described here [1], but I haven't used it in a while.

I'd probably do that only for the 'auth' stage, so that a locked or
expired password still prevents logins during the 'account' stage,
although it would be a matter of personal preference.

In Guix, you'll probably end up replacing 'pam-services' in your
operating-system record.

As an aside, I am also the upstream author of Guile-PAM [2], which could
potentially allow you to write something like this:

    (lambda (action handle flags options)
      (case action
        ((pam_sm_authenticate)
         ;; Accept the login if either legacy module authenticates the user.
         ;; `or' short-circuits, so pam_unix.so is only consulted when
         ;; pam_u2f.so did not return PAM_SUCCESS.
         (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
                 (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so")))
             'PAM_SUCCESS
             'PAM_AUTH_DENIED))
        (else
         ...)))

Guile-PAM is experimental, however, and the code above is untested.

Kind regards
Felix

[1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
[2] https://juix.org/guile-pam/
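The two-line stack from the message above, run through a small simulator of the Linux-PAM control semantics documented in [1]. This is an added example, not code from the message, from Guix or from Guile-PAM; the return values for pam_u2f.so and pam_unix.so are constructed inputs, and the second stack (`default=ignore` instead of `default=bad`) is an assumed variant included for contrast. The state machine follows libpam's `_pam_dispatch_aux` as I read it (impression/status, `ok`/`done`/`N`/`bad`/`die`/`ignore`/`reset`), including the "bad jump in stack" case where a jump runs past the end of the stack.

```python
"""Evaluate an 'auth' module stack written in the [value=action ...] syntax the
way libpam's _pam_dispatch_aux does (impression/status state machine)."""
import re
SUCCESS, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
MUST_FAIL = "PAM_PERM_DENIED"      # libpam's PAM_MUST_FAIL_CODE
# Bracket equivalents of the keyword controls, as listed in the Linux-PAM SAG.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Map a control field to {PAM return value: action}; 'default' covers the rest."""
    control = KEYWORDS.get(control, control)
    m = re.fullmatch(r"\[(.*)\]", control.strip())
    if not m:
        raise ValueError(f"unknown control field: {control!r}")
    actions = {}
    for pair in m.group(1).split():
        value, action = pair.split("=", 1)   # e.g. auth_err=ignore -> PAM_AUTH_ERR
        actions["default" if value == "default" else "PAM_" + value.upper()] = action
    return actions

def parse_stack(text, group="auth"):
    """Parse pam.d-style lines of one management group into [(module, actions), ...]."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mgmt, rest = line.split(None, 1)
        if mgmt != group:
            continue
        if rest.startswith("["):
            control, module = rest.split("]", 1)
            control += "]"
        else:
            control, module = rest.split(None, 1)
        stack.append((module.split()[0], parse_control(control)))   # drop module args
    return stack

def evaluate(stack, results):
    """Final status for {module: return value}; impression is None, 'positive' or 'negative'."""
    impression, status = None, MUST_FAIL
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        retval = results[module]
        # Unlisted values fall under 'default'; libpam's own fallback is 'bad'.
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "reset":
            impression, status = None, MUST_FAIL
        elif action in ("ok", "done") or action.isdigit():
            # ok/done/N only set the status while the stack is undecided or still
            # PAM_SUCCESS; they never override an earlier failure.
            if impression is None or (impression == "positive" and status == SUCCESS):
                if retval != IGNORE:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
            if action.isdigit():
                i += int(action)             # skip the next N modules
                if i >= len(stack):          # libpam: "bad jump in stack"
                    return MUST_FAIL
        elif action in ("bad", "die"):
            if impression != "negative":     # the first failure fixes the code
                impression = "negative"
                status = MUST_FAIL if retval == IGNORE else retval
            if action == "die":
                break
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r} for {module}")
        i += 1
    # libpam's sanity check: PAM_SUCCESS without a positive impression fails.
    if status == SUCCESS and impression != "positive":
        status = MUST_FAIL
    return status

# The two-line stack from the message above (constructed input).
STACK_BAD = parse_stack("""
auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
auth required pam_unix.so
""")
# Assumed variant for contrast: a failing pam_u2f.so is ignored rather than bad.
STACK_IGNORE = parse_stack("""
auth [success=1 new_authtok_reqd=1 default=ignore] pam_u2f.so
auth required pam_unix.so
""")

def outcomes(stack):
    """Final status for each combination of pam_u2f.so / pam_unix.so results."""
    return {(u, p): evaluate(stack, {"pam_u2f.so": u, "pam_unix.so": p})
            for u in (SUCCESS, "PAM_AUTH_ERR", IGNORE) for p in (SUCCESS, "PAM_AUTH_ERR")}

if __name__ == "__main__":
    for name, stack in (("default=bad", STACK_BAD), ("default=ignore", STACK_IGNORE)):
        print("---", name, *(f"{k} -> {v}" for k, v in outcomes(stack).items()), sep="\n")
```

Run as a script it prints the final status for every combination of module results under both stacks; `outcomes(STACK_BAD)` alone shows which combinations the stack from the message accepts, and `evaluate` takes any stack `parse_stack` can read, so other control lines can be checked the same way before they go into `pam-services`.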