
[2/3] gnu: pam_unix.so Add use_first_pass option.

Message ID 1477150080-17187-2-git-send-email-jmd@gnu.org
State New

Commit Message

John Darrington Oct. 22, 2016, 3:27 p.m. UTC
* gnu/system/pam.scm (unix-pam-service) [auth]: Add "use_first_pass" option.
---
 gnu/system/pam.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Leo Famulari Oct. 23, 2016, 9:45 p.m. UTC | #1
On Sat, Oct 22, 2016 at 05:27:59PM +0200, John Darrington wrote:
> * gnu/system/pam.scm (unix-pam-service) [auth]: Add "use_first_pass" option.
> ---
>  gnu/system/pam.scm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index 4546c1a..0278db6 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
>                           (pam-entry
>                            (control "required")
>                            (module "pam_unix.so")
> -                          (arguments '("nullok")))
> +                          (arguments '("nullok" "use_first_pass")))
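Review bot: With this hunk, pam_unix.so can no longer prompt on its own: per the pam_unix(8) text quoted below, use_first_pass makes it take the password from a previously stacked module and deny access when none is available. This entry is the required auth entry of unix-pam-service, the template every derived service starts from, so any service whose auth stack begins with this entry (nothing stacked ahead of it) would fail for every user unless a preceding module such as the pam_krb5 entry from the companion patch has already collected the password. If the goal is only to avoid a second prompt without breaking the stand-alone case, try_first_pass (reuse the stacked password when present, otherwise prompt) would be the safer argument here: `(arguments '("nullok" "try_first_pass"))`.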

pam_unix(8) says:

use_first_pass
    The argument use_first_pass forces the module to use a previous stacked modules
    password and will never prompt the user - if no password is available or the
    password is not appropriate, the user will be denied access.

I don't understand exactly what this means for GuixSD. Can you explain
it to us? :)
John Darrington Oct. 24, 2016, 4:56 a.m. UTC | #2
On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote:

     > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
     > index 4546c1a..0278db6 100644
     > --- a/gnu/system/pam.scm
     > +++ b/gnu/system/pam.scm
     > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
     >                           (pam-entry
     >                            (control "required")
     >                            (module "pam_unix.so")
     > -                          (arguments '("nullok")))
     > +                          (arguments '("nullok" "use_first_pass")))
     
     pam_unix(8) says:
     
     use_first_pass
         The argument use_first_pass forces the module to use a previous stacked modules
         password and will never prompt the user - if no password is available or the
         password is not appropriate, the user will be denied access.
     
     I don't understand exactly what this means for GuixSD. Can you explain
     it to us? :)

On its own it does nothing.  It makes more sense in context with the other patch I sent.
With this option in place, one can extend the unix-pam-service with another pam service
(such as krb5-pam), and if the krb5 authentication fails (for example because I am not
at work) then the password I gave will be presented to the regular pam_unix login. 
I won't be prompted for it again.

J'
Ludovic Courtès Oct. 27, 2016, 12:51 p.m. UTC | #3
John Darrington <john@darrington.wattle.id.au> skribis:

> On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote:
>
>      > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
>      > index 4546c1a..0278db6 100644
>      > --- a/gnu/system/pam.scm
>      > +++ b/gnu/system/pam.scm
>      > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
>      >                           (pam-entry
>      >                            (control "required")
>      >                            (module "pam_unix.so")
>      > -                          (arguments '("nullok")))
>      > +                          (arguments '("nullok" "use_first_pass")))
>      
>      pam_unix(8) says:
>      
>      use_first_pass
>          The argument use_first_pass forces the module to use a previous stacked modules
>          password and will never prompt the user - if no password is available or the
>          password is not appropriate, the user will be denied access.
>      
>      I don't understand exactly what this means for GuixSD. Can you explain
>      it to us? :)
>
> On its own it does nothing.  It makes more sense in context with the other patch I sent.
> With this option in place, one can extend the unix-pam-service with another pam service
> (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
> at work) then the password I gave will be presented to the regular pam_unix login. 
> I won't be prompted for it again.

In that case, instead of hardcoding “use_first_pass” here, would it be
possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
a procedure that automatically adds “use_first_pass” where needed?

See elogind and ‘pam-extension-procedure’ in (gnu services desktop) for
an example of that.

Thanks,
Ludo’.
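The two ideas in this thread, John's stacking of a Kerberos module ahead of pam_unix so that the password is reused rather than prompted for twice (#2), and Ludovic's suggestion to add "use_first_pass" from the Kerberos service through a 'pam-root-service-type' extension instead of hardcoding it in unix-pam-service (#3), can be combined in one procedure. The following is an added example written for this page in the style of elogind's 'pam-extension-procedure'; it is not code from the patch series or from Guix. The path in pam-krb5-module, the "sufficient" control for the Kerberos entry, and all helper names are assumptions for illustration.

```scheme
;; Added example, not part of the patch or of Guix: an extension procedure
;; for PAM-ROOT-SERVICE-TYPE that stacks pam_krb5 ahead of pam_unix and adds
;; "use_first_pass" only to services that actually have a pam_unix.so auth
;; entry, so services without Kerberos keep prompting as before.
(use-modules (gnu system pam)
             (srfi srfi-1))

(define pam-krb5-module
  ;; Assumed location of pam_krb5.so; a real service would derive this from
  ;; the package (e.g. with file-append) rather than hardcode a path.
  "/run/current-system/profile/lib/security/pam_krb5.so")

(define (pam-unix-auth-entry? entry)
  "True if ENTRY is a pam_unix.so entry (modules may also be file-like
objects, hence equal? rather than string=?)."
  (equal? (pam-entry-module entry) "pam_unix.so"))

(define (add-use-first-pass entry)
  "Return ENTRY with \"use_first_pass\" appended to its arguments, unless it
is already there.  With this argument pam_unix never prompts: it either gets
the password a preceding module collected, or denies access."
  (let ((args (pam-entry-arguments entry)))
    (if (member "use_first_pass" args)
        entry
        (pam-entry
         (inherit entry)
         (arguments (append args '("use_first_pass")))))))

(define pam-krb5-entry
  ;; "sufficient": a successful Kerberos authentication ends the auth stack;
  ;; a failure (for instance, the KDC is unreachable) falls through to
  ;; pam_unix, which then reuses the password pam_krb5 already prompted for.
  (pam-entry
   (control "sufficient")
   (module pam-krb5-module)))

(define (krb5-pam-extension pam)
  "Extend PAM, a <pam-service>, so that Kerberos is tried first and pam_unix
reuses the password.  Services without a pam_unix auth entry are returned
unchanged, so nothing ends up with use_first_pass as its first auth module."
  (let ((auth (pam-service-auth pam)))
    (if (any pam-unix-auth-entry? auth)
        (pam-service
         (inherit pam)
         (auth (cons pam-krb5-entry
                     (map (lambda (entry)
                            (if (pam-unix-auth-entry? entry)
                                (add-use-first-pass entry)
                                entry))
                          auth))))
        pam)))

;; Applied to the stock template, e.g. (krb5-pam-extension
;; (unix-pam-service "login")), the auth stack becomes: the sufficient
;; pam_krb5 entry, then the required pam_unix.so entry with
;; ("nullok" "use_first_pass").
;;
;; What a Kerberos service definition would hand to the PAM root service:
;; (service-extension pam-root-service-type
;;                    (const (list krb5-pam-extension)))
```

Rendered into /etc/pam.d terms, a service processed by this procedure reads `auth sufficient .../pam_krb5.so` followed by `auth required pam_unix.so nullok use_first_pass`: Kerberos is tried first, and on failure the same password is handed to pam_unix without a second prompt. Because the extension lives with the Kerberos service, unix-pam-service itself keeps prompting for services that never stack Kerberos.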
John Darrington Oct. 28, 2016, 5:22 a.m. UTC | #4
On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Courtès wrote:
     >
     > On its own it does nothing.  It makes more sense in context with the other patch I sent.
     > With this option in place, one can extend the unix-pam-service with another pam service
     > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
     > at work) then the password I gave will be presented to the regular pam_unix login. 
     > I won't be prompted for it again.
     
     In that case, instead of hardcoding “use_first_pass” here, would it be
     possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
     a procedure that automatically adds “use_first_pass” where needed?
     

I will look into it.  But almost any other pam module will want to do the same - at least
any other which uses passphrase-based authentication.  So I thought why put the onus on
every other module to do this?


J'
Ludovic Courtès Oct. 28, 2016, 12:48 p.m. UTC | #5
John Darrington <john@darrington.wattle.id.au> skribis:

> On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Courtès wrote:
>      >
>      > On its own it does nothing.  It makes more sense in context with the other patch I sent.
>      > With this option in place, one can extend the unix-pam-service with another pam service
>      > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
>      > at work) then the password I gave will be presented to the regular pam_unix login. 
>      > I won't be prompted for it again.
>      
>      In that case, instead of hardcoding “use_first_pass” here, would it be
>      possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
>      a procedure that automatically adds “use_first_pass” where needed?
>      
>
> I will look into it.  But almost any other pam module will want to do
> the same

Yes, and what I suggest will allow you to do that.

> - at least
> any other which uses passphrase-based authentication.  So I thought why put the onus on
> every other module to do this?

It’s not entirely clear that ‘use_first_pass’ is generally desirable,
Kerberos aside.  So I think it makes more sense to add it as part of the
Kerberos service, with an explanation of why it’s important in this
context.

Ludo’.

Patch

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 4546c1a..0278db6 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -217,7 +217,7 @@  should be a file-like object used as the message-of-the-day."
                          (pam-entry
                           (control "required")
                           (module "pam_unix.so")
-                          (arguments '("nullok")))
+                          (arguments '("nullok" "use_first_pass")))
                          unix)))
          (password (list (pam-entry
                           (control "required")
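Review bot: The reason for the added argument is documented nowhere in this patch: the commit message only says "Add use_first_pass option", and the pam-entry in unix-pam-service gets no comment, while the actual motivation (a Kerberos module stacked ahead of pam_unix, so the password it collected is reused instead of prompted for again) lives only in a separate patch and in the thread. At minimum, put a comment above `(module "pam_unix.so")` stating that the entry expects a preceding module to have set the password and will deny access otherwise. Better, since unix-pam-service is the shared template for every derived service, leave this line as `(arguments '("nullok"))` and have the Kerberos service add the argument through a pam-root-service-type extension procedure, as proposed in the thread, so services that do not stack Kerberos keep their prompting behaviour.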