Trying to get automatic keyring unlock to work with pam_sss and it fails :)
I have in my pam conf:

    auth required   pam_env.so
    auth sufficient pam_unix.so try_first_pass likeauth nullok
    auth sufficient pam_sss.so forward_pass use_first_pass
    auth optional   pam_gnome_keyring.so
    auth optional   pam_group.so
    auth required   pam_deny.so

This fails to unlock the keyring, but if I move pam_gnome_keyring.so before pam_sss.so it works. It looks as if the forward_pass option fails to preserve the password. Any pointers?
Jocke
On Fri, Jul 22, 2016 at 01:31:02PM +0000, Joakim Tjernlund wrote:
> This fails to unlock the keyring, but if I move pam_gnome_keyring.so before pam_sss.so it works. It looks as if the forward_pass option fails to preserve the password. Any pointers?
I think what you see is the behaviour of the 'sufficient' control value.
From man pam.conf:

    sufficient
        if such a module succeeds and no prior required module has failed the
        PAM framework returns success to the application or to the superior PAM
        stack immediately without calling any further modules in the stack. A
        failure of a sufficient module is ignored and processing of the PAM
        module stack continues unaffected.
So it makes sense to put pam_gnome_keyring.so before pam_sss and before pam_unix as well for local users.
HTH
bye, Sumit
On Fri, 2016-07-22 at 17:58 +0200, Sumit Bose wrote:
> I think what you see is the behaviour of the 'sufficient' control value.
> From man pam.conf:
>
>     sufficient
>         if such a module succeeds and no prior required module has failed the
>         PAM framework returns success to the application or to the superior PAM
>         stack immediately without calling any further modules in the stack. A
>         failure of a sufficient module is ignored and processing of the PAM
>         module stack continues unaffected.
Right! That was it, thanks
> So it makes sense to put pam_gnome_keyring.so before pam_sss and before pam_unix as well for local users.
I don't want to do that: if the user logs in for the first time and mistypes the passwd, an empty login ring will be created with the mistyped passwd!
So I really want to keep keyring after successful auth, not sure how to do that though. One way would be

    auth required   pam_env.so
    auth sufficient pam_unix.so try_first_pass likeauth nullok
    auth required   pam_sss.so forward_pass use_first_pass
    auth optional   pam_gnome_keyring.so
    auth optional   pam_group.so

but that skips keyring for plain unix users, hmmm ... Ideas?
Jocke
On (22/07/16 17:55), Joakim Tjernlund wrote:
> So I really want to keep keyring after successful auth, not sure how to do that though. One way would be
>
>     auth required   pam_env.so
>     auth sufficient pam_unix.so try_first_pass likeauth nullok
>     auth required   pam_sss.so forward_pass use_first_pass
>     auth optional   pam_gnome_keyring.so
>     auth optional   pam_group.so
>
> but that skips keyring for plain unix users, hmmm ... Ideas?
You might try to play with extended control values instead of the default keywords (sufficient, optional ...),
e.g. [success=ok new_authtok_reqd=done default=ignore]
You might see more details in man pam.conf. There are also equivalent expressions for the standard keywords in terms of the [...] syntax:

    required   [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
    requisite  [success=ok new_authtok_reqd=ok ignore=ignore default=die]
    sufficient [success=done new_authtok_reqd=done default=ignore]
    optional   [success=ok new_authtok_reqd=ok default=ignore]
HTH
LS
On Fri, Jul 22, 2016 at 05:55:38PM +0000, Joakim Tjernlund wrote:
> but that skips keyring for plain unix users, hmmm ... Ideas?
Maybe https://wiki.gnome.org/Projects/GnomeKeyring/Pam can help.
bye, Sumit
On Fri, 2016-07-22 at 20:45 +0200, Sumit Bose wrote:
> Maybe https://wiki.gnome.org/Projects/GnomeKeyring/Pam can help.
It does, one needs to use PAM "substack". Thanks
Jocke
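An added illustration, not part of the thread: a small, constructed Python model of how Linux-PAM walks an auth stack (a simplification, not libpam), run over the stack Jocke posted, the same modules with the auth decision moved into a substack as he ended up doing, and a jump-style variant of the kind LS's [success=N default=ignore] syntax allows. The module results, the pam_permit.so-based jump stack and the sssd-user scenarios are assumptions; the model records only which modules get invoked and the final status, not what pam_gnome_keyring.so itself does when it is invoked on a failed stack.

```python
# Constructed, simplified model of how Linux-PAM walks an 'auth' stack (not libpam itself). It shows
# why a 'sufficient' pam_sss.so hides pam_gnome_keyring.so behind it and what substack / jumps change.
SUCCESS, AUTH_ERR = "success", "auth_err"
# Keywords as the [...] action tables quoted from man pam.conf; an int action is a jump of N entries.
CONTROLS = {"required":   {SUCCESS: "ok",   "default": "bad"},
            "requisite":  {SUCCESS: "ok",   "default": "die"},
            "sufficient": {SUCCESS: "done", "default": "ignore"},
            "optional":   {SUCCESS: "ok",   "default": "ignore"}}
def run_level(entries, results, st):
    """Walk one stack level; 'done'/'die' stop only this level, which is what substack adds."""
    skip = 0
    for control, module in entries:
        if skip:                                   # entry swallowed by a preceding jump
            skip -= 1
            continue
        if control == "substack":                  # module is a nested list sharing the same state
            run_level(module, results, st)
            continue
        retval = results[module]                   # stubbed module result for this scenario
        st["called"].append(module)
        table = control if isinstance(control, dict) else CONTROLS[control]
        action = table.get(retval, table["default"])
        if action in ("ok", "done") or isinstance(action, int):
            if st["impr"] is None or (st["impr"] and st["status"] == SUCCESS):
                st["impr"], st["status"] = True, retval
            if action == "done" and st["impr"]:
                break                              # leave this level, not the whole stack
            skip = action if isinstance(action, int) else 0
        elif action in ("bad", "die"):             # "ignore" falls through untouched
            if st["impr"] is not False:
                st["impr"], st["status"] = False, retval
            if action == "die":
                break

def authenticate(stack, results):
    """Return (final status, modules invoked in order); an undecided stack counts as failure."""
    st = {"impr": None, "status": None, "called": []}   # impr: None undecided, True/False
    run_level(stack, results, st)
    return (st["status"] if st["impr"] is not None else AUTH_ERR), st["called"]

# The thread's stack; the same with the auth decision in a substack; a constructed jump-style variant.
ORIGINAL = [("required", "pam_env"), ("sufficient", "pam_unix"), ("sufficient", "pam_sss"),
            ("optional", "pam_gnome_keyring"), ("required", "pam_deny")]
SUBSTACKED = [("substack", ORIGINAL[:3] + [ORIGINAL[4]]), ("optional", "pam_gnome_keyring")]
JUMPED = [({SUCCESS: 2, "default": "ignore"}, "pam_unix"), ({SUCCESS: 1, "default": "ignore"}, "pam_sss"),
          ("requisite", "pam_deny"), ("required", "pam_permit"), ("optional", "pam_gnome_keyring")]
# Constructed scenario: an sssd user unknown to pam_unix, with the right or a mistyped password.
SSS_OK = {"pam_env": SUCCESS, "pam_unix": AUTH_ERR, "pam_sss": SUCCESS, "pam_deny": AUTH_ERR,
          "pam_permit": SUCCESS, "pam_gnome_keyring": SUCCESS}
SSS_BAD = dict(SSS_OK, pam_sss=AUTH_ERR)
```

With the original order the keyring module is never reached after a successful pam_sss; with the substack it runs afterwards, but a required failure inside the substack still lets the parent stack continue into it, whereas the requisite pam_deny.so in the jump variant stops the walk before it.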