On Fri, 2016-07-22 at 17:58 +0200, Sumit Bose wrote:
On Fri, Jul 22, 2016 at 01:31:02PM +0000, Joakim Tjernlund wrote:
>
> Trying to get make automatic keyring unlock work with pam_sss and it fails :)
>
> I have in my pam conf:
> auth required pam_env.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth sufficient pam_sss.so forward_pass use_first_pass
> auth optional pam_gnome_keyring.so
> auth optional pam_group.so
> auth required pam_deny.so
>
> But this fails to unlock the keyring, but if I move pam_gnome_keyring.so before pam_sss.so
> it works. It looks as if the forward_pass option fails to preserve the password.
> Any pointers?
I think what you see is the behaviour of 'sufficient' control value.
From man pam.conf
"""
sufficient
if such a module succeeds and no prior required module has failed
the PAM framework returns success to the application or to the superior
PAM stack immediately without calling any further modules in the stack.
A failure of a sufficient module is ignored and processing of the PAM
module stack continues unaffected.
"""
Right! That was it, thanks
So it makes sense to put pam_gnome_keyring.so before pam_sss and before
pam_unix as well for local users.
I don't want to do that: if the user logs in for the first time and mistypes the passwd,
an empty login ring will be created with the mistyped passwd!
So I really want to keep keyring after successful auth, not sure how to do that though.
One way would be
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_sss.so forward_pass use_first_pass
auth optional pam_gnome_keyring.so
auth optional pam_group.so
but that skips keyring for plain unix users, hmmm ...
Ideas?
Jocke
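The dispatch rules Sumit quotes ('sufficient' returns immediately, so nothing after pam_sss.so runs) and the gap Jocke notes in his alternative (a 'sufficient' pam_unix.so success also ends the stack before the keyring module) can both be traced with a small simulator. The following is an added example, not code from the thread or from Linux-PAM: it expands the control keywords to the action tables pam.conf(5) documents, runs a simplified version of libpam's dispatch loop, and reports which modules were actually called. Module results per scenario are constructed (no real PAM calls). It also goes one step beyond the thread with a third stack that uses the bracketed `[success=N default=ignore]` control to jump over the remaining auth modules to pam_gnome_keyring.so, so that both local and SSSD users reach the keyring module only after a successful authentication; that stack is my addition, not something proposed in the thread.

```python
"""Simulator for Linux-PAM 'auth' stack dispatch (added example, not libpam)."""
import re

# pam.conf(5): the keyword controls are shorthand for these action tables.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """Action table for a keyword control or a bracketed '[k=v ...]' control."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return KEYWORD_CONTROLS[control]

def parse_stack(text):
    """Parse 'auth <control> <module> [options]' lines into (control, module, opts)."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", line)
        if not m:
            raise ValueError(f"unparseable auth line: {raw!r}")
        control, module, opts = m.groups()
        entries.append((control, module, opts.split()))
    return entries

def run_stack(entries, outcomes):
    """Dispatch the stack (simplified libpam rules).

    outcomes maps module -> True (success) / False (auth error). Modules absent
    from outcomes succeed, except pam_deny.so, which always fails.
    Returns (final status, list of modules that were actually called).
    """
    impression = None          # None: undecided, True: positive, False: negative
    status = "perm_denied"
    ran, skip = [], 0
    for control, module, _opts in entries:
        if skip:               # entries skipped by a numeric 'success=N' jump
            skip -= 1
            continue
        ran.append(module)
        ok = outcomes.get(module, module != "pam_deny.so")
        retval = "success" if ok else "auth_err"
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if impression and action == "done":
                break          # 'sufficient' success: stack ends right here
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break          # 'requisite' failure: stack ends right here
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action != "ignore":
            # numeric action: skip that many entries (only counts as success on success)
            if retval == "success" and (impression is None or (impression and status == "success")):
                impression, status = True, retval
            skip = int(action)
    return ("perm_denied" if impression is None else status), ran

# The stack from the thread: pam_sss 'sufficient' ahead of the keyring module.
ORIGINAL = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so forward_pass use_first_pass
auth optional pam_gnome_keyring.so
auth optional pam_group.so
auth required pam_deny.so
"""

# Jocke's alternative: pam_sss 'required', pam_deny dropped.
ALTERNATIVE = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_sss.so forward_pass use_first_pass
auth optional pam_gnome_keyring.so
auth optional pam_group.so
"""

# Not from the thread: a success in pam_unix or pam_sss jumps over the rest of
# the auth modules to the keyring; 'requisite' pam_deny stops the all-failed case.
JUMP = """
auth required pam_env.so
auth [success=2 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth [success=1 default=ignore] pam_sss.so forward_pass use_first_pass
auth requisite pam_deny.so
auth optional pam_gnome_keyring.so
auth optional pam_group.so
"""

# Constructed outcomes: which backend accepts the password in each scenario.
SSSD_USER    = {"pam_unix.so": False, "pam_sss.so": True}
LOCAL_USER   = {"pam_unix.so": True,  "pam_sss.so": False}
BAD_PASSWORD = {"pam_unix.so": False, "pam_sss.so": False}

def keyring_reached(config, outcomes):
    """(final status, whether pam_gnome_keyring.so was called at all)."""
    status, ran = run_stack(parse_stack(config), outcomes)
    return status, "pam_gnome_keyring.so" in ran

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("alternative", ALTERNATIVE), ("jump", JUMP)):
        for who, outcome in (("sssd", SSSD_USER), ("local", LOCAL_USER), ("bad-pw", BAD_PASSWORD)):
            print(f"{name:11s} {who:6s} -> {keyring_reached(cfg, outcome)}")
```

Running it reproduces the thread: with ORIGINAL an SSSD user authenticates but pam_gnome_keyring.so is never called; with ALTERNATIVE the SSSD user reaches it while a local user does not. The JUMP stack reaches the keyring module for both, and with a wrong password pam_deny.so terminates the stack before it. One check worth keeping in mind when editing such a stack: pam_deny.so is load-bearing, because a successful 'required' pam_env.so already leaves a positive impression, so a stack in which every real authenticator's failure is ignored would otherwise return success.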