On Fri, Jul 22, 2016 at 05:55:38PM +0000, Joakim Tjernlund wrote:
>
> On Fri, 2016-07-22 at 17:58 +0200, Sumit Bose wrote:
> >
> > On Fri, Jul 22, 2016 at 01:31:02PM +0000, Joakim Tjernlund wrote:
> > >
> > >
> > > Trying to get automatic keyring unlock to work with pam_sss and it fails :)
> > >
> > > I have in my pam conf:
> > > auth required pam_env.so
> > > auth sufficient pam_unix.so try_first_pass likeauth nullok
> > > auth sufficient pam_sss.so forward_pass use_first_pass
> > > auth optional pam_gnome_keyring.so
> > > auth optional pam_group.so
> > > auth required pam_deny.so
> > >
> > > But this fails to unlock the keyring, but if I move pam_gnome_keyring.so before pam_sss.so
> > > it works. It looks to me as if the forward_pass option fails to preserve the password.
> > > Any pointers?
> >
> > I think what you see is the behaviour of 'sufficient' control value.
> >
> > From man pam.conf
> > """
> > sufficient
> > if such a module succeeds and no prior required module has failed
> > the PAM framework returns success to the application or to the superior
> > PAM stack immediately without calling any further modules in the stack.
> > A failure of a sufficient module is ignored and processing of the PAM
> > module stack continues unaffected.
> > """
>
> Right! That was it, thanks
>
> >
> >
> > So it makes sense to put pam_gnome_keyring.so before pam_sss and before
> > pam_unix as well for local users.
>
> I don't want to do that, if the user logs in for the first time and mistypes the passwd
> an empty login ring will be created with the mistyped passwd!
>
> So I really want to keep keyring after successful auth, not sure how to do that though.
> One way would be
> auth required pam_env.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth required pam_sss.so forward_pass use_first_pass
> auth optional pam_gnome_keyring.so
> auth optional pam_group.so
>
> but that skips keyring for plain unix users, hmmm ...
> Ideas?
Maybe https://wiki.gnome.org/Projects/GnomeKeyring/Pam can help.

It does, one needs to use PAM "substack". Thanks
Jocke
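As an added illustration (not code from the thread, from Linux-PAM or from gnome-keyring), here is a toy evaluator for an "auth" stack covering only the 'required', 'sufficient', 'optional' and 'substack' controls; it walks the stack quoted above and an assumed substack layout with constructed per-scenario module results, and treats a substack's verdict like one 'required' module, which is a simplification of the real semantics.

```python
# Added example (not from the thread): toy model of how a PAM "auth" stack is
# walked, to show why pam_gnome_keyring.so placed after a 'sufficient'
# pam_unix.so / pam_sss.so is never reached on a good password, and what
# wrapping the authentication modules in a substack changes.  Module results
# are constructed per scenario (not real PAM return codes); 'substack' is
# simplified to "run the inner list, treat its verdict like one 'required'".

def run_stack(stack, results, called):
    """Walk (control, module) entries.  results maps module -> bool (missing
    modules succeed); called records every module actually invoked.
    Returns the verdict of this (sub)stack: True means success."""
    required_failed = False
    for control, module in stack:
        if control == "substack":       # module is a nested stack here
            ok, control = run_stack(module, results, called), "required"
        else:
            called.append(module)
            ok = results.get(module, True)
        if control == "required" and not ok:
            required_failed = True      # keep walking, final verdict is failure
        elif control == "sufficient" and ok and not required_failed:
            return True                 # the rest of THIS stack is skipped
        # a failing 'sufficient' and any 'optional' result are ignored
    return not required_failed

# Stack from the thread: keyring sits after the two 'sufficient' entries.
ORIGINAL = [("required", "pam_env.so"),
            ("sufficient", "pam_unix.so"), ("sufficient", "pam_sss.so"),
            ("optional", "pam_gnome_keyring.so"), ("optional", "pam_group.so"),
            ("required", "pam_deny.so")]

# Assumed layout: the same authentication modules moved into a substack.
WITH_SUBSTACK = [("required", "pam_env.so"),
                 ("substack", [("sufficient", "pam_unix.so"),
                               ("sufficient", "pam_sss.so"),
                               ("required", "pam_deny.so")]),
                 ("optional", "pam_gnome_keyring.so"), ("optional", "pam_group.so")]

SCENARIOS = {   # constructed module results; pam_deny.so always fails
    "local user, good password": {"pam_unix.so": True, "pam_sss.so": False, "pam_deny.so": False},
    "sssd user, good password": {"pam_unix.so": False, "pam_sss.so": True, "pam_deny.so": False},
    "wrong password": {"pam_unix.so": False, "pam_sss.so": False, "pam_deny.so": False},
}

def evaluate(stack, scenario):
    """Return (auth verdict, was pam_gnome_keyring.so called) for a scenario."""
    called = []
    return run_stack(stack, SCENARIOS[scenario], called), "pam_gnome_keyring.so" in called
```

With the original stack the keyring module is reached only when every 'sufficient' entry fails, i.e. on a wrong password; with the substack it is reached in every scenario, and what a module does when it runs after a failed 'required' entry is up to that module.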