LinuxQuestions.org
Old 02-14-2020, 05:33 PM   #16
hitest
Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 6,088

Rep: Reputation: 2311
Quote:
Originally Posted by Alien Bob View Post
How funny, I feel exactly the opposite...
Same. I'm looking forward to running KDE5 when it arrives in the -current branch.
 
Old 02-14-2020, 09:03 PM   #17
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,454

Rep: Reputation: 806
Quote:
(OTOH, KDE5 is just plain bone ugly )
How funny, I feel exactly the opposite...
Beauty is in the eye of the beholder?

No matter where you go, there you are!
 
1 members found this post helpful.
Old 02-15-2020, 03:59 AM   #18
chrisretusn
Senior Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware64-current
Posts: 1,045

Rep: Reputation: 423
Quote:
Originally Posted by cwizardone View Post
Ditto.
Completely transparent.
(OTOH, KDE5 is just plain bone ugly )
I think it looks great!
 
Old 02-16-2020, 11:52 AM   #19
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian, Slackware64-current
Posts: 500

Original Poster
Rep: Reputation: 818
I am confused looking at system-auth.

Putting pam_tally2 in system-auth makes it system wide.
A mail client with stored old password will lock the user out.

I also don't understand this:
Code:
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
auth        optional      pam_gnome_keyring.so
From man pam.conf:
Code:
sufficient
           [success=done new_authtok_reqd=done default=ignore]
done
           equivalent to ok with the side effect of terminating the module stack
           and PAM immediately returning to the application
substack
           This differs from include in that evaluation of the done and die 
           actions in a substack does not cause skipping the rest of the complete
           module stack, but only of the substack.
This means that system-auth has to be substack-ed and not included if it is not the last in the stack.
The stack won't reach pam_gnome_keyring.so. I wonder why this module is here. Why should checking my mail open gnome keyring?

The auth group is the suggested place by the man page for pam_nologin.so (in the account group one most likely won't see the nologin message).
Also some services like screensavers won't use the account group. But for some services like atd it has to be in the account group.
So system-auth is not the best place for pam_nologin.so.

Overall I think that system-auth should include only the authentication method specific modules (pam_unix.so or pam_winbind or pam_krb5 ...).


Cheers
 
1 members found this post helpful.
Old 02-16-2020, 02:34 PM   #20
mumahendras3
Member
 
Registered: Feb 2018
Location: Indonesia
Distribution: Slackware
Posts: 40

Rep: Reputation: Disabled
I was trying to use the gnome-keyring auto unlocking feature which doesn't work with the default pam configuration shipped by testing/PAM. Then, just like ivandi, I found out that pam_gnome_keyring.so module was listed after pam_unix.so with sufficient as its control type. The same system-auth configuration file also has

Code:
session     required      pam_limits.so
session     required      pam_unix.so
#session     required      pam_lastlog.so showfailed
#session     optional      pam_mail.so standard
session     optional      pam_gnome_keyring.so auto_start
which will automatically start gnome-keyring-daemon in the background. But, because pam_gnome_keyring.so is not loaded at authentication phase (just like what ivandi said), the default "login" keyring is still locked thus I have to enter the keyring password manually.

So, assuming that we want the full gnome-keyring and PAM integration, I suggest two alternatives:

1. Change the sufficient control type of relevant pam_unix.so with [success=1 default=ignore] and change pam_deny.so control type to [default=die], that way if pam_unix.so returns success, pam_deny.so will be skipped and pam_gnome_keyring.so will be loaded (and thus unlocking the "login" keyring). Else, it will load pam_deny.so and return immediately with PAM_AUTH_ERR as its return value. Also, add "password optional pam_gnome_keyring.so" to system-auth, which will make gnome-keyring automatically change the "login" keyring password to match the user's new password if the user decides to change his/her password.

Code:
--- system-auth	2020-02-11 05:54:26.000000000 +0700
+++ system-auth.new	2020-02-17 02:05:49.888109565 +0700
@@ -14,8 +14,8 @@
 auth        required      pam_env.so
 auth        required      pam_tally2.so
 #
-auth        sufficient    pam_unix.so likeauth nullok
-auth        required      pam_deny.so
+auth        [success=1 default=ignore]    pam_unix.so likeauth nullok
+auth        [default=done]      pam_deny.so
 auth        optional      pam_gnome_keyring.so
 
 ##################
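Review bot: the replacement `pam_deny.so` line uses `[default=done]`, while the description of this alternative calls for `[default=die]`. The pam.conf excerpt quoted earlier in the thread defines `done` as "equivalent to ok" plus terminating the stack, whereas `die` is the `bad` action plus terminating the stack, so `auth [default=die] pam_deny.so` states the fail-and-stop intent explicitly and matches the text. A comment above the `[success=1 default=ignore]` line would also help, noting that the jump count has to stay equal to the number of module lines between `pam_unix.so` and `pam_gnome_keyring.so`.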
@@ -52,14 +52,15 @@
 # password quality checking, comment out these two lines and uncomment the
 # traditional password handling line below.
 password    requisite     pam_pwquality.so minlen=6 retry=3
-password    sufficient    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
+password    [success=1 default=ignore]    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
 
 # Traditional password handling without pam_pwquality password checking.
 # Commented out by default to use the two pam_pwquality lines above.
 #password    sufficient    pam_unix.so nullok sha512 shadow minlen=6
 
 # ATTENTION: always keep this line for pam_deny.so:
-password    required      pam_deny.so
+password    [default=done]      pam_deny.so
+password    optional      pam_gnome_keyring.so
 
 #########################
 # Session Configuration #
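Review bot: the commented-out traditional line `#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6` keeps `sufficient`, so anyone who follows the file's own instructions and switches to it will end the stack at `pam_unix.so` on success and never reach the added `password    optional      pam_gnome_keyring.so`. Give that commented line the same `[success=1 default=ignore]` control so both variants behave alike. The `[default=done]` versus `[default=die]` mismatch with the description applies to the `pam_deny.so` line in this hunk as well.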
2. Just like the first alternative but instead of putting pam_gnome_keyring.so in system-auth, put it somewhere else. For example, I think "auth optional pam_gnome_keyring.so" and "session optional pam_gnome_keyring.so auto_start" are better to be put inside /etc/pam.d/login and other login methods' PAM config files like /etc/pam.d/sddm. As for "password optional pam_gnome_keyring.so", it can be put inside /etc/pam.d/passwd (as suggested by the GNOME wiki: https://wiki.gnome.org/Projects/GnomeKeyring/Pam). The advantage of this approach is that pam_gnome_keyring.so will only be loaded when it's needed (i.e. when first logging in to the system, which is probably the only time it's needed) and thus avoiding what ivandi had said. Of course this will mean additional PAM config files need to be maintained instead of just using the "<type> include system-auth" entries.

Cheers

Last edited by mumahendras3; 02-16-2020 at 02:35 PM. Reason: Wrong [CODE] closing tag
 
1 members found this post helpful.
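
A simplified model of the control flow discussed in posts #19 and #20, added here as an example (not code from the thread or from Linux-PAM): it walks the `auth` lines shown in the thread, once with `sufficient` and once with the `[success=1 default=ignore]` / `[default=die]` controls, and reports which modules are reached. `run_stack` is a hypothetical helper, module outcomes are reduced to success or failure, and `include`/`substack` nesting is not modelled.

```python
import re
SHORTHAND = {  # pam.conf(5) shorthands, reduced to success/default outcomes
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE = re.compile(r"\s*\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type, control, module

def run_stack(config, results):
    """Walk one flat stack. `results` maps module -> True/False (constructed
    outcomes); pam_deny.so always fails. Returns (granted, modules_called)."""
    stack = []
    for line in config.strip().splitlines():
        ctl, module = LINE.match(line).groups()
        actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else SHORTHAND[ctl])
        stack.append((actions, module))
    impression, status, called, i = None, False, [], 0
    while i < len(stack):
        actions, module = stack[i]
        ok = module != "pam_deny.so" and results.get(module, True)
        called.append(module)
        action = actions.get("success" if ok else "default", actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status):
                impression, status = "pos", ok
            if impression == "pos" and action == "done":
                break            # stack ends; later modules never run
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", False
            if action == "die":
                break
        elif action.isdigit():
            i += int(action)     # jump: skip the next N modules
        i += 1
    return impression == "pos" and status, called

# auth lines as shown in the thread (shipped) and with the proposed controls.
HEAD = "auth required pam_env.so\nauth required pam_tally2.so\n"
TAIL = "auth optional pam_gnome_keyring.so\n"
SHIPPED = (HEAD + "auth sufficient pam_unix.so likeauth nullok\n"
           "auth required pam_deny.so\n" + TAIL)
PROPOSED = (HEAD + "auth [success=1 default=ignore] pam_unix.so likeauth nullok\n"
            "auth [default=die] pam_deny.so\n" + TAIL)
if __name__ == "__main__":
    for cfg in (SHIPPED, PROPOSED):
        print([run_stack(cfg, {"pam_unix.so": good}) for good in (True, False)])
```

In this model the shipped lines reach pam_gnome_keyring.so only after pam_unix.so has failed, while the proposed controls reach it only after pam_unix.so has succeeded.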
Old 02-16-2020, 02:41 PM   #21
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: CRUX, Debian, Slackware64-current
Posts: 500

Original Poster
Rep: Reputation: 818
Hm, I don't see pam_access and pam_group being used. Well, looks like PAM will stay in testing for a little while.


Cheers
 
1 members found this post helpful.
Old 02-16-2020, 02:47 PM   #22
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,433

Rep: Reputation: 2085
Quote:
Originally Posted by Alien Bob View Post
How funny, I feel exactly the opposite...
+1 on that. Moved to KDE5 in late 2018, and I've never had such a perfect desktop. Love it.
 
Old 02-17-2020, 01:14 AM   #23
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 128

Rep: Reputation: 66
Quote:
Originally Posted by ivandi View Post
Hm, I don't see pam_access and pam_group being used. Well, looks like PAM will stay in testing for a little while.
Cheers
I agree with you. It will take some time to get everything right!
 
Old 02-17-2020, 07:32 AM   #24
bartgymnast
Member
 
Registered: Feb 2003
Location: Almere, Netherlands
Distribution: slack 7.1 till latest and -current, LFS
Posts: 366

Rep: Reputation: 164
One of the missing things I find is in the shadow package.
I would like to have the following option,
especially when integrating with AD.

Quote:
--with-group-name-max-length=32
 
1 members found this post helpful.
Old 02-18-2020, 09:54 AM   #25
slackerDude
Member
 
Registered: Jan 2016
Posts: 83

Rep: Reputation: Disabled
For those of us who don't do much in the way of security (simple passwords for root and user), everything outside firewalled off, etc..

What practical impact will PAM have? Will it force me to assign a good password? I've used a based root password for 20+ years and I want to keep using it - the muscle memory is VERY strong :-) And every new installation, Slackware complains "password is weak, enter again to use anyway" and I do.

Do I have to disable PAM somehow? Or will it continue this behavior?
 
Old 02-18-2020, 10:16 AM   #26
bartgymnast
Member
 
Registered: Feb 2003
Location: Almere, Netherlands
Distribution: slack 7.1 till latest and -current, LFS
Posts: 366

Rep: Reputation: 164
Quote:
Originally Posted by slackerDude View Post
For those of us who don't do much in the way of security (simple passwords for root and user), everything outside firewalled off, etc..

What practical impact will PAM have? Will it force me to assign a good password? I've used a based root password for 20+ years and I want to keep using it - the muscle memory is VERY strong :-) And every new installation, Slackware complains "password is weak, enter again to use anyway" and I do.

Do I have to disable PAM somehow? Or will it continue this behavior?
The behavior should be the same, so nothing should change on that part.
 
1 members found this post helpful.
Old 02-18-2020, 12:45 PM   #27
mumahendras3
Member
 
Registered: Feb 2018
Location: Indonesia
Distribution: Slackware
Posts: 40

Rep: Reputation: Disabled
Quote:
Originally Posted by slackerDude View Post
For those of us who don't do much in the way of security (simple passwords for root and user), everything outside firewalled off, etc..

What practical impact will PAM have? Will it force me to assign a good password? I've used a based root password for 20+ years and I want to keep using it - the muscle memory is VERY strong :-) And every new installation, Slackware complains "password is weak, enter again to use anyway" and I do.

Do I have to disable PAM somehow? Or will it continue this behavior?
The default behaviour for PAM-ified Slackware is to force a good password (at least for now). You can still revert back to the old behaviour by modifying /etc/pam.d/system-auth

Code:
#############################
# Password quality checking #
#############################
#
# Please note that unless cracklib and libpwquality are installed, setting
# passwords will not work unless the lines for the pam_pwquality module are
# commented out and the line for the traditional no-quality-check password
# changing is uncommented.
#
# The pam_pwquality module will check the quality of a user-supplied password
# against the dictionary installed for cracklib. Other tests are (or may be)
# done as well - see: man pam_pwquality
#
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
password    requisite     pam_pwquality.so minlen=6 retry=3
password    [success=1 default=ignore]    pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok

# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
#password    sufficient    pam_unix.so nullok sha512 shadow minlen=6
 
3 members found this post helpful.
Old 02-18-2020, 03:39 PM   #28
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,847

Rep: Reputation: 5968
Quote:
Originally Posted by slackerDude View Post
What practical impact will PAM have? Will it force me to assign a good password? I've used a based root password for 20+ years and I want to keep using it - the muscle memory is VERY strong :-) And every new installation, Slackware complains "password is weak, enter again to use anyway" and I do.
PAM will warn you if it thinks the password is weak, but root will be allowed to set it anyway.
 
8 members found this post helpful.
Old 02-18-2020, 10:06 PM   #29
slackerDude
Member
 
Registered: Jan 2016
Posts: 83

Rep: Reputation: Disabled
Quote:
Originally Posted by bartgymnast View Post
The behavior should be the same, so nothing should change on that part.
Thanks!
 
Old 02-19-2020, 11:15 AM   #30
camerabambai
Member
 
Registered: Mar 2010
Distribution: Slackware
Posts: 115

Rep: Reputation: 6
Autologin with kdm is not working with the latest pam packages. Does anyone have the same problem?
 
All times are GMT -5. The time now is 02:27 PM.