[PATCH 1/3] gnu: Remove comment which is factually incorrect.

[PATCH 1/3] gnu: Remove comment which is factually incorrect.

[John Darrington]

* gnu/system/pam.scm: Remove incorrect comment.
---
 gnu/system/pam.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index cd7a342..4546c1a 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -316,4 +316,4 @@ all the PAM services."
            (pam-configuration (services base)
                               (transform transform))))
 
-;;; linux.scm ends here
+
-- 
2.1.4

[PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.

[John Darrington]

* gnu/system/pam.scm (unix-pam-service) [auth]: Add "use_first_pass" option.
---
 gnu/system/pam.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 4546c1a..0278db6 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
                          (pam-entry
                           (control "required")
                           (module "pam_unix.so")
-                          (arguments '("nullok")))
+                          (arguments '("nullok" "use_first_pass")))
                          unix)))
          (password (list (pam-entry
                           (control "required")
-- 
2.1.4

[PATCH 3/3] gnu: Add pam-krb5 service.

[John Darrington]

* doc/guix.texi (Kerberos Services): New node.
* gnu/services/kerberos.scm: New file.
* gnu/local.mk: Add it.
---
 doc/guix.texi             | 38 ++++++++++++++++++++++++++-
 gnu/local.mk              |  1 +
 gnu/services/kerberos.scm | 67 +++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 gnu/services/kerberos.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 86b82c8..1f4e808 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -220,6 +220,7 @@ Services
 * Desktop Services::            D-Bus and desktop services.
 * Database Services::           SQL databases.
 * Mail Services::               IMAP, POP3, SMTP, and all that.
+* Kerberos Services::           Kerberos services.
 * Web Services::                Web servers.
 * Network File System::         NFS related services.
 * Miscellaneous Services::      Other services.
@@ -7685,6 +7686,7 @@ declaration.
 * Desktop Services::            D-Bus and desktop services.
 * Database Services::           SQL databases.
 * Mail Services::               IMAP, POP3, SMTP, and all that.
+* Kerberos Services::           Kerberos services.
 * Web Services::                Web servers.
 * Network File System::         NFS related services.
 * Miscellaneous Services::      Other services.
@@ -10389,6 +10391,40 @@ could instantiate a dovecot service like this:
                   (string "")))
 @end example
 
+
+@node Kerberos Services
+@subsubsection Kerberos Services
+@cindex Kerberos
+
+The @code{(gnu services Kerberos)} module provides services relating to
+the authentication protocol @dfn{Kerberos}.
+
+@subsubheading PAM krb5 Service
+@cindex pam-krb5
+
+The pam-krb5 service allows for login authentication and password
+management via Kerberos.
+You will need this service if you want PAM enabled applications to authenticate
+users using Kerberos.
+
+@defvr {Scheme Variable} pam-krb5-service-type
+A service type for the Kerberos 5 PAM module.
+@end defvr
+
+@deftp {Data Type} pam-krb5-configuration
+Data type representing the configuration of the Kerberos 5 PAM module
+This type has the following parameters:
+@table @asis
+@item @code{pam-krb5} (default: @code{pam-krb5})
+The pam-krb5 package to use.
+
+@item @code{minimum-uid} (default: @code{1000})
+The smallest user ID for which Kerberos authentications should be attempted.
+Local accounts with lower values will silently fail to authenticate.
+@end table
+@end deftp
+
+
 @node Web Services
 @subsubsection Web Services
 
@@ -10475,7 +10511,7 @@ The @dfn{global security system} (GSS) daemon provides strong security for RPC
 based protocols.
 Before exchanging RPC requests an RPC client must establish a security
 context.  Typically this is done using the Kerberos command @command{kinit}
-or automatically at login time using PAM services.
+or automatically at login time using PAM services (@pxref{Kerberos Services}).
 
 @defvr {Scheme Variable} gss-service-type
 A service type for the Global Security System (GSS) daemon.
diff --git a/gnu/local.mk b/gnu/local.mk
index cfd4480..4021468 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -396,6 +396,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/services/dbus.scm				\
   %D%/services/desktop.scm			\
   %D%/services/dict.scm				\
+  %D%/services/kerberos.scm			\
   %D%/services/lirc.scm				\
   %D%/services/mail.scm				\
   %D%/services/mcron.scm			\
diff --git a/gnu/services/kerberos.scm b/gnu/services/kerberos.scm
new file mode 100644
index 0000000..144c71b
--- /dev/null
+++ b/gnu/services/kerberos.scm
@@ -0,0 +1,67 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 John Darrington <jmd@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services kerberos)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu services)
+  #:use-module (gnu system pam)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:export (pam-krb5-configuration
+            pam-krb5-configuration?
+            pam-krb5-service-type))
+
+(define-record-type* <pam-krb5-configuration>
+  pam-krb5-configuration  make-pam-krb5-configuration
+  pam-krb5-configuration?
+  (pam-krb5               pam-krb5-configuration-pam-krb5
+                          (default pam-krb5))
+  (minimum-uid            pam-krb5-configuration-minimum-uid
+                          (default 1000)))
+
+(define (pam-krb5-pam-service config)
+  "Return a PAM service for Kerberos authentication."
+  (lambda (pam)
+    (define pam-krb5-module
+      #~(string-append #$(pam-krb5-configuration-pam-krb5 config) "/lib/security/pam_krb5.so"))
+
+    (let ((pam-krb5-sufficient
+           (pam-entry
+            (control "sufficient")
+            (module pam-krb5-module)
+            (arguments (list
+                        (format #f "minimum_uid=~a"
+                                (pam-krb5-configuration-minimum-uid config)))))))
+      (pam-service
+       (inherit pam)
+       (auth (cons* pam-krb5-sufficient
+                    (pam-service-auth pam)))
+       (session (cons* pam-krb5-sufficient
+                       (pam-service-session pam)))
+       (account (cons* pam-krb5-sufficient
+                       (pam-service-account pam)))))))
+
+(define (pam-krb5-pam-services config)
+  (list (pam-krb5-pam-service config)))
+
+(define pam-krb5-service-type
+  (service-type (name 'pam-krb5)
+                (extensions
+                 (list
+                  (service-extension pam-root-service-type
+                                     pam-krb5-pam-services)))))
-- 
2.1.4

Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.

[Leo Famulari]

On Sat, Oct 22, 2016 at 05:27:59PM +0200, John Darrington wrote:
> * gnu/system/pam.scm (unix-pam-service) [auth]: Add "use_first_pass" option.
> ---
>  gnu/system/pam.scm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index 4546c1a..0278db6 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
>                           (pam-entry
>                            (control "required")
>                            (module "pam_unix.so")
> -                          (arguments '("nullok")))
> +                          (arguments '("nullok" "use_first_pass")))

pam_unix(8) says:

use_first_pass
    The argument use_first_pass forces the module to use a previous stacked modules
    password and will never prompt the user - if no password is available or the
    password is not appropriate, the user will be denied access.

I don't understand exactly what this means for GuixSD. Can you explain
it to us? :)

Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.

[John Darrington]

[-- Attachment #1: Type: text/plain, Size: 1652 bytes --]

On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote:

     > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
     > index 4546c1a..0278db6 100644
     > --- a/gnu/system/pam.scm
     > +++ b/gnu/system/pam.scm
     > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
     >                           (pam-entry
     >                            (control "required")
     >                            (module "pam_unix.so")
     > -                          (arguments '("nullok")))
     > +                          (arguments '("nullok" "use_first_pass")))
     
     pam_unix(8) says:
     
     use_first_pass
         The argument use_first_pass forces the module to use a previous stacked modules
         password and will never prompt the user - if no password is available or the
         password is not appropriate, the user will be denied access.
     
     I don't understand exactly what this means for GuixSD. Can you explain
     it to us? :)

On its own it does nothing.  It makes more sense in context with the other patch I sent.
With this option in place, one can extend the unix-pam-service with another pam service
(such as krb5-pam), and if the krb5 authentication fails (for example because I am not
at work) then the password I gave will be presented to the regular pam_unix login. 
I won't be prompted for it again.

J'

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.

[Ludovic Courtès]

John Darrington <john@darrington.wattle.id.au> skribis:

> On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote:
>
>      > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
>      > index 4546c1a..0278db6 100644
>      > --- a/gnu/system/pam.scm
>      > +++ b/gnu/system/pam.scm
>      > @@ -217,7 +217,7 @@ should be a file-like object used as the message-of-the-day."
>      >                           (pam-entry
>      >                            (control "required")
>      >                            (module "pam_unix.so")
>      > -                          (arguments '("nullok")))
>      > +                          (arguments '("nullok" "use_first_pass")))
>      
>      pam_unix(8) says:
>      
>      use_first_pass
>          The argument use_first_pass forces the module to use a previous stacked modules
>          password and will never prompt the user - if no password is available or the
>          password is not appropriate, the user will be denied access.
>      
>      I don't understand exactly what this means for GuixSD. Can you explain
>      it to us? :)
>
> On its own it does nothing.  It makes more sense in context with the other patch I sent.
> With this option in place, one can extend the unix-pam-service with another pam service
> (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
> at work) then the password I gave will be presented to the regular pam_unix login. 
> I won't be prompted for it again.

In that case, instead of hardcoding “use_first_pass” here, would it be
possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
a procedure that automatically adds “use_first_pass” where needed?

See elogind and ‘pam-extension-procedure’ in (gnu services desktop) for
an example of that.

Thanks,
Ludo’.

Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.

[John Darrington]

[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]

On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Court??s wrote:
     >
     > On its own it does nothing.  It makes more sense in context with the other patch I sent.
     > With this option in place, one can extend the unix-pam-service with another pam service
     > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
     > at work) then the password I gave will be presented to the regular pam_unix login. 
     > I won't be prompted for it again.
     
     In that case, instead of hardcoding ???use_first_pass??? here, would it be
     possible for the pam-krb5 service to extend ???pam-root-service-type??? with
     a procedure that automatically adds ???use_first_pass??? where needed?
     

I will look into it.  But almost any other pam module will want to do the same - at least
any other which uses passphrase based authentication.  So I thought why put the onus on 
every other module to do this?


J'

-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.

[Ludovic Courtès]

John Darrington <john@darrington.wattle.id.au> skribis:

> On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Court??s wrote:
>      >
>      > On its own it does nothing.  It makes more sense in context with the other patch I sent.
>      > With this option in place, one can extend the unix-pam-service with another pam service
>      > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
>      > at work) then the password I gave will be presented to the regular pam_unix login. 
>      > I won't be prompted for it again.
>      
>      In that case, instead of hardcoding ???use_first_pass??? here, would it be
>      possible for the pam-krb5 service to extend ???pam-root-service-type??? with
>      a procedure that automatically adds ???use_first_pass??? where needed?
>      
>
> I will look into it.  But almost any other pam module will want to do
> the same

Yes, and what I suggest will allow you to do that.

> - at least
> any other which uses passphrase based authentication.  So I thought why put the onus on 
> every other module to do this?

It’s not entirely clear that ‘use_first_pass’ is generally desirable,
Kerberos aside.  So I think it makes more sense to add it as part of the
Kerberos service, with an explanation of why it’s important in this
context.

Ludo’.