From: ludo@gnu.org (Ludovic Courtès)
To: John Darrington <john@darrington.wattle.id.au>
Cc: guix-devel@gnu.org, John Darrington <jmd@gnu.org>
Subject: Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.
Date: Fri, 28 Oct 2016 14:48:20 +0200
Message-ID: <87mvhod4h7.fsf@gnu.org>
In-Reply-To: <20161028052231.GA9866@jocasta.intra> (John Darrington's message of "Fri, 28 Oct 2016 07:22:32 +0200")

John Darrington <john@darrington.wattle.id.au> wrote:

> On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Courtès wrote:
> >
> > On its own it does nothing. It makes more sense in context with the other patch I sent.
> > With this option in place, one can extend the unix-pam-service with another pam service
> > (such as krb5-pam), and if the krb5 authentication fails (for example because I am not
> > at work) then the password I gave will be presented to the regular pam_unix login.
> > I won't be prompted for it again.
>
> In that case, instead of hardcoding ‘use_first_pass’ here, would it be
> possible for the pam-krb5 service to extend ‘pam-root-service-type’ with
> a procedure that automatically adds ‘use_first_pass’ where needed?
>
>
> I will look into it. But almost any other pam module will want to do
> the same

Yes, and what I suggest will allow you to do that.

> - at least
> any other which uses passphrase based authentication. So I thought why put the onus on
> every other module to do this?

It’s not entirely clear that ‘use_first_pass’ is generally desirable,
Kerberos aside. So I think it makes more sense to add it as part of the
Kerberos service, with an explanation of why it’s important in this
context.

Ludo’.
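
The trade-off discussed in this message can be checked mechanically: per pam_unix(8), a module given ‘use_first_pass’ never prompts and denies access when no earlier module in the stack supplied a password. The following is an added example, not code from this thread or from Guix, that lints a PAM service file for that case; the `PROMPTING` set and both sample stacks are assumptions constructed here.

```python
import re

# Assumption for this example: modules that prompt for a password when they
# run without use_first_pass, so that later modules can reuse it.
PROMPTING = {"pam_unix.so", "pam_krb5.so"}

# type, control (plain word or [bracketed] form), module path, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Yield (line_no, module, args) for each 'auth' entry of a PAM service file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = LINE.match(line)
        if m and m.group(1) == "auth" and m.group(2) not in ("include", "substack"):
            yield no, m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def lint(text):
    """Return (line_no, module) for use_first_pass entries nothing earlier can feed."""
    findings, have_password = [], False
    for no, module, args in parse_auth(text):
        if "use_first_pass" in args:
            if not have_password:
                findings.append((no, module))  # would deny access without prompting
        elif module in PROMPTING:
            have_password = True
    return findings

# Constructed sample: Kerberos first, pam_unix reuses the password on failure.
STACKED = """\
auth sufficient pam_krb5.so
auth required pam_unix.so use_first_pass
"""
# Constructed sample: the option hardcoded on pam_unix with nothing before it.
HARDCODED = """\
auth required pam_unix.so use_first_pass
"""

if __name__ == "__main__":
    for name, text in (("stacked", STACKED), ("hardcoded", HARDCODED)):
        print(name, lint(text) or "ok")
```
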
Thread overview: 8+ messages
2016-10-22 15:27 [PATCH 1/3] gnu: Remove comment which is factually incorrect John Darrington
2016-10-22 15:27 ` [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option John Darrington
2016-10-23 21:45 ` Leo Famulari
2016-10-24 4:56 ` John Darrington
2016-10-27 12:51 ` Ludovic Courtès
2016-10-28 5:22 ` John Darrington
2016-10-28 12:48 ` Ludovic Courtès [this message]
2016-10-22 15:28 ` [PATCH 3/3] gnu: Add pam-krb5 service John Darrington