From: Felix Lechner
To: Fredrik Salomonsson, help-guix
Subject: Re: Question about PAM service
Date: Mon, 05 Aug 2024 12:26:23 -0700
Message-ID: <87ttfydb4w.fsf@lease-up.com>
In-Reply-To: <87zfpu3bwa.fsf@posteo.net>

Hi Fredrik,

On Fri, Aug 02 2024, Fredrik Salomonsson wrote:

> it does not look supertrivial to modify a PAM service.

One way in Linux-PAM would be to skip the pam_unix.so module when the
pam_u2f.so module returned PAM_SUCCESS, like this:

  auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
  auth required pam_unix.so

The mechanism is described here [1] but I haven't used it in a while.

I'd probably do that only for the 'auth' stage, so that a locked or
expired password still prevents logins during the 'account' stage,
although it would be a matter of personal preference.

In Guix, you'll probably end up replacing 'pam-services' in your
operating-system record.

As an aside, I am also the upstream author of Guile-PAM [2] which could
potentially allow you to write something like this:

  (lambda (action handle flags options)
    (case action
      ((pam_sm_authenticate)
       (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
               (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so")))
           'PAM_SUCCESS
           'PAM_AUTH_DENIED))
      (else ...)))

Guile-PAM is experimental, however, and the code above is untested.

Kind regards
Felix

[1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
[2] https://juix.org/guile-pam/
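An added Python simulation (mine, not part of Felix's message, of Linux-PAM or of Guile-PAM) of how Linux-PAM evaluates the two auth lines above under the control-field rules in the linked guide, with each module's return code supplied by hand; beyond the post it also runs the same stack with default=ignore, which is the fall-through that the or in the Guile sketch expresses. The PAM_PERM_DENIED result for a stack in which no module contributes is Linux-PAM's sanity check, not something the post states.

```python
# Added example, not part of the message or of Linux-PAM: a model of how
# Linux-PAM evaluates an 'auth' stack under the control-field rules in the
# System Administrators' Guide; module return codes are supplied by hand.
KEYWORDS = {  # documented bracket equivalent of the 'required' shorthand
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
}

# The two lines from the post, plus (beyond the post) a variant whose
# 'default=ignore' lets a pam_u2f.so failure fall through to the password.
CONFIG = """auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
auth required pam_unix.so"""
CONFIG_FALLBACK = CONFIG.replace("default=bad", "default=ignore")

def parse_line(line):
    """'auth [success=1 ...] pam_u2f.so' -> (type, {retcode: action}, module)."""
    typ, rest = line.split(None, 1)
    if rest.startswith("["):
        field, module = rest[1:].split("]", 1)
    else:
        keyword, module = rest.split(None, 1)
        field = KEYWORDS[keyword]
    table = {}
    for item in field.split():
        code, action = item.split("=", 1)
        table[code] = int(action) if action.isdigit() else action
    return typ, table, module.strip()

def run_auth_stack(config, returns):
    """returns maps module -> 'PAM_*' code; gives (result, modules consulted)."""
    stack = [s for s in map(parse_line, config.splitlines()) if s[0] == "auth"]
    impression, status, consulted, i = None, None, [], 0
    while i < len(stack):
        _, table, module = stack[i]
        ret = returns[module]
        consulted.append(module)
        action = table.get(ret[len("PAM_"):].lower(), table["default"])
        i += 1
        if isinstance(action, int):      # N: treat as ok, then skip N modules
            i, action = i + action, "ok"
        if action in ("ok", "done"):     # positive, unless a failure came first
            if impression is None or (impression == "+" and status == "PAM_SUCCESS"):
                impression, status = "+", ret
        elif action in ("bad", "die"):   # the first failure fixes the result
            if impression != "-":
                impression, status = "-", ret
        if action in ("done", "die"):    # ('ignore' falls through untouched)
            break
    if impression != "+":                # nothing granted access: deny
        status = status or "PAM_PERM_DENIED"
    return status, consulted
```

With the post's line, a pam_u2f.so success skips pam_unix.so entirely, while a pam_u2f.so error is recorded under default=bad before pam_unix.so runs, so a correct password cannot rescue the login.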