From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: [PATCH 2/3] gnu: pam_unix.so Add use_first_pass option.
Date: Fri, 28 Oct 2016 14:48:20 +0200
Message-ID: <87mvhod4h7.fsf@gnu.org>
References: <1477150080-17187-1-git-send-email-jmd@gnu.org>
	<1477150080-17187-2-git-send-email-jmd@gnu.org>
	<20161023214550.GD6318@jasmine> <20161024045627.GA12193@jocasta.intra>
	<87k2cuklah.fsf@gnu.org> <20161028052231.GA9866@jocasta.intra>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41299)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1c06aA-0007CW-Pc
	for guix-devel@gnu.org; Fri, 28 Oct 2016 08:48:27 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1c06a7-0002ec-JR
	for guix-devel@gnu.org; Fri, 28 Oct 2016 08:48:26 -0400
In-Reply-To: <20161028052231.GA9866@jocasta.intra> (John Darrington's message
	of "Fri, 28 Oct 2016 07:22:32 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: John Darrington <john@darrington.wattle.id.au>
Cc: guix-devel@gnu.org, John Darrington <jmd@gnu.org>

John Darrington <john@darrington.wattle.id.au> skribis:

> On Thu, Oct 27, 2016 at 02:51:02PM +0200, Ludovic Court??s wrote:
>      >
>      > On its own it does nothing.  It makes more sense in context with t=
he other patch I sent.
>      > With this option in place, one can extend the unix-pam-service wit=
h another pam service
>      > (such as krb5-pam), and if the krb5 authentication fails (for exam=
ple because I am not
>      > at work) then the password I gave will be presented to the regular=
 pam_unix login.=20
>      > I won't be prompted for it again.
>=20=20=20=20=20=20
>      In that case, instead of hardcoding ???use_first_pass??? here, would=
 it be
>      possible for the pam-krb5 service to extend ???pam-root-service-type=
??? with
>      a procedure that automatically adds ???use_first_pass??? where neede=
d?
>=20=20=20=20=20=20
>
> I will look into it.  But almost any other pam module will want to do
> the same

Yes, and what I suggest will allow you to do that.

> - at least
> any other which uses passphrase based authentication.  So I thought why p=
ut the onus on=20
> every other module to do this?

It=E2=80=99s not entirely clear that =E2=80=98use_first_pass=E2=80=99 is ge=
nerally desirable,
Kerberos aside.  So I think it makes more sense to add it as part of the
Kerberos service, with an explanation of why it=E2=80=99s important in this
context.

Ludo=E2=80=99.