all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Customize PAM configuration
@ 2019-08-09 17:58 Jone
  2019-08-10 14:44 ` Timothy Sample
  0 siblings, 1 reply; 5+ messages in thread
From: Jone @ 2019-08-09 17:58 UTC (permalink / raw)
  To: help-guix

Hello! I want enter user/root password only once per session. To do this,
it will probably be convenient to export the password to shell variable.
For example, adding this to PAM configuration file:

   auth sufficient pam_exec.so expose_authtok /path/to/script.sh

But how to write it in system-config.scm? Sorry, I couldn't find any examples.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Customize PAM configuration
  2019-08-09 17:58 Customize PAM configuration Jone
@ 2019-08-10 14:44 ` Timothy Sample
  2019-08-10 18:55   ` Jone
  0 siblings, 1 reply; 5+ messages in thread
From: Timothy Sample @ 2019-08-10 14:44 UTC (permalink / raw)
  To: Jone; +Cc: help-guix

Hi Jone,

Jone <yeger9@gmail.com> writes:

> Hello! I want enter user/root password only once per session. To do this,
> it will probably be convenient to export the password to shell variable.
> For example, adding this to PAM configuration file:
>
>    auth sufficient pam_exec.so expose_authtok /path/to/script.sh
>
> But how to write it in system-config.scm? Sorry, I couldn't find any examples.

I don’t fully understand what you are trying to do, but here’s your
example translated into Guix:

(operating-system
  ...
  (pam-services (append (list (pam-service
                               (name "my-pam-service") ; or whatever
                               (auth (list (pam-entry
                                            (control "sufficient")
                                            (module "pam_exec.so")
                                            (arguments
                                             (list "expose_authok"
                                                   "/path/to/script.sh")))))))
                        (base-pam-services))))

Note that the “arguments” field of “pam-entry” takes G-Expressions.
This means that the script you want to execute could be a Guile script
built using “program-file”.  Alternatively, it could be a shell script
built using “computed-file” or some script that is outside of the store
using an absolute path.

Hope that helps!


-- Tim

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Customize PAM configuration
  2019-08-10 18:55   ` Jone
@ 2019-08-10 16:14     ` Ricardo Wurmus
  2019-08-10 19:52       ` Jone
  0 siblings, 1 reply; 5+ messages in thread
From: Ricardo Wurmus @ 2019-08-10 16:14 UTC (permalink / raw)
  To: Jone; +Cc: help-guix


Jone <yeger9@gmail.com> writes:

> The password is entered once at login and exported
> to environment variable. As a result, password is available during the user
> session (for some automation with bash scripts).

Please know that environment variables are readable in /proc and in the
output of process managers.  An environment variable is not a good place
for a secret.

--
Ricardo

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Customize PAM configuration
  2019-08-10 14:44 ` Timothy Sample
@ 2019-08-10 18:55   ` Jone
  2019-08-10 16:14     ` Ricardo Wurmus
  0 siblings, 1 reply; 5+ messages in thread
From: Jone @ 2019-08-10 18:55 UTC (permalink / raw)
  To: Timothy Sample; +Cc: help-guix

Thanks, Timothy! And sorry for my bad english.

> I don’t fully understand what you are trying to do

It's elementary! One password for any "local services", such as sudo, GPG
encryption, etc. The password is entered once at login and exported
to environment variable. As a result, password is available during the user
session (for some automation with bash scripts).
From a security perspective, this well normal decision, in my opinion.

Thanks for this example. I haven't used G-Expressions yet. In my case, the
final
script will of course be ordinary bash script (maybe in ~/).

What can you say about this idea?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Customize PAM configuration
  2019-08-10 16:14     ` Ricardo Wurmus
@ 2019-08-10 19:52       ` Jone
  0 siblings, 0 replies; 5+ messages in thread
From: Jone @ 2019-08-10 19:52 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix

Important notice, thank you!
I have read the detailed answer on this page:
https://stackoverflow.com/questions/4129631/linux-securing-environment-variables
and suppose I could use file instead variable.

An alternative solution would probably be to configure
sudoers file. But here comes the problem with running
scripts with root privileges..

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-08-10 16:48 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-08-09 17:58 Customize PAM configuration Jone
2019-08-10 14:44 ` Timothy Sample
2019-08-10 18:55   ` Jone
2019-08-10 16:14     ` Ricardo Wurmus
2019-08-10 19:52       ` Jone

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.