Question about PAM service

Question about PAM service

[Fredrik Salomonsson]

Hello Guix,

I recently changed my setup at home for work.  Now I have a laptop to do
my work on and my desktop (that's running Guix) for my personal notes
etc.  I still jump between the two through out the day.  It is a bit
annoying to have to type in my password every time I switch to my
desktop to unlock swaylock.

I got an u2f compatible USB key which got me thinking.  I might be able
to set it up that swaylock requires either password or the u2f key.
That way I don't need to type in my password to unlock my desktop all
the time.  Although it is a bit unclear if swaylock can handle this or
not.

However it does not look supertrivial to modify a PAM service.  So
before I venture down this path I figured it might be good to ask the
community to see if someone has done something similar?

From what I have gathered so far I need to disable the PAM services for
`screen-locker-service`.  Something like this:

```
(service screen-locker-service-type
            (screen-locker-configuration
             (name "swaylock")
             (program (file-append swaylock "/bin/swaylock"))
             (using-pam? #f)
             (using-setuid? #f)))
```

Then define my own for swaylock using `unix-pam-service`.  But grab the
result from that and modify the `auth` section to add the pam-u2f module
and also change the password from `required` to `sufficient`.  Does that
sound right? Or is there a better way of going about this?

Thanks

-- 
s/Fred[re]+i[ck]+/Fredrik/g

Re: Question about PAM service

[Felix Lechner via]

Hi Fredrik,

On Fri, Aug 02 2024, Fredrik Salomonsson wrote:

> it does not look supertrivial to modify a PAM service.

One way in Linux-PAM would be to skip the pam_unix.so module when the
pam_u2f.so module returned PAM_SUCCESS, like this

    auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
    auth required pam_unix.so

The mechanism is described here [1] but I haven't used in a while.

I'd probably do that only for the 'auth' stage, so that a locked or
expired password still prevents logins during the 'account' stage,
although it would be a matter of personal preference.

In Guix, you'll probably end up replacing 'pam-services' in your
operating-system record.

As an aside, I am also the upstream author of Guile-PAM [1] which could
potentially allow you to write something like this:

    (lambda (action handle flags options)
        (case action
          ((pam_sm_authenticate)
            (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
                    (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so"))
                'PAM_SUCCESS
                'PAM_AUTH_DENIED)))
           (else
               ...)))

Guile-PAM is experimental, however, and the code above is untested.

Kind regards
Felix

[1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
[2] https://juix.org/guile-pam/

Re: Question about PAM service

[Fredrik Salomonsson]

Hi Felix,

Felix Lechner <felix.lechner@lease-up.com> writes:

>> it does not look supertrivial to modify a PAM service.
>
> One way in Linux-PAM would be to skip the pam_unix.so module when the
> pam_u2f.so module returned PAM_SUCCESS, like this
>
>     auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
>     auth required pam_unix.so
>
> The mechanism is described here [1] but I haven't used in a while.

Thanks! I'll try that ones I get some time I can sit down and tinker
with this.

> I'd probably do that only for the 'auth' stage, so that a locked or
> expired password still prevents logins during the 'account' stage,
> although it would be a matter of personal preference.

Yeah, my idea is to just have this for swaylock i.e. when the
screensaver kicks in.  And let the rest be guarded by a password.

> In Guix, you'll probably end up replacing 'pam-services' in your
> operating-system record.
>
> As an aside, I am also the upstream author of Guile-PAM [1] which could
> potentially allow you to write something like this:
>
>     (lambda (action handle flags options)
>         (case action
>           ((pam_sm_authenticate)
>             (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
>                     (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so"))
>                 'PAM_SUCCESS
>                 'PAM_AUTH_DENIED)))
>            (else
>                ...)))
>
> Guile-PAM is experimental, however, and the code above is untested.

Interesting.  I would not mind testing this out.  But I think I'll do
this in stages.  First get things working with plain old Linux-PAM then
I might test out Guile-PAM.  Is it packaged for Guix?

> [1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
> [2] https://juix.org/guile-pam/

-- 
s/Fred[re]+i[ck]+/Fredrik/g

Re: Question about PAM service

[Fredrik Salomonsson]

Just to follow up as I finally got some time to sit down and tinker with
this.

Fredrik Salomonsson <plattfot@posteo.net> writes:

> Hi Felix,
>
> Felix Lechner <felix.lechner@lease-up.com> writes:
>
>>> it does not look supertrivial to modify a PAM service.
>>
>> One way in Linux-PAM would be to skip the pam_unix.so module when the
>> pam_u2f.so module returned PAM_SUCCESS, like this
>>
>>     auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
>>     auth required pam_unix.so
>>
>> The mechanism is described here [1] but I haven't used in a while.
>
> Thanks! I'll try that ones I get some time I can sit down and tinker
> with this.
>
>> I'd probably do that only for the 'auth' stage, so that a locked or
>> expired password still prevents logins during the 'account' stage,
>> although it would be a matter of personal preference.
>
> Yeah, my idea is to just have this for swaylock i.e. when the
> screensaver kicks in.  And let the rest be guarded by a password.
>
>> In Guix, you'll probably end up replacing 'pam-services' in your
>> operating-system record.
>>
>> As an aside, I am also the upstream author of Guile-PAM [1] which could
>> potentially allow you to write something like this:
>>
>>     (lambda (action handle flags options)
>>         (case action
>>           ((pam_sm_authenticate)
>>             (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
>>                     (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so"))
>>                 'PAM_SUCCESS
>>                 'PAM_AUTH_DENIED)))
>>            (else
>>                ...)))
>>
>> Guile-PAM is experimental, however, and the code above is untested.
>
> Interesting.  I would not mind testing this out.  But I think I'll do
> this in stages.  First get things working with plain old Linux-PAM then
> I might test out Guile-PAM.  Is it packaged for Guix?
>
>> [1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
>> [2] https://juix.org/guile-pam/

I ended up just writing service that modifies a `unix-pam-service`, you
can find it here [1].  Then use that instead of the pam service the
`screen-locker-service-type` generates.  Works quite well, I need to hit
enter to activate the u2f key when the screen is locked.  And also wait
for u2f to timeout if I want to log in with just the password.  But
quite nice to not needing to type in my password to unlock the screen.

Anyone know if it is a good idea to check in the u2f_keys mapping file?
I have not find any info if that file contains any sensitive information
sensitive or not.  Would be nice to have all that configured with guix.

[1] https://git.sr.ht/~plattfot/plt/tree/edc7b4da848b31926ae5cb8bb4d92f33c7e65d70/item/plt/system/u2f.scm
[2] https://git.sr.ht/~plattfot/plt/tree/edc7b4da848b31926ae5cb8bb4d92f33c7e65d70/item/plt/system/machines.scm

-- 
s/Fred[re]+i[ck]+/Fredrik/g