unofficial mirror of help-guix@gnu.org 
* Customize PAM configuration
From: Jone @ 2019-08-09 17:58 UTC (permalink / raw)
  To: help-guix

Hello! I want to enter the user/root password only once per session. To do this,
it will probably be convenient to export the password to a shell variable.
For example, by adding this to the PAM configuration file:

   auth sufficient pam_exec.so expose_authtok /path/to/script.sh

But how do I write it in system-config.scm? Sorry, I couldn't find any examples.


* Re: Customize PAM configuration
From: Timothy Sample @ 2019-08-10 14:44 UTC (permalink / raw)
  To: Jone; +Cc: help-guix

Hi Jone,

Jone <yeger9@gmail.com> writes:

> Hello! I want to enter the user/root password only once per session. To do this,
> it will probably be convenient to export the password to a shell variable.
> For example, by adding this to the PAM configuration file:
>
>    auth sufficient pam_exec.so expose_authtok /path/to/script.sh
>
> But how do I write it in system-config.scm? Sorry, I couldn't find any examples.

I don’t fully understand what you are trying to do, but here’s your
example translated into Guix:

(operating-system
  ...
  (pam-services (append (list (pam-service
                               (name "my-pam-service") ; or whatever
                               (auth (list (pam-entry
                                            (control "sufficient")
                                            (module "pam_exec.so")
                                            (arguments
                                             (list "expose_authtok" ; pam_exec option, spelled as in the original line
                                                   "/path/to/script.sh")))))))
                        (base-pam-services))))

Note that the “arguments” field of “pam-entry” takes G-Expressions.
This means that the script you want to execute could be a Guile script
built using “program-file”.  Alternatively, it could be a shell script
built using “computed-file” or some script that is outside of the store
using an absolute path.

Hope that helps!


-- Tim

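Added example (my code, not Timothy's and not part of Guix): a handler for the pam_exec line above, relying on pam_exec's documented behaviour that with `expose_authtok` the password is written to the script's stdin and that PAM_USER, PAM_SERVICE and PAM_TYPE are exported to it. Instead of exporting the token into the environment, it writes it to a mode-0600 file owned by the user. The directory /run/user-secrets and the SESSION_SECRET_DIR variable are assumptions of this example, not PAM or Guix settings.

```shell
#!/bin/sh
# Handler for: auth optional pam_exec.so expose_authtok /path/to/this-script
# With expose_authtok, pam_exec writes the password to the script's stdin and
# exports PAM_USER, PAM_SERVICE and PAM_TYPE. During login the PAM stack runs
# as root, so the file is handed over to the user after it has been written.
# SESSION_SECRET_DIR is an assumed location, not a PAM or Guix setting.
SESSION_SECRET_DIR=${SESSION_SECRET_DIR:-/run/user-secrets}

# store_authtok DIR: read the token from stdin and store it in DIR/<user>,
# mode 0600, owned by the user. Returns 0 on success (pam_exec reports an
# exit status of 0 as success) and 1 on any failure.
store_authtok() {
    dir=$1
    user=${PAM_USER:-}
    # Only the auth phase carries the token; do nothing in other phases.
    [ "${PAM_TYPE:-auth}" = auth ] || return 0
    # Never let a username reach the filesystem as a path component.
    case $user in ''|*/*|.|..) return 1 ;; esac
    # $(cat) reads all of stdin and drops a trailing newline if there is one.
    # The token stays in an unexported shell variable, never in the environment.
    tok=$(cat)
    [ -n "$tok" ] || return 1

    umask 077
    mkdir -p "$dir" || return 1
    chmod 711 "$dir" || return 1   # users may traverse, but not list, the directory
    # Write to a private temp file and rename it into place, so a reader never
    # observes a partially written or more permissive file.
    tmp=$(mktemp "$dir/.$user.XXXXXX") || return 1
    if ! printf '%s' "$tok" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if [ "$(id -u)" = 0 ] && ! chown "$user" "$tmp"; then rm -f "$tmp"; return 1; fi
    mv -f "$tmp" "$dir/$user"
}

# When invoked by pam_exec, PAM_TYPE is set: run and report the exit status.
# Otherwise (sourced for testing) only the function is defined.
if [ -n "${PAM_TYPE:-}" ]; then
    store_authtok "$SESSION_SECRET_DIR"
    exit $?
fi
```

Note the control flag. With `sufficient`, a script that exits 0 makes the auth stack succeed at that point (provided no earlier `required` module failed), so placed ahead of pam_unix.so in a login service it would accept any password. A script that only records the token belongs under `optional`, where its result never decides authentication.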

* Re: Customize PAM configuration
From: Ricardo Wurmus @ 2019-08-10 16:14 UTC (permalink / raw)
  To: Jone; +Cc: help-guix


Jone <yeger9@gmail.com> writes:

> The password is entered once at login and exported
> to an environment variable. As a result, the password is available during the user
> session (for some automation with bash scripts).

Please know that environment variables are readable in /proc and in the
output of process managers.  An environment variable is not a good place
for a secret.

--
Ricardo

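Added demonstration of Ricardo's point (my code, not from the thread): a variable exported once is inherited by every program started afterwards, and any process of the same user (or root) can read it back from /proc/<pid>/environ, which is the same data `ps e` prints. It is Linux-specific; the variable name DEMO_SECRET and the value passed in are constructed for the demonstration.

```shell
#!/bin/sh
# Shows why an environment variable is a poor place for a secret: the exported
# value travels into every child process and is readable from /proc by any
# process with the same uid (or by root). Linux-only; values are constructed.

# environ_value PID NAME: print NAME's value from /proc/PID/environ, the
# NUL-separated environment the process received at exec time.
environ_value() {
    tr '\0' '\n' < "/proc/$1/environ" | sed -n "s/^$2=//p"
}

# stop_child PID: terminate the helper process and reap it.
stop_child() {
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# leak_via_proc NAME VALUE: export NAME=VALUE in a subshell, start an ordinary
# program (sleep) from it, and recover VALUE from that program's /proc entry
# exactly as an unrelated process of the same user could. Prints the value.
leak_via_proc() {
    name=$1 secret=$2
    ( export "$name=$secret"; exec sleep 30 ) &
    pid=$!
    sleep 1   # let the child exec; before that /proc still shows the parent's env
    found=$(environ_value "$pid" "$name")
    stop_child "$pid"
    printf '%s\n' "$found"
}

# unexported_stays_private NAME VALUE: same setup, but the variable is assigned
# without export. Returns 0 when nothing reached the child's environment.
unexported_stays_private() {
    name=$1 secret=$2
    ( eval "$name=\$secret"; exec sleep 30 ) &
    pid=$!
    sleep 1
    found=$(environ_value "$pid" "$name")
    stop_child "$pid"
    [ -z "$found" ]
}
```

A file with mode 0600 narrows the exposure to the owning uid and root, which is better than an inherited environment that every program, plugin or crash reporter started in the session receives. It does not protect against other processes running as the same user, which can read both the file and /proc.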

* Re: Customize PAM configuration
From: Jone @ 2019-08-10 18:55 UTC (permalink / raw)
  To: Timothy Sample; +Cc: help-guix

Thanks, Timothy! And sorry for my bad english.

> I don’t fully understand what you are trying to do

It's elementary! One password for any "local services", such as sudo, GPG
encryption, etc. The password is entered once at login and exported
to an environment variable. As a result, the password is available during the user
session (for some automation with bash scripts).
From a security perspective, this is a normal decision, in my opinion.

Thanks for this example. I haven't used G-Expressions yet. In my case, the
final script will of course be an ordinary bash script (maybe in ~/).

What can you say about this idea?


* Re: Customize PAM configuration
From: Jone @ 2019-08-10 19:52 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: help-guix

Important notice, thank you!
I have read the detailed answer on this page:
https://stackoverflow.com/questions/4129631/linux-securing-environment-variables
and suppose I could use a file instead of a variable.

An alternative solution would probably be to configure the
sudoers file. But then there is the problem of running
scripts with root privileges...
