* Customize PAM configuration
@ 2019-08-09 17:58 Jone
2019-08-10 14:44 ` Timothy Sample
0 siblings, 1 reply; 5+ messages in thread
From: Jone @ 2019-08-09 17:58 UTC (permalink / raw)
To: help-guix
Hello! I want enter user/root password only once per session. To do this,
it will probably be convenient to export the password to shell variable.
For example, adding this to PAM configuration file:
auth sufficient pam_exec.so expose_authtok /path/to/script.sh
But how to write it in system-config.scm? Sorry, I couldn't find any examples.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Customize PAM configuration
2019-08-09 17:58 Customize PAM configuration Jone
@ 2019-08-10 14:44 ` Timothy Sample
2019-08-10 18:55 ` Jone
0 siblings, 1 reply; 5+ messages in thread
From: Timothy Sample @ 2019-08-10 14:44 UTC (permalink / raw)
To: Jone; +Cc: help-guix
Hi Jone,
Jone <yeger9@gmail.com> writes:
> Hello! I want enter user/root password only once per session. To do this,
> it will probably be convenient to export the password to shell variable.
> For example, adding this to PAM configuration file:
>
> auth sufficient pam_exec.so expose_authtok /path/to/script.sh
>
> But how to write it in system-config.scm? Sorry, I couldn't find any examples.
I don’t fully understand what you are trying to do, but here’s your
example translated into Guix:
(operating-system
...
(pam-services (append (list (pam-service
(name "my-pam-service") ; or whatever
(auth (list (pam-entry
(control "sufficient")
(module "pam_exec.so")
(arguments
(list "expose_authok"
"/path/to/script.sh")))))))
(base-pam-services))))
Note that the “arguments” field of “pam-entry” takes G-Expressions.
This means that the script you want to execute could be a Guile script
built using “program-file”. Alternatively, it could be a shell script
built using “computed-file” or some script that is outside of the store
using an absolute path.
Hope that helps!
-- Tim
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Customize PAM configuration
2019-08-10 14:44 ` Timothy Sample
@ 2019-08-10 18:55 ` Jone
2019-08-10 16:14 ` Ricardo Wurmus
0 siblings, 1 reply; 5+ messages in thread
From: Jone @ 2019-08-10 18:55 UTC (permalink / raw)
To: Timothy Sample; +Cc: help-guix
Thanks, Timothy! And sorry for my bad english.
> I don’t fully understand what you are trying to do
It's elementary! One password for any "local services", such as sudo, GPG
encryption, etc. The password is entered once at login and exported
to environment variable. As a result, password is available during the user
session (for some automation with bash scripts).
From a security perspective, this well normal decision, in my opinion.
Thanks for this example. I haven't used G-Expressions yet. In my case, the
final
script will of course be ordinary bash script (maybe in ~/).
What can you say about this idea?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Customize PAM configuration
2019-08-10 18:55 ` Jone
@ 2019-08-10 16:14 ` Ricardo Wurmus
2019-08-10 19:52 ` Jone
0 siblings, 1 reply; 5+ messages in thread
From: Ricardo Wurmus @ 2019-08-10 16:14 UTC (permalink / raw)
To: Jone; +Cc: help-guix
Jone <yeger9@gmail.com> writes:
> The password is entered once at login and exported
> to environment variable. As a result, password is available during the user
> session (for some automation with bash scripts).
Please know that environment variables are readable in /proc and in the
output of process managers. An environment variable is not a good place
for a secret.
--
Ricardo
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-08-10 16:48 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-08-09 17:58 Customize PAM configuration Jone
2019-08-10 14:44 ` Timothy Sample
2019-08-10 18:55 ` Jone
2019-08-10 16:14 ` Ricardo Wurmus
2019-08-10 19:52 ` Jone
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.