On Mon, 27 May 2024 at 00:30, Sam Hartman <hartm...@debian.org> wrote:
>
> >>>>> "Luca" == Luca Boccassi <bl...@debian.org> writes:
>
> Luca> > https://www.freedesktop.org/software/systemd/man/latest/pam_systemd_home.html
>
> It's going to be a long time (a couple of weeks) before I have cycles to
> actually look at systemd-home rather than to answer questions with my
> pam hat on without looking at your application.
> The limits issue you wrote to me about yesterday is ahead in the queue,
> as likely is a new version of krb5.
>
> Luca> Any idea where use_authtok try_first_pass could be coming
> Luca> from? I don't see them defined anywhere in the pam config I am
> Luca> shipping, so I have no idea why pam-auth-update is adding
> Luca> them.
>
> I gave you pointers where to look for these: /usr/share/pam-config/unix
> This is complex enough that someone who both has a good understanding of
> pam and systemd-home is going to need to get involved.
> I can talk about the broader pam context, and some issues people have
> run into in the past, but someone needs to have both systemd-home and
> pam in their heads to definitively decide what systemd-home wants out of
> pam.
> That's not going to be me any time soon.

Ah thanks for the pointer to the file, I had missed that somehow in the first reply. I see it now: the pam-config for unix.so assumes that if something runs before then everything is done already. Unfortunately that assumption is wrong. I'll see if I can just hack it and monkey patch common-password in the postinst to fix it up for now, as I assume this is some load-bearing assumption.