Hi Felix,

Felix Lechner <[email protected]> writes:

>> it does not look supertrivial to modify a PAM service.
>
> One way in Linux-PAM would be to skip the pam_unix.so module when the
> pam_u2f.so module returned PAM_SUCCESS, like this
>
> auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
> auth required pam_unix.so
>
> The mechanism is described here [1] but I haven't used it in a while.

Thanks! I'll try that once I get some time I can sit down and tinker with this.

> I'd probably do that only for the 'auth' stage, so that a locked or
> expired password still prevents logins during the 'account' stage,
> although it would be a matter of personal preference.

Yeah, my idea is to just have this for swaylock i.e. when the screensaver kicks in. And let the rest be guarded by a password.

> In Guix, you'll probably end up replacing 'pam-services' in your
> operating-system record.
>
> As an aside, I am also the upstream author of Guile-PAM [2] which could
> potentially allow you to write something like this:
>
> (lambda (action handle flags options)
>   (case action
>     ((pam_sm_authenticate)
>      (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
>              (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so")))
>          'PAM_SUCCESS
>          'PAM_AUTH_DENIED))
>     (else
>      ...)))
>
> Guile-PAM is experimental, however, and the code above is untested.

Interesting. I would not mind testing this out. But I think I'll do this in stages. First get things working with plain old Linux-PAM then I might test out Guile-PAM. Is it packaged for Guix?

> [1] https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
> [2] https://juix.org/guile-pam/

-- 
s/Fred[re]+i[ck]+/Fredrik/g
