Just to follow up as I finally got some time to sit down and tinker with this.
Fredrik Salomonsson <[email protected]> writes:

> Hi Felix,
>
> Felix Lechner <[email protected]> writes:
>
>>> it does not look supertrivial to modify a PAM service.
>>
>> One way in Linux-PAM would be to skip the pam_unix.so module when the
>> pam_u2f.so module returned PAM_SUCCESS, like this
>>
>> auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_u2f.so
>> auth required pam_unix.so
>>
>> The mechanism is described here [1] but I haven't used it in a while.
>
> Thanks! I'll try that once I get some time I can sit down and tinker
> with this.
>
>> I'd probably do that only for the 'auth' stage, so that a locked or
>> expired password still prevents logins during the 'account' stage,
>> although it would be a matter of personal preference.
>
> Yeah, my idea is to just have this for swaylock i.e. when the
> screensaver kicks in. And let the rest be guarded by a password.
>
>> In Guix, you'll probably end up replacing 'pam-services' in your
>> operating-system record.
>>
>> As an aside, I am also the upstream author of Guile-PAM [1] which could
>> potentially allow you to write something like this:
>>
>> (lambda (action handle flags options)
>>   (case action
>>     ((pam_sm_authenticate)
>>      (if (or (eq? 'PAM_SUCCESS (call-legacy-module "pam_u2f.so"))
>>              (eq? 'PAM_SUCCESS (call-legacy-module "pam_unix.so")))
>>          'PAM_SUCCESS
>>          'PAM_AUTH_DENIED))
>>     (else
>>      ...)))
>>
>> Guile-PAM is experimental, however, and the code above is untested.
>
> Interesting. I would not mind testing this out. But I think I'll do
> this in stages. First get things working with plain old Linux-PAM then
> I might test out Guile-PAM. Is it packaged for Guix?
>
>> [1]
>> https://www.chiark.greenend.org.uk/doc/libpam-doc/html/sag-configuration-file.html
>> [2] https://juix.org/guile-pam/

I ended up just writing a service that modifies a `unix-pam-service`; you can find it here [1]. Then I use that instead of the PAM service the `screen-locker-service-type` generates.
Works quite well. I need to hit enter to activate the u2f key when the screen is locked, and also wait for u2f to time out if I want to log in with just the password. But it is quite nice to not need to type in my password to unlock the screen. Anyone know if it is a good idea to check in the u2f_keys mapping file? I have not found any info on whether that file contains any sensitive information or not. Would be nice to have all that configured with Guix.

[1] https://git.sr.ht/~plattfot/plt/tree/edc7b4da848b31926ae5cb8bb4d92f33c7e65d70/item/plt/system/u2f.scm
[2] https://git.sr.ht/~plattfot/plt/tree/edc7b4da848b31926ae5cb8bb4d92f33c7e65d70/item/plt/system/machines.scm

-- 
s/Fred[re]+i[ck]+/Fredrik/g
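Added example, not code from this thread or from either poster: a small Python model of the pam.conf(5) control actions (ok, done, bad, die, ignore and integer jumps; reset is omitted), applied to the two-line stack quoted above and to a variant with default=ignore. The module return codes fed in are constructed inputs standing for "key touched" and "key missing or timed out".

```python
# Simplified model of pam.conf(5) action semantics for one PAM stack:
# ok, done, bad, die, ignore and integer jumps; 'reset' is left out.
SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE", "PAM_PERM_DENIED")

# Keyword controls spelled out as their bracket equivalents (pam.conf(5)).
KEYWORDS = {
    "required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}

def parse_control(control):
    """'[success=1 ignore=ignore default=bad]' -> {'success': '1', ...}."""
    control = KEYWORDS.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def action_for(control, retval):
    """Action for a return code: PAM_AUTH_ERR looks up 'auth_err', else default."""
    return control.get(retval[4:].lower(), control.get("default", "bad"))

def evaluate_stack(stack, results):
    """stack: [(control, module)], results: {module: retval} -> final code."""
    impression, status = None, PERM_DENIED  # undefined until a module counts
    i = 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        action = action_for(parse_control(control), retval)
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != "negative":  # the first failure is the one kept
                impression, status = "negative", retval
            if action == "die":
                break
        else:  # ok / done / N: count only while no failure has been recorded
            if impression is None or (impression, status) == ("positive", SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = "positive", retval
            if action == "done":
                break
            if action.isdigit():
                i += int(action)  # jump over the next N modules
    return status if impression is not None else PERM_DENIED

# The stack quoted in the thread, and a variant whose u2f failure is ignored
# so that a later password success can still unlock (constructed for comparison).
THREAD_STACK = [("[success=1 new_authtok_reqd=1 ignore=ignore default=bad]", "pam_u2f.so"),
                ("required", "pam_unix.so")]
FALLBACK_STACK = [("[success=1 new_authtok_reqd=1 default=ignore]", "pam_u2f.so"),
                  ("required", "pam_unix.so")]
```

Running `evaluate_stack` over both stacks shows the point worth checking before deploying such a lock screen: with default=bad, a failed or timed-out pam_u2f.so attempt keeps its failure status even when pam_unix.so later accepts the password, whereas default=ignore lets the password act as a fallback.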
