Re: PAM Configuration
Hello,

On 2020-02-14 13:25, Christoph Pleger wrote:

> auth    [success=2 default=ignore]    pam_p11.so /usr/local/lib/libcvP11.so
> # here are the per-package modules (the "Primary" block)
> auth    [success=1 default=ignore]    pam_unix.so nullok_secure
> # here's the fallback if no module succeeds
> auth    requisite                     pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required                      pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth    optional                      pam_group.so
> auth    optional                      pam_cap.so
> # end of pam-auth-update config

The question here is: why does the application get any knowledge at all about some failed PAM module? Should it not just get the final result from the complete PAM stack, which is PAM_SUCCESS in this case?

Regards
Christoph
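To make the control flow of the stack quoted above concrete, here is an added example (not code from the thread or from Linux-PAM) that models how an auth stack is walked: shorthand controls are expanded as documented in pam.conf(5), `ok`/`bad`/`die`/`done`/`ignore` update the running verdict, an integer means "skip that many modules", and a module returning PAM_IGNORE never contributes. One simplifying assumption is labelled in the code: a jump is treated as a pure skip that does not itself record the module's return code (the authoritative rules are in Linux-PAM's libpam/pam_dispatch.c). Module outcomes are supplied by the caller, so the three login cases can be traced offline.

```python
"""Trace Linux-PAM style auth-stack evaluation over the posted common-auth.

Added example, not part of the original thread. Simplified model; see
lead-in for the assumption about integer jumps.
"""
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# pam.conf(5) shorthand controls, reduced to the two outcomes we model.
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The common-auth stack from the thread, comments trimmed.
COMMON_AUTH = """
auth    [success=2 default=ignore]    pam_p11.so /usr/local/lib/libcvP11.so
auth    [success=1 default=ignore]    pam_unix.so nullok_secure
auth    requisite                     pam_deny.so
auth    required                      pam_permit.so
auth    optional                      pam_group.so
auth    optional                      pam_cap.so
"""


def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines into (actions, module, args)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", line)
        if not m:
            raise ValueError("cannot parse: %r" % raw)
        control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = dict(SHORTHAND[control])
        stack.append((actions, module, args.strip()))
    return stack


def run_auth(stack, outcomes):
    """Walk the stack; outcomes maps module name -> return code it produces.

    Returns (final status, list of modules that actually ran)."""
    impression = None            # None = undefined, True = positive, False = negative
    status = PAM_PERM_DENIED
    executed, skip = [], 0
    for actions, module, _args in stack:
        if skip:                 # module skipped by an earlier jump: never called
            skip -= 1
            continue
        executed.append(module)
        retval = outcomes[module]
        if retval == PAM_IGNORE:  # PAM_IGNORE never contributes to the verdict
            continue
        key = "success" if retval == PAM_SUCCESS else "default"
        action = actions.get(key) or actions["default"]
        if action == "ignore":
            continue
        if action.isdigit():
            skip = int(action)   # assumption: jump only skips, status untouched
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    if impression is None:       # nothing recorded a verdict: Linux-PAM denies
        status = PAM_PERM_DENIED
    return status, executed


def scenarios():
    """Trace the three login cases plus the stack without its pam_permit line."""
    fixed = {"pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS,
             "pam_group.so": PAM_IGNORE, "pam_cap.so": PAM_IGNORE}  # constructed outcomes
    full = parse_stack(COMMON_AUTH)
    primary_only = full[:3]      # pam_p11, pam_unix, pam_deny: no pam_permit to prime the verdict
    return {
        "smartcard": run_auth(full, {**fixed, "pam_p11.so": PAM_SUCCESS, "pam_unix.so": PAM_SUCCESS}),
        "password":  run_auth(full, {**fixed, "pam_p11.so": PAM_AUTH_ERR, "pam_unix.so": PAM_SUCCESS}),
        "neither":   run_auth(full, {**fixed, "pam_p11.so": PAM_AUTH_ERR, "pam_unix.so": PAM_AUTH_ERR}),
        "smartcard_without_permit": run_auth(primary_only, {**fixed, "pam_p11.so": PAM_SUCCESS,
                                                            "pam_unix.so": PAM_SUCCESS}),
    }


if __name__ == "__main__":
    for name, (status, ran) in scenarios().items():
        print("%-25s %-15s ran: %s" % (name, status, ", ".join(ran)))
```

The "password" trace shows the property Christoph relies on: pam_p11's failure is swallowed by `default=ignore`, pam_unix's success jumps over pam_deny, and pam_permit sets the positive verdict, so the stack's final return is PAM_SUCCESS even though one module failed along the way. The last scenario shows why the Debian comment calls pam_permit a primer: under this model's pure-skip assumption, a stack that ends on a jump never records a verdict and Linux-PAM falls back to PAM_PERM_DENIED.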
Re: PAM Configuration
Hello,

>> auth    [success=2 default=ignore]    pam_p11.so /usr/local/lib/libcvP11.so
>> [...]
>> This works nearly exactly as desired, "nearly" because though the
>> login with unix password works, the application shows "Login failed"
>> for a short time. Is there something I can change in the above file to
>> avoid this message?
>
> I don't know what local library it is you used, but I encourage you to
> consider the use of Debian packages libpam-p11 libpam-pkcs11 and
> libpam-poldi - or if you already considered those then share why you
> rejected them.

I am using libpam-p11; the local library given as an option of pam_p11.so
is just for support of the specific format in which data is stored on our
organization's smartcards.

Regards
Christoph
Re: PAM Configuration
Hi Christoph.

Quoting Christoph Pleger (2020-02-14 13:25:24)
> I created a PAM configuration with the goal to make it possible that a
> user can either login by inserting a smartcard into a card reader and
> entering the correct PIN, or by entering the traditional UNIX
> password. This is what my /etc/pam.d/common-auth looks like:
[...]
> auth    [success=2 default=ignore]    pam_p11.so
> /usr/local/lib/libcvP11.so
[...]
> This works nearly exactly as desired, "nearly" because though the
> login with unix password works, the application shows "Login failed"
> for a short time. Is there something I can change in the above file to
> avoid this message?

I don't know what local library it is you used, but I encourage you to
consider the use of Debian packages libpam-p11 libpam-pkcs11 and
libpam-poldi - or if you already considered those then share why you
rejected them.

...and then I suggest checking their documentation - perhaps they already
cover the combination use case that you are exploring.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private