Need help with PAM configuration for pam_keyring and thinkfinger



Maners
7th September 2007, 02:22 AM
Hi all,

I have been trying to figure out how to make both thinkfinger and pam_keyring work nicely in Fedora 7. I found configuration examples for each of the modules, and they work well one at a time, but when combining the configuration of both modules I get a dual password prompt at the login screen: after entering the user name I get the regular password prompt and then the prompt to type in the password or swipe a finger. It seems like the first one comes from pam_keyring and the second from the thinkfinger module. How do I configure PAM so that I get only the thinkfinger prompt and pam_keyring automatically "picks up" the credentials passed from thinkfinger?

My system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

and gdm file:

#%PAM-1.0
auth required pam_env.so
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyring.so

Maners
10th October 2007, 08:53 AM
Just FYI, in Fedora 8 Test 3 it all works nicely, as the new GNOME release unlocks the keyring after a successful login to the system and there's no need for the pam_keyring module anymore.

Fedora 8's system-auth:


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


and gdm:


#%PAM-1.0
auth required pam_env.so
auth include system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_gnome_keyring.so auto_start

dryicerx
10th November 2007, 12:47 AM
How did you get both to work... I had been waiting until F8 so this annoyance will go away but it's still there and I can't seem to find much difference from your config files

my system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

and my gdm


#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth include system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start

I can log in at gdm using thinkfinger.. but when I log in it immediately goes and asks for the password for applet-nm password for keyring, any ideas?

sej7278
10th November 2007, 02:56 PM
Sorry, I thought that read stinkfinger!

I assume it's a fingerprint reader of thinkpads? I've got one on my hp nc6400 but apparently as far as drivers go somebody managed to get as far as scanning a mono image into the gimp.....

Maners
14th November 2007, 12:27 AM
Unfortunately in Fedora 8 Final the gnome-keyring-pam is broken and it stopped working as intended a few weeks after F8 Test 3. Here's the Bugzilla ticket regarding this: https://bugzilla.redhat.com/show_bug.cgi?id=356931. There are also several more bugs filed concerning this, so hopefully it will be fixed soon.

phalkone
27th December 2008, 05:35 PM
I realise this thread is quite old, but I have the same problem as the original poster in Fedora 10. I also wonder if I have to install pam_keyring now that we have pam_gnome_keyring. If I log in with a password instead of the fingerprint reader I do not get prompted for my password by the keyring. Can somebody tell me how to adjust my system-auth and gdm files?

My current system-auth:

auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

My current gdm:

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
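
Added example, not part of any post in this thread: a simplified Python model of Linux-PAM auth-stack control flow, showing which modules execute when `pam_thinkfinger.so` succeeds under `include` versus `substack`. The names `FILES`, `run` and `trace` are hypothetical, the gdm files are reduced to the auth lines that matter here, and the model tracks only which modules run, not the final verdict.

```python
# Added example: simplified model of Linux-PAM auth-stack control flow.
FILES = {  # auth lines only, constructed from the configs posted in the thread
    "system-auth": """\
auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
""",
    "gdm-include": """\
auth required pam_env.so
auth include system-auth
auth optional pam_gnome_keyring.so
""",
    "gdm-substack": """\
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
""",
}

def run(name, results, ran):
    """Walk one file's auth lines; return 'done'/'die' if the stack ended early."""
    failed = False
    for line in FILES[name].splitlines():
        kind, control, target = line.split()[:3]
        if kind != "auth":
            continue
        if control in ("include", "substack"):
            signal = run(target, results, ran)
            if signal and control == "include":
                return signal      # include: done/die ends the complete stack
            continue               # substack: only the substack was cut short
        ran.append(target)
        ok = results.get(target, True)   # assumed outcome; default is success
        if control == "sufficient" and ok and not failed:
            return "done"
        if control == "requisite" and not ok:
            return "die"
        if control == "required" and not ok:
            failed = True
    return None

def trace(service, results):
    """Return the modules executed for `service`, given per-module outcomes."""
    ran = []
    run(service, results, ran)
    return ran
```

With `include`, a successful `sufficient` module ends the whole auth stack before `pam_gnome_keyring.so`; with `substack` the keyring module does run, but a finger swipe supplies no password for it to use.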