OpenSC / pam_pkcs11

This Linux-PAM login module allows an X.509 certificate-based user login
GNU Lesser General Public License v2.1

fallback to password on empty pin #36

Closed c3ph3us closed 5 years ago

c3ph3us commented 5 years ago

pam_pkcs11.txt

Some time ago everything was fine :) but now I need to pull my YubiKey to log in via PAM, because when I hit Enter [as an empty PIN] for PIN auth, which is the first method in the auth-common stack, the PAM module logs me out!

1) Why doesn't the new mechanism fall back to the default password auth method (for an empty PIN)?
2) Where can I change this back to the previous behavior with password fallback? (This is a "must have" option, as I use encryption of the user home, and to log in and unwrap the passphrase I need the user password when I first log into my account; there is no PIN-based solution for that.)

auth    [success=2 default=ignore]  pam_pkcs11.so
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
auth    optional    pam_ecryptfs.so unwrap

error 2318 - empty smartcard pin not allowed

I have also tried adding nullok:

error 2320 - wrong smartcard pin

Where do I need to set this up, and which is the correct option?

Config attached.

wolneykien commented 5 years ago

I'll check the code today...

wolneykien commented 5 years ago

As far as I can see, the "2320: wrong smartcard PIN" error only happens when the card (token) login fails. Note that when you set nullok, the PAM module really tries to log in with the empty PIN, and the card may not accept it. So, check your token/card.

wolneykien commented 5 years ago

Seems to be closed now. Feel free to reopen once you've got new info about the problem.

c3ph3us commented 5 years ago

@wolneykien Yes, but without nullok (which, as I understand it, allows checking against the smartcard with an empty PIN) pam_pkcs11 also does not go on to pam_unix (password); instead it forces me to enter the login ... and the circle closes: only when there is no smartcard can I use the password. Which options in the stack do I need to use to go down the stack? sufficient is not working ....

optional?

With the above config, when I hit Enter I get 2318 x 3, then auth ends with failure.

wolneykien commented 5 years ago

Hi! I suppose the card_only = false option in pam_pkcs11.conf is the one you are looking for. With this option it is possible to go on to the next PAM module via the ignore status, as follows:

auth        [success=done ignore=ignore default=die]    pam_pkcs11.so
auth        requisite   pam_succeed_if.so user ingroup wheel
auth        include system-auth-local

where system-auth-local is the standard system authentication stack (i.e. local password authentication). Using pam_succeed_if.so is optional, of course.
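As an added illustration of the control-value semantics this thread turns on (this is example code written for this page, not code from pam_pkcs11 or from either participant), the following Python models how Linux-PAM's dispatcher walks the two auth stacks quoted above, using the action semantics documented in pam.conf(5). It models dispatch only: each module's return code is supplied by the caller, so it does not reproduce what pam_pkcs11 itself does with an empty PIN (the 2318 errors). It assumes that pam_pkcs11 returns PAM_IGNORE when card_only = false and it decides to skip, as the last comment describes, and it stands in a single `auth required pam_unix.so` line for the site's system-auth-local, which the page does not show.

```python
"""Model of Linux-PAM auth-stack dispatch (added example, not part of pam_pkcs11)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # what Linux-PAM returns when nothing contributed

# Shorthand keywords expanded to the bracketed form, as in pam.conf(5).
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


@dataclass
class Entry:
    module: str
    actions: Dict[str, str]   # e.g. {"success": "2", "default": "ignore"}


def parse_control(ctrl: str) -> Dict[str, str]:
    ctrl = SHORTHAND.get(ctrl, ctrl)
    if not (ctrl.startswith("[") and ctrl.endswith("]")):
        raise ValueError(f"unsupported control: {ctrl}")
    return dict(tok.split("=", 1) for tok in ctrl[1:-1].split())


def parse_stack(conf: str, includes: Dict[str, str]) -> List[Entry]:
    """Parse 'auth <control> <module> [args]' lines; 'include' splices in another stack."""
    entries: List[Entry] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rest = line.split(None, 1)[1]              # drop the 'auth' type field
        if rest.startswith("["):                   # bracketed control may contain spaces
            end = rest.index("]") + 1
            ctrl, rest = rest[:end], rest[end:]
        else:
            ctrl, rest = rest.split(None, 1)
        module = rest.split()[0]
        if ctrl == "include":
            entries.extend(parse_stack(includes[module], includes))
        else:
            entries.append(Entry(module, parse_control(ctrl)))
    return entries


def run_stack(entries: List[Entry], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack; results maps module -> code it returns (default PAM_SUCCESS).
    Returns the final status and the modules that were actually called."""
    impression = None      # None: nothing contributed yet; True/False: passing/failing
    status = PAM_PERM_DENIED
    called: List[str] = []
    i = 0
    while i < len(entries):
        e = entries[i]
        retval = results.get(e.module, PAM_SUCCESS)
        called.append(e.module)
        # Unlisted codes fall to 'default'; a missing 'default' acts as 'bad'.
        action = e.actions.get(retval[4:].lower(), e.actions.get("default", "bad"))
        i += 1
        if action == "ignore":                      # leaves impression and status untouched
            continue
        if action == "reset":
            impression, status = None, PAM_PERM_DENIED
            continue
        if action in ("bad", "die"):
            if impression is not False:             # the first failure fixes the status
                impression, status = False, retval
            if action == "die":
                break
            continue
        # 'ok', 'done' and a jump count N override the status unless already failing;
        # 'done' then returns, N additionally skips the next N entries.
        if impression is not False:
            impression, status = True, retval
        if action == "done":
            if impression is True:
                break
        elif action.isdigit():
            i += int(action)
            if i > len(entries):                    # jump past the end: modelled as failure
                impression, status = False, PAM_PERM_DENIED
        elif action != "ok":
            raise ValueError(f"unknown action {action!r}")
    if impression is None:                          # no module contributed at all
        status = PAM_PERM_DENIED
    return status, called


# The poster's stack and the suggested stack, copied from the thread above.
USER_STACK = """\
auth    [success=2 default=ignore]  pam_pkcs11.so
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
auth    optional    pam_ecryptfs.so unwrap
"""
SUGGESTED_STACK = """\
auth        [success=done ignore=ignore default=die]    pam_pkcs11.so
auth        requisite   pam_succeed_if.so user ingroup wheel
auth        include system-auth-local
"""
# Assumption: the site's system-auth-local is plain local password auth.
INCLUDES = {"system-auth-local": "auth required pam_unix.so\n"}


def login(stack: str, pkcs11: str, unix: str = PAM_SUCCESS) -> Tuple[str, List[str]]:
    """One simulated login: pkcs11/unix are the codes those modules return;
    pam_deny always returns PAM_AUTH_ERR, everything else PAM_SUCCESS."""
    results = {"pam_pkcs11.so": pkcs11, "pam_unix.so": unix, "pam_deny.so": PAM_AUTH_ERR}
    return run_stack(parse_stack(stack, INCLUDES), results)


if __name__ == "__main__":
    for name, stack in (("poster", USER_STACK), ("suggested", SUGGESTED_STACK)):
        for outcome in (PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR):
            status, called = login(stack, outcome)
            print(f"{name:9} pkcs11->{outcome:12} => {status:15} via {' '.join(called)}")
```

Running it shows the difference the last comment relies on: under `[success=done ignore=ignore default=die]` a PAM_IGNORE from pam_pkcs11 is the only route into the password stack, a real PIN failure dies without ever reaching pam_unix, and a success returns immediately; under the poster's `[success=2 default=ignore]` line every non-success result, wrong PIN included, is ignored and falls through to pam_unix.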