nuvious / pam-duress

A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc if a user is coerced into giving a threat actor a password.
GNU Lesser General Public License v3.0

Some PAM config files looking very different from the example #33

Closed ghost closed 2 years ago

ghost commented 2 years ago

I was interested in testing this package out on openSUSE, so I managed (I think) to put it in OBS in a very bare-bones way (https://build.opensuse.org/package/show/home:lilfroggy/pam-duress). It seems to install properly; however, my PAM config file doesn't really seem to have the same syntax as the one in the example, and it also says it won't accept any modifications to it:

/etc/pam.d/common-auth:

```
#%PAM-1.0
#
# This file is autogenerated by pam-config. All manual
# changes will be overwritten!
#
# The pam-config configuration files can be used as template
# for an own PAM configuration not managed by pam-config:
#
# for i in account auth password session; do \
#      rm -f common-$i; sed '/^#.*/d' common-$i-pc > common-$i; \
# done
#
# Afterwards common-{account, auth, password, session} can be
# adjusted. Never edit or delete common-*-pc files!
#
# WARNING: changes done by pam-config afterwards are not
# visible to the PAM stack anymore!
#
# WARNING: self managed PAM configuration files are not supported,
# will not see required adjustments by pam-config and can become
# insecure or break system functionality through system updates!
#
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required    pam_env.so  
auth    optional    pam_gnome_keyring.so
auth    required    pam_unix.so try_first_pass
```

Any ideas on how to make it work with such a setup?

nuvious commented 2 years ago

This is common, as different flavors of Linux configure PAM differently. We are building flavor-specific documentation and I've got a pull request on Arch. However, I'm realizing me doing this in my spare time for all flavors isn't something I can reasonably accommodate for now. If you do figure out a means to install it in openSUSE, please consider forking and creating a walkthrough. Thanks for your interest in the project regardless, but I will close with comment, as the module functionally focuses on working in PAM, and because PAM is Linux flavor agnostic, issues raised based on implementation in a specific flavor will be closed unless they're updating documentation on a Linux flavor already contributed to the repo.
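
An added example, not part of the issue thread or the pam-duress project: a small Python parser for `/etc/pam.d` files that reports whether a file carries the pam-config "autogenerated" header quoted above and expands keyword controls such as `required` into the bracketed `[value=action]` form documented in pam.conf(5), showing that both spellings belong to the same syntax. The function name `inspect_pam_file` and the embedded sample are assumptions made for illustration.

```python
import re

# Keyword controls and their bracketed equivalents, per pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Fields: type, control (keyword or [bracketed]), module, optional arguments.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: header and auth lines taken from the file quoted in the issue.
SAMPLE = """\
#%PAM-1.0
# This file is autogenerated by pam-config. All manual
# changes will be overwritten!
auth    required    pam_env.so
auth    optional    pam_gnome_keyring.so
auth    required    pam_unix.so try_first_pass
"""

def inspect_pam_file(text):
    """Return (managed_by_pam_config, rules) for the text of a /etc/pam.d file."""
    managed = False
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if "autogenerated by pam-config" in line:
                managed = True  # manual edits to this file will be overwritten
            continue
        m = RULE.match(line)
        if not m:
            continue  # blank line or a directive this sketch does not handle
        ptype, control, module, args = m.groups()
        rules.append({
            "type": ptype,
            "control": control,
            "expanded": KEYWORD_CONTROLS.get(control, control),
            "module": module,
            "args": args.split(),
        })
    return managed, rules

if __name__ == "__main__":
    managed, rules = inspect_pam_file(SAMPLE)
    print("managed by pam-config:", managed)
    for r in rules:
        print(f'{r["type"]:6}{r["expanded"]:60}{r["module"]} {" ".join(r["args"])}')
```
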