skx / pam_pwnd

A PAM module to test passwords against previous leaks at haveibeenpwned.com
https://blog.steve.fi/tags/haveibeenpwned/
BSD 2-Clause "Simplified" License

Enable configuration via pam-auth-update #6

Open gdevenyi opened 5 years ago

gdevenyi commented 5 years ago

This implementation has it setup: https://github.com/nonamed01/pam_havebeenpwned

skx commented 5 years ago

It looks like a simple matter of dropping a configuration-file beneath /usr/share/pam-configs/.

I guess if I need to install the module and a config file, I'll need to rework the instructions, such that there is:

  make
  make test
  make install

Rather than just copying the .so file into place.

Good suggestion though, thank you. I'll take care of it over the next few days.

skx commented 5 years ago

I didn't find time to look at this yet, but will do over the coming weekend I hope!

gdevenyi commented 5 years ago

In no rush, I can handle the "old" way, just a suggestion to streamline usage :)

skx commented 5 years ago

I spent an hour or two experimenting with this over the weekend.

Taking the example file from the repository you linked to, with the minimum required edits (mostly changing the name of the module and the options), and then running pam-auth-update, did stuff. But it didn't do what I wanted: instead of enabling the module only for sudo it enabled/disabled it globally. And when it was enabled globally it actually stopped working. syslog would log "password leaked" but logins would still be permitted.

So I looked at the module's code, and they use pam_sm_chauthtok rather than the PAM function I use, pam_sm_authenticate. That's because their module only works on password-change events. It could be that I need to use a different (PAM) callback though.

So this bug now becomes:

Now I'm invested and see the difference, I should be able to manage it more promptly.
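For reference, this is what a pam-auth-update profile of the kind discussed in the thread looks like. It is an added illustration, not a file from the pam_pwnd repository or from the linked pam_havebeenpwned project. It assumes the module has been installed as pam_pwnd.so in the system PAM module directory (for example /lib/x86_64-linux-gnu/security/ on Debian and Ubuntu), and it passes no module options, because the thread does not name any; the profile would be dropped in as /usr/share/pam-configs/pwnd and activated with `pam-auth-update`.

```text
# /usr/share/pam-configs/pwnd  (added example, not the project's own file)
Name: Check passwords against haveibeenpwned (pam_pwnd)
Default: yes
Priority: 256
Auth-Type: Additional
Auth:
	required	pam_pwnd.so
```

Two things to keep in mind with this mechanism. First, pam-auth-update writes the profile into /etc/pam.d/common-auth (and the other common-* files), which every service that includes those files picks up; that is why the module ends up enabled or disabled globally rather than for sudo alone. Restricting it to one service means referencing the module directly from /etc/pam.d/sudo instead of using a profile. Second, the Auth section feeds the auth stack, which calls pam_sm_authenticate; a module that only implements pam_sm_chauthtok, as the linked project does, belongs in a Password-Type/Password section instead, since that is the stack pam_sm_chauthtok runs in. The control field also matters: with `required` or `requisite` a failure from the module denies access, whereas `optional` or a `default=ignore` control would let the login proceed after the module logs its finding.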