
#1 2020-07-28 23:31:26

loqs
Member
Registered: 2014-03-06
Posts: 17,328

PAM Combining pam_systemd_home and pam_faillock

Current system-auth from pambase 20200721.1-1 in testing

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

From man 8 pam_systemd_home

           #%PAM-1.0
           auth      sufficient pam_unix.so
           -auth     sufficient pam_systemd_home.so
           auth      required   pam_deny.so

           account   required   pam_nologin.so
           -account  sufficient pam_systemd_home.so
           account   sufficient pam_unix.so
           account   required   pam_permit.so

           -password sufficient pam_systemd_home.so
           password  sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
           password  required   pam_deny.so

           -session  optional   pam_keyinit.so revoke
           -session  optional   pam_loginuid.so
           -session  optional   pam_systemd_home.so
           -session  optional   pam_systemd.so
           session   required   pam_unix.so

I read through https://wiki.archlinux.org/index.php/Talk:Systemd-homed
In the auth section pam_unix.so is listed before pam_systemd_home.so, but that is reversed in account, password and session. I could not find a reason for this.
In the account section, is pam_permit.so more permissive than the current config? Was this the cause of allowing login without a password?
In the session section, is pam_unix required for a systemd-homed user?

From man 8 pam_faillock second example

           auth     required       pam_securetty.so
           auth     required       pam_env.so
           auth     required       pam_nologin.so
           auth     required       pam_faillock.so preauth
           # optionally use requisite above if you do not want to prompt for the password
           # on locked accounts
           auth     sufficient     pam_unix.so
           auth     [default=die]  pam_faillock.so authfail
           auth     required       pam_deny.so
           account  required       pam_faillock.so
           # if you drop the above call to pam_faillock.so the lock will be done also
           # on non-consecutive authentication failures
           account  required       pam_unix.so
           password required       pam_unix.so shadow
           session  required       pam_selinux.so close
           session  required       pam_loginuid.so
           session  required       pam_unix.so
           session  required       pam_selinux.so open

Proposed merged result

#%PAM-1.0

auth       required       pam_env.so
auth       required       pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       sufficient     pam_unix.so          try_first_pass nullok
-auth      sufficient     pam_systemd_home.so
auth       [default=die]  pam_faillock.so      authfail
auth       required       pam_deny.so

account    required       pam_faillock.so
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account    required       pam_time.so
-account   sufficient     pam_systemd_home.so
account    sufficient     pam_unix.so
account    required       pam_deny.so

-password  sufficient     pam_systemd_home.so
password   sufficient     pam_unix.so          try_first_pass nullok shadow
password   required       pam_deny.so

session    required       pam_limits.so
-session   optional       pam_systemd_home.so
session    required       pam_unix.so

Dropped pam_permit.so as it served no purpose.
Dropped sha512 option from pam_unix as it overrides the value in /etc/login.defs.
Does the above seem reasonable?
Edit:
sufficient returning immediately breaks stacks that have entries after include system-login / include system-auth.

#%PAM-1.0

auth       required                                       pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 new_authtok_reqd=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 new_authtok_reqd=1 default=ignore]  pam_systemd_home.so
auth       [default=die]                                  pam_faillock.so      authfail
auth       optional                                       pam_permit.so
auth       required                                       pam_env.so
auth       required                                       pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account  [success=1 new_authtok_reqd=1 default=ignore]   pam_systemd_home.so
account   required                                        pam_unix.so
account   optional                                        pam_permit.so
account   required                                        pam_time.so

-password  [success=1 new_authtok_reqd=1 default=ignore]  pam_systemd_home.so
password   required                                       pam_unix.so          try_first_pass nullok shadow
password   optional                                       pam_permit.so

session    required                                       pam_limits.so
-session   optional                                       pam_systemd_home.so
session    required                                       pam_unix.so
session    optional                                       pam_permit.so

Edit:
Alternative substack approach

#%PAM-1.0

auth      required  pam_faillock.so       preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth      substack  system-auth-substack
auth      required  pam_env.so

account   required  pam_faillock.so       authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account   substack  system-auth-substack
account   required  pam_time.so

password  substack  system-auth-substack

session   required  pam_limits.so
-session  optional  pam_systemd_home.so
session   required  pam_unix.so

#%PAM-1.0

auth      sufficient     pam_unix.so          try_first_pass nullok
-auth     sufficient     pam_systemd_home.so
auth      [default=die]  pam_faillock.so      authfail

-account   sufficient    pam_systemd_home.so
account    sufficient    pam_unix.so
account    required      pam_deny.so

password   sufficient    pam_unix.so          try_first_pass nullok shadow
-password  sufficient    pam_systemd_home.so
password   required      pam_deny.so

Last edited by loqs (2020-09-05 10:54:53)
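As an added illustration (not part of the post, and not Linux-PAM code): a small Python model of PAM stack evaluation, simplified from pam.conf(5), showing why a "sufficient" entry ends the stack on success and skips the pam_env and pam_faillock authsucc entries after it, while the [success=N default=ignore] jump form falls through to them. The stack text and the per-module return values are constructed for the demonstration.

```python
"""Toy model of Linux-PAM stack control flow, simplified from pam.conf(5) (not
Linux-PAM code): 'sufficient' ends the stack on success, jumps fall through."""
import re
KEYWORDS = {  # classic keywords as the [value=action] form they abbreviate
    "required":   {"success": "ok",   "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}
ENTRY = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type, control, module

def parse_control(ctl):
    """'sufficient' or '[success=2 default=ignore]' -> {return value: action}."""
    if ctl in KEYWORDS:
        return dict(KEYWORDS[ctl])
    return dict(pair.split("=", 1) for pair in ctl.strip("[]").split())

def run_stack(text, results):
    """results: module -> 'success'/'auth_err' (unlisted succeed); returns (result, modules run)."""
    entries = [ENTRY.match(l.strip()) for l in text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    impression, ran, i = None, [], 0      # impression: None, 'ok' or 'bad'
    while i < len(entries):
        _, ctl, module = entries[i].groups()
        ran.append(module)
        actions = parse_control(ctl)
        action = actions.get(results.get(module, "success"), actions.get("default", "ignore"))
        i += 1
        if action == "die":               # stop at once; the stack fails
            return "fail", ran
        if action == "done":              # stop at once; fails only if a required entry already failed
            return ("success" if impression != "bad" else "fail"), ran
        if action == "bad":
            impression = "bad"
        elif action != "ignore":          # 'ok' or a jump count N
            impression = impression or "ok"
            if action.isdigit():
                i += int(action)          # skip the next N entries
    return ("success" if impression == "ok" else "fail"), ran

# Constructed stack modelled on the post: pam_env and faillock authsucc follow the authenticating modules.
SUFFICIENT = """auth  required      pam_faillock.so preauth
auth  sufficient    pam_unix.so try_first_pass nullok
-auth sufficient    pam_systemd_home.so
auth  [default=die] pam_faillock.so authfail
auth  required      pam_env.so
auth  required      pam_faillock.so authsucc
"""
JUMPS = (SUFFICIENT.replace("sufficient    pam_unix", "[success=2 default=ignore] pam_unix")
                   .replace("sufficient    pam_systemd", "[success=1 default=ignore] pam_systemd"))
LOCAL_USER = {"pam_unix.so": "success", "pam_systemd_home.so": "auth_err"}
```

Running run_stack(SUFFICIENT, LOCAL_USER) ends after pam_unix.so, so pam_env and the authsucc call never run; run_stack(JUMPS, LOCAL_USER) reaches both.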
