
#1 2023-07-16 18:47:06

winslowsem
Member
Registered: 2023-07-07
Posts: 26

SOLVED PAM Mandatory Multi factor login issue

I want to set up PAM so it requires both the fingerprint and the password to log in; here is my current configuration:

auth       requisite     pam_fprintd.so
auth       requisite     pam_unix.so           nullok

However, it is not working as I'm expecting:

I'm able to unlock with the correct password only.

If I use the fingerprint to auth, I am prompted for a password after login, which I can simply click Cancel to bypass.

Last edited by winslowsem (2023-07-17 13:57:45)


I use Arch on LVM on LUKS with SELinux and Secure Boot btw


#2 2023-07-16 20:15:49

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

here is my current configuration:

auth       requisite     pam_fprintd.so
auth       requisite     pam_unix.so           nullok

That is your /etc/pam.d/system-auth ???

On a formal note, please use [code][/code] tags. Edit your post in this regard.


#3 2023-07-17 03:00:00

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

I'm sorry, I only posted the related lines; here is my full configuration:

system-auth

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       required     pam_fprintd.so
auth       required     pam_unix.so           nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

system-login and system-local-login are untouched (pam-selinux's default), and both include system-auth, directly or indirectly.

Last edited by winslowsem (2023-07-17 03:02:25)



#4 2023-07-17 06:34:42

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

I don't know how, but after messing around with PAM for a while this is working for me:

auth       required                   pam_faillock.so      preauth
-auth      [success=2 default=ignore]   pam_systemd_home.so
auth       [default=die]                pam_faillock.so      authfail
auth       [success=1 default=ignore]   pam_unix.so try_first_pass
auth       required                    pam_fprintd.so
auth	optional	pam_permit.so
auth       required                     pam_env.so
auth       required                     pam_faillock.so      authsucc


#5 2023-07-17 06:45:57

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

"requisite" turned into "required" (again)?
Should™ not matter, though.
Try commenting out all pam_systemd_home.so lines in all PAM configurations (I guess you're not using that anyway?)

PSA (though you probably figured that by now): you want to keep an open root shell while messing around w/ PAM. Just in case ;)
Also PSA: fix the tabs. You don't want to lose track of what's in those lines (but it's not a problem here)

Edit: F5**
That config skips fprintd when pam_unix is successful?

Last edited by seth (2023-07-17 06:47:42)


#6 2023-07-17 06:52:11

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

I'm actually using systemd-homed lol

I've fixed it with this configuration:

#%PAM-1.0

auth       required                   pam_faillock.so      preauth
-auth      [success=2 default=ignore]   pam_systemd_home.so
auth       [default=die]                pam_faillock.so      authfail
auth       [success=1 default=ignore]   pam_unix.so try_first_pass
auth       required                    pam_fprintd.so
auth	optional	pam_permit.so
auth       required                     pam_env.so
auth       required                     pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

There is a minor problem: you will be prompted for the password again after successfully entering the DE.
Tbh I have no idea why this config is working, but I've tested different situations and it performs as I wished (enforcing two factors for all auths), so I guess I'm going to leave it as it is.
It is truly a pain in the butt to mess with PAM, because every time you f it up you'll need to reboot into a live CD to fix it, and I have LUKS on.



#7 2023-07-17 06:53:12

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

"requisite" turned into "required" (again)?
Should™ not matter, though.
Try commenting out all pam_systemd_home.so lines in all PAM configurations (I guess you're not using that anyway?)

PSA (though you probably figured that by now): you want to keep an open root shell while messing around w/ PAM. Just in case ;)
Also PSA: fix the tabs. You don't want to lose track of what's in those lines (but it's not a problem here)

Edit: F5**
That config skips fprintd when pam_unix is successful?

Yeah, that's the weird part: it should have skipped fprintd, but instead of skipping it, it enforces it.

Could it be a bug? I'm not that sure, since the installation of fprintd could have created some additional PAM/GDM configs.

❯ sudo echo test
[sudo] pasvorto por winslow: 
Place your finger on the fingerprint reader

Verification timed out
Malĝuste, reprovu.
Place your finger on the fingerprint reader

I've tested that it can't be bypassed when you don't input anything.

Last edited by winslowsem (2023-07-17 06:59:02)



#8 2023-07-17 06:58:23

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

I'm actually using systemd-homed lol

In your original config the

-auth      [success=3 default=ignore]  pam_systemd_home.so

skips the next three modules if it succeeds.
In your second and third configs it skips the next two modules, jumping right to pam_fprintd.so.

I'm betting your right arm that pam_systemd_homed gets in the way/is the only thing that actually authorizes you.
Return to your initial approach and remove the success=3 from the homed line.

KEEP A ROOTSHELL OPEN!


#9 2023-07-17 07:01:06

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

I'm actually using systemd-homed lol

In your original config the

-auth      [success=3 default=ignore]  pam_systemd_home.so

skips the next three modules if it succeeds.
In your second and third configs it skips the next two modules, jumping right to pam_fprintd.so.

I'm betting your right arm that pam_systemd_homed gets in the way/is the only thing that actually authorizes you.
Return to your initial approach and remove the success=3 from the homed line.

KEEP A ROOTSHELL OPEN!

I tried to keep a root shell, but I have too many security restrictions like SELinux preventing me from doing so, so I just gave up and reboot into a live CD every time.

Will try this now, thank you



#10 2023-07-17 07:06:49

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

I'm actually using systemd-homed lol

In your original config the

-auth      [success=3 default=ignore]  pam_systemd_home.so

skips the next three modules if it succeeds.
In your second and third configs it skips the next two modules, jumping right to pam_fprintd.so.

I'm betting your right arm that pam_systemd_homed gets in the way/is the only thing that actually authorizes you.
Return to your initial approach and remove the success=3 from the homed line.

KEEP A ROOTSHELL OPEN!

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [default=ignore]  pam_systemd_home.so
auth       required     pam_unix.so     nullok  try_first_pass
auth       [success=1]     pam_fprintd.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

Yep, this is also working, and this config makes much more sense to me.

The additional password prompt is still showing; however, I would not mind one more layer of security lol

I also noticed a strange phenomenon: you can press Enter to make the system ask you for only the fingerprint; however, the password is still enforced, so you will get an error prompt when you bypass the password this way and authenticate with your fingerprint.

Thanks for your help!

Last edited by winslowsem (2023-07-17 07:11:15)



#11 2023-07-17 07:11:34

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

You could try "success=1" to skip only pam_unix if systemd_home is successful


#12 2023-07-17 07:15:09

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

You could try "success=1" to skip only pam_unix if systemd_home is successful

I just found another weird phenomenon with the new setup.
At the GDM login page you can auth with your fingerprint only; the system will unlock, however, in a strange state. You will be prompted for a password, which you can simply cancel; if you choose to cancel it you will still have access to all of your files, except that some software will malfunction because of permission problems.



#13 2023-07-17 07:23:18

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

winslowsem wrote:
seth wrote:

You could try "success=1" to skip only pam_unix if systemd_home is successful

I just found another weird phenomenon with the new setup.
At the GDM login page you can auth with your fingerprint only; the system will unlock, however, in a strange state. You will be prompted for a password, which you can simply cancel; if you choose to cancel it you will still have access to all of your files, except that some software will malfunction because of permission problems.

Nvm, my old setup has exactly the same problem.
The only difference between adding or not adding success=1 to pam_unix is whether you need to auth with your fingerprint at the additional prompt.



#14 2023-07-17 07:32:59

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

Not to pam_unix, to pam_systemd_homed - if that succeeds (and I suspect it asks for your password) you then skip pam_unix right to the fingerprint.


#15 2023-07-17 09:09:50

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

Not to pam_unix, to pam_systemd_homed - if that succeeds (and I suspect it asks for your password) you then skip pam_unix right to the fingerprint.

Yeah, it should also be a problem with systemd-homed. I realized that with this current configuration, GDM will correctly require both factors to be authed, but will only require the fingerprint for unlocking after a successful login, presumably because the home directory for the user is already mounted?
The lock screen has the same situation.

auth       required                   pam_faillock.so      preauth
-auth      [success=3 default=die]   pam_systemd_home.so
auth       [default=die]                   pam_faillock.so
auth       [success=1 default=die]   pam_unix.so try_first_pass
auth       [default=die]                   pam_faillock.so
auth       [success=1 default=die]                    pam_fprintd.so
auth       [default=die]                   pam_faillock.so
auth       required                   pam_faillock.so
auth    optional        pam_permit.so
auth       required                     pam_env.so
auth       required                     pam_faillock.so      authsucc

Last edited by winslowsem (2023-07-17 09:35:51)



#16 2023-07-17 10:26:54

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

winslowsem wrote:
seth wrote:

Not to pam_unix, to pam_systemd_homed - if that succeeds (and I suspect it asks for your password) you then skip pam_unix right to the fingerprint.

Yeah, it should also be a problem with systemd-homed. I realized that with this current configuration, GDM will correctly require both factors to be authed, but will only require the fingerprint for unlocking after a successful login, presumably because the home directory for the user is already mounted?
The lock screen has the same situation.

auth       required                   pam_faillock.so      preauth
-auth      [success=3 default=die]   pam_systemd_home.so
auth       [default=die]                   pam_faillock.so
auth       [success=1 default=die]   pam_unix.so try_first_pass
auth       [default=die]                   pam_faillock.so
auth       [success=1 default=die]                    pam_fprintd.so
auth       [default=die]                   pam_faillock.so
auth       required                   pam_faillock.so
auth    optional        pam_permit.so
auth       required                     pam_env.so
auth       required                     pam_faillock.so      authsucc

I just realized that this is more likely to be a problem with GDM, as it works for the initial login but malfunctions for unlocking afterwards.



#17 2023-07-17 13:06:26

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

Stop flailing around w/ the PAM, there's no need to inject the gazillion "[default=die]                   pam_faillock.so" lines.
The one in #10 should™ be mostly ok, but you can "success=1" pam_systemd_home.so to skip pam_unix, that's it.

pam_systemd_home.so will most likely only do something on login, but not when authenticating against a screenlocker.
pam_unix.so will then, because of try_first_pass, use the password from pam_systemd_home.so and you only have to stick your fin… provide the dactyloscopy.


auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       required                    pam_unix.so          nullok
auth       [success=1]                 pam_fprintd.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

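To make the jump semantics seth describes in #8 and the stack he ends up with in #17 concrete, here is an added Python simulator of how Linux-PAM evaluates an auth stack (keyword controls, the [value=action] form, and the "N" action that skips the next N modules). It is not part of this thread and not Linux-PAM's own code; it traces the poster's original stack from #3 against the #17 one. Assumptions: modules not named in a scenario return "ignore" (pam_permit.so returns "success"), a return value missing from a [..] table falls to its default and a missing default means "bad", as pam.conf(5) documents; pam_faillock's own return values are not modelled.

```python
# Added simulator of Linux-PAM auth-stack control semantics (keywords plus the
# [value=action] form with "jump N"); not Linux-PAM's code, see lead-in assumptions.
import re

KEYWORDS = {  # keyword controls as pam.conf(5) defines them
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth_stack(text):  # -> [(action_table, module)] for the auth lines only
    stack = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m:  # comments, blank lines and other management groups are skipped
            ctl, module = m.groups()
            table = dict(kv.split("=", 1) for kv in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
            stack.append((table, module))
    return stack

def run_auth(config, results):  # -> (final status, modules consulted in order)
    stack, impression, status, consulted, i = parse_auth_stack(config), None, None, [], 0
    while i < len(stack):
        table, module = stack[i]
        i += 1
        ret = results.get(module, "success" if module == "pam_permit.so" else "ignore")
        consulted.append(module)
        action = table.get(ret, table.get("default", "bad"))  # unlisted value -> default -> bad
        if action in ("bad", "die"):
            if impression != "bad":            # the first failure fixes the stack's status
                impression, status = "bad", ret
            if action == "die":
                break
        elif action != "ignore":               # ok / done / jump N
            if impression != "bad":            # only contributes while nothing has failed
                impression, status = ("ok" if ret == "success" else "bad"), ret
            if action == "done" and impression == "ok":
                break
            if action.isdigit():               # jump: skip the next N modules
                i += int(action)
    return (status if impression else "perm_denied"), consulted

ORIGINAL = """# post #3: a homed success jumps past fprintd, unix and authfail
auth       required                    pam_faillock.so      preauth
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       required                    pam_fprintd.so
auth       required                    pam_unix.so          nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
"""
FINAL = """# post #17: unix or homed, then fprintd; a fprintd failure is 'bad'
auth       required                    pam_faillock.so      preauth
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       required                    pam_unix.so          nullok
auth       [success=1]                 pam_fprintd.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
"""
```

With success=3 a homed success never consults pam_fprintd.so at all, whereas in the #17 stack a rejected fingerprint ends in auth_err even when homed or pam_unix accepted the password, and a rejected password is not rescued by a good fingerprint.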

#18 2023-07-17 13:58:09

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

Stop flailing around w/ the PAM, there's no need to inject the gazillion "[default=die]                   pam_faillock.so" lines.
The one in #10 should™ be mostly ok, but you can "success=1" pam_systemd_home.so to skip pam_unix, that's it.

pam_systemd_home.so will most likely only do something on login, but not when authenticating against a screenlocker.
pam_unix.so will then, because of try_first_pass, use the password from pam_systemd_home.so and you only have to stick your fin… provide the dactyloscopy.


auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       required                    pam_unix.so          nullok
auth       [success=1]                 pam_fprintd.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

Works like a charm, thank you



#19 2023-07-20 16:40:52

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

Stop flailing around w/ the PAM, there's no need to inject the gazillion "[default=die]                   pam_faillock.so" lines.
The one in #10 should™ be mostly ok, but you can "success=1" pam_systemd_home.so to skip pam_unix, that's it.

pam_systemd_home.so will most likely only do something on login, but not when authenticating against a screenlocker.
pam_unix.so will then, because of try_first_pass, use the password from pam_systemd_home.so and you only have to stick your fin… provide the dactyloscopy.


auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       required                    pam_unix.so          nullok
auth       [success=1]                 pam_fprintd.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

Well... unlocking with the fingerprint only after the first login is still doable; I guess GNOME isn't really designed to work with multi-factor auth.
Removing the success=1 from systemd_home doesn't cut it.
I might need to develop something requiring the user to perform a mandatory sudo auth after login; this is the only workaround I can think of.

Last edited by winslowsem (2023-07-20 16:41:43)



#20 2023-07-20 19:41:06

seth
Member
Registered: 2012-09-03
Posts: 60,378

Re: SOLVED PAM Mandatory Multi factor login issue

At least GDM comes w/ a bunch of its own pam configs (one of them actually fprint related), have you looked into those?


#21 2023-07-21 03:16:24

winslowsem
Member
Registered: 2023-07-07
Posts: 26

Re: SOLVED PAM Mandatory Multi factor login issue

seth wrote:

At least GDM comes w/ a bunch of its own pam configs (one of them actually fprint related), have you looked into those?

that is brilliant

I noticed /etc/pam.d/gdm-fingerprint earlier, but as it already included system-local-login I didn't mess with it. I just realized it is solely responsible for handling unlocking when you have a fingerprint enrolled, and it does not include system-local-login for the auth part.
So simply adding those modifications from system-auth to it seems to do the trick.

Here is my newest config for gdm-fingerprint:

#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth
-auth      [default=ignore]  pam_systemd_home.so
auth       required                    pam_unix.so          nullok
auth       [success=1]                 pam_fprintd.so
auth       [default=die]               pam_faillock.so      authfail silent deny=32 unlock_time=300
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       [success=ok default=1]      pam_gdm.so
auth       optional                    pam_gnome_keyring.so

account    include                     system-local-login

password   required                    pam_deny.so

session    include                     system-local-login
session    optional                    pam_gnome_keyring.so auto_start
