
#1 2023-12-13 03:13:02

zstewart
Member
Registered: 2015-08-09
Posts: 4

PAM - changes to /etc/pam.d/passwd

I was recently trying to configure gnome keyring to automatically update the password on the default keyring when I update my password, by setting

password optional pam_gnome_keyring.so

in `/etc/pam.d/passwd` as described here.

In the process I noticed that there was a 'passwd.pacnew' file there, and decided to look into it in case my pam passwd config is now outdated.

My current pam.d/passwd is

password required pam_unix.so sha512 shadow nullok rounds=1000000
password optional pam_fscrypt.so
password optional pam_gnome_keyring.so

The new pam.d/passwd is

auth include system-auth
account include system-auth
password include system-auth

I've looked around a bit and it appears that this means that for each directive ("auth", "account", or "password") this will pull in the corresponding directives from pam.d/system-auth, which I see has this configuration for "password"

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

What I need to know is what, if any, of this new config I should replicate to my pam.d/passwd.

  1. What does pam_permit.so do in the context of "password"?

  2. What do "auth" and "account" do in pam.d/passwd?

  3. If I include the current pam.d/system-auth with "password required pam_unix.so try_first_pass nullok shadow" will that conflict with or cause issues with my own separate "pam_unix.so" config (with its added number of password rounds)?

Offline

#2 2023-12-13 08:57:50

seth
Member
Registered: 2012-09-03
Posts: 60,807

Offline

#3 2023-12-13 15:42:09

zstewart
Member
Registered: 2015-08-09
Posts: 4

Re: PAM - changes to /etc/pam.d/passwd

That's the inverse of the problem I have. I had no problem adding the pam_gnome_keyring.so module. What I'm trying to figure out is what elements of the new default pam.d/passwd I should replicate into my current, already modified pam.d/passwd.

Offline

#4 2023-12-13 15:58:26

seth
Member
Registered: 2012-09-03
Posts: 60,807

Re: PAM - changes to /etc/pam.d/passwd

Not really. If you want to set the rounds, you'd probably better do so in system-auth anyway, and pam_permit is what pam_home (systemd-homed) skips to (which is likely also behind this change).

So you'd take the new default pam.d/passwd but add your

password optional pam_fscrypt.so
password optional pam_gnome_keyring.so

after the system-auth include.

If you've no interest in pam_home you can comment that (and pam_permit) in system-auth, because you obviously have no interest in that anywhere.

Offline
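Added example, not part of any post in this thread and not Arch's or Linux-PAM's own code: a simplified model of how the control fields quoted above are evaluated once `system-auth` is included and the two optional modules are appended after it. The names `parse` and `run` are hypothetical, the module results fed in are constructed, and the model ignores module arguments and the two-pass handling of the password stack.

```python
# Added example: simplified model of Linux-PAM control flow for one stack.
import re

# Constructed inputs: the system-auth "password" lines quoted in the thread, and
# the new default pam.d/passwd with the two optional modules appended.
SYSTEM_AUTH = """
-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so  try_first_pass nullok shadow
password   optional                    pam_permit.so
"""
PASSWD = """
auth      include   system-auth
account   include   system-auth
password  include   system-auth
password  optional  pam_fscrypt.so
password  optional  pam_gnome_keyring.so
"""
# Only the keyword controls used on this page, reduced to success/default.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "optional": {"success": "ok", "default": "ignore"}}

def parse(text, mtype, includes):
    """Return [(control, module)] for one type, expanding 'include' lines."""
    stack = []
    for line in text.strip().splitlines():
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip())
        if not m or m.group(1) != mtype:
            continue
        control, module = m.group(2), m.group(3)
        if control == "include":
            stack += parse(includes[module], mtype, includes)
        elif control.startswith("["):
            stack.append((dict(kv.split("=") for kv in control[1:-1].split()), module))
        else:
            stack.append((KEYWORDS[control], module))
    return stack

def run(stack, results):
    """results maps module -> constructed result; a missing entry means 'success'."""
    executed, ok, failed, i = [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        executed.append(module)
        action = control.get(results.get(module, "success"), control["default"])
        i += 1 + (int(action) if action.isdigit() else 0)  # N = skip next N modules
        ok, failed = ok or action in ("ok", "done"), failed or action in ("bad", "die")
        if action == "die" or (action == "done" and not failed):
            break
    return executed, ok and not failed
```

In this model a jump records no result of its own, so when `pam_systemd_home.so` succeeds and `pam_unix.so` is skipped, the positive result comes from `pam_permit.so`, and the appended optional modules are still reached.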

#5 2023-12-13 16:03:04

zstewart
Member
Registered: 2015-08-09
Posts: 4

Re: PAM - changes to /etc/pam.d/passwd

Thanks.

Just so I better understand what's going on, what does pam_permit do as a "password" module? I assume pam_home just handles sending home information to systemd-homed, is that correct?

Offline

#6 2023-12-13 16:38:07

seth
Member
Registered: 2012-09-03
Posts: 60,807

Re: PAM - changes to /etc/pam.d/passwd

pam_permit just logs you in, https://man.archlinux.org/man/core/pam/pam_permit.8.en
The idea is (probably) that systemd-homed is authenticating enough, so you skip the normal authentication and are propelled into your account.

https://github.com/shadow-maint/shadow/ … m.d/passwd upstream has just included system-auth for everything for 16 years, arch only very recently de-sanitized this:
https://gitlab.archlinux.org/archlinux/ … df1c_141_0
(I frankly dk the point of having auth and account in there, it's probably just to centralize the configuration)

I'd assume in this context you won't have to issue your password when altering it - worst case is that it just ends the stack and the subsequent modules are not touched, so your keyring password doesn't get changed.
That being said: pam_env tails it in the system-auth auth section.
You'll have to try.


---
tbh and just my personal take: unless you know what problem systemd-homed solves for you, comment the pam_home and pam_permit entries in system-auth.
(The latter shows up quite a lot, but usually around the password module and the password module is only relevant to passwd and probably chgpasswd, more or less an explicit "don't care")

Offline
