Upcoming changes to PAM configuration files
Hi, We faced some problems with the configuration of several PAM modules: our current approach of having one set of "common-*-pc" files is not good enough or is not working, if you use "sufficient" in your config, e.g. if you use sssd. So we looked how other distributions solved this and did throw the best of them together. Beside the well known four common-* files, we added common-session-nonlogin (which is identical to common-session except it does not contain pam_systemd) and four postlogin-{account,auth,password,session} files. pam and pam-config with this files are currently in stagings, if they are released, we will start adjusting the service files of different packages. This all is documented here: https://en.opensuse.org/openSUSE:PAM_configuration And yes, this is not backward compatible with SLE12 nor SLE15, you need a different PAM service file for them. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)
Hello Thorsten, thanks for the heads-up Am Dienstag, 21. März 2023, 15:14:11 CET schrieb Thorsten Kukuk:
pam and pam-config with this files are currently in stagings, if they are released, we will start adjusting the service files of different packages. This all is documented here: https://en.opensuse.org/openSUSE:PAM_configuration
In which way needs https://en.opensuse.org/SDB:Using_fingerprint_authentication[1] a rewrite? Thanks Axel -------- [1] https://en.opensuse.org/SDB:Using_fingerprint_authentication
On Tue, Mar 21, Axel Braun wrote:
In which way needs https://en.opensuse.org/SDB:Using_fingerprint_authentication a rewrite?
I don't think it needs any because of this change, but: "add the following to /etc/pam.d/sddm right underneath" needs to be enhanced to copy first /usr/lib/pam.d/sddm to /etc/pam.d/ But this is nothing new. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect, Future Technologies SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg, Germany Managing Director: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman (HRB 36809, AG Nürnberg)
On Tue, 2023-03-21 at 14:14 +0000, Thorsten Kukuk wrote:
This all is documented here: https://en.opensuse.org/openSUSE:PAM_configuration
And yes, this is not backward compatible with SLE12 nor SLE15, you need a different PAM service file for them.
Nitpick: On the wiki page, this reads: "This PAM configuration files are NOT compatible with SLE12/SLE15. For this, you need to decide at build time, which configuration file to include in the binary RPM: the old one or the new one." Reading the wiki page without reading your ML post, it's unclear what "the new one" and "the old one" means. Perhaps, as the Wiki page is about openSUSE in general and not and about Tumbleweed, the "old" style should also be explained? Moreover, the wiki page paragraph suggests that package maintainers have a choice what to include for SLE 12/15. Is this really true? The way I read your post, SLE packages should contain the "old" style files, and TW packages the "new" ones. Martin
participants (3)
-
Axel Braun -
Martin Wilck -
Thorsten Kukuk