[opensuse-support] Correct usage of pam-config
I'm trying to set up a Yubikey Neo smartcard for two-factor authorisation on my laptop.

System: openSUSE Leap 15.0
Desktop: KDE Plasma

I have installed pam_yubico from the Main repository, and can see pam_yubico.so in /lib64/security. But when I try to add it to /etc/pam.d/common-auth, it fails:

europa:~ # pam-config -a --pam_yubico
/etc/pam.d/common-auth-pc: Unknown module pam_yubico.so, ignored!

I could edit /etc/pam.d/common-auth directly, but the file contains warnings against this:

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.

What is the correct syntax? I have read man pam-config and https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.... But neither have shed any light on my problem.

Regards
Bob
--
Bob
25.01.2019 20:46, Bob Williams wrote:
> I'm trying to set up a Yubikey Neo smartcard for two-factor authorisation on my laptop.
>
> System: openSUSE Leap 15.0
> Desktop: KDE Plasma
>
> I have installed pam_yubico from the Main repository, and can see pam_yubico.so in /lib64/security. But when I try to add it to /etc/pam.d/common-auth, it fails:
>
> europa:~ # pam-config -a --pam_yubico
> /etc/pam.d/common-auth-pc: Unknown module pam_yubico.so, ignored!
>
> I could edit /etc/pam.d/common-auth directly, but the file contains warnings against this:
>
> #%PAM-1.0
> #
> # This file is autogenerated by pam-config. All changes
> # will be overwritten.

Well, documentation you mention says quite clearly

  If you prefer to manually create or maintain your PAM configuration files, make sure to disable pam-config for these files.

and then explains how to do it.

> What is the correct syntax? I have read man pam-config and https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.... But neither have shed any light on my problem.

What is not clear in

  For a list of supported modules, use the pam-config --list-modules command.

pam-config only can configure modules it knows about.
On Fri, 25 Jan 2019 22:06:40 +0300 Andrei Borzenkov wrote:

> Well, documentation you mention says quite clearly
>
>   If you prefer to manually create or maintain your PAM configuration files, make sure to disable pam-config for these files.
>
> and then explains how to do it.

The explanation says:

"When you create your PAM configuration files from scratch using the pam-config --create command, it creates symbolic links from the common-* to the common-*-pc files. pam-config only modifies the common-*-pc configuration files. Removing these symbolic links effectively disables pam-config, because pam-config only operates on the common-*-pc files and these files are not put into effect without the symbolic links."

On this machine, the common-* files are symlinks and the common-*-pc files are regular text files containing the code. If I remove the common-* links, I will be left with the common-*-pc configuration files, created by pam-config.

Will PAM read those common-*-pc files or does it expect to find common-* ?

Do I need to rename common-*-pc to common-* as well as removing the common-* links?

Normally I would experiment with some file renaming, but I'm worried that if I get it wrong I might lock myself out of the machine.

Many thanks for your help.

Bob
--
Bob
27.01.2019 14:23, Bob Williams wrote:
> On Fri, 25 Jan 2019 22:06:40 +0300 Andrei Borzenkov wrote:
>
>> Well, documentation you mention says quite clearly
>>
>>   If you prefer to manually create or maintain your PAM configuration files, make sure to disable pam-config for these files.
>>
>> and then explains how to do it.
>
> The explanation says:
>
> "When you create your PAM configuration files from scratch using the pam-config --create command, it creates symbolic links from the common-* to the common-*-pc files. pam-config only modifies the common-*-pc configuration files. Removing these symbolic links effectively disables pam-config, because pam-config only operates on the common-*-pc files and these files are not put into effect without the symbolic links."
>
> On this machine, the common-* files are symlinks and the common-*-pc files are regular text files containing the code. If I remove the common-* links, I will be left with the common-*-pc configuration files, created by pam-config.
>
> Will PAM read those common-*-pc files or does it expect to find common-* ?

It expects to find common-*.

> Do I need to rename common-*-pc to common-* as well as removing the common-* links?

You do not *need* to rename them, but if you want to start with exact copy of current configuration - yes, copy (or move, does not matter) common-*-pc into corresponding common-* before starting to change common-*.

> Normally I would experiment with some file renaming, but I'm worried that if I get it wrong I might lock myself out of the machine.

It is easy to fix after booting either from snapshot or from any Linux Live medium (including openSUSE installation one).

> Many thanks for your help.
>
> Bob
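The hand-over described in the thread (replace each common-* symlink with a copy of its common-*-pc target, then edit common-* by hand), as an added shell example that is not code from the thread or from the openSUSE documentation. The function names, the scratch directory and the list of four stacks (auth, account, password, session) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): detach common-* from pam-config.

# detach_pam_config DIR
# Replace each common-* symlink that points at common-*-pc with a regular-file
# copy of its target. The copy is renamed over the link, so a common-* file
# exists at every moment; the common-*-pc files stay behind as a reference.
detach_pam_config() {
    dir=$1
    rc=0
    for name in auth account password session; do   # assumed set of stacks
        link="$dir/common-$name"
        pc="$dir/common-$name-pc"
        if [ ! -L "$link" ]; then
            echo "skip: $link is not a symlink" >&2
            continue
        fi
        target=$(readlink "$link")
        case $target in
            "common-$name-pc"|"$dir/common-$name-pc") ;;
            *) target= ;;                            # link points somewhere else
        esac
        if [ -z "$target" ] || [ ! -f "$pc" ]; then
            echo "refuse: $link does not point at $pc" >&2
            rc=1
            continue
        fi
        cp -p "$pc" "$link.new" && mv -f "$link.new" "$link" || { rc=1; continue; }
        echo "detached: $link is now a regular file"
    done
    return "$rc"
}

# make_scratch: build a constructed stand-in for /etc/pam.d (sample content).
make_scratch() {
    d=$(mktemp -d) || return 1
    for name in auth account password session; do
        printf '#%%PAM-1.0\n%s required pam_unix.so\n' "$name" > "$d/common-$name-pc"
        ln -s "common-$name-pc" "$d/common-$name"
    done
    echo "$d"
}

# Run against a directory only when one is given, e.g. a scratch copy first.
if [ "$#" -eq 1 ]; then
    detach_pam_config "$1"
fi
```

Run it on a copy of /etc/pam.d first, and keep a root shell open while testing logins against the hand-edited common-auth.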