Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • Nov 26 04:56
    Firstyear commented #350
  • Nov 25 05:00

    github-actions[bot] on gh-pages

    deploy: b7837f3aaee8ac55b5cf071… (compare)

  • Nov 25 04:55
    Firstyear closed #620
  • Nov 25 04:55

    Firstyear on master

    add logging for oauth2 errors (… (compare)

  • Nov 25 04:55
    Firstyear closed #619
  • Nov 25 04:44
    yaleman synchronize #620
  • Nov 25 04:27
    yaleman synchronize #620
  • Nov 25 04:07
    yaleman synchronize #620
  • Nov 25 04:03

    Firstyear on 20211124-stdsimd

    (compare)

  • Nov 25 04:03

    Firstyear on master

    Change to std::simd (#72) (compare)

  • Nov 25 04:03
    Firstyear closed #72
  • Nov 25 03:44
    Firstyear commented #71
  • Nov 25 03:02
    yaleman commented #620
  • Nov 25 03:01
    yaleman opened #620
  • Nov 25 02:44
    yaleman labeled #619
  • Nov 25 02:44
    yaleman assigned #619
  • Nov 25 02:44
    yaleman opened #619
  • Nov 24 22:42

    github-actions[bot] on gh-pages

    deploy: fad0dd86e0763b64c8072bd… (compare)

  • Nov 24 22:38
    Firstyear commented #617
  • Nov 24 22:37

    Firstyear on 616-improve-domain-name-docs-ux

    (compare)

Triss Healy
@trissylegs
Hmmm. Can't login to a tty though?
Firstyear
@Firstyear
Any debug messages there from the tty? IIRC tty's go through a different pam module nd again, may have their own requirements.
I think tty goes though /etc/pam.d/login
Triss Healy
@trissylegs
Ahh sudo might be doing this via pam_rootok.so.
Firstyear
@Firstyear
Possible.
I'm gonna have to run off shortly though, friends coming for dinner.
But I think you're on the right track now?
If not, I'll look in a few hours :)
Triss Healy
@trissylegs
Ok I'm going fiddle with PAM settings until this works
nirya@Asuka ~ % sudo 'echo test'
[sudo] password for nirya: 
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
acct_mgmt
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
Firstyear
@Firstyear
Have yo uset a posix pw on the account?
Triss Healy
@trissylegs
Pretty sure
I'll do it again
It did not fix it
Triss Healy
@trissylegs
# pamtester sudo nirya authenticate
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Password: 

pamtester: successfully authenticated
So It's failing after authenticate
Triss Healy
@trissylegs
Ok I can log-in now:
This appeared to be the culprit:
account    required                    pam_unix.so
Logged via GDM works too
Triss Healy
@trissylegs
pffftt. pkexec fails if debug is enabled because the debug messages break its auth helper
Firstyear
@Firstyear
Yeah, look at the suse pam configs @trissylegs
# /etc/pam.d/common-auth-pc
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_kanidm.so ignore_unknown_user
auth        required      pam_deny.so
Note the "pam_localuser.so"? With default=1? That means "if the account is NOT local, jump one module."
So that way it'll check your account, say "it's not local", then it will jump over pam_unix to pam_succedd_if and check your uid>=1000, then only if that passes, does it go to pam_kani
And the pam_deny is a "catch all" safety net.
Firstyear
@Firstyear
@/all Hi everyone, we are doing a survey on rust usage, would appreciate your responses https://survey.opensuse.org/index.php/417611?lang=en
James Hodgkinson
@yaleman
clearly I need to hang out here more often, @trissylegs I ran into similar derpy problems with PAM the other day :S
Firstyear
@Firstyear
Pam is a special hell.
James Hodgkinson
@yaleman
:100:
so, speaking of cursed things, I was thinking it'd be possible to add TOTP support as a minimum to login for kanidm ^_^
(ssh/console login that is)
and... I have other cursed ideas for ... other things, but that's later
Firstyear
@Firstyear
It's not
Because of offline pw caching.
There would then be no way to auth when offline because we can't store the totp on the machine
It would necesitate online-only auth.
Additionally, it's also not needed - ssh keys mate. Much much better.
Especially when you look at the features in things like ssh keys with yubikeys
James Hodgkinson
@yaleman
yeah, there's many ways to skin particular cats
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it seperate.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts