Firstyear
@Firstyear
Any debug messages there from the tty? IIRC ttys go through a different pam module and again, may have their own requirements.
I think tty goes through /etc/pam.d/login
Triss Healy
@trissylegs
Ahh sudo might be doing this via pam_rootok.so.
Firstyear
@Firstyear
Possible.
I'm gonna have to run off shortly though, friends coming for dinner.
But I think you're on the right track now?
If not, I'll look in a few hours :)
Triss Healy
@trissylegs
Ok I'm going to fiddle with PAM settings until this works
nirya@Asuka ~ % sudo 'echo test'
[sudo] password for nirya: 
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
acct_mgmt
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
Firstyear
@Firstyear
Have you set a posix pw on the account?
Triss Healy
@trissylegs
Pretty sure
I'll do it again
It did not fix it
Triss Healy
@trissylegs
# pamtester sudo nirya authenticate
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Password: 

pamtester: successfully authenticated
So it's failing after authenticate
Triss Healy
@trissylegs
Ok I can log-in now:
This appeared to be the culprit:
account    required                    pam_unix.so
Logged via GDM works too
Triss Healy
@trissylegs
pffftt. pkexec fails if debug is enabled because the debug messages break its auth helper
Firstyear
@Firstyear
Yeah, look at the suse pam configs @trissylegs
# /etc/pam.d/common-auth-pc
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_kanidm.so ignore_unknown_user
auth        required      pam_deny.so
Note the "pam_localuser.so"? With default=1? That means "if the account is NOT local, jump one module."
So that way it'll check your account, say "it's not local", then it will jump over pam_unix to pam_succeed_if and check your uid>=1000, then only if that passes, does it go to pam_kani
And the pam_deny is a "catch all" safety net.
Firstyear
@Firstyear
@/all Hi everyone, we are doing a survey on rust usage, would appreciate your responses https://survey.opensuse.org/index.php/417611?lang=en
James Hodgkinson
@yaleman
clearly I need to hang out here more often, @trissylegs I ran into similar derpy problems with PAM the other day :S
Firstyear
@Firstyear
Pam is a special hell.
James Hodgkinson
@yaleman
:100:
so, speaking of cursed things, I was thinking it'd be possible to add TOTP support as a minimum to login for kanidm ^_^
(ssh/console login that is)
and... I have other cursed ideas for ... other things, but that's later
Firstyear
@Firstyear
It's not
Because of offline pw caching.
There would then be no way to auth when offline because we can't store the totp on the machine
It would necessitate online-only auth.
Additionally, it's also not needed - ssh keys mate. Much much better.
Especially when you look at the features in things like ssh keys with yubikeys
James Hodgkinson
@yaleman
yeah, there's many ways to skin particular cats
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it separate.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account