Firstyear
@Firstyear
I'm gonna have to run off shortly though, friends coming for dinner.
But I think you're on the right track now?
If not, I'll look in a few hours :)
Triss Healy
@trissylegs
Ok I'm going to fiddle with PAM settings until this works
nirya@Asuka ~ % sudo 'echo test'
[sudo] password for nirya: 
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
acct_mgmt
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
Firstyear
@Firstyear
Have you set a posix pw on the account?
Triss Healy
@trissylegs
Pretty sure
I'll do it again
It did not fix it
Triss Healy
@trissylegs
# pamtester sudo nirya authenticate
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Password: 

pamtester: successfully authenticated
So it's failing after authenticate
Triss Healy
@trissylegs
Ok I can log-in now:
This appeared to be the culprit:
account    required                    pam_unix.so
Logging in via GDM works too
Triss Healy
@trissylegs
pffftt. pkexec fails if debug is enabled because the debug messages break its auth helper
Firstyear
@Firstyear
Yeah, look at the suse pam configs @trissylegs
# /etc/pam.d/common-auth-pc
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_kanidm.so ignore_unknown_user
auth        required      pam_deny.so
Note the "pam_localuser.so"? With default=1? That means "if the account is NOT local, jump one module."
So that way it'll check your account, say "it's not local", then it will jump over pam_unix to pam_succeed_if and check your uid>=1000, then only if that passes, does it go to pam_kani
And the pam_deny is a "catch all" safety net.
Firstyear
@Firstyear
@/all Hi everyone, we are doing a survey on rust usage, would appreciate your responses https://survey.opensuse.org/index.php/417611?lang=en
James Hodgkinson
@yaleman
clearly I need to hang out here more often, @trissylegs I ran into similar derpy problems with PAM the other day :S
Firstyear
@Firstyear
Pam is a special hell.
James Hodgkinson
@yaleman
:100:
so, speaking of cursed things, I was thinking it'd be possible to add TOTP support as a minimum to login for kanidm ^_^
(ssh/console login that is)
and... I have other cursed ideas for ... other things, but that's later
Firstyear
@Firstyear
It's not
Because of offline pw caching.
There would then be no way to auth when offline because we can't store the totp on the machine
It would necessitate online-only auth.
Additionally, it's also not needed - ssh keys mate. Much much better.
Especially when you look at the features in things like ssh keys with yubikeys
James Hodgkinson
@yaleman
yeah, there's many ways to skin particular cats
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it separate.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account
And to be fair, one of them isn't so much of a password
As a "token"
James Hodgkinson
@yaleman
if auth can be restricted to PAM and not LDAP then it'd be possible to not have the POSIX-password for users (or make it transparently sync)
Firstyear
@Firstyear
Yeah, that could be doable.