Triss Healy
@trissylegs
I'll do it again
It did not fix it
Triss Healy
@trissylegs
# pamtester sudo nirya authenticate
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Password: 

pamtester: successfully authenticated
So it's failing after authenticate
Triss Healy
@trissylegs
Ok I can log-in now:
This appeared to be the culprit:
account    required                    pam_unix.so
Login via GDM works too
Triss Healy
@trissylegs
pffftt. pkexec fails if debug is enabled because the debug messages break its auth helper
Firstyear
@Firstyear
Yeah, look at the suse pam configs @trissylegs
# /etc/pam.d/common-auth-pc
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_kanidm.so ignore_unknown_user
auth        required      pam_deny.so
Note the "pam_localuser.so"? With default=1? That means "if the account is NOT local, jump one module."
So that way it'll check your account, say "it's not local", then it will jump over pam_unix to pam_succeed_if and check your uid>=1000, then only if that passes, does it go to pam_kani
And the pam_deny is a "catch all" safety net.
Firstyear
@Firstyear
@/all Hi everyone, we are doing a survey on rust usage, would appreciate your responses https://survey.opensuse.org/index.php/417611?lang=en
James Hodgkinson
@yaleman
clearly I need to hang out here more often, @trissylegs I ran into similar derpy problems with PAM the other day :S
Firstyear
@Firstyear
Pam is a special hell.
James Hodgkinson
@yaleman
:100:
so, speaking of cursed things, I was thinking it'd be possible to add TOTP support as a minimum to login for kanidm ^_^
(ssh/console login that is)
and... I have other cursed ideas for ... other things, but that's later
Firstyear
@Firstyear
It's not
Because of offline pw caching.
There would then be no way to auth when offline because we can't store the totp on the machine
It would necessitate online-only auth.
Additionally, it's also not needed - ssh keys mate. Much much better.
Especially when you look at the features in things like ssh keys with yubikeys
James Hodgkinson
@yaleman
yeah, there's many ways to skin particular cats
depends on the environments etc
and yes, it'd require always-online, but in a lot of environments that's mandatory anyhow
Firstyear
@Firstyear
If always online was there, it'd be possible.
But it creates another issue with the ldap interface because then you need password+totp concat in pw fields
Which kinda sucks
Another question is should the totp token mirror the primary account totp
James Hodgkinson
@yaleman
uh, concat noooo never don't do that
Firstyear
@Firstyear
Exactly
James Hodgkinson
@yaleman
the duo mfa PAM plugin separately prompts for TOTP
Firstyear
@Firstyear
For pam you can do it separate.
James Hodgkinson
@yaleman
so it's possible to not have that LDAP concat stupidity
Firstyear
@Firstyear
But then totp would only apply to pam, not any other of the unix pw auth transactions.
Which could get confusing.
James Hodgkinson
@yaleman
there's already three possible user passwords for kanidm accounts
Firstyear
@Firstyear
Yeah, I know. I need to make it possible to sync them inside an account
And to be fair, one of them isn't so much of a password
As a "token"
James Hodgkinson
@yaleman
if auth can be restricted to PAM and not LDAP then it'd be possible to not have the POSIX-password for users (or make it transparently sync)
Firstyear
@Firstyear
Yeah, that could be doable.
Need to make the password/account policy stuff to handle that
IIRC there is an account policy issue already open if you want to brain dump some of your ideas there later?
James Hodgkinson
@yaleman
yeah
Triss Healy
@trissylegs
Annoying with the UID >= 1000 is some AUR packages (i.e. not maintained by users) make users with useradd during install (standard packages use systemd-sysusers)
A problem I spent a while cleaning up yesterday
I wonder if I can make a hook that checks if a package I'm about to build does it so I can fix it myself first.
Firstyear
@Firstyear
You don't need the >=1000 check