-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue: PAM module doesn't allow login with other PAM modules on error #535
Comments
This was done on purpose as part of #406 The point is that when authd is the selected auth method, then nothing else should be used, unless explicitly requested via the "local" broker. Indeed we can use more complex handing by using something like |
Are you trying to ensure that it isn't interoperable with the rest of Linux? I mean, rendering PAM useless instead of working with PAM feels like something Microsoft or Apple would do. "If you use our stuff, you can't use anything else." |
You can use other stuff indeed, but we don't officially support such configurations (yet). |
I think @3v1n0 is slightely incorrect here. If we are failing for authentication failure, yes, we should abort. However, for other use cases like authd daemon not being reachable, I think it’s ok to skip us. What we don’t want is:
So, we should probably add |
Ok, that's easy enough then since we already do return pam.AuthInfoUnavail when not connected to the server, as initially I thought we would have ignored such case, but then it looked to me we wanted to be sure that if the authd daemon and modules are installed, then they should be used. But it's also true that one could disable the systemd service or socket without having to break PAM. |
If any error occors in our PAM module, we print an error message and return an error return code which causes the login to be aborted. For example if the gRPC connection to authd fails:
This behavior makes it hard for the user to recover from the error, because they can't log in anymore as any user, including root (so
su
orsudo
will fail as well). I think we should instead handle errors by printing an error message and letting PAM try authentication with the next PAM module. If I understand the PAM manual, that can be done by returningPAM_IGNORE
.The text was updated successfully, but these errors were encountered: