Bug 560488 - pam module: ask for password during auth
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: general
Version: unspecified
OS: Other Linux
Importance: Normal normal
Target Milestone: 2.28
Assigned To: GNOME keyring maintainer(s)
Reported: 2008-11-12 12:03 UTC by Vincent Untz
Modified: 2011-03-09 16:22 UTC
GNOME target: ---
GNOME version: ---

Description Vincent Untz 2008-11-12 12:03:24 UTC
It turns out it can be wrong to put "auth optional pam_gnome_keyring.so" at the end of the auth section. See some of the discussion at https://bugzilla.novell.com/show_bug.cgi?id=443189 for details, but here's a quick summary. You can have:

auth sufficient pam_unix2.so
[...]
auth optional pam_gnome_keyring.so

Since pam_unix2.so is sufficient, pam will not call what's after it if it works (note that it does work if it's "required" and not "sufficient").

After some discussion, it appears that the pam module should ask for the password and store it where PAM expects it. There are a few other pam modules doing so (pam-mount, eg). This also means that "auth optional pam_gnome_keyring.so" should be before the "sufficient" lines.
Comment 1 Stef Walter 2008-12-11 20:48:45 UTC
The problem with this (which gnome-keyring was doing early in its PAM integration) is assuming that a password is required for login. Many setups don't use a password, and gnome-keyring all of a sudden made GDM prompt in those situations. :(

We'd need to find a solution that fits both parties needs. 
Comment 2 Vincent Untz 2008-12-11 20:54:11 UTC
Stef: my opinion (and keep in mind that I'm quite new in trying to understand PAM stuff ;-)) is that the setups that don't use a password should have their PAM module listed before the gnome-keyring one.

So that would be a distribution problem to put the "auth optional pam_gnome_keyring.so" line at the right place -- and the only thing you can do to help distributors is to clearly state where it should go (and you're already doing this on the wiki page, although my bug is also about the fact that it's not the best guideline ;-)).
Comment 3 Vincent Untz 2009-02-18 21:29:16 UTC
For reference, bug 514862 is the bug that caused the code that asks for password to be removed. It was about a specific case with "passwd -d".

I'm still mixed with what to do here. If any pam module is configured as sufficient, the current way to handle things will just mean "no login keyring".

If we change the order and put the keyring module before any sufficient/required module, we have to prompt for the password. But this will break with "passwd -d".

Hrm. Need more thoughts. But I'd be tempted to say that the first case is more common than the second one...
Comment 4 Vincent Untz 2009-02-18 23:47:15 UTC
Okay. Talked with Ray quite a bit about this issue on IRC. Here's the right way to fix it: improve documentation.

 + first explain that "sufficient" makes pam leave the stack, ignoring the following modules

 + then explain that "substack" exists and can be used

 + then give an example:

For auth:
 /etc/pam.d/gdm:
 auth substack common-auth
 auth optional pam_gnome_keyring.so

For password:
 /etc/pam.d/common-password:
 password substack real-common-password
 password optional pam_gnome_keyring.so

Stef, how does that sound?
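To make the "sufficient" vs. "substack" behaviour in the description and in comment 4 concrete, here is an added example that is not part of the bug report and not gnome-keyring or Linux-PAM code: a toy model of how Linux-PAM walks an auth stack under the simplified keyword semantics of pam.conf(5), run over the broken ordering from the description and over the substack layout proposed in comment 4. The stand-in module behaviour (a constructed password check for pam_unix2, pam_deny always failing, pam_gnome_keyring just recording the password it would pass to the daemon) and the sample credential are assumptions made for the demonstration; only the call order and the final status are what the model is meant to show.

```python
"""Toy model of how Linux-PAM walks an auth stack (added example; not
gnome-keyring or Linux-PAM code).  It models the keyword control flags
`required`, `requisite`, `sufficient`, `optional` and `substack` with the
simplified semantics of pam.conf(5): a `sufficient` module that succeeds
ends the stack at once unless an earlier `required` module failed, and
`substack` confines that early exit to the nested stack.  The module
behaviour below is a constructed stand-in; only the call order matters."""

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7   # Linux-PAM return codes

def _ok(state):
    # "ok": contributes success unless a required/requisite failure is already sticky
    if not state["failed"]:
        state["status"] = PAM_SUCCESS

def _bad(state, rc):
    # "bad": the first required-style failure decides the stack's final status
    if not state["failed"]:
        state["failed"], state["status"] = True, rc

def evaluate(stacks, name, modules, calls, state=None):
    """Walk stack `name`, appending every invoked module to `calls`.
    `state` is shared with substacks so their results count in the parent."""
    top = state is None
    if top:
        state = {"status": None, "failed": False}
    for control, module in stacks[name]:
        if control == "substack":
            evaluate(stacks, module, modules, calls, state)   # a `break` in there stays in there
            continue
        calls.append(module)
        rc = modules[module]()
        if control == "sufficient":
            if rc == PAM_SUCCESS and not state["failed"]:
                state["status"] = PAM_SUCCESS
                break                       # "done": skip the rest of *this* stack only
        elif control == "required":
            if rc == PAM_SUCCESS:
                _ok(state)
            else:
                _bad(state, rc)             # keep walking so the user sees no timing difference
        elif control == "requisite":
            if rc == PAM_SUCCESS:
                _ok(state)
            else:
                _bad(state, rc)
                break                       # "die": stop this stack immediately
        elif control == "optional":
            if rc == PAM_SUCCESS:
                _ok(state)                  # failures of optional modules are ignored
        else:
            raise ValueError("unknown control flag: " + control)
    if not top:
        return None
    return PAM_PERM_DENIED if state["status"] is None else state["status"]

# The ordering the bug complains about: pam_unix2 is `sufficient`, so on a
# correct password PAM leaves the stack before pam_gnome_keyring ever runs.
BROKEN = {
    "gdm": [("sufficient", "pam_unix2.so"),
            ("required", "pam_deny.so"),
            ("optional", "pam_gnome_keyring.so")],
}

# Comment 4's fix: the distribution's common-auth becomes a substack, so the
# `sufficient` exit applies to common-auth only and gdm's own lines still run.
FIXED = {
    "gdm": [("substack", "common-auth"),
            ("optional", "pam_gnome_keyring.so")],
    "common-auth": [("sufficient", "pam_unix2.so"),
                    ("required", "pam_deny.so")],
}

GOOD_PASSWORD = "correct horse battery staple"     # constructed test credential

def make_modules(password, stash):
    """Constructed stand-ins: pam_unix2 checks the password, pam_deny always
    fails, pam_gnome_keyring records the password it would hand to the daemon."""
    return {
        "pam_unix2.so": lambda: PAM_SUCCESS if password == GOOD_PASSWORD else PAM_AUTH_ERR,
        "pam_deny.so": lambda: PAM_AUTH_ERR,
        "pam_gnome_keyring.so": lambda: (stash.append(password), PAM_SUCCESS)[1],
    }

def login(stacks, password):
    """Return (pam status, modules called, whether the keyring module saw the password)."""
    calls, stash = [], []
    rc = evaluate(stacks, "gdm", make_modules(password, stash), calls)
    return rc, calls, bool(stash)

if __name__ == "__main__":
    for label, stacks in (("broken", BROKEN), ("fixed", FIXED)):
        for pw in (GOOD_PASSWORD, "wrong"):
            rc, calls, saw_pw = login(stacks, pw)
            print(f"{label:6} {'good' if pw == GOOD_PASSWORD else 'bad ':4} "
                  f"status={rc} keyring_saw_password={saw_pw} calls={calls}")
```

Running it shows the failure mode from the description: with the broken ordering a successful login returns PAM_SUCCESS having called only pam_unix2.so, so the keyring module never sees the password and the login keyring stays locked, while with the substack layout the same login calls pam_unix2.so and then pam_gnome_keyring.so. A wrong password fails in both layouts, which is the check to make before changing the ordering: the fix must not weaken the decision, only let later optional lines run.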
Comment 5 Stef Walter 2009-03-03 04:36:33 UTC
Sounds great. Will you add to the documentation here: http://live.gnome.org/GnomeKeyring/Pam

Or if you don't have time or feel comfortable with that, we draw something up together and I can work on posting it. 
Comment 6 Vincent Untz 2009-03-03 12:20:05 UTC
I'll probably do it when I commit the only_if patch, if you don't mind.

(I think it's not a big deal to keep the current doc as it is right now since, well, I don't think many people got confused like I was)
Comment 7 Stef Walter 2009-03-03 15:03:28 UTC
Sounds good. 
Comment 8 Stef Walter 2009-07-21 14:10:50 UTC
Should we close this bug?
Comment 9 Vincent Untz 2009-07-21 15:08:30 UTC
Up to you, I guess. I have a hard time convincing the openSUSE PAM people to use substack, though :/