Re: Future plans?



On Thu, 2007-04-26 at 18:26 -0400, Sam Varshavchik wrote:

> My only other pet peeve with a NetworkManager-based setup is having to enter 
> another password after logging in, to unlock the keyring. It's completely 
> pointless, and unneeded. A passphrase-protected keyring gives no value added 
> whatsoever, that you cannot already have with a non-world readable 
> passphrase file in your own account.
> 
> Someone once suggested pam_keyring.  I gave it a try.  I installed it. There 
> was very little documentation in it to tell me how to set up the PAM config 
> files for it.  What was there, was outdated, and was no longer applicable to 
> the modern PAM.  Typical.  Tried to improvise the PAM configuration, basing 
> it on other PAM service configurations, made no difference.  Still get 
> prompted for the password, absolutely nothing in any log file I could find 
> which would tell me why pam_keyring fails or does not work.  After futzing 
> around with it for an hour or so, completely clueless, I give up.

Hmm... The configuration phase wasn't so difficult for me, but maybe I've
been fighting with PAM for too long.

What follows is my /etc/pam.d/system-auth (from a FC5, I'm using it in
my FC6 laptop without modifications). Remove the 'pam_encfs' and
'pam_ssh' entries if you don't need them.

NB: your keyring password and your login password must be the same (and
encfs and ssh-agent too, if you use them)

auth        required      pam_env.so
auth        optional      pam_encfs.so
auth        optional      pam_ssh.so try_first_pass
auth        optional      pam_keyring.so try_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_encfs.so
session     optional      pam_ssh.so
session     optional      pam_keyring.so

-- 
Question: “Is there a God?”
Answer: “No.”
From the Official God FAQ, http://www.400monkeys.com/God/
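
A small linter for the layout posted above, as an added example that is not part of the original message: it checks that pam_keyring.so sits in the auth stack before any `sufficient` module (a successful `sufficient` module ends the stack, so later entries never run), that it carries try_first_pass as in the posted file, and that a session entry exists. The function names and the BROKEN input are constructed for illustration, and the parser assumes simple one-word control flags.

```python
# SAMPLE: auth/session lines taken from the posted system-auth (encfs/ssh removed).
SAMPLE = """\
auth        required      pam_env.so
auth        optional      pam_keyring.so try_first_pass
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
session     required      pam_unix.so
session     optional      pam_keyring.so
"""

# BROKEN: constructed variant with pam_keyring misplaced and no session entry.
BROKEN = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        optional      pam_keyring.so try_first_pass
auth        required      pam_deny.so
session     required      pam_unix.so
"""

def parse_stack(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def check_keyring(text, module="pam_keyring.so"):
    """List placement problems for `module` in the auth and session stacks."""
    entries = parse_stack(text)
    auth = [e for e in entries if e[0] == "auth"]
    problems = []
    idx = next((i for i, e in enumerate(auth) if e[2] == module), None)
    if idx is None:
        problems.append("auth: %s missing" % module)
    else:
        # A successful 'sufficient' module ends the auth stack, so a module
        # listed after it is never called with the login password.
        for e in auth[:idx]:
            if e[1] == "sufficient":
                problems.append("auth: %s is after sufficient %s" % (module, e[2]))
        if "try_first_pass" not in auth[idx][3]:
            problems.append("auth: %s lacks try_first_pass" % module)
    if not any(e[0] == "session" and e[2] == module for e in entries):
        problems.append("session: %s missing" % module)
    return problems
```

To lint a real file, pass its contents, for example `check_keyring(open("/etc/pam.d/system-auth").read())`; an empty list means the placement matches the posted layout.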
