Re: Future plans?
- From: "Andrea Dell'Amico" <adellam link it>
- To: Sam Varshavchik <mrsam courier-mta com>
- Cc: NetworkManager-list gnome org
- Subject: Re: Future plans?
- Date: Fri, 27 Apr 2007 16:42:40 +0200
On Thu, 2007-04-26 at 18:26 -0400, Sam Varshavchik wrote:
> My only other pet peeve with a NetworkManager-based setup is having to enter
> another password after logging in, to unlock the keyring. It's completely
> pointless, and unneeded. A passphrase-protected keyring gives no value added
> whatsoever, that you cannot already have with a non-world readable
> passphrase file in your own account.
>
> Someone once suggested pam_keyring. I gave it a try. I installed it. There
> was very little documentation in it to tell me how to set up the PAM config
> files for it. What was there, was outdated, and was no longer applicable to
> the modern PAM. Typical. Tried to improvise the PAM configuration, basing
> it on other PAM service configurations, made no difference. Still get
> prompted for the password, absolutely nothing in any log file I could find
> which would tell me why pam_keyring fails or does not work. After futzing
> around with it for an hour or so, completely clueless, I give up.
Hmm... The configuration phase wasn't so difficult for me, but maybe I've
been fighting with PAM for too long.
What follows is my /etc/pam.d/system-auth (from a FC5, I'm using it in
my FC6 laptop without modifications). Remove the 'pam_encfs' and
'pam_ssh' entries if you don't need them.
NB: your keyring password and your login password must be the same (and
encfs and ssh-agent too, if you use them)
auth required pam_env.so
auth optional pam_encfs.so
auth optional pam_ssh.so try_first_pass
auth optional pam_keyring.so try_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session required pam_encfs.so
session optional pam_ssh.so
session optional pam_keyring.so
--
Andrea Dell'Amico - <http://www.link.it/>
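
An added example, not part of the original message: a small audit of the auth and password rules posted above. It flags the `nullok` and `md5` options on pam_unix and lists the modules that reuse the already-entered login password, which is why the note above says the keyring and login passwords must match. The function names `parse_pam` and `audit` are hypothetical, and the sample is constructed from the posted lines.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "type control module args")
# type, control (simple word or [bracketed] form), module, then arguments
RULE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: auth and password rules as posted above, with the
# wrapped "use_authtok" joined back onto its pam_unix line.
SAMPLE = """\
auth required pam_env.so
auth optional pam_encfs.so
auth optional pam_ssh.so try_first_pass
auth optional pam_keyring.so try_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""

def parse_pam(text):
    """Parse pam.d rules; joins backslash continuations, skips comments/blanks."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append(Rule(m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def audit(rules):
    """Return (findings, auth modules that try the already-entered password)."""
    findings, reusers = [], []
    for r in rules:
        unix = r.module == "pam_unix.so"
        if unix and r.type == "auth" and "nullok" in r.args:
            findings.append("auth pam_unix.so: nullok lets accounts with an empty password log in")
        if unix and r.type == "password" and "md5" in r.args:
            findings.append("password pam_unix.so: md5 stores new passwords as MD5-crypt; prefer sha512")
        if r.type == "auth" and not unix and {"try_first_pass", "use_first_pass"} & set(r.args):
            reusers.append(r.module)
    return findings, reusers

if __name__ == "__main__":
    findings, reusers = audit(parse_pam(SAMPLE))
    print("\n".join(findings))
    print("modules reusing the login password:", ", ".join(reusers))
```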