On (07/09/2010 16:32), Thomas Vogt wrote:
[...]
> I've an issue with pam_pefs:
>
> ===> lib/libpam/modules/pam_pefs (install)
> install -C -o root -g wheel -m 444 libpam_pefs.a /usr/lib
> install -C -o root -g wheel -m 444 libpam_pefs_p.a /usr/lib
> install -o root -g wheel -m 444 pam_pefs.8.gz /usr/share/man/man8
>
> I do not see any pam_pefs.so which makes login not possible if
> pam.d/system is modified as mentioned in your description:
>
> auth sufficient pam_pefs.so try_first_pass

Sorry, I don't quite understand you here. Don't hesitate to contact me again if I didn't understand you correctly.

I've also missed one more line, which actually adds the key:

session optional pam_pefs.so

The setup I've posted makes it possible to login using the pefs key or the standard pam_unix.so password. Here is my /etc/pam.d/system file:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_pefs.so try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_login_access.so
account required pam_unix.so
# session
session optional pam_pefs.so
session required pam_lastlog.so no_fail
# password
password required pam_unix.so no_warn try_first_pass

I have a "stronger" password for pefs, while the traditional password is "weaker" and easier to type. I use the pefs password to login only the first time and add the key to my home directory. Please note that your home directory has to be mounted; I mount it in /etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note that it has to be exactly your home directory (/home/gleb in my case), to prevent possible attacks. And the keychain database has to be created, so that pam_pefs knows how to verify the key. Details on how to create it are available in my original email.
That's a rather inconvenient procedure, but you need to do it just once. It's so complicated because pefs is read-only if no key is specified, but the database should not be encrypted, to make it accessible by pam_pefs:

> 3. Mount pefs filesystem:
> # pefs mount /home/ME /home/ME
>
> 4. Enter passphrase:
> # pefs addkey /home/ME
>
> # pefs addchain -Z /home/ME
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db /home/ME
> # pefs mount /home/ME /home/ME
> Use -c option to verify key is in database
> # pefs addkey -c /home/ME

I'll try to make it easier. I didn't actually expect anyone to try it, and just mentioned it without providing instructions, so as not to write a long setup procedure. You can also try adding the debug option to the pam_pefs.so config if something goes wrong.

I don't remember the details, but pefs/Makefile contains the following comment by me:

# Should be built from sources tree
# SUBDIR+= lib/libpam/modules/pam_pefs

But if you are able to build it, it should be fine.

Thanks,
Gleb.

> Regards,
> Thomas

Received on Tue Sep 07 2010 - 15:52:31 UTC
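A small sanity check for the pam.d setup discussed in this thread, added here as an example and not part of pefs or of either author's mail: it verifies that the module file actually exists in the install directory (the missing pam_pefs.so Thomas hit, which would lock out logins once "auth sufficient pam_pefs.so" is in place), that both the auth and the session pam_pefs.so lines are present, and that a fallback "auth required pam_unix.so" follows the pefs line so the ordinary password still works. The function name and the /usr/lib default for the module directory are assumptions.

```shell
#!/bin/sh
# check_pam_pefs: sanity-check a pam.d service file for the pam_pefs setup.
# Usage: check_pam_pefs <pam.d file> [module dir, default /usr/lib]
# Returns 0 when the configuration looks consistent, 1 otherwise, and
# prints one line per problem found. (Added example; names are assumed.)
check_pam_pefs() {
    pamfile=$1
    moddir=${2:-/usr/lib}
    rc=0

    # 1. The shared object must exist. Only libpam_pefs.a being installed
    #    (as in the install log above) leaves PAM unable to load the module.
    if [ ! -f "$moddir/pam_pefs.so" ]; then
        echo "missing $moddir/pam_pefs.so (only the static libpam_pefs.a installed?)"
        rc=1
    fi

    # 2. Both pam_pefs.so lines are needed: auth to accept the pefs
    #    passphrase, session to actually add the key to the home directory.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_pefs\.so' "$pamfile"; then
        echo "no 'auth sufficient pam_pefs.so' line"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*session[[:space:]]+optional[[:space:]]+pam_pefs\.so' "$pamfile"; then
        echo "no 'session optional pam_pefs.so' line (key will never be added)"
        rc=1
    fi

    # 3. A required pam_unix.so auth line must come AFTER the pefs line, so
    #    the standard password remains a fallback if pefs rejects the input.
    #    Comment lines start with '#' in field 1 and never match.
    if ! awk '$1 == "auth" && $3 == "pam_pefs.so" { p = NR }
              $1 == "auth" && $2 == "required" && $3 == "pam_unix.so" && p { u = 1 }
              END { exit !(p && u) }' "$pamfile"; then
        echo "no 'auth required pam_unix.so' fallback after the pam_pefs.so auth line"
        rc=1
    fi

    return $rc
}
```

Run it against /etc/pam.d/system (and any other service that should accept the pefs key) after editing, before logging out of the current session.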