Fedora Linux Support Community & Resources Center

Go Back   FedoraForum.org > Fedora 19/20 > Using Fedora
FedoraForum Search

Forgot Password? Join Us!

Using Fedora General support for current versions. Ask questions about Fedora and it's software that do not belong in any other forum.

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 7th September 2007, 02:22 AM
Maners Offline
Registered User
 
Join Date: May 2004
Location: New York
Age: 32
Posts: 165
Need help with PAM configuration for pam_keyring and thinkfinger

Hi all,

I have been trying to figure out how to make both thinkfinger and pam_keyring to work nicely in Fedora 7. I found configuration examples for each of the modules, and they work well one at a time, but when combining configuration of both modules I get a dual password prompt at the login screen: after entering user name I get regular password prompt and then the prompt to type in password or swipe finger. It seems like the first one comes form pam_keyring and second from thinkfinger module. How do I configure PAM, so that I get only thinkfinger prompt and pam_keyring automatically "picks up" the credentials passed from thinkfinger?

My system-auth file:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth	    sufficient    pam_thinkfinger.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
and gdm file:
Code:
#%PAM-1.0
auth       required    pam_env.so
auth       optional    pam_keyring.so try_first_pass
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session	   optional    pam_keyring.so
Reply With Quote
  #2  
Old 10th October 2007, 08:53 AM
Maners Offline
Registered User
 
Join Date: May 2004
Location: New York
Age: 32
Posts: 165
Just FYI, in Fedora 8 Test 3 it all works nicely as the new GNOME release unlocks the keyring after successful login to the system and there's no need for pam_keyring module anymore.

Fedora's 8 system-auth:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth	    sufficient    pam_thinkfinger.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
and gdm:
Code:
#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_gnome_keyring.so auto_start

Last edited by Maners; 10th October 2007 at 09:00 AM.
Reply With Quote
  #3  
Old 9th November 2007, 11:47 PM
dryicerx Offline
Registered User
 
Join Date: Apr 2005
Posts: 34
How did you get both to work... I had been waiting until F8 so this annoyance will go away but it's still there and I can't seem to find much difference from your config files

my system-auth
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_thinkfinger.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
and my gdm

Code:
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
I can log in at gdm using thinkfinger.. but when I log in it immediately goes and asks for the password for applet-nm password for keyring, any ideas?
Reply With Quote
  #4  
Old 10th November 2007, 01:56 PM
sej7278 Offline
Registered User
 
Join Date: Sep 2004
Posts: 2,008
sorry i thought that read stinkfinger!

i assume its a fingerprint reader of thinkpads? i've got one on my hp nc6400 but apparently as far as drivers go somebody managed to get as far as scanning a mono image into the gimp.....
Reply With Quote
  #5  
Old 13th November 2007, 11:27 PM
Maners Offline
Registered User
 
Join Date: May 2004
Location: New York
Age: 32
Posts: 165
Unfortunately in Fedora 8 Final the gnome-kerying-pam is broken and it stopped working as intended a few weeks after F8 Test 3. Here's the Bugzilla ticket regarding this: https://bugzilla.redhat.com/show_bug.cgi?id=356931 there are also several more bugs filled concerning this, so hopefully it will be fixed soon.
Reply With Quote
  #6  
Old 27th December 2008, 04:35 PM
phalkone Offline
Registered User
 
Join Date: Dec 2008
Posts: 9
I realise this thread is quite old, but I have the same problem as the original poster in Fedora 10. I also wonder if I have to install pam_keyring now that we have pam_gnome_keyring. If I login with password instead of fingerprint reader I do not get promped for my password by the keyring. Can somebody tell me how to adjust my system-auth and gdm file.

My current system-auth:
Code:
auth        required      pam_env.so
auth        sufficient    pam_thinkfinger.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
My current gdm:
Code:
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_succeed_if.so user != root quiet
auth       required    pam_env.so
auth       substack    system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
session    include     system-auth
Reply With Quote
Reply

Tags
configuration, pam, pamkeyring, thinkfinger

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Thinkfinger not working with LENOVO R61 georgopanos Hardware & Laptops 3 29th October 2008 04:06 PM
thinkfinger - IBM/Lenovo laptops exe Hardware & Laptops 4 29th July 2008 07:56 AM
uninstalling thinkfinger splat Using Fedora 2 14th June 2008 03:35 AM
Can't Install thinkfinger.x86_64 moniker117 Using Fedora 3 6th April 2008 09:20 PM
Automatic wlan login using pam_keyring moravec Servers & Networking 2 15th January 2008 11:34 AM


Current GMT-time: 04:13 (Thursday, 24-07-2014)

TopSubscribe to XML RSS for all Threads in all ForumsFedoraForumDotOrg Archive
logo

All trademarks, and forum posts in this site are property of their respective owner(s).
FedoraForum.org is privately owned and is not directly sponsored by the Fedora Project or Red Hat, Inc.

Privacy Policy | Term of Use | Posting Guidelines | Archive | Contact Us | Founding Members

Powered by vBulletin® Copyright ©2000 - 2012, vBulletin Solutions, Inc.

FedoraForum is Powered by RedHat