Need help with PAM configuration for pam_keyring and thinkfinger
  1. #1
    Hi all,

    I have been trying to figure out how to make both thinkfinger and pam_keyring work nicely in Fedora 7. I found configuration examples for each of the modules, and they work well one at a time, but when combining the configuration of both modules I get a dual password prompt at the login screen: after entering the user name I get the regular password prompt and then the prompt to type in the password or swipe a finger. It seems like the first one comes from pam_keyring and the second from the thinkfinger module. How do I configure PAM so that I get only the thinkfinger prompt and pam_keyring automatically "picks up" the credentials passed from thinkfinger?

    My system-auth file:
    Code:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_thinkfinger.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    and gdm file:
    Code:
    #%PAM-1.0
    auth       required    pam_env.so
    auth       optional    pam_keyring.so try_first_pass
    auth       include     system-auth
    account    required    pam_nologin.so
    account    include     system-auth
    password   include     system-auth
    session    optional    pam_keyinit.so force revoke
    session    include     system-auth
    session    required    pam_loginuid.so
    session    optional    pam_console.so
    session    optional    pam_keyring.so

  2. #2
    Just FYI, in Fedora 8 Test 3 it all works nicely as the new GNOME release unlocks the keyring after successful login to the system and there's no need for pam_keyring module anymore.

    Fedora 8's system-auth:
    Code:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_thinkfinger.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    and gdm:
    Code:
    #%PAM-1.0
    auth       required    pam_env.so
    auth       include     system-auth
    auth       optional    pam_gnome_keyring.so
    account    required    pam_nologin.so
    account    include     system-auth
    password   include     system-auth
    session    required    pam_selinux.so close
    session    optional    pam_keyinit.so force revoke
    session    include     system-auth
    session    required    pam_loginuid.so
    session    optional    pam_console.so
    session    required    pam_selinux.so open
    session    optional    pam_gnome_keyring.so auto_start
    Last edited by Maners; 10th October 2007 at 09:00 AM.

  3. #3
    How did you get both to work? I had been waiting until F8 so this annoyance would go away, but it's still there and I can't seem to find much difference from your config files.

    my system-auth
    Code:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_thinkfinger.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    and my gdm

    Code:
    #%PAM-1.0
    auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
    auth       required    pam_env.so
    auth       include     system-auth
    auth       optional    pam_gnome_keyring.so
    account    required    pam_nologin.so
    account    include     system-auth
    password   include     system-auth
    session    required    pam_selinux.so close
    session    include     system-auth
    session    required    pam_loginuid.so
    session    optional    pam_console.so
    session    required    pam_selinux.so open
    session    optional    pam_keyinit.so force revoke
    session    required    pam_namespace.so
    session    optional    pam_gnome_keyring.so auto_start
    I can log in at gdm using thinkfinger, but when I log in it immediately goes and asks for the password for applet-nm password for keyring. Any ideas?

  4. #4
    Sorry, I thought that read stinkfinger!

    I assume it's a fingerprint reader of ThinkPads? I've got one on my HP nc6400, but apparently as far as drivers go somebody managed to get as far as scanning a mono image into the GIMP.....

  5. #5
    Unfortunately in Fedora 8 Final the gnome-keyring-pam is broken and it stopped working as intended a few weeks after F8 Test 3. Here's the Bugzilla ticket regarding this: https://bugzilla.redhat.com/show_bug.cgi?id=356931. There are also several more bugs filed concerning this, so hopefully it will be fixed soon.

  6. #6
    phalkone Guest
    I realise this thread is quite old, but I have the same problem as the original poster in Fedora 10. I also wonder if I have to install pam_keyring now that we have pam_gnome_keyring. If I log in with a password instead of the fingerprint reader I do not get prompted for my password by the keyring. Can somebody tell me how to adjust my system-auth and gdm files?

    My current system-auth:
    Code:
    auth        required      pam_env.so
    auth        sufficient    pam_thinkfinger.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    My current gdm:
    Code:
    auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
    auth       required    pam_succeed_if.so user != root quiet
    auth       required    pam_env.so
    auth       substack    system-auth
    auth       optional    pam_gnome_keyring.so
    account    required    pam_nologin.so
    account    include     system-auth
    password   include     system-auth
    session    required    pam_selinux.so close
    session    required    pam_loginuid.so
    session    optional    pam_console.so
    session    required    pam_selinux.so open
    session    optional    pam_keyinit.so force revoke
    session    required    pam_namespace.so
    session    optional    pam_gnome_keyring.so auto_start
    session    include     system-auth
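
An added sketch, not code from any poster or from Linux-PAM, that walks the auth stacks posted in this thread to show what the auth-phase keyring module receives after a fingerprint login compared with a password login. It assumes a simplified reading of the required/requisite/sufficient/optional flags and of `include` versus `substack`, assumes that only pam_unix.so stores a password for later modules, and uses trimmed copies of the posted files; `parse`, `walk` and `keyring_outcome` are hypothetical names.

```python
# Added example: simplified model of Linux-PAM auth-stack control flow.
# Trimmed copies of the auth lines posted in the thread (constructed input).
SYSTEM_AUTH = """\
auth required   pam_env.so
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth required   pam_deny.so
"""
GDM = """\
auth required pam_env.so
auth {link} system-auth
auth optional pam_gnome_keyring.so
"""
# Assumed module results for the two ways of logging in.
FINGER = {"pam_thinkfinger.so": True, "pam_deny.so": False}
PASSWORD = {"pam_thinkfinger.so": False, "pam_unix.so": True, "pam_deny.so": False}

def parse(text):
    """Return (control, module) for every auth line of a PAM file."""
    rows = [line.split() for line in text.splitlines()]
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == "auth"]

def walk(name, files, results, st):
    """Evaluate one file's auth stack; True means 'stop evaluating'."""
    for control, module in parse(files[name]):
        if control in ("include", "substack"):
            # include: a stop in the child ends the whole stack.
            # substack: a stop only ends the child.
            if walk(module, files, results, st) and control == "include":
                return True
            continue
        passed = results.get(module, True)
        if module == "pam_unix.so" and passed:
            st["authtok"] = True  # assumption: only pam_unix stores a password
        if module == "pam_gnome_keyring.so":
            st["keyring"] = "has password" if st["authtok"] else "no password"
        if passed and control == "sufficient" and not st["failed"]:
            return True  # 'done': authentication already decided
        if not passed and control in ("required", "requisite"):
            st["failed"] = True
            if control == "requisite":
                return True  # 'die'
    return False

def keyring_outcome(link, results):
    """What the auth-phase keyring module sees: skipped / no password / has password."""
    files = {"system-auth": SYSTEM_AUTH, "gdm": GDM.format(link=link)}
    st = {"failed": False, "authtok": False, "keyring": "skipped"}
    walk("gdm", files, results, st)
    return st["keyring"]
```

In this model a fingerprint login never hands the keyring module a password under either `include` or `substack`, while a password login through `substack` does.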
