Looks like my spam filter ate the notification that you answered, and/or
since my post was "additional information only", I did not get a
notification in the first place.
My /etc/pam.d/sddm:
(lines wrapped by email client marked with \)
-------------------------
#%PAM-1.0
# Block login if they are globally disabled
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
-auth optional pam_ssh.so use_first_pass
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] \
pam_selinux.so close
# Create a new session keyring.
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process \
starts
# in the proper default security context. Only sessions which are \
intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] \
pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
-session optional pam_ssh.so
@include common-password
# From the pam_env man page
# Since setting of PAM environment variables can have side effects to \
other modules, this module should be the last one on the stack.
# Load environment from /etc/environment
session required pam_env.so
# Load environment from /etc/default/locale and ~/.pam_environment
session required pam_env.so envfile=/etc/default/locale \
user_readenv=1
---------------------------------
And my /etc/pam.d/login:
---------------------------------
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for \ example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient \ (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] \
pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used \
TTY and configures
# SELinux in order to transition to the user context with the next \
execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] \
pam_selinux.so open
# When the module is present, "required" would be sufficient (When \ SELinux
# is disabled, this returns success.)
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default\ /locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
-auth optional pam_ssh.so try_first_pass
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
-session optional pam_ssh.so
---------------------------------
On Sun, 7 Nov 2021 20:36:08 +0100 Jerome BENOIT <calcu...@rezozer.net>
wrote:
I apologies for my late reply.
Actually I agree with your comments.
My current set up on my main computer follows your comment below.
So far I can remember, I have never revisited the pam-auth-update(8)
configuration file of this package since I begun to maintain it.
Meanwhile, note that I put some warning in the README.Debian file.
Can you share your /etc/pam.d/login and /etc/pam.d/*dm files so that
I can compare with my set up ?
> The workaround/fix for this would be to not let pam-auth-update add
> pam_ssh.so into common-auth and common-session, but add the necessary
> lines *selectively* only to services that handle local logins like
> /etc/pam.d/login and /etc/pam.d/*dm, but *not* to /etc/pam.d/sshd.
>
> That should allow libpam-ssh to start the agent on initial login, but
> leave the SSH sessions and their agent forwarding alone.
>
> If you need the "authentication by SSH key passphrase" functionality on
> SSH connections, you could add only the "auth optional pam_ssh.so
> try_first_pass" line to /etc/pam.d/sshd. (Note that this line should not
> be the first authentication module, to prevent an information leak, as
> described in the pam_ssh(8) man page.)
>
>
Cheers,
Jerome
--
Jerome BENOIT | calculus+at-rezozer^dot*net
https://qa.debian.org/developer.php?login=calcu...@rezozer.net
AE28 AE15 710D FF1D 87E5 A762 3F92 19A6 7F36 C68B
--
matti.kurk...@iki.fi