John Darrington <j...@darrington.wattle.id.au> skribis:

> On Sun, Oct 23, 2016 at 05:45:50PM -0400, Leo Famulari wrote:
>
> > diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm > > index 4546c1a..0278db6 100644 > > --- a/gnu/system/pam.scm > > +++ b/gnu/system/pam.scm > > @@ -217,7 +217,7 @@ should be a file-like object used as the > message-of-the-day." > > (pam-entry > > (control "required") > > (module "pam_unix.so") > > - (arguments '("nullok"))) > > + (arguments '("nullok" "use_first_pass")))
>
> pam_unix(8) says:
>
> use_first_pass
> The argument use_first_pass forces the module to use a previous stacked modules
> password and will never prompt the user - if no password is available or the
> password is not appropriate, the user will be denied access.
>
> I don't understand exactly what this means for GuixSD. Can you explain
> it to us? :)
>
> On its own it does nothing. It makes more sense in context with the other
> patch I sent.
> With this option in place, one can extend the unix-pam-service with another
> pam service (such as krb5-pam), and if the krb5 authentication fails (for
> example because I am not at work) then the password I gave will be presented
> to the regular pam_unix login. I won't be prompted for it again.
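Review bot: the "use_first_pass" argument on the pam_unix.so entry is added unconditionally, so it also applies when no module is stacked ahead of pam_unix. Per the pam_unix(8) text quoted in this thread, the module then never prompts and denies access if no password is available, which is a different failure mode from the current '("nullok") behaviour. Consider adding the argument only when an earlier auth module is actually present in the stack, or using "try_first_pass", which pam_unix(8) documents as trying the previous module's password before prompting.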

In that case, instead of hardcoding “use_first_pass” here, would it be possible for the pam-krb5 service to extend ‘pam-root-service-type’ with a procedure that automatically adds “use_first_pass” where needed?

See elogind and ‘pam-extension-procedure’ in (gnu services desktop) for an example of that.

Thanks,
Ludo’.