#2858 closed defect (needinfo)
pam_fprintd.so and pam_ssh.so
| Reported by: | Niki Waibel | Owned by: | Niki Waibel |
|---|---|---|---|
| Priority: | major | Milestone: | 4.1 |
| Component: | server | Version: | trunk |
| Keywords: | Cc: |
Description (last modified by )
hi, i am trying to get PAM auth going. i realized (after quite a while) that things are not working because i have
auth sufficient pam_fprintd.so auth sufficient pam_ssh.so session sufficient pam_fprintd.so session sufficient pam_ssh.so
in /etc/pam.d/system-auth (Fedora32)
is it possible to keep system-auth as it is and disable/ignore pam_fprintd.so somehow from /etc/pam.d/xpra?
i've tried
session [default=ignore success=ignore new_authtok_reqd=ignore] pam_fprintd.so auth required pam_ssh.so
as well as
session [default=bad success=bad new_authtok_reqd=bad] pam_fprintd.so auth required pam_ssh.so
but xpra always waits until the fingerprint is used on the xpra server, or its time out; which is nonsense.
the fingerprint allows the login (independent of the ssh passphrase or unix password), as well as ssh passphrase or unix login.
even if i remove all "include" lines from /etc/pam.d/xpra, the fingerprint can authenticate successfully the xpra session.
also, in /var/log/secure, i can see
Aug 9 14:34:29 lnx-1 python3.8[46183]: PAM unable to resolve symbol: pam_sm_open_session Aug 9 14:34:29 lnx-1 python3.8[46183]: PAM unable to resolve symbol: pam_sm_close_session
not sure if that's related.
$ xpra version 4.1-r27063
Change History (4)
comment:1 Changed 9 months ago by
| Description: | modified (diff) |
|---|---|
| Owner: | changed from Antoine Martin to Niki Waibel |
comment:2 Changed 9 months ago by
i've tried the fedora systemd xpra proxy first (winswitch-beta repo), but then turned it off to make things simpler:
xpra start --bind-tcp=127.0.0.1:14500 --tcp-auth=pam xpra attach tcp://user@127.0.0.1:14500
is what i am using.
i just read man pam.conf to guess what might be done. so i am far from "knowing" pam ;-) thought i ask here first, as xpra should work smoothly, even in case the systen uses fingerprint authentication.
comment:3 Changed 8 months ago by
| Resolution: | → needinfo |
|---|---|
| Status: | new → closed |
I really don't know what to do from the xpra side.
Feel free to post here, or elsewhere on the wiki, if you find a satisfactory solution.
comment:4 Changed 4 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2858
copyleft 2010 - 2021
Looks like you know more about pam than I do... so maybe you should direct your question to the pam folks?
Are you running the proxy or just a seamless server with system authentication?
The symbol problems (
PAM unable to resolve symbol: ...) won't help for sure, try a newer beta (ie: new one today) or build from source.