Subject: Re: pam_ssh for users w/o private keys
To: Christos Zoulas <christos@tac.gw.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 06/23/2005 19:40:17
--tNQTSEo8WG/FKZ8E
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Thu, Jun 23, 2005 at 01:22:35AM +0300, Christos Zoulas wrote:
> In article <1119476837.427.36.camel@dawn.home.network>,
> Julio M. Merino Vidal <jmmv84@gmail.com> wrote:
> >
> >I've enabled pam_ssh in /etc/pam.d/display_manager, so that I can log in
> >from gdm using my key's passphrase (and get an agent started).
> >Everything is fine for my regular user, but it's not for others that
> >don't have a private key in their home directory (i.e., root).
Well, I guess it's ok like that...
> >I mean, if I try to log in as root, gdm asks me for the ssh passphrase
> >(something that shouldn't happen, as I see it). At that point, I hit
> >enter, hoping that it would proceed with the next authentication module,
> >pam_unix, asking me the regular password. But it does not. It just
> >reports a login error.
Try typing root's password at that prompt.
> >AFAICS in the documentation, setting pam_ssh as sufficient (which is the
> >default in the example display_manager file) should cause failures in
> >this module to fallback to other modules in the chain (pam_unix).
> >
> >(I don't think this is a gdm specific bug since the same thing works
> >fine under Linux, using whatever PAM implementation it has.)
> >
> >Am I wrong in my expectations? Or is there a problem somewhere?
>=20
> Did you type your password when it asked for the passphrase? Do you
> have try first pass set?
I had to disable try_first_pass in a lot of lines. Seems our=20
try_first_pass isn't implemented right, and it acts like use_first_pass.=20
It's supposed to re-ask on failure, but doesn't.
Take care,
Bill
--tNQTSEo8WG/FKZ8E
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQFCu3KRWz+3JHUci9cRAljBAJ9aK86kk7bnY5RLWnsVZo9042kMsACfV66f
OAe9o5YF3LA4P4hc5NvXo9U=
=z4Ot
-----END PGP SIGNATURE-----
--tNQTSEo8WG/FKZ8E--