PAM: support the authentication facility #14789
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
valpackett
commented
Apr 24, 2023
|
@felixdoerre would you mind taking a look at this PR. |
felixdoerre
reviewed
Apr 26, 2023
Implement the pam_sm_authenticate method, using the noop argument of lzc_load_key to do a passphrase check without actually loading the key. This allows using ZFS as the source of truth for user passwords, without storing any password hashes in /etc or using other PAM modules. Signed-off-by: Val Packett <val@packett.cool>
felixdoerre
approved these changes
Apr 26, 2023
behlendorf
approved these changes
Apr 26, 2023
behlendorf
added
Status: Accepted
andrewc12
pushed a commit
to andrewc12/openzfs
that referenced
this pull request
May 1, 2023
Implement the pam_sm_authenticate method, using the noop argument of lzc_load_key to do a passphrase check without actually loading the key. This allows using ZFS as the source of truth for user passwords, without storing any password hashes in /etc or using other PAM modules. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Felix Dörre <felix@dogcraft.de> Signed-off-by: Val Packett <val@packett.cool> Closes openzfs#14789
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
In the system I'm working on, I'd like to exclusively use the ZFS dataset passphrase for user authentication, in order to avoid extra sources of persistent state (in this case
/etc/shadowstyle files). Seems like this could be useful for others too so I'd like to upstream it.Description
Implement the
pam_sm_authenticatemethod, using thenoopargument oflzc_load_keyto do a passphrase check without actually loading the key.This allows using ZFS as the source of truth for user passwords, without storing any password hashes in
/etcor using other PAM modules.Notes for Other PRs
If #13050 is to land after this, it should either extract the "already mounted" check up to
pam_sm_open_sessionor skip that check in noop mode.How Has This Been Tested?
Adding these to
/etc/pam.d/suand adding a test user with a home directory pointing to an encrypted dataset (using
vipw),then verifying that
su uzercorrectly checks the passphrase but doesn't mount anything, whilesu -l uzer(-lfor "Simulate a full login" that does open a session) does also mount and unmount the home dataset.Types of changes
Checklist:
Signed-off-by.