PAM: support the authentication facility #14789
Merged
### Motivation and Context

In the system I'm working on, I'd like to exclusively use the ZFS dataset passphrase for user authentication, in order to avoid extra sources of persistent state (in this case `/etc/shadow`-style files). Seems like this could be useful for others too, so I'd like to upstream it.

### Description

Implement the `pam_sm_authenticate` method, using the `noop` argument of `lzc_load_key` to do a passphrase check without actually loading the key. This allows using ZFS as the source of truth for user passwords, without storing any password hashes in `/etc` or using other PAM modules.

### Notes for Other PRs

If #13050 is to land after this, it should either extract the "already mounted" check up to `pam_sm_open_session` or skip that check in noop mode.

### How Has This Been Tested?

Adding these to `/etc/pam.d/su` and adding a test user with a home directory pointing to an encrypted dataset (using `vipw`), then verifying that `su uzer` correctly checks the passphrase but doesn't mount anything, while `su -l uzer` (`-l` for "Simulate a full login", which does open a session) also mounts and unmounts the home dataset.