authconfig overwrites pam.d files about pam-u2f HOT 8 CLOSED

how have you installed the module? We don't provide Fedora packages so you might want to check with the maintainer of the package if he/she has a preferred location.
As far as I know authconfig is a Fedora/Red Hat specific tool.

from pam-u2f.

hi alessio
im sorry i wasnt clear. module works.. but im not sure about the right way
to enable it on fedora.
authconfig auto-generates these files and my u2f settings will be
overwritten.

can you help please

On Nov 22, 2016 2:46 PM, "Alessio Di Mauro" [email protected]
wrote:

how have you installed the module? We don't provide Fedora packages so you
might want to check with the maintainer of the package if he/she has a
preferred location.
As far as I know authconfig is a Fedora/Red Hat specific tool.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#46 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAEsUwOrmdoNx6HvWuvGJPKHlQubz2vVks5rArL1gaJpZM4K5KfA
.

from pam-u2f.

I'm not sure what you mean with "these files".
For pam-u2f to work you need:

• a configuration file for the authentication service, the location of this is system-specific (usually something like /etc/pam.d/)
• an authfile for the mapping between users and devices, this is generated with pamu2fcfg and it's location is discussed in the README file

I doubt that your OS is even aware of the existence of the second file. The first you should be able to handle with whatever tool the OS provides you.

from pam-u2f.

hi alessio
all files in pam.d are "automatically generated" by authconfig.

thats the issue.

if i add u2f configuration to the pam.d files.. it works, but it will get
overwritten the next time authconfig runs and i will lose my edits.

On Nov 22, 2016 3:11 PM, "Alessio Di Mauro" [email protected]
wrote:

I'm not sure what you mean with "these files".
For pam-u2f to work you need:

• a configuration file for the authentication service, the location of
  this is system-specific (usually something like /etc/pam.d/)
• an authfile for the mapping between users and devices, this is
  generated with pamu2fcfg and it's location is discussed in the README
  file

I doubt that your OS is even aware of the existence of the second file.
The first you should be able to handle with whatever tool the OS provides
you.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#46 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAEsUzBRGAPuaTUI6ENhzofDDPJ-C9-mks5rArjTgaJpZM4K5KfA
.

from pam-u2f.

Looking at the authconfig man page, would this help you?

/etc/pam.d/system-auth-ac
Contains the actual PAM configuration for system services and is the default target of the /etc/pam.d/system-auth symlink. If a local configuration of PAM is created (and symlinked from system-auth file) this file can be included there.

from pam-u2f.

this is the contents of the system-auth-ac file

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

notice the

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run

from pam-u2f.

Yes, but this is not what I'm talking about. Read the man page.

You can substitute system-auth or system-auth-ac with a symlink and have them point to your local configuratoin

from pam-u2f.

@a-dma He did read the manpage, and you're still incorrect over four years later (and that includes authselect, the replacement for authconfig). With luck somebody else has already documented this properly, as Yubico sure hasn't.

from pam-u2f.