On Sun, 26 May 2024 at 21:46, Sam Hartman <hartm...@debian.org> wrote:
>
>
> Hi.
> I'm not really swapped in on Debian this weekend; dealing with a
> transition for day job.
>
> But quick thoughts.
>
> I'm surprised that systemd-home is a pam auth module.
> That is, I wouldn't expect systemd-home to be able to decide whether you
> have presented valid credentials to log in.
> It may be that it has an account entry point, but its auth entry point
> is trivial.
>
> pam-auth-update assumes that you don't want to reenter a password.
> So, it assumes the first module in the stack will take a password and
> then we will reuse that.
>
> Similarly for password, you don't want to, for example, change the ldap
> and local passwords to different values.
>
>
> Compare the auth vs auth-initial password vs password-initial lines in
> /usr/share/pam-configs/unix.
>
>
> Will systemd-home work with an auth-type of additional rather than
> primary?

You are asking difficult questions I'm afraid, I don't really know
very well how PAM works to be able to answer. What I can tell you is
that users and passwords are definitely defined in homed, as the
purpose is to manage users and homes. Here's the manpage:

https://www.freedesktop.org/software/systemd/man/latest/pam_systemd_home.html

Any idea where use_authtok try_first_pass could be coming from? I
don't see them defined anywhere in the pam config I am shipping, so I
have no idea why pam-auth-update is adding them.
