Re: Customize PAM configuration
Important notice, thank you! I have read the detailed answer on this page: https://stackoverflow.com/questions/4129631/linux-securing-environment-variables and suppose I could use a file instead of a variable. An alternative solution would probably be to configure the sudoers file. But here comes the problem with running scripts with root privileges..
Re: Customize PAM configuration
Jone writes:

> The password is entered once at login and exported
> to an environment variable. As a result, the password is available during the user
> session (for some automation with bash scripts).

Please know that environment variables are readable in /proc and in the output of process managers. An environment variable is not a good place for a secret.

-- Ricardo
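Ricardo's point can be checked directly. The script below is an added example, not code from the thread; it assumes Linux with /proc mounted, and the variable name SESSION_PW and the secret value are constructed. It starts one child with the secret in its environment and one that receives it on stdin (the channel pam_exec's expose_authtok uses), then reads each child's /proc/PID/environ the way any process of the same user could.

```sh
#!/bin/sh
# Linux only: relies on /proc/PID/environ and /proc/PID/comm.
SAMPLE_SECRET='constructed-sample-value'  # constructed, not a real password

# Wait up to ~5 s until process $1 has exec'd the command named $2.
wait_exec() {
    i=0
    while [ "$i" -lt 50 ]; do
        read -r comm 2>/dev/null < "/proc/$1/comm" && [ "$comm" = "$2" ] && return 0
        sleep 0.1
        i=$((i + 1))
    done
    return 1
}

# Inspect child $1, then stop it.
# Returns 0 = secret found in its environment, 1 = not found, 2 = no result.
probe() {
    if wait_exec "$1" sleep; then
        tr '\0' '\n' < "/proc/$1/environ" | grep -qF -- "$SAMPLE_SECRET"
        rc=$?
    else
        rc=2
    fi
    kill "$1" 2>/dev/null
    wait "$1" 2>/dev/null
    return "$rc"
}

# Case 1: the approach from the thread, secret exported into the environment.
# SESSION_PW is a hypothetical variable name.
leaks_via_env() {
    SESSION_PW="$SAMPLE_SECRET" sleep 5 &
    probe "$!"
}

# Case 2: secret delivered on stdin, the way pam_exec's expose_authtok hands
# the password to its script; it stays in an unexported shell variable.
leaks_via_stdin() {
    printf '%s\n' "$SAMPLE_SECRET" | sh -c 'IFS= read -r pw; exec sleep 5' &
    probe "$!"
}

if leaks_via_env; then echo "env var: secret visible in /proc/PID/environ"; fi
if leaks_via_stdin; then echo "stdin: secret visible"; else echo "stdin: secret not in the environment"; fi
```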
Re: Customize PAM configuration
Thanks, Timothy! And sorry for my bad English.

> I don’t fully understand what you are trying to do

It's elementary! One password for any "local services", such as sudo, GPG encryption, etc. The password is entered once at login and exported to an environment variable. As a result, the password is available during the user session (for some automation with bash scripts). From a security perspective, this is a quite normal decision, in my opinion.

Thanks for this example. I haven't used G-Expressions yet. In my case, the final script will of course be an ordinary bash script (maybe in ~/). What can you say about this idea?
Re: Customize PAM configuration
Hi Jone,

Jone writes:

> Hello! I want to enter the user/root password only once per session. To do this,
> it will probably be convenient to export the password to a shell variable.
> For example, adding this to the PAM configuration file:
>
>auth sufficient pam_exec.so expose_authtok /path/to/script.sh
>
> But how to write it in system-config.scm? Sorry, I couldn't find any examples.

I don’t fully understand what you are trying to do, but here’s your example translated into Guix:

    (operating-system
      ...
      (pam-services
       (append
        (list
         (pam-service
          (name "my-pam-service") ; or whatever
          (auth
           (list
            (pam-entry
             (control "sufficient")
             (module "pam_exec.so")
             ;; expose_authtok makes the password available
             ;; to the script on its standard input.
             (arguments
              (list "expose_authtok"
                    "/path/to/script.sh")))))))
        ;; Keep the default PAM services alongside the new one.
        (base-pam-services))))

Note that the “arguments” field of “pam-entry” takes G-Expressions. This means that the script you want to execute could be a Guile script built using “program-file”. Alternatively, it could be a shell script built using “computed-file” or some script that is outside of the store using an absolute path.

Hope that helps!

-- Tim
Customize PAM configuration
Hello! I want to enter the user/root password only once per session. To do this, it will probably be convenient to export the password to a shell variable. For example, adding this to the PAM configuration file:

    auth sufficient pam_exec.so expose_authtok /path/to/script.sh

But how to write it in system-config.scm? Sorry, I couldn't find any examples.