No, it doesn't work. If so, only until reboot, while the changes have not been reloaded. Encryption unwrapping does not work as soon as there is any other PAM module inserted, for me. After removing sss and krb5, e.g., only having ecryptfs activated via pam-config works. It doesn't matter in which order I activate the modules with pam-config.
This is how it looks when "working":
common-account
account required pam_unix.so try_first_pass

common-auth
auth required pam_env.so
auth required pam_unix.so try_first_pass
auth required pam_ecryptfs.so unwrap

common-password
password requisite pam_cracklib.so
password required pam_unix.so use_authtok nullok shadow try_first_pass

common-session
session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_ecryptfs.so unwrap
session optional pam_env.so
After "pam-config -a --sss":

account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth required pam_ecryptfs.so unwrap
auth required pam_sss.so use_first_pass

password requisite pam_cracklib.so
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password required pam_sss.so use_authtok

session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session optional pam_umask.so
session optional pam_ecryptfs.so unwrap
session optional pam_env.so
This is not working: encryption of home is not done any more at login, leaving me stuck with a quite empty home until doing "ecryptfs-mount-private" by hand.
I have played around with those files (knowing that they will be overwritten), but I have not found a way to make it work like this:
- First, try sssd user auth
- If the user is known to sssd, take the password and pass it to ecryptfs for unwrapping
- If the sssd account fails, take the local account
- If this is working, pass the password to ecryptfs
- If none of those are working -> deny
Can you tell me how those files should look? If we figure that out, I may open an issue and do a push in pam-config to get this working automagically. I can do so on GitHub and have already compiled it.
It's just me not knowing how to set up PAM the right way. Any docs I have found are not for openSUSE and do not work as described.
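As an added illustration (not part of the post above, and not code from pam-config or openSUSE), the following Python model walks a Linux-PAM "auth" stack the way pam.conf(5) describes the control keywords: `required`, `requisite`, `sufficient`, `optional`, and the bracketed `[success=N default=ignore]` form. It is run over the two auth stacks quoted in the post and over one candidate stack for the flow the post asks for (sssd first, then the local account, ecryptfs after whichever succeeds, otherwise deny). The candidate stack, the `forward_pass` option on pam_sss, and the per-module outcomes for a "local user", an "sssd user" and an "unknown user" are assumptions for this example, not a tested openSUSE configuration; module options are ignored and each module is modelled as simply succeeding or failing. The point the model makes visible is that a `sufficient` module which succeeds ends the stack immediately, so every module listed after it, including pam_ecryptfs, is never called.

```python
"""Toy model of Linux-PAM 'auth' stack evaluation (see pam.conf(5)).

The classic keywords are shorthand for action tables; only the 'success'
and 'default' entries matter here because each module is modelled as a
plain True/False outcome.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    control: str   # keyword or bracketed form, e.g. "[success=1 default=ignore]"
    module: str    # e.g. "pam_unix.so"


KEYWORD_ACTIONS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_auth_stack(text):
    """Return the 'auth' rules of a PAM config fragment, in file order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "auth":
            continue
        if parts[1].startswith("["):                 # bracketed control field
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, module = " ".join(parts[1:end + 1]), parts[end + 1]
        else:
            control, module = parts[1], parts[2]
        rules.append(Rule(control, module))
    return rules


def actions_for(control):
    if control.startswith("["):
        return dict(kv.split("=") for kv in control.strip("[]").split())
    return KEYWORD_ACTIONS[control]


def run_auth_stack(rules, outcome):
    """Walk the stack. `outcome` maps module -> True/False; modules not listed
    (pam_env, pam_ecryptfs) are assumed to succeed.
    Returns (stack_succeeds, list_of_modules_actually_invoked)."""
    invoked, succeeded, failed, i = [], False, False, 0
    while i < len(rules):
        rule = rules[i]
        invoked.append(rule.module)
        ok = outcome.get(rule.module, True)
        # Unlisted return codes are treated as 'bad' in this simplified model.
        action = actions_for(rule.control).get("success" if ok else "default", "bad")
        if action == "ignore":
            pass                                      # no effect on the result
        elif action in ("bad", "die"):
            failed = True                             # first failure wins
            if action == "die":
                break                                 # requisite: stop at once
        else:                                         # "ok", "done", or integer N
            if not ok:
                failed = True
            elif not failed:
                succeeded = True
            if action == "done" and succeeded and not failed:
                break                                 # sufficient: return now
            if action.isdigit():                      # N: like ok, then skip N modules
                i += int(action)
        i += 1
    return succeeded and not failed, invoked


def evaluate(stack_text, outcome):
    return run_auth_stack(parse_auth_stack(stack_text), outcome)


# The two auth stacks quoted in the post.
STACK_WORKING = """
auth required pam_env.so
auth required pam_unix.so try_first_pass
auth required pam_ecryptfs.so unwrap
"""
STACK_AFTER_SSS = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth required pam_ecryptfs.so unwrap
auth required pam_sss.so use_first_pass
"""
# Candidate stack for the requested flow (an assumption, not a tested config):
# pam_sss first; on success jump over pam_unix; otherwise pam_unix must succeed
# (requisite); pam_ecryptfs runs last either way. forward_pass is the pam_sss
# option that leaves the typed password on the stack for later modules.
STACK_CANDIDATE = """
auth required pam_env.so
auth [success=1 default=ignore] pam_sss.so forward_pass
auth requisite pam_unix.so try_first_pass
auth optional pam_ecryptfs.so unwrap
"""

# Constructed scenarios: which backend knows the user.
LOCAL_USER = {"pam_sss.so": False, "pam_unix.so": True}
SSS_USER = {"pam_sss.so": True, "pam_unix.so": False}
UNKNOWN_USER = {"pam_sss.so": False, "pam_unix.so": False}

if __name__ == "__main__":
    for name, stack in (("working", STACK_WORKING), ("after --sss", STACK_AFTER_SSS),
                        ("candidate", STACK_CANDIDATE)):
        for who, outcome in (("local", LOCAL_USER), ("sss", SSS_USER), ("unknown", UNKNOWN_USER)):
            result, trace = evaluate(stack, outcome)
            print(f"{name:12} {who:8} -> {'allow' if result else 'deny':5} ran: {' '.join(trace)}")
```

Running it prints, for the "after --sss" stack and a local user, that only pam_env and pam_unix are invoked before the stack returns success, while the "working" stack and the candidate stack both reach pam_ecryptfs; the candidate stack denies an unknown user at pam_unix without ever reaching pam_ecryptfs.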