[RFE] Allow to set pam_u2f arguments in configuration file #265
Currently, pam_u2f reads all parameters from the PAM configuration. Those options that do not affect the behavior of the PAM stack itself but only affect pam_u2f's internal behavior (such as *verification) should be readable from a configuration file so the PAM stack does not have to be changed.
This is relevant for authselect: authselect/authselect#297
Comments
Thanks for the RFE! Could you elaborate on the end goal? The options that you mention alter the way pam-u2f authenticates a user (e.g. by verifying a PIN or through built-in user verification such as biometrics). Having these options in the PAM service configuration makes it possible for a system administrator to set different requirements for different services.
Fedora/RHEL uses authselect to configure system authentication in /etc/pam.d/system-auth (and a few other files) that is included by individual PAM services. Authselect provides functionality to modify the default configuration to the user's needs; however, if possible, we tend to stick to only the minimum number of parameters that are necessary to make the module work correctly in the given PAM stack and push the rest of the options to the module's individual configuration file. For example, pam_faillock has … Lots of modules already support reading defaults from configuration. Meaning, the value from the PAM configuration takes precedence, but if it is missing it uses the value from a configuration file. This helps authselect to focus on the important stuff (making the module work) and leaves specific configuration to users and module authors. Does this answer your question?
Yes, thank you for the clarification! Being able to configure the module's default options using a separate configuration file while allowing the same options to be overridden by the PAM service configuration does sound sensible to me. PRs are welcome!
Hi, I have another request to include an option that looks like it should be present in the configuration files instead of the PAM stack. Do you have any plans to work on this ticket, or is it not a priority for you and an external contribution is required? Thank you.
I would be interested in implementing this, though before starting it would be nice to know what format the config file should be in, and where it should reside/be read from.
Hi, I have not had time to take a close look yet. We welcome any contributions towards this feature! For consistency with other modules, I'd suggest that we aim for something along the lines of:
We'll evidently have to be quite careful with reading this file; ensuring proper file permissions, ownership, etc. At some point we might want to consider enabling the system administrator to further harden the configuration by adding another argument that e.g. specifies the expected sha256sum (or similar) of the expected file. Does this sound sensible? Thank you! Ludvig.
That's exactly the information I was interested in having confirmed, thank you. I'll get to work on hacking on this when I get the time :)
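The two things the thread converges on are the precedence rule (a value given in the PAM service configuration wins; the configuration file only fills in what the stack left unset) and the care needed when reading such a file (ownership, permissions, no symlink games). The following is an added example of both, not pam-u2f project code: the `u2f_opts` struct with two options, the function names, and the `key = value` file format with `#` comments are assumptions for illustration, and the optional sha256sum check mentioned above is not implemented here.

```c
/* Added example (not pam-u2f code): module defaults from a configuration
 * file, PAM service arguments taking precedence, with file-trust checks.
 * Option names, struct and file format are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define OPT_UNSET (-1)

/* Hypothetical subset of the module's options: -1 = not set, 0 = off, 1 = on. */
typedef struct {
    int userverification;
    int pinverification;
} u2f_opts;

void opts_init(u2f_opts *o) {
    o->userverification = OPT_UNSET;
    o->pinverification = OPT_UNSET;
}

static int parse_bool(const char *v) {
    if (!strcmp(v, "1") || !strcmp(v, "true") || !strcmp(v, "yes")) return 1;
    if (!strcmp(v, "0") || !strcmp(v, "false") || !strcmp(v, "no")) return 0;
    return -1; /* not a boolean */
}

/* Apply one key=value pair. With fill_only set, an option that already has a
 * value (from the PAM stack) is left alone: that is the precedence rule.
 * Returns 1 if a value was stored, 0 if ignored, -1 on a bad value. */
static int opts_set(u2f_opts *o, const char *key, const char *val, int fill_only) {
    int *slot, b;
    if (!strcmp(key, "userverification")) slot = &o->userverification;
    else if (!strcmp(key, "pinverification")) slot = &o->pinverification;
    else return 0; /* unknown keys ignored here; a real module would log them */
    if ((b = parse_bool(val)) < 0) return -1;
    if (fill_only && *slot != OPT_UNSET) return 0;
    *slot = b;
    return 1;
}

/* PAM service arguments such as {"cue", "userverification=1"}; these always
 * win. Arguments without '=' (plain flags) are not handled in this example. */
int opts_from_pam_args(u2f_opts *o, int argc, const char **argv) {
    for (int i = 0; i < argc; i++) {
        const char *eq = strchr(argv[i], '=');
        size_t klen = eq ? (size_t)(eq - argv[i]) : 0;
        char key[64];
        if (!eq || klen >= sizeof key) continue;
        memcpy(key, argv[i], klen);
        key[klen] = '\0';
        if (opts_set(o, key, eq + 1, 0) < 0) return -1;
    }
    return 0;
}

static char *trim(char *s) {
    char *e;
    while (isspace((unsigned char)*s)) s++;
    e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* A configuration file is trusted only if it is a regular file owned by
 * expected_owner (root in production) and writable by nobody else. */
int config_fd_trusted(int fd, uid_t expected_owner) {
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != expected_owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Fill options still unset after the PAM arguments from a key=value file.
 * Returns the number of options filled, or -1 on a parse error or an
 * untrusted file. A missing file is not an error: built-in defaults apply.
 * O_NOFOLLOW refuses a symlink in place of the file, and checks run on the
 * opened descriptor, so the path cannot be swapped after the checks. */
int opts_fill_from_file(u2f_opts *o, const char *path, uid_t expected_owner) {
    char line[256];
    int filled = 0, rc = 0;
    FILE *f;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return errno == ENOENT ? 0 : -1;
    if (!config_fd_trusted(fd, expected_owner) || !(f = fdopen(fd, "r"))) {
        close(fd);
        return -1;
    }
    while (fgets(line, sizeof line, f)) {
        char *s, *eq;
        if (!strchr(line, '\n') && !feof(f)) { rc = -1; break; } /* over-long line */
        s = trim(line);
        if (*s == '\0' || *s == '#') continue;
        if (!(eq = strchr(s, '='))) { rc = -1; break; }
        *eq = '\0';
        if ((rc = opts_set(o, trim(s), trim(eq + 1), 1)) < 0) break;
        filled += rc;
    }
    fclose(f);
    return rc < 0 ? -1 : filled;
}
```

Usage in a module would be `opts_init`, then `opts_from_pam_args` with the service's argv, then `opts_fill_from_file(&o, "/etc/security/pam_u2f.conf", 0)` (the path is an assumption; `0` is the required owner), and finally the module's own built-in defaults for anything still `OPT_UNSET`. The file checks are done on the file descriptor after `open`, not on the path beforehand, which closes the usual check-then-open race.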