fix: PAM on Debian, enable use_first_pass by default (#3326)

Since we use Debian's PAM autoconf, pam_unix isn't disabled and remains active. This means pam_unix triggers first and pam_kanidm should use the password it already tried to match to a local user. This change also moves the postinst hook for PAM config correctly to the libpam-kanidm package, since that's the one that delivers the config that needs a reinstall!
2025-02-23 04:27:02 +01:00 · 2025-01-01 00:40:14 +02:00 · 2025-01-01 00:40:14 +02:00 · 3f47d7f008
parent 3ce4e0ff87
commit 3f47d7f008
4 changed files with 32 additions and 3 deletions
--- a/unix_integration/pam_kanidm/Cargo.toml
+++ b/unix_integration/pam_kanidm/Cargo.toml
@ -35,6 +35,7 @@ maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
 depends = ["libc6", "libpam0g"]
 section = "network"
 priority = "optional"
+maintainer-scripts = "debian/"
 assets = [
 	# Empty on purpose
 ]
--- a/unix_integration/pam_kanidm/debian/kanidm.pam
+++ b/unix_integration/pam_kanidm/debian/kanidm.pam
@ -4,7 +4,7 @@ Priority: 128

 Auth-Type: Primary
 Auth:
-  [success=end new_authtok_reqd=done default=ignore]    pam_kanidm.so ignore_unknown_user
+  [success=end new_authtok_reqd=done default=ignore]    pam_kanidm.so ignore_unknown_user use_first_pass

 Account-Type: Primary
 Account:
--- a/unix_integration/pam_kanidm/debian/postinst
+++ b/unix_integration/pam_kanidm/debian/postinst
@ -0,0 +1,29 @@
+#!/bin/sh
+# postinst script for libpam-kanidm
+#
+# see: dh_installdeb(1)
+
+set -e
+
+
+case "$1" in
+    configure)
+        echo "Updating PAM configuration"
+        pam-auth-update --package
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- a/unix_integration/resolver/debian/postinst
+++ b/unix_integration/resolver/debian/postinst
@ -8,13 +8,12 @@ set -e

 case "$1" in
    configure)
-        pam-auth-update --package
        echo "============================="
        echo "Thanks for installing Kanidm!"
        echo "============================="
        echo "Please ensure you modify the configuration files at /etc/kanidm/unixd and /etc/kanidm/config"
        echo "Full examples are in /usr/share/kanidm-unixd/"
-        echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
+        echo "PAM has already been autoconfigured by the libpam-kanidm package. To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)