[arch-general] System-wide PAM alternative auths methods with different users

Max Gautier mg+archlinux at max.gautier.name
Wed Jul 13 15:26:46 UTC 2022


On Wed, Jul 13, 2022 at 05:00:10PM +0200, Max Gautier wrote:
Hi everyone.

I recently set up PAM authentication using some Yubikeys and was wondering
how to integrate it into all PAM-based applications (screenlocker, polkit,
sudo, login, etc.) without forcing its use for all users.
The wiki describes how to set up yubikey or fprintd with sufficient, but
not a general way.

After reading `man pam.d`, this is what I would go for:

in /etc/pam.d/system-auth:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
# success=N jumps over the next N auth lines; default=ignore lets a user with
# nothing enrolled for that module fall through to the next method.
auth       [success=4 default=ignore]  pam_fprintd.so       # addition: fingerprint; success lands on pam_permit
auth       [success=3 default=ignore]  pam_u2f.so cue       # addition: U2F key; success lands on pam_permit (cue is a pam_u2f option, not pam_fprintd's)
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

... (skipped rest of the file)


If I understand correctly, success=n makes PAM skip the n following
modules, so this would allow a user not having any enrolled fingerprint
or configured Yubikeys to authenticate normally with their password.
And users with those will be able to use them to authenticate.

Is this the correct approach?

Thanks!

-- 
Max Gautier


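The control-field semantics the post relies on, as an added example that is not part of the original message: a small Python model of how libpam walks an auth stack (success=N jumps, ok/bad/die/ignore, the "-" prefix), run over the stack posted above with the cue argument on pam_u2f.so, the module whose option it is. The module return values in each scenario are constructed assumptions (for example pam_fprintd reporting PAM_AUTHINFO_UNAVAIL for a user with no enrolled finger, pam_u2f reporting PAM_USER_UNKNOWN for a user with no registered key), not observed output, and include/substack lines are not modelled.

```python
# Model of how libpam evaluates an auth stack (pam.conf(5) control fields).
# Added example; the module return values in each scenario are constructed.
# Keyword controls as their bracket equivalents, from pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
MUST_FAIL = "perm_denied"  # libpam's PAM_MUST_FAIL_CODE is PAM_PERM_DENIED

# The auth lines posted above, with "cue" moved to pam_u2f.so, the module that accepts it.
POSTED_STACK = """
auth       required                    pam_faillock.so      preauth
auth       [success=4 default=ignore]  pam_fprintd.so
auth       [success=3 default=ignore]  pam_u2f.so cue
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
"""


def parse_stack(text, service_type="auth"):
    """Return [(key, module, actions, tolerant)] for the lines of service_type.
    key is "module args..." so the three pam_faillock lines stay distinct; actions
    maps a return value to ok/done/bad/die/ignore or an int (lines to jump over)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.lstrip("-").split(None, 1)
        if mtype != service_type:
            continue
        if rest.startswith("["):
            control, rest = rest[1:].split("]", 1)
        else:
            control, rest = rest.split(None, 1)
            control = KEYWORDS[control]  # include/substack are not modelled
        actions = {"default": "bad"}  # unlisted values are bad unless default= says otherwise
        for pair in control.split():
            value, action = pair.split("=")
            actions[value] = int(action) if action.isdigit() else action
        words = rest.split()
        stack.append((" ".join(words), words[0], actions, line.startswith("-")))
    return stack


def run_stack(stack, outcomes, missing=frozenset()):
    """Walk the stack the way libpam's _pam_dispatch_aux does; return (final status,
    keys of the modules actually called). outcomes maps a key or bare module name to
    that module's return value here (unlisted modules return "success"). A module in
    `missing` cannot be loaded: libpam then uses PAM_MODULE_UNKNOWN as its return
    value and the leading "-" only silences the log line, so the control field
    decides what an absent module means."""
    impression, status, skip, called = None, MUST_FAIL, 0, []
    for key, module, actions, _tolerant in stack:
        if skip:
            skip -= 1  # jumped over by an earlier success=N
            continue
        if module in missing:
            retval = "module_unknown"
        else:
            retval = outcomes.get(key, outcomes.get(module, "success"))
            called.append(key)
        action = actions.get(retval, actions["default"])
        if isinstance(action, int) or action in ("ok", "done"):
            # ok/done/N: the result counts only while no module has failed yet
            if impression is None or (impression and status == "success"):
                if retval != "ignore":
                    impression, status = True, retval
            if isinstance(action, int):
                skip = action
            elif action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:  # the first failure fixes the final status
                impression = False
                status = MUST_FAIL if retval == "ignore" else retval
            if action == "die":
                break
        # "ignore": the module's result leaves the running status untouched
    return (status if impression is not None else MUST_FAIL), called


def demo():
    """Four constructed scenarios for the posted stack, pam_systemd_home.so absent."""
    stack = parse_stack(POSTED_STACK)
    plain = {"pam_fprintd.so": "authinfo_unavail",  # nothing enrolled
             "pam_u2f.so": "user_unknown"}          # no registered key
    absent = {"pam_systemd_home.so"}
    return {
        "password only":  run_stack(stack, plain, absent),
        "key touched":    run_stack(stack, {**plain, "pam_u2f.so": "success"}, absent),
        "wrong password": run_stack(stack, {**plain, "pam_unix.so": "auth_err",
                                            "pam_faillock.so authfail": "auth_err"}, absent),
        "account locked": run_stack(stack, {**plain, "pam_faillock.so preauth": "auth_err"}, absent),
    }


if __name__ == "__main__":
    for name, (status, called) in demo().items():
        print(f"{name:15} -> {status:9} via {' '.join(k.split()[0] for k in called)}")
```

Running it shows the password-only user reaching pam_unix and then jumping over pam_faillock authfail to pam_permit, the key holder landing on pam_permit without pam_unix ever being called, and a wrong password stopping at authfail before pam_permit. The "account locked" case illustrates the comment in the file: with required, a locked user is still asked for a password and is refused afterwards, whereas requisite would stop at preauth. The jump that lets pam_u2f skip the password fires for any success return in that slot, so an option that makes a module succeed for users with nothing enrolled (pam_u2f's nouserok, as I understand it, does this for users without a registered key) must not be combined with success=3 here.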