pam_keyring and multiple auth modules

In the article about Password Hell, I’ve explained how to set up your Linux machine to use just your login password to get access to all your resources.

Unfortunately this does not work with multiple PAM auth modules, e.g. pam_ldap, pam_kerberos etc. These modules need to break the authentication stack with success (using the ’sufficient’ directive) as soon as they authenticate the user against the mechanism they support. This leads to the pam_keyring module being skipped during the login process.

The solution is unfortunately not very obvious or straightforward. We are unable to achieve it using the classic PAM file syntax and need to use the modern, more flexible one. I will not dive into the details of the bracket syntax here; please refer to ‘man pam’ if you want them.

The working (for pam_ldap) files are as follows:

/etc/pam.d/common-auth

auth    required        pam_env.so
auth    [success=2 default=ignore]      pam_unix.so likeauth nullok shadow
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    required        pam_deny.so
auth    optional        pam_permit.so

Please notice the last pam_permit line: we need a target for the jumps from the previous lines to land on.

/etc/pam.d/common-session

session required        pam_limits.so
session [success=1 default=ignore]      pam_ldap.so
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0066
session optional        pam_lastlog.so
session optional        pam_foreground.so

This should give you a hint on how to set up authenticators other than pam_ldap.
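To see why a stack built from ‘sufficient’ lines never reaches a module placed after the authenticators, while the bracket stack above always lands on its jump target, here is a small simulator of Linux-PAM’s auth-stack control flow (an added example, not code from this post or from Linux-PAM; the CLASSIC stack and the per-module outcomes are constructed, and only the actions the two stacks use are modelled).

```python
import re
# Constructed stacks: CLASSIC uses 'sufficient' (skips pam_keyring); BRACKET is the post's common-auth.
CLASSIC = """\
auth    sufficient  pam_unix.so likeauth nullok shadow
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
auth    optional    pam_keyring.so try_first_pass
"""
BRACKET = """\
auth    required    pam_env.so
auth    [success=2 default=ignore]  pam_unix.so likeauth nullok shadow
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
auth    required    pam_deny.so
auth    optional    pam_permit.so
"""
KEYWORDS = {"required": {"success": "ok", "default": "bad"},  # pam.conf(5)
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}
LINE = re.compile(r"^\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_control(ctrl):
    """Map a control field to {return_value: action}; reject malformed fields."""
    if ctrl in KEYWORDS:
        return KEYWORDS[ctrl]
    actions = dict(t.partition("=")[::2] for t in ctrl.strip("[]").split())
    if any(not (a.isdigit() or a in ("ok", "bad", "done", "ignore")) for a in actions.values()):
        raise ValueError("malformed control field %s" % ctrl)
    return actions

def parse_stack(text):
    return [(parse_control(m.group(1)), m.group(2))
            for m in map(LINE.match, text.splitlines()) if m]

def run_stack(stack, outcome):
    """Walk a stack with per-module outcomes; return (authenticated, called)."""
    called, verdict, i = [], None, 0
    while i < len(stack):
        actions, module = stack[i]
        called.append(module)
        ok = outcome.get(module, module != "pam_deny.so")  # unlisted succeed
        action = actions["success"] if ok else actions.get("default", "bad")
        if action == "done":                   # 'sufficient' success: stop now
            return verdict is not False, called
        if action == "bad":
            verdict = False
        elif action != "ignore" and verdict is None:
            verdict = True                     # 'ok' and success=N both count as ok
        i += 1 + (int(action) if action.isdigit() else 0)  # success=N skips N
    return bool(verdict), called
```

In the CLASSIC stack pam_keyring is only reached when both authenticators fail, while in the bracket stack every successful path ends on pam_permit, which is why that last line has to exist as a jump target; the parser also rejects the bracket field when the space between success=N and default=ignore is missing.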
