On 3/3/21 6:11 PM, Hans de Goede wrote:
Hi,
On 3/2/21 5:20 PM, Pavel Březina wrote:
On 3/2/21 4:25 PM, Ray Strode wrote:
Hi,
Ahh, okay.
On Tue, Mar 2, 2021 at 9:31 AM Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
sudo authselect select minimal
sudo authselect apply-changes
Which results in the following /etc/pam.d/fingerprint-auth file:
[hans@x1 linux]$ sudo cat /etc/pam.d/fingerprint-auth
# Generated by authselect on Tue Mar 2 15:24:53 2021
# Do not modify this file manually.
minimal profile does not support fingerprint
So it seems there are 4 profiles:
[hans@x1 ~]$ authselect list
- minimal Local users only for minimal installations
- nis Enable NIS for system authentication
- sssd Enable SSSD for system authentication (also for local users only)
- winbind Enable winbind for system authentication
What I want is a profile which uses just the good old /etc files to
avoid the overhead of running a local daemon (sssd tends to show up as
one of the top 10 wakeup sources in powertop on an idle system) and I
also don't want a config which tries to go out on the network.
So minimal seems to meet my needs; and although I personally do not
have much of a need for fingerprint auth, I don't really see why we
could not do fingerprint auth with the minimal config. I'm pretty
I'd say the answer is simple - if you go with minimal, you don't need
fingerprint. And you wrote it yourself - you don't need fingerprint
auth. Just because something can be done, does not mean it is worth to
maintain it. More info below.
sure I can manually create a pam-config where this works just fine.
I guess its in the name minimal, where as "local" might be (1) a better
That's the point - it's minimal not local, not without-sssd. The readme
explicitly says that it reserved for cases when you really care about
disk and memory footprint.
It has very limited functionality by design. If you do not want to use
SSSD, you can keep using sssd profile and just disable the service. It
will keep working. The minimal profile is there for users that also want
to remove sssd packages to safe resources, but in that case you probably
don't care about fingerprint and smartcards either.
name. Note I'm not suggesting to add another profile just for this
but it would be nice if fingerprint auth would at least be a
(default off) feature for the minimal config.
Shall I file a RFE issue for this at:
https://github.com/authselect/authselect/issues/
If you need fingerprint auth then open the ticket please - but no
promises here. If you don't need it then just don't open the ticket :-)
If you need it, you can create custom profile for now:
https://github.com/authselect/authselect/wiki/How-To:-Create-new-profile
?
Regards,
Hans
1) Might have been a better name in retrospect, but meh
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
