KDE can be configured to support the PAM ("Pluggable Authentication
Modules") system for password checking by the screen saver kscreensaver (for
unlocking the display).

PAM is a flexible application-transparent configurable user-authentication
system found on FreeBSD, Solaris, and Linux (and maybe other unixes).

Information about PAM may be found on its homepage
http://www.kernel.org/pub/linux/libs/pam/
(Despite the location, this information is NOT Linux-specific.)


Known Solaris Issues:
--------------------

For compiling PAM support on Solaris, PAM_MESSAGE_CONST must NOT
be defined. This should now be handled automatically by the
build system.


Using PAM
---------

By default, PAM is used automatically if it is found. Use
-DWITH_PAM=FALSE to disable it.

If PAM is found, KDE usually uses the PAM service "kde". You may
override it for all KDE programs by using -DKDE4_PAM_SERVICE=<service>.

One file is provided but not installed: kde.pamd. The usual location for
that file is /etc/pam.d/. You may want to edit the definitions in it to meet
your needs; on a BSD host, for example, you may have to substitute
"pam_unix.so" with "pam_bsdauth.so". If the services are misconfigured, you
will NOT be able to unlock a locked screen!

To verify the configuration you can invoke kcheckpass directly and examine
its exit status. If it is not 0 when the correct password is entered
(provided a password is set for the user), you will have to tinker with the
configuration. kcheckpass is usually installed in /usr/libexec/kde4.
The reason for an authorization failure should be logged to /var/log/auth.log.

If there is ever any doubt about which PAM service a program was
compiled with, it can be determined by examining the PAM-generated
entries in the system log associated with kcheckpass for
authentication failures.

PAM configuration files have four types of entries for each service:

type        used by kcheckpass
----        ------------------
auth        x
account     x
password    x
session     x

There may be more than one entry of each type. Check existing PAM
configuration files and PAM documentation on your system for guidance as
to what entries to make. If you call a PAM service that is not
configured, the default action of PAM is likely to be denial of access.

Note: Screensavers typically only authenticate a user to allow him/her
to continue working. They may also renew tokens etc., where supported.
See the Linux PAM Administrators guide, which is part of the PAM
distribution, for more details.
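
One way to carry out the log check and the entry-type check described above, as an added example that is not part of the original README or the KDE sources. It assumes Linux-PAM style log lines of the form "prog[pid]: pam_unix(service:type): ..."; the function names, the sample log lines and the /etc/pam.d/kde path are assumptions.

```shell
#!/bin/sh
# Added example (not from the KDE sources). Assumes Linux-PAM style log
# lines of the form "prog[pid]: pam_module(service:type): message".

# Constructed sample log lines; addresses and user names are made up.
sample_log() {
cat <<'EOF'
Apr  1 16:12:41 host sshd[811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=alice
Apr  1 16:13:02 host kcheckpass[2190]: pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=0 tty=:0 ruser= rhost= user=alice
Apr  1 16:13:09 host kcheckpass[2194]: pam_unix(kde:auth): authentication failure; logname= uid=1000 euid=0 tty=:0 ruser= rhost= user=alice
EOF
}

# pam_services PROGRAM < LOG
# Print each PAM service name that PROGRAM appears under in the log.
pam_services() {
    sed -n "s/^.* $1\[[0-9][0-9]*\]: pam_[a-z0-9_]*(\([^:)]*\):[a-z]*).*/\1/p" |
        sort -u
}

# missing_types FILE
# Print the entry types (auth, account, password, session) that have no
# line of their own in FILE. Entries pulled in through "@include" lines
# are not followed, so check the included files separately.
missing_types() {
    for t in auth account password session; do
        grep -Eq "^-?${t}[[:space:]]" "$1" || printf '%s\n' "$t"
    done
}

# Demonstration on the constructed sample: prints "kde".
sample_log | pam_services kcheckpass

# On a real host (paths as named in this README; /etc/pam.d/kde assumes
# kde.pamd was installed under the default service name):
#   pam_services kcheckpass < /var/log/auth.log
#   missing_types /etc/pam.d/kde
```

If pam_services prints a name other than the one you configured, the binary was built with a different -DKDE4_PAM_SERVICE value and the matching file under /etc/pam.d/ is the one to fix.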