PAM (Pluggable Authentication Modules)
Control arguments
- sufficient
- if true, return true
- if false, continue
- requisite
- if true, continue
- if false, return false
- required
- if true, continue
- if false, continue but always return false
Automatically Change Keyring Password with User Password
See Arch Linux wiki.
In /etc/pam.d/passwd
append the following line:
password optional pam_gnome_keyring.so
Remove Delay After Failed Authentication in Sudo
Add the nodelay
option in /etc/security/faillock.conf
on its own line.
This enables that the nodelay
option of the pam_unix.so
module is actually respected.
In /etc/pam.d/sudo
replace the line
auth include system-auth
with the lines referring to auth
(a PAM stack) found the /etc/pam.d/system-auth
file.
Then add the nodelay
option for the pam_unix.so
module.
The content of /etc/pam.d/sudo
should be the following.
#%PAM-1.0
auth required pam_faillock.so preauth
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok nodelay
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# other already existing lines not referring to type auth
account include system-auth
session include system-auth
That's it.
Why not add the nodelay
option in /etc/pam.d/system-auth
?
Because all other modules that delegate to that /etc/pam.d/system-auth
file would inherit the nodelay
option as well.
This is not what we want.
For instance, the sshd
service also delegates to the system-auth
file and would therefore inherit that behaviour.
We want to keep the change concisely where we want it to be: only applied to the sudo
program.