Enable configuration via pam-auth-update #6

gdevenyi opened this issue Jan 21, 2019 · 4 comments
@gdevenyi

This implementation has it set up:
https://github.com/nonamed01/pam_havebeenpwned

@skx
Owner

skx commented Jan 22, 2019

It looks like a simple matter of dropping a configuration-file beneath /usr/share/pam-configs/.

I guess if I need to install the module, and a config-file, I'll need to rework the instructions. Such that there is:

  make
  make test
  make install

Rather than just copying the .so file into place.

Good suggestion though, thank you. I'll take care of it over the next few days.

@skx skx self-assigned this Jan 22, 2019
@skx
Owner

skx commented Jan 29, 2019

I didn't find time to look at this yet, but will do over the coming weekend I hope!

@gdevenyi
Author

gdevenyi commented Feb 5, 2019

In no rush, I can handle the "old" way, just a suggestion to streamline usage :)

@skx
Owner

skx commented Feb 12, 2019

I spent an hour or two experimenting with this over the weekend.

Taking the example file from the repository you linked to, with the minimum required edits (mostly changing the name of the module, and the options) then running pam-auth-update did stuff. But it didn't do what I wanted - instead of enabling the module only for sudo it enabled/disabled it globally. And when it was enabled globally it actually stopped working. syslog would log "password leaked" but logins would still be permitted.

So I looked at the module's code - and they use pam_sm_chauthtok rather than the PAM function I use, pam_sm_authenticate. That's because their module only works on password-change events. It could be that I need to use a different (PAM) callback though.

So this bug now becomes:

  • Work, globally, rather than per-service. If necessary using a different PAM callback function.
  • Then update to use pam-config.

Now I'm invested and see the difference, I should be able to manage it more promptly.
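
An added example, not code from this thread or from either project: pam-auth-update writes each section of a profile into the shared /etc/pam.d/common-* files, so an enabled profile applies to every service that includes them, and each section drives a different module callback. The script maps a profile's sections to the stack and callback they use; the module name pam_example_pwned.so and the profile contents are hypothetical.

```shell
#!/bin/sh
# Added example: names and values below are hypothetical, not the project's own.
# Maps each section of a pam-auth-update profile to the common-* file it is
# written into and the module callback PAM invokes from that stack.

# Write a constructed profile for a hypothetical module pam_example_pwned.so.
# An "Auth:" section lands in common-auth, where PAM calls pam_sm_authenticate.
write_sample_profile() {
    cat > "$1" <<'EOF'
Name: Example breached-password check (constructed sample)
Default: no
Priority: 0
Auth-Type: Additional
Auth:
	required	pam_example_pwned.so
EOF
}

# Print "<section> <common file> <callback>" for every stack the profile touches.
# Only bare section headers match; "Auth-Type:" and module lines do not.
profile_callbacks() {
    awk -F: '
        $1 == "Auth"     { print "Auth common-auth pam_sm_authenticate" }
        $1 == "Account"  { print "Account common-account pam_sm_acct_mgmt" }
        $1 == "Password" { print "Password common-password pam_sm_chauthtok" }
        $1 == "Session"  { print "Session common-session pam_sm_open_session" }
    ' "$1"
}

# List callbacks the profile needs that the shared object ($2) does not export.
missing_callbacks() {
    profile_callbacks "$1" | while read -r _ _ cb; do
        nm -D --defined-only "$2" | grep -qw "$cb" || echo "$cb"
    done
}

# Demonstration on the constructed profile.
tmp=$(mktemp) && write_sample_profile "$tmp" && profile_callbacks "$tmp"
rm -f "$tmp"
```

A profile copied from a password-change module carries a `Password:` section; checking it with `missing_callbacks` against a module that only exports `pam_sm_authenticate` reports `pam_sm_chauthtok` as missing.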
