Mention PAM configuration in README #31
Comments
|
It probably should not be the case that PAM needs to be adjusted when installing doas. If it does require a new file/module to be installed then this is certainly something either we, or the package/port maintainer should document. Can you tell me why a new /etc/pam.d/doas file needs to be created on your system, because it's not needed on any of my test systems. |
|
Probably because your /etc/pam.d/other is set up differently than mine |
|
My "other" file pulls in the same modules yours does, though mine uses include statements rather than specifying the modules directly. |
|
In the /etc/pam.d/other file I mentioned (macOS default) nothing is going to happen because of pam_deny.so ie. there are no other conditions. Again, this is AFAIK the default in macOS (I did not modify it AFAIK). Whereas on a Linux system /etc/pam.d/other contains include statements indeed, and these common-* files contain defaults which the distribution deemed sane. TL;DR macOS by default requires additional PAM configuration to get doas(1) working. The documentation could (IMO should) mention this, as else the error the user gets is just While |
|
I can verify what happened for @jfdhuiz just happened for me. Without copying /etc/pam.d/sudo to .../doas, I only saw the "authentication failed" message whenever I used doas. For reference, I'm running macOS Mojave (10.14.6). I hadn't touched any of the pam.d config files. I did try creating a /etc/login.def before finding this solution, but it wasn't helping. |
|
As I understand it, macOS ships with sudo included, is that correct? If so then we can probably just add a comment to the README file which says the following command needs to be run at install time: |
|
You are correct that sudo comes with macOS. I think your recommendation of including that line in the README would work great. (correcting the comma in |
|
I have added this command (without the typo this time) to the README file with a brief note explaining why the PAM sudo file needs to be copied. Thank you both for helping get this sorted out. |
My bad, I shouldn't mentioned the OS version I encountered the problem on: macOS Catalina (10.15.3). Thank you for the fix. |
|
Hello! This may be clossed but I noticed this behavior on Fedora 33 as well, the same command fixed it. |
|
I have added the PAM set up instructions under the Linux section for distros which don't automatically work with doas. |
I've decided I need a sudo replacement.
I was delighted to learn doas works perfectly fine on macOS, including authentication via smartcard, thank you. Just one thing: out of the box, it only worked with nopass. I figured I had to configure /etc/pam.d/doas (I copied the contents of /etc/pam.d/sudo). I feel like this could be added in README.md
I'm unable (probably due to SIP) to chmod setuid away on /usr/bin/sudo but I've been able to clear /etc/sudoers
I also added an alias in my ~/.config/fish/fish.config which is synced to different machines:
test (type doas 2>/dev/null); and alias sudo='doas'
In .bash_profile I went with (this would've worked in Fish as well if && is replaced with ; and)
which -s doas && alias sudo=doas
The idea here is that if doas is installed, it is configured, and sudo is aliased to doas. This is obviously not true the moment you install it, so if you use this alias at that point you need to use your current shell to configure /usr/local/etc/doas.conf, or alternative you need to call /usr/bin/sudo to configure /usr/local/etc/doas.conf (paths might differ per OS, YMMV).
The text was updated successfully, but these errors were encountered: