After trying to educate myself on how to use the PAM module properly together with pam_unix still present, I think this is probably the way:
- Invoke pam_glome with a "prompt" option. This should use pam_set_data to store the ephemeral key and output the GLOME challenge.
- Let pam_unix do its thing and fail if the password is incorrect.
- Invoke pam_glome again, let it discover the prior context and check the authcode.
We might also want to support a "quiet" option to not print errors - however, in this setup I suspect printing anything about the authcode is actually fine.