Configure PAM to not show native authentication UI

kpa
Community Member

I use 1Password as my ssh-agent (on Mac) and want to do the same on my Ubuntu machine. It works but it insists on showing me UI which I can't do anything with when I'm ssh'ed into the machine. 1Password is using polkit and pam to manage this but I can't for the life of me figure out why 1Password insists on showing UI when things like sudo can be done from the command line (and thus over SSH).

How can I configure PAM/1Password so it asks for the password on the command line instead of the Ubuntu UI?


1Password Version: 8.10.0
Extension Version: Not Provided
OS Version: Ubuntu 20.04.5 LTS
Browser: Firefox

Comments

  • RogueScholar
    Community Member

    Hi @kpa,

    I only needed to do this a couple times in the past so I can't be certain that I'm remembering every step precisely, but I can at least tell you that the solution you seek almost certainly involves the use of [pkttyagent](https://polkit.pages.freedesktop.org/polkit/pkttyagent.1.html) to supply the credentials to polkitd. As I recall, my trick was to invoke any commands that needed elevated privileges using tmux (screen would work, too) to provide me with multiple concurrent shells on the same host. This would allow me to call the original command that needed elevated privileges in one instance (as in the case of `pkexec mc . .; echo $$` for launching Midnight Commander with both panes showing `"${PWD}"` as root) where the `echo $$` took care of giving me the PID (process ID number) as its output, which I was then able to pass to `pkttyagent` as an argument following the `--process` flag in another tmux shell.

    It wouldn't surprise me if you were able to accomplish all this in just your plain SSH session with just a Ctrl-Z to background the first process (which conveniently also solves the PID problem, at least on Bash and Z Shell, as they display the PID automatically whenever a process is backgrounded), do your thing with `pkttyagent`, then just call the original process back with the `fg` command once the authentication is successful, but I never got around to trying it myself. Just now while typing this it also occurred to me that Nelson Elhage's reptyr project might be of some assistance for things of this nature, but that's just me spitballing now.

    I'm not saying this is a great workflow or something we should aspire to, but having faced the same issue that you describe, I felt like offering my kludgy hack might be some small comfort until a better one presents itself. Best of luck to you in all your endeavors. 👍

This discussion has been closed.
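
The `pkttyagent --process <PID>` step from the reply above, folded into a single SSH session, as an added example that is not part of the original thread or of 1Password's documentation. The helper name `run_with_tty_agent` is hypothetical; the sketch assumes polkit's `pkttyagent` is installed and that the file is run as a script, so the backgrounded agent stays in the terminal's foreground process group and can prompt on the tty. The thread does not confirm that 1Password's own prompt is routed to an agent registered this way.

```shell
#!/bin/sh
# Added example (not from the thread): run one command while a textual polkit
# agent is registered for this shell, so polkit prompts on the terminal.
# run_with_tty_agent is a hypothetical helper name.
# Usage inside a script:  run_with_tty_agent pkexec mc . .

run_with_tty_agent() {
    [ "$#" -gt 0 ] || { echo "usage: run_with_tty_agent CMD [ARGS...]" >&2; return 2; }
    command -v pkttyagent >/dev/null 2>&1 || { echo "pkttyagent not found" >&2; return 127; }

    # Private FIFO used only to learn when the agent has registered.
    rta_dir=$(mktemp -d) || return 1
    rta_fifo="$rta_dir/registered"
    mkfifo -m 600 "$rta_fifo" || { rm -rf "$rta_dir"; return 1; }

    # Register the agent for this shell's PID ($$). pkttyagent closes the
    # descriptor named by --notify-fd once it has registered with polkitd.
    pkttyagent --process "$$" --notify-fd 3 3>"$rta_fifo" &
    rta_agent=$!

    # cat returns at EOF, i.e. when the write end is closed: the agent has
    # registered (or has exited). This avoids racing the command against it.
    cat "$rta_fifo" >/dev/null
    rm -rf "$rta_dir"

    # Run the command that triggers the polkit check, keeping its exit status.
    rta_status=0
    "$@" || rta_status=$?

    # Unregister by stopping the agent, so it does not outlive the command.
    kill "$rta_agent" 2>/dev/null || true
    wait "$rta_agent" 2>/dev/null || true
    return "$rta_status"
}
```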