Add config option to call pam_acct_mgmt #691
Comments
|
To me it just doesn't make any sense to do account validation as a lock-screen app. Also the user is already logged in when they launch hyprlock and therefore their account must be valid. It would be trivial to write a pam module that disallows authentication based on the current time. I would also be ok with calling pam_acct_mgmt behind an option in hyprlock, but I think it just wouldn't make a lot of sense and it is similar amount of work to just implement a custom pam_time module. |
|
well, from the pam.d man page, an auth module "establishes that the user is who they claim to be" and an account module "is typically used to restrict/permit access to a service". pam_time is clearly the latter. in general i don't know why you'd want to prevent a user from logging on, but don't want to deny access to the computer if something changes after logon? it's true that it would be odd to deny unlocking for max password age, since hyprlock doesn't have any facility to let the user change their password, but someone who has that enabled and turns account checks on in their hyprlock config presumably either wants that or can turn that off in pam.d. not opposed to running my own pam_time but it seems more flexible to use the pam features that already exist |
Description
I'd like to limit when I'm allowed to unlock my computer using pam_time. Because pam_time only offers an account module type, and hyprlock never calls pam_acct_mgmt(), pam_time can't be checked. Currently I just log out and the login shell uses pam_time, but this isn't ideal since it means closing all my applications.
The text was updated successfully, but these errors were encountered: