“Step 2. Configuring Fedora template to prompt Dom0 for any authorization request” no longer works in the Fedora Core 39 template, because RedHat now has user authentication managed by the authselect utility - so now /etc/pam.d/system-auth is a symlink to /etc/authselect/system-auth, automatically generated by authselect.
Ways to deal with it:
- Either create a custom authselect profile with our auth policy:
[root@fedora-39-x64]# authselect create-profile sudo-dom0-prompt --base-on=sssd --symlink-meta --symlink-pam
[root@fedora-39-x64]# mv /etc/authselect/custom/sudo-dom0-prompt/system-auth /etc/authselect/custom/sudo-dom0-prompt/system-auth.original_aside
[root@fedora-39-x64]# cp /etc/authselect/system-auth /etc/authselect/custom/sudo-dom0-prompt
Now edit /etc/authselect/custom/sudo-dom0-prompt/system-auth, replace all lines beginning with “auth” with these lines:
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth requisite pam_deny.so
auth required pam_permit.so
Then select new profile:
[root@fedora-39-x64]# authselect select custom/sudo-dom0-prompt
(Optional) Check that /etc/pam.d/system-auth has correct contents:
[root@fedora-39-x64]# cat /etc/pam.d/system-auth
- Or alternately opt out from authselect-managed configuration and then edit the static file /etc/pam.d/system-auth as before:
[root@fedora-39-x64]# authselect opt-out
I haven’t tried opting out - thought that if RedHat is moving ahead with authselect, it’s better to work with it, rather than disable it.
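A scripted form of the optional check above, as an added example that is not part of the original post: it compares the auth stack of a PAM file against the three lines given earlier, ignoring column spacing. The function names are hypothetical; the expected lines and the default path are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# The three auth lines the post says should replace the stock auth stack.
expected_auth_stack() {
    cat <<'EOF'
auth [success=1 default=ignore] pam_exec.so seteuid /usr/lib/qubes/qrexec-client-vm dom0 qubes.VMAuth /bin/grep -q ^1$
auth requisite pam_deny.so
auth required pam_permit.so
EOF
}

# Print the auth entries of a PAM file with runs of whitespace collapsed.
# "-auth" entries (PAM's "ignore if module is missing" prefix) are printed
# too, so a leftover one shows up as a mismatch instead of being skipped.
auth_stack_of() {
    awk '$1 == "auth" || $1 == "-auth" { $1 = $1; print }' "$1"
}

# Return 0 if the auth stack is exactly the expected one, in order;
# 1 on any extra, missing or reordered auth line; 2 if the file is unreadable.
check_auth_stack() {
    file=${1:-/etc/pam.d/system-auth}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(auth_stack_of "$file")
    expected=$(expected_auth_stack)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH in $file; auth lines found:" >&2
    printf '%s\n' "$actual" >&2
    return 1
}
```

Source the file in the template and run `check_auth_stack` after `authselect select`; a leftover stock auth line (for example from a later `authselect apply-changes` with a different profile) makes it return 1.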