diff options
author | Ray Strode <rstrode@redhat.com> | 2016-08-15 14:11:01 -0400 |
---|---|---|
committer | Ray Strode <rstrode@redhat.com> | 2016-08-19 15:02:07 -0400 |
commit | 31ed6f2b3f1ab45ae07aad41c13a51ba91fd159d (patch) | |
tree | 7a3ada2efa60d90050f726943bb29160dbce7723 | |
parent | 714b6af29b916ac7da0cdab6f83460574ed49cf2 (diff) | |
download | gdm-31ed6f2b3f1ab45ae07aad41c13a51ba91fd159d.tar.gz |
pam: grab cached password from systemd and pass it on
If the user has an encrypted disk then systemd will cache the password
they type into the keyring. It makes sense to try to use this password
for automatic login purposes first, since on single user machines,
the sole user password is likely to match the disk password.
Of course if it doesn't work we'll fall back to the old way of doing
automatic login without a password (and then the user will have to
manualy enter if they need to for gnome-keyring or whatever)
https://bugzilla.gnome.org/show_bug.cgi?id=769950
-rw-r--r-- | configure.ac | 8 | ||||
-rw-r--r-- | data/pam-arch/gdm-autologin.pam | 3 | ||||
-rw-r--r-- | data/pam-exherbo/gdm-autologin.pam | 8 | ||||
-rw-r--r-- | data/pam-lfs/gdm-autologin.pam | 3 | ||||
-rw-r--r-- | data/pam-redhat/gdm-autologin.pam | 7 | ||||
-rw-r--r-- | pam_gdm/Makefile.am | 2 | ||||
-rw-r--r-- | pam_gdm/pam_gdm.c | 29 |
7 files changed, 53 insertions, 7 deletions
diff --git a/configure.ac b/configure.ac index cb3a3765..ac6afc55 100644 --- a/configure.ac +++ b/configure.ac @@ -522,6 +522,14 @@ if test "x$have_pam" = "xyes"; then ) fi +AC_CHECK_LIB(keyutils, keyctl_read, [ + AC_DEFINE(HAVE_KEYUTILS, 1, [Define if have keyutils]) + KEYUTILS_LIBS="-lkeyutils" + KEYUTILS_CFLAGS="" +]) +AC_SUBST(KEYUTILS_LIBS) +AC_SUBST(KEYUTILS_CFLAGS) + dnl Check if we can use the setpenv function to add specialvariable dnl to the environment (such as the /etc/environment file under AIX) AC_LINK_IFELSE([ diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam index 9f45c659..99b14209 100644 --- a/data/pam-arch/gdm-autologin.pam +++ b/data/pam-arch/gdm-autologin.pam @@ -1,5 +1,7 @@ auth requisite pam_nologin.so auth required pam_env.so +auth optional pam_gdm.so +auth optional pam_gnome_keyring.so auth optional pam_permit.so account include system-local-login @@ -8,3 +10,4 @@ password include system-local-login session optional pam_keyinit.so force revoke session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-exherbo/gdm-autologin.pam b/data/pam-exherbo/gdm-autologin.pam index 71556e81..afde048d 100644 --- a/data/pam-exherbo/gdm-autologin.pam +++ b/data/pam-exherbo/gdm-autologin.pam @@ -2,11 +2,9 @@ # except for the authentication method, which is: # always permit login -auth required pam_env.so -auth required pam_tally.so file=/var/log/faillog onerr=succeed -auth required pam_shells.so -auth required pam_nologin.so -auth required pam_permit.so +auth optional pam_gdm.so +auth substack system-local-login +auth sufficient pam_permit.so -auth optional pam_gnome_keyring.so account include system-local-login diff --git a/data/pam-lfs/gdm-autologin.pam b/data/pam-lfs/gdm-autologin.pam index 13ac13ac..953d47e6 100644 --- a/data/pam-lfs/gdm-autologin.pam +++ b/data/pam-lfs/gdm-autologin.pam @@ -4,6 +4,8 @@ auth requisite pam_nologin.so auth required pam_env.so auth required pam_succeed_if.so uid >= 1000 quiet +auth optional pam_gdm.so +auth optional pam_gnome_keyring.so auth required pam_permit.so account include system-account @@ -12,5 +14,6 @@ password include system-password session optional pam_keyinit.so revoke session required pam_limits.so session include system-session +session optional pam_gnome_keyring.so auto_start # End /etc/pam.d/gdm-autologin diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam index 96fcfe37..c2efea86 100644 --- a/data/pam-redhat/gdm-autologin.pam +++ b/data/pam-redhat/gdm-autologin.pam @@ -1,6 +1,8 @@ #%PAM-1.0 -auth required pam_env.so -auth required pam_permit.so +auth optional pam_gdm.so +auth substack password-auth +auth optional pam_gnome_keyring.so +auth sufficient pam_permit.so auth include postlogin account required pam_nologin.so account include system-auth @@ -12,4 +14,5 @@ session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session include system-auth +session optional pam_gnome_keyring.so auto_start session include postlogin diff --git a/pam_gdm/Makefile.am b/pam_gdm/Makefile.am index 5ea69d78..61d672b4 100644 --- a/pam_gdm/Makefile.am +++ b/pam_gdm/Makefile.am @@ -15,6 +15,7 @@ pam_gdm_la_SOURCES = \ $(END_OF_LIST) pam_gdm_la_CFLAGS = \ + $(KEYUTILS_CFLAGS) \ $(PAM_CFLAGS) \ $(END_OF_LIST) @@ -26,6 +27,7 @@ pam_gdm_la_LDFLAGS = \ $(END_OF_LIST) pam_gdm_la_LIBADD = \ + $(KEYUTILS_LIBS) \ $(PAM_LIBS) \ $(END_OF_LIST) diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c index 90a05573..7beb04e7 100644 --- a/pam_gdm/pam_gdm.c +++ b/pam_gdm/pam_gdm.c @@ -17,18 +17,47 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * */ +#include <config.h> + +#include <unistd.h> + #include <security/_pam_macros.h> #include <security/pam_ext.h> #include <security/pam_misc.h> #include <security/pam_modules.h> #include <security/pam_modutil.h> +#ifdef HAVE_KEYUTILS +#include <keyutils.h> +#endif + int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv) { +#ifdef HAVE_KEYUTILS + int r; + void *cached_password = NULL; + key_serial_t serial; + + serial = find_key_by_type_and_desc ("user", "cryptsetup", 0); + if (serial == 0) + return PAM_AUTHINFO_UNAVAIL; + + r = keyctl_read_alloc (serial, &cached_password); + if (r < 0) + return PAM_AUTHINFO_UNAVAIL; + + r = pam_set_item (pamh, PAM_AUTHTOK, cached_password); + + free (cached_password); + + if (r < 0) + return PAM_AUTH_ERR; +#endif + return PAM_SUCCESS; } |