diff options
author | Jan Alexander Steffens (heftig) <heftig@archlinux.org> | 2021-08-31 21:51:46 +0000 |
---|---|---|
committer | Ray Strode <halfline@gmail.com> | 2021-12-22 21:08:12 +0000 |
commit | 5e415bb1df01a3a6f42f30253e31f883a22b56dd (patch) | |
tree | 62a03dca46e921bbb790e7cc3651aecff4f94b72 /data/pam-arch/gdm-smartcard.pam | |
parent | f7aaba5d77fcca23816f8c43e96ea5ae1797a9ba (diff) | |
download | gdm-5e415bb1df01a3a6f42f30253e31f883a22b56dd.tar.gz |
pam-arch: Drop pam_faillock counting from fingerprint and smartcard
As mentioned in an [fprintd issue comment][1], we need to make sure that
the stack's error status is taken from the main auth module, i.e.
pam_fprintd, otherwise GDM will not behave correctly.
Still use pam_faillock preauth so that we test whether the account is
locked, but don't use authfail/authsucc to log a failure/success so this
stack doesn't participate in triggering the lock.
Ideally we would check which return values we actually want to treat as
a reason to lock the account (e.g. fingerprint mismatch) and which are
neutral (e.g. no fingerprints enrolled), but that's much more effort.
Should fix [FS#71750][2].
[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191
[2]: https://bugs.archlinux.org/task/71750
Diffstat (limited to 'data/pam-arch/gdm-smartcard.pam')
-rw-r--r-- | data/pam-arch/gdm-smartcard.pam | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam index e6ec1299..6d7333bf 100644 --- a/data/pam-arch/gdm-smartcard.pam +++ b/data/pam-arch/gdm-smartcard.pam @@ -2,16 +2,10 @@ auth required pam_shells.so auth requisite pam_nologin.so -auth required pam_faillock.so preauth -# Optionally use requisite above if you do not want to prompt for the smartcard -# on locked accounts. -auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only -auth [default=die] pam_faillock.so authfail +auth requisite pam_faillock.so preauth +auth required pam_pkcs11.so wait_for_card card_only auth optional pam_permit.so auth required pam_env.so -auth required pam_faillock.so authsucc -# If you drop the above call to pam_faillock.so the lock will be done also -# on non-consecutive authentication failures. auth [success=ok default=1] pam_gdm.so auth optional pam_gnome_keyring.so |