pam: update exherbo configuration

This is a backport from exherbo changes by Saleem Abdulrasool <compnerd@compnerd.org>

Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>

3 files changed, 22 insertions, 32 deletions

diff --git a/data/pam-exherbo/gdm-fingerprint.pam b/data/pam-exherbo/gdm-fingerprint.pam
index 15f24fae..41639ece 100644
--- a/data/pam-exherbo/gdm-fingerprint.pam
+++ b/data/pam-exherbo/gdm-fingerprint.pam
@@ -1,17 +1,10 @@
-# mirrors system-auth / system(-local)-login
-# except for the authentication method, which is:
-# fingerprint login
+account  include  system-login
 
-auth        required    pam_env.so
-auth        required    pam_tally.so file=/var/log/faillog onerr=succeed
-auth        required    pam_shells.so
-auth        required    pam_nologin.so
-auth        required    pam_fprintd.so
--auth       optional    pam_gnome_keyring.so
+auth     substack fingerprint-auth
+auth     optional pam_gnome_keyring.so
 
-account     include     system-local-login
+password required pam_deny.so
 
-password    include     system-local-login
+session  substack system-login
+session  optional pam_gnome_keyring.so auto_start
 
-session     include     system-local-login
--session    optional    pam_gnome_keyring.so auto_start
diff --git a/data/pam-exherbo/gdm-launch-environment.pam b/data/pam-exherbo/gdm-launch-environment.pam
index 1c96229f..8357e231 100644
--- a/data/pam-exherbo/gdm-launch-environment.pam
+++ b/data/pam-exherbo/gdm-launch-environment.pam
@@ -1,11 +1,16 @@
-# this is for the session that gdm spawns to show the login screen
+account     required    pam_nologin.so
+account     required    pam_succeed_if.so audit quiet_success user = gdm
+account     required    pam_permit.so
 
 auth        required    pam_env.so
-auth        required    pam_nologin.so
+auth        required    pam_succeed_if.so audit quiet_success user = gdm
 auth        required    pam_permit.so
 
-account     include     system-local-login
+password    required    pam_deny.so
 
-password    include     system-local-login
+session     required    pam_loginuid.so
+session     required    pam_systemd.so kill-session-processes=1
+session     optional    pam_keyinit.so force revoke
+session     required    pam_succeed_if.so audit quiet_success user = gdm
+session     required    pam_permit.so
 
-session     include     system-local-login
diff --git a/data/pam-exherbo/gdm-password.pam b/data/pam-exherbo/gdm-password.pam
index 3ad9ce5c..d223f660 100644
--- a/data/pam-exherbo/gdm-password.pam
+++ b/data/pam-exherbo/gdm-password.pam
@@ -1,18 +1,10 @@
-# mirrors system-auth / system(-local)-login
-# except for the authentication method, which is:
-# password login
+account  include  system-login
 
-auth        required    pam_env.so
-auth        required    pam_tally.so file=/var/log/faillog onerr=succeed
-auth        required    pam_shells.so
-auth        required    pam_nologin.so
-auth        required    pam_unix.so try_first_pass likeauth nullok
--auth       optional    pam_gnome_keyring.so
+auth     substack system-login
+auth     optional pam_gnome_keyring.so
 
-account     include     system-local-login
+password required pam_deny.so
 
-password    include     system-local-login
-
-session     include     system-local-login
--session    optional    pam_gnome_keyring.so auto_start
+session  substack system-login
+session  optional pam_gnome_keyring.so auto_start