pam-arch: Drop pam_faillock counting from fingerprint and smartcard

As mentioned in an [fprintd issue comment][1], we need to make sure that the stack's error status is taken from the main auth module, i.e. pam_fprintd, otherwise GDM will not behave correctly. Still use pam_faillock preauth so that we test whether the account is locked, but don't use authfail/authsucc to log a failure/success so this stack doesn't participate in triggering the lock. Ideally we would check which return values we actually want to treat as a reason to lock the account (e.g. fingerprint mismatch) and which are neutral (e.g. no fingerprints enrolled), but that's much more effort. Should fix [FS#71750][2]. [1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191 [2]: https://bugs.archlinux.org/task/71750
author: Jan Alexander Steffens (heftig) <heftig@archlinux.org> 2021-08-31 21:51:46 +0000
committer: Ray Strode <halfline@gmail.com> 2021-12-22 21:08:12 +0000
commit: 5e415bb1df01a3a6f42f30253e31f883a22b56dd (patch)
tree: 62a03dca46e921bbb790e7cc3651aecff4f94b72 /data
parent: f7aaba5d77fcca23816f8c43e96ea5ae1797a9ba (diff)
download: gdm-5e415bb1df01a3a6f42f30253e31f883a22b56dd.tar.gz
2 files changed, 4 insertions, 16 deletions
diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
index cc660d9a..2aaf9f6c 100644
--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
@@ -2,16 +2,10 @@
 
 auth       required                    pam_shells.so
 auth       requisite                   pam_nologin.so
-auth       required                    pam_faillock.so      preauth
-# Optionally use requisite above if you do not want to prompt for the fingerprint
-# on locked accounts.
-auth       [success=1 default=ignore]  pam_fprintd.so
-auth       [default=die]               pam_faillock.so      authfail
+auth       requisite                   pam_faillock.so      preauth
+auth       required                    pam_fprintd.so
 auth       optional                    pam_permit.so
 auth       required                    pam_env.so
-auth       required                    pam_faillock.so      authsucc
-# If you drop the above call to pam_faillock.so the lock will be done also
-# on non-consecutive authentication failures.
 auth       [success=ok default=1]      pam_gdm.so
 auth       optional                    pam_gnome_keyring.so
 
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
index e6ec1299..6d7333bf 100644
--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
@@ -2,16 +2,10 @@
 
 auth       required                    pam_shells.so
 auth       requisite                   pam_nologin.so
-auth       required                    pam_faillock.so      preauth
-# Optionally use requisite above if you do not want to prompt for the smartcard
-# on locked accounts.
-auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
-auth       [default=die]               pam_faillock.so      authfail
+auth       requisite                   pam_faillock.so      preauth
+auth       required                    pam_pkcs11.so        wait_for_card card_only
 auth       optional                    pam_permit.so
 auth       required                    pam_env.so
-auth       required                    pam_faillock.so      authsucc
-# If you drop the above call to pam_faillock.so the lock will be done also
-# on non-consecutive authentication failures.
 auth       [success=ok default=1]      pam_gdm.so
 auth       optional                    pam_gnome_keyring.so
author	Jan Alexander Steffens (heftig) <heftig@archlinux.org>	2021-08-31 21:51:46 +0000
committer	Ray Strode <halfline@gmail.com>	2021-12-22 21:08:12 +0000
commit	5e415bb1df01a3a6f42f30253e31f883a22b56dd (patch)
tree	62a03dca46e921bbb790e7cc3651aecff4f94b72 /data
parent	f7aaba5d77fcca23816f8c43e96ea5ae1797a9ba (diff)
download	gdm-5e415bb1df01a3a6f42f30253e31f883a22b56dd.tar.gz