author | Alynx Zhou <alynx.zhou@gmail.com> | 2022-11-30 20:36:36 +0800 |
---|---|---|
committer | Ray Strode <halfline@gmail.com> | 2023-03-05 14:17:24 +0000 |
commit | f26947c585b678178d3944db8bfb816771497321 (patch) | |
tree | 81f947b31a1f726f78cbcddd4a97a86a404485eb /data | |
parent | 712279aba4556f6acd718773f808414b3e8b4674 (diff) | |
download | gdm-f26947c585b678178d3944db8bfb816771497321.tar.gz |
pam-arch: Move pam_shells under pam_pkcs11 to support username auto-detect

According to [PAM-PKCS11 User Manual][1], user can provide an empty
username and it will set username by mapped smartcard. However, this
currently does not work for gdm-smartcard, because pam_shells will fail
first on empty username.

Because [pam_shells does not check empty username before checking whether
username exists][2], we can do nothing to work around it for empty
username, so just move it under pam_pkcs11 so it will check the
auto-detected username.

[1]: http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html#autologin
[2]: https://github.com/linux-pam/linux-pam/commit/b52bd25910c9a8a32a49be7627a709a081a3768c
Diffstat (limited to 'data')
-rw-r--r-- | data/pam-arch/gdm-smartcard.pam | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam index 6d7333bf..357e1d0d 100644 --- a/data/pam-arch/gdm-smartcard.pam +++ b/data/pam-arch/gdm-smartcard.pam @@ -1,9 +1,9 @@ #%PAM-1.0 -auth required pam_shells.so auth requisite pam_nologin.so auth requisite pam_faillock.so preauth auth required pam_pkcs11.so wait_for_card card_only +auth required pam_shells.so auth optional pam_permit.so auth required pam_env.so auth [success=ok default=1] pam_gdm.so |
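Review bot: the moved line `+auth required pam_shells.so` now only works if it stays below `auth required pam_pkcs11.so wait_for_card card_only`, but nothing in the file records that ordering constraint. A one-line comment above it (for example, that pam_shells must run after pam_pkcs11 because pam_pkcs11 sets the username from the card) would keep a later cleanup from moving it back to the top of the stack. Two further things to confirm. First, `pam_nologin.so` and `pam_faillock.so preauth` remain above pam_pkcs11 in this hunk and are `requisite`, so they still run before the username is mapped and a failure there ends the stack immediately; the commit message only covers pam_shells, so it would help to state that both were tested with an empty username. Second, pam_pkcs11 is `required` rather than `requisite`, so pam_shells still runs when card authentication fails. The overall result is still a failure, but pam_shells may then see the same empty username described in the commit message, which is worth noting if it produces log noise.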