-rw-r--r--configure.ac8
-rw-r--r--data/pam-arch/gdm-autologin.pam3
-rw-r--r--data/pam-exherbo/gdm-autologin.pam8
-rw-r--r--data/pam-lfs/gdm-autologin.pam3
-rw-r--r--data/pam-redhat/gdm-autologin.pam7
-rw-r--r--pam_gdm/Makefile.am2
-rw-r--r--pam_gdm/pam_gdm.c29
7 files changed, 53 insertions, 7 deletions
diff --git a/configure.ac b/configure.ac
index cb3a3765..ac6afc55 100644
--- a/configure.ac
+++ b/configure.ac
@@ -522,6 +522,14 @@ if test "x$have_pam" = "xyes"; then
)
fi
+AC_CHECK_LIB(keyutils, keyctl_read, [
+ AC_DEFINE(HAVE_KEYUTILS, 1, [Define if have keyutils])
+ KEYUTILS_LIBS="-lkeyutils"
+ KEYUTILS_CFLAGS=""
+])
+AC_SUBST(KEYUTILS_LIBS)
+AC_SUBST(KEYUTILS_CFLAGS)
+
dnl Check if we can use the setpenv function to add specialvariable
dnl to the environment (such as the /etc/environment file under AIX)
AC_LINK_IFELSE([
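Review bot: The probe tests for `keyctl_read`, but pam_gdm.c in this commit calls `find_key_by_type_and_desc` and `keyctl_read_alloc` and includes `<keyutils.h>`, none of which this check verifies. A system that has the library but not the development header, or a libkeyutils lacking one of those functions, would get `HAVE_KEYUTILS` defined and then fail to build. Probing a symbol the module actually uses, `AC_CHECK_LIB(keyutils, find_key_by_type_and_desc, [...])`, together with an `AC_CHECK_HEADER([keyutils.h])` guard, would make the define reliable.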
diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
index 9f45c659..99b14209 100644
--- a/data/pam-arch/gdm-autologin.pam
+++ b/data/pam-arch/gdm-autologin.pam
@@ -1,5 +1,7 @@
auth requisite pam_nologin.so
auth required pam_env.so
+auth optional pam_gdm.so
+auth optional pam_gnome_keyring.so
auth optional pam_permit.so
account include system-local-login
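Review bot: The two added auth lines depend on their order, and nothing in the file says so: `pam_gdm.so` is what places the cached passphrase in PAM_AUTHTOK (see pam_gdm.c in this commit), so it has to run before `pam_gnome_keyring.so`. A comment above the pair would keep a later edit from reordering them, for example `# pam_gdm.so sets PAM_AUTHTOK from the cached disk passphrase; keep it before pam_gnome_keyring.so`. The same pair is added in data/pam-lfs/gdm-autologin.pam and would benefit from the same comment.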
@@ -8,3 +10,4 @@ password include system-local-login
session optional pam_keyinit.so force revoke
session include system-local-login
+session optional pam_gnome_keyring.so auto_start
diff --git a/data/pam-exherbo/gdm-autologin.pam b/data/pam-exherbo/gdm-autologin.pam
index 71556e81..afde048d 100644
--- a/data/pam-exherbo/gdm-autologin.pam
+++ b/data/pam-exherbo/gdm-autologin.pam
@@ -2,11 +2,9 @@
# except for the authentication method, which is:
# always permit login
-auth required pam_env.so
-auth required pam_tally.so file=/var/log/faillog onerr=succeed
-auth required pam_shells.so
-auth required pam_nologin.so
-auth required pam_permit.so
+auth optional pam_gdm.so
+auth substack system-local-login
+auth sufficient pam_permit.so
-auth optional pam_gnome_keyring.so
account include system-local-login
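Review bot: Autologin on this stack now hinges on `auth substack system-local-login` instead of an unconditional `pam_permit.so`, and the explicit `pam_nologin.so`, `pam_shells.so`, `pam_tally.so` and `pam_env.so` lines are gone. system-local-login is not part of this diff, so this is inferred: if it contains a password module, that module runs with whatever pam_gdm.so put in PAM_AUTHTOK, and when no key is cached or the disk passphrase differs from the account password it may prompt or fail in a session with nobody to answer. It is worth confirming that a failed substack cannot block the login and that system-local-login still supplies the nologin check. The auth `pam_gnome_keyring.so` line is also removed here while the arch, lfs and redhat files add one, so unless the substack provides it, nothing in this file consumes the token pam_gdm.so sets. `auth substack password-auth` in data/pam-redhat/gdm-autologin.pam raises the same substack question.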
diff --git a/data/pam-lfs/gdm-autologin.pam b/data/pam-lfs/gdm-autologin.pam
index 13ac13ac..953d47e6 100644
--- a/data/pam-lfs/gdm-autologin.pam
+++ b/data/pam-lfs/gdm-autologin.pam
@@ -4,6 +4,8 @@ auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_succeed_if.so uid >= 1000 quiet
+auth optional pam_gdm.so
+auth optional pam_gnome_keyring.so
auth required pam_permit.so
account include system-account
@@ -12,5 +14,6 @@ password include system-password
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-session
+session optional pam_gnome_keyring.so auto_start
# End /etc/pam.d/gdm-autologin
diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam
index 96fcfe37..c2efea86 100644
--- a/data/pam-redhat/gdm-autologin.pam
+++ b/data/pam-redhat/gdm-autologin.pam
@@ -1,6 +1,8 @@
#%PAM-1.0
-auth required pam_env.so
-auth required pam_permit.so
+auth optional pam_gdm.so
+auth substack password-auth
+auth optional pam_gnome_keyring.so
+auth sufficient pam_permit.so
auth include postlogin
account required pam_nologin.so
account include system-auth
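Review bot: `auth sufficient pam_permit.so` sits directly above `auth include postlogin`, and a `sufficient` module that succeeds ends the auth stack immediately when no earlier `required` module has failed. pam_permit.so always succeeds, so the postlogin auth modules are no longer reached on the successful path, whereas the old `required` line let them run. If postlogin is still meant to run for autologin, keep the control as `auth required pam_permit.so` or move the `postlogin` include above it. `pam_env.so` is also dropped from this stack; password-auth is not shown here, so check that it still loads the environment.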
@@ -12,4 +14,5 @@ session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
+session optional pam_gnome_keyring.so auto_start
session include postlogin
diff --git a/pam_gdm/Makefile.am b/pam_gdm/Makefile.am
index 5ea69d78..61d672b4 100644
--- a/pam_gdm/Makefile.am
+++ b/pam_gdm/Makefile.am
@@ -15,6 +15,7 @@ pam_gdm_la_SOURCES = \
$(END_OF_LIST)
pam_gdm_la_CFLAGS = \
+ $(KEYUTILS_CFLAGS) \
$(PAM_CFLAGS) \
$(END_OF_LIST)
@@ -26,6 +27,7 @@ pam_gdm_la_LDFLAGS = \
$(END_OF_LIST)
pam_gdm_la_LIBADD = \
+ $(KEYUTILS_LIBS) \
$(PAM_LIBS) \
$(END_OF_LIST)
diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c
index 90a05573..7beb04e7 100644
--- a/pam_gdm/pam_gdm.c
+++ b/pam_gdm/pam_gdm.c
@@ -17,18 +17,47 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*/
+#include <config.h>
+
+#include <unistd.h>
+
#include <security/_pam_macros.h>
#include <security/pam_ext.h>
#include <security/pam_misc.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
+#ifdef HAVE_KEYUTILS
+#include <keyutils.h>
+#endif
+
int
pam_sm_authenticate (pam_handle_t *pamh,
int flags,
int argc,
const char **argv)
{
+#ifdef HAVE_KEYUTILS
+ int r;
+ void *cached_password = NULL;
+ key_serial_t serial;
+
+ serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
+ if (serial == 0)
+ return PAM_AUTHINFO_UNAVAIL;
+
+ r = keyctl_read_alloc (serial, &cached_password);
+ if (r < 0)
+ return PAM_AUTHINFO_UNAVAIL;
+
+ r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
+
+ free (cached_password);
+
+ if (r < 0)
+ return PAM_AUTH_ERR;
+#endif
+
return PAM_SUCCESS;
}
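Review bot: The disk-unlock passphrase read into `cached_password` is released with a plain `free()`, so a copy can linger in the process heap after the module returns; wipe it before freeing. Two of the error checks also cannot fire as written: keyutils documents `find_key_by_type_and_desc` as returning -1 on failure, not 0, and `pam_set_item` returns `PAM_SUCCESS` or a positive PAM error code, so `r < 0` never catches a failure. The version below keeps the length from `keyctl_read_alloc` in its own variable so the buffer can be cleared. `explicit_bzero` needs `<string.h>` and `free` needs `<stdlib.h>`, neither of which this hunk includes directly.

```c
        int r;
        int len;
        void *cached_password = NULL;
        key_serial_t serial;

        serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
        if (serial < 0)
                return PAM_AUTHINFO_UNAVAIL;

        len = keyctl_read_alloc (serial, &cached_password);
        if (len < 0)
                return PAM_AUTHINFO_UNAVAIL;

        r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);

        /* PAM keeps its own copy; clear ours before releasing it */
        explicit_bzero (cached_password, (size_t) len);
        free (cached_password);

        if (r != PAM_SUCCESS)
                return PAM_AUTH_ERR;
        /* … unchanged: #endif and return PAM_SUCCESS … */
```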