From 8528a503ad70669a5f0c03d0a92ba19326983b82 Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" Date: Tue, 27 Oct 2020 18:59:14 +0000 Subject: pam-arch: Update to match pambase 20200721.1-2 Update the PAM files for Arch Linux. This has been applied downstream since Aug 2020. https://bugs.archlinux.org/task/67485 --- data/meson.build | 1 - data/pam-arch/gdm-autologin.pam | 22 ++++++++++++---------- data/pam-arch/gdm-fingerprint.pam | 31 ++++++++++++++++++++----------- data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++++++---------- data/pam-arch/gdm-password.pam | 17 +++++++++-------- data/pam-arch/gdm-pin.pam | 13 ------------- data/pam-arch/gdm-smartcard.pam | 31 ++++++++++++++++++++----------- 7 files changed, 75 insertions(+), 64 deletions(-) delete mode 100644 data/pam-arch/gdm-pin.pam (limited to 'data') diff --git a/data/meson.build b/data/meson.build index 23e2d7f9..7c5222ea 100644 --- a/data/meson.build +++ b/data/meson.build @@ -134,7 +134,6 @@ pam_data_files_map = { 'gdm-fingerprint', 'gdm-smartcard', 'gdm-password', - 'gdm-pin', ], 'none': [], # We should no longer have 'autodetect' at this point diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam index 99b14209..30bdf529 100644 --- a/data/pam-arch/gdm-autologin.pam +++ b/data/pam-arch/gdm-autologin.pam @@ -1,13 +1,15 @@ -auth requisite pam_nologin.so -auth required pam_env.so -auth optional pam_gdm.so -auth optional pam_gnome_keyring.so -auth optional pam_permit.so +#%PAM-1.0 -account include system-local-login +auth required pam_shells.so +auth requisite pam_nologin.so +auth optional pam_permit.so +auth required pam_env.so +auth [success=ok default=1] pam_gdm.so +auth optional pam_gnome_keyring.so -password include system-local-login +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login -session optional pam_gnome_keyring.so auto_start +password required pam_deny.so + +session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam index a4808617..cc660d9a 100644 --- a/data/pam-arch/gdm-fingerprint.pam +++ b/data/pam-arch/gdm-fingerprint.pam @@ -1,14 +1,23 @@ -auth required pam_tally.so onerr=succeed file=/var/log/faillog -auth required pam_shells.so -auth requisite pam_nologin.so -auth required pam_env.so -auth required pam_fprintd.so -auth optional pam_permit.so +#%PAM-1.0 -account include system-local-login +auth required pam_shells.so +auth requisite pam_nologin.so +auth required pam_faillock.so preauth +# Optionally use requisite above if you do not want to prompt for the fingerprint +# on locked accounts. +auth [success=1 default=ignore] pam_fprintd.so +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. +auth [success=ok default=1] pam_gdm.so +auth optional pam_gnome_keyring.so -password required pam_fprintd.so -password optional pam_permit.so +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login +password required pam_deny.so + +session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam index d59c9cb9..20d1810a 100644 --- a/data/pam-arch/gdm-launch-environment.pam +++ b/data/pam-arch/gdm-launch-environment.pam @@ -1,13 +1,17 @@ -auth required pam_env.so -auth required pam_succeed_if.so audit quiet_success user = gdm -auth optional pam_permit.so +#%PAM-1.0 -account required pam_succeed_if.so audit quiet_success user = gdm -account optional pam_permit.so +auth required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup +auth optional pam_permit.so +auth required pam_env.so -password required pam_deny.so +account required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup +account optional pam_permit.so -session optional pam_keyinit.so force revoke -session required pam_succeed_if.so audit quiet_success user = gdm -session required pam_systemd.so -session optional pam_permit.so +password required pam_deny.so + +session optional pam_loginuid.so +session optional pam_keyinit.so force revoke +session required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup +session optional pam_permit.so +-session optional pam_systemd.so +session required pam_env.so user_readenv=1 diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam index 8d34794e..137242a6 100644 --- a/data/pam-arch/gdm-password.pam +++ b/data/pam-arch/gdm-password.pam @@ -1,11 +1,12 @@ -auth include system-local-login -auth optional pam_gnome_keyring.so +#%PAM-1.0 -account include system-local-login +auth include system-local-login +auth optional pam_gnome_keyring.so -password include system-local-login -password optional pam_gnome_keyring.so use_authtok +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login -session optional pam_gnome_keyring.so auto_start +password include system-local-login +password optional pam_gnome_keyring.so use_authtok + +session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam deleted file mode 100644 index 135e205e..00000000 --- a/data/pam-arch/gdm-pin.pam +++ /dev/null @@ -1,13 +0,0 @@ -auth requisite pam_pin.so -auth include system-local-login -auth optional pam_gnome_keyring.so - -account include system-local-login - -password include system-local-login -password optional pam_pin.so -password optional pam_gnome_keyring.so use_authtok - -session optional pam_keyinit.so force revoke -session include system-local-login -session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam index ec6f75d5..e6ec1299 100644 --- a/data/pam-arch/gdm-smartcard.pam +++ b/data/pam-arch/gdm-smartcard.pam @@ -1,14 +1,23 @@ -auth required pam_tally.so onerr=succeed file=/var/log/faillog -auth required pam_shells.so -auth requisite pam_nologin.so -auth required pam_env.so -auth required pam_pkcs11.so wait_for_card card_only -auth optional pam_permit.so +#%PAM-1.0 -account include system-local-login +auth required pam_shells.so +auth requisite pam_nologin.so +auth required pam_faillock.so preauth +# Optionally use requisite above if you do not want to prompt for the smartcard +# on locked accounts. +auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. +auth [success=ok default=1] pam_gdm.so +auth optional pam_gnome_keyring.so -password required pam_pkcs11.so -password optional pam_permit.so +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login +password required pam_deny.so + +session include system-local-login +session optional pam_gnome_keyring.so auto_start -- cgit v1.2.1