From f26947c585b678178d3944db8bfb816771497321 Mon Sep 17 00:00:00 2001 From: Alynx Zhou Date: Wed, 30 Nov 2022 20:36:36 +0800 Subject: pam-arch: Move pam_shells under pam_pkcs11 to support username auto-detect According to [PAM-PKCS11 User Manual][1], user can provide a empty username and it will set username by mapped smartcard. However, this currently does not work for gdm-smartcard, because pam_shells will fail first on empty username. Because [pam_shells do not check empty username before checking whether username exists][2], we can do nothing to workaround it for empty username, so just move it under pam_pkcs11 so it will check the auto-detected username. [1]: http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html#autologin [2]: https://github.com/linux-pam/linux-pam/commit/b52bd25910c9a8a32a49be7627a709a081a3768c --- data/pam-arch/gdm-smartcard.pam | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'data') diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam index 6d7333bf..357e1d0d 100644 --- a/data/pam-arch/gdm-smartcard.pam +++ b/data/pam-arch/gdm-smartcard.pam @@ -1,9 +1,9 @@ #%PAM-1.0 -auth required pam_shells.so auth requisite pam_nologin.so auth requisite pam_faillock.so preauth auth required pam_pkcs11.so wait_for_card card_only +auth required pam_shells.so auth optional pam_permit.so auth required pam_env.so auth [success=ok default=1] pam_gdm.so -- cgit v1.2.1
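Review bot: pam_nologin.so and pam_faillock.so preauth still sit above pam_pkcs11.so in the new order, so with an empty username they run before the card has been mapped to a user, while the commit message only establishes that pam_shells fails in that state. Please confirm how these two behave with gdm-smartcard's empty username, in particular that the per-user lockout check in `auth requisite pam_faillock.so preauth` is not evaluated against the empty name instead of the mapped account; if it is, it needs the same treatment as pam_shells. It would also help to add a comment above the moved `auth required pam_shells.so` line saying it must stay below pam_pkcs11.so so that it checks the auto-detected username, otherwise a later cleanup is likely to move it back to the top of the stack.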