Added new GNOME specific PAM configuration to install-files

The new PAM configuration ensures both that:

  o Setting a user's password updates the keyring

  o Starting a user session automatically unlocks the
    keyring with the users login

  o Fixes bug in systemd installed system-auth file which
    tries to pass try_authtok to pam_unix.so, which is not
    a valid option for that module

Overall the PAM configuration is custom and modeled after
the fedora configuration but without the selinux bits.

Change-Id: I348e2e520e186fc7592d2aa167abae73152bf8c1

1 files changed, 24 insertions, 0 deletions

diff --git a/install-files/gnome/etc/pam.d/gdm-password b/install-files/gnome/etc/pam.d/gdm-password
new file mode 100644
index 00000000..798d40a6
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm-password
@@ -0,0 +1,24 @@
+# Baserock customized /etc/pam.d/gdm-password
+#
+# This configuration ensures that the default keyring
+# is unlocked at gdm login time, and also that the
+# authentication token is used to update the keyring
+# when the password is set.
+
+auth     requisite      pam_nologin.so
+auth     required       pam_env.so
+
+auth     required       pam_succeed_if.so uid >= 1000 quiet
+auth     substack       system-auth
+auth     optional       pam_gnome_keyring.so
+
+account  include        system-auth
+password substack       system-auth
+password optional       pam_gnome_keyring.so use_authtok
+
+session  required       pam_limits.so
+session  required       pam_loginuid.so
+session  optional       pam_keyinit.so force revoke
+session  required       pam_namespace.so
+session  substack       system-auth
+session  optional       pam_gnome_keyring.so auto_start