author | Tristan Van Berkom <tristan.vanberkom@codethink.co.uk> | 2015-11-19 18:11:30 +0900 |
---|---|---|
committer | Tristan Van Berkom <tristan.vanberkom@codethink.co.uk> | 2015-11-24 14:21:04 +0000 |
commit | 0b192f6183ceefda0551ecd76e851b76ad1f226f (patch) | |
tree | 6c17a2f1ee0404c885d6728b5d2d76dec2245fbd /install-files/gnome/etc/pam.d/gdm-password | |
parent | 2e38801d10846e91a0afe7c7e330e345d70147cd (diff) | |
download | definitions-0b192f6183ceefda0551ecd76e851b76ad1f226f.tar.gz |
Added new GNOME specific PAM configuration to install-files

The new PAM configuration ensures both that:

  o Setting a user's password updates the keyring
  o Starting a user session automatically unlocks the
    keyring with the user's login
  o Fixes bug in systemd installed system-auth file which
    tries to pass try_authtok to pam_unix.so, which is not
    a valid option for that module

Overall the PAM configuration is custom and modeled after
the Fedora configuration but without the SELinux bits.

Change-Id: I348e2e520e186fc7592d2aa167abae73152bf8c1
Diffstat (limited to 'install-files/gnome/etc/pam.d/gdm-password')
-rw-r--r-- | install-files/gnome/etc/pam.d/gdm-password | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/install-files/gnome/etc/pam.d/gdm-password b/install-files/gnome/etc/pam.d/gdm-password new file mode 100644 index 00000000..798d40a6 --- /dev/null +++ b/install-files/gnome/etc/pam.d/gdm-password @@ -0,0 +1,24 @@ +# Baserock customized /etc/pam.d/gdm-password +# +# This configuration ensures that the default keyring +# is unlocked at gdm login time, and also that the +# authentication token is used to update the keyring +# when the password is set. + +auth requisite pam_nologin.so +auth required pam_env.so + +auth required pam_succeed_if.so uid >= 1000 quiet +auth substack system-auth +auth optional pam_gnome_keyring.so + +account include system-auth +password substack system-auth +password optional pam_gnome_keyring.so use_authtok + +session required pam_limits.so +session required pam_loginuid.so +session optional pam_keyinit.so force revoke +session required pam_namespace.so +session substack system-auth +session optional pam_gnome_keyring.so auto_start |
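Review bot: the `auth required pam_succeed_if.so uid >= 1000 quiet` line in the auth stack is undocumented, while the file's header comment describes only the keyring behaviour. That line fails password logins through gdm for every account with a uid below 1000 (root included), and it hard-codes the threshold in this file. Please add a comment above it stating the intent (no system accounts at the graphical login) and noting that 1000 has to match the first regular-user uid used on the target system, so that a later change to the uid range does not silently lock users out or admit service accounts. A smaller point in the same file: all three `pam_gnome_keyring.so` entries are `optional`, so a failure to unlock or update the keyring never blocks login or a password change; if that is deliberate, the header comment is a good place to say so.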