From 0b192f6183ceefda0551ecd76e851b76ad1f226f Mon Sep 17 00:00:00 2001
From: Tristan Van Berkom
Date: Thu, 19 Nov 2015 18:11:30 +0900
Subject: Added new GNOME specific PAM configuration to install-files

The new PAM configuration ensures both that:
o Setting a user's password updates the keyring
o Starting a user session automatically unlocks the keyring with the users login
o Fixes bug in systemd installed system-auth file which tries to pass try_authtok to pam_unix.so, which is not a valid option for that module
Overall the PAM configuration is custom and modeled after the fedora configuration but without the selinux bits.

Change-Id: I348e2e520e186fc7592d2aa167abae73152bf8c1
---
 install-files/gnome/etc/pam.d/gdm | 15 ++++++++++++++
 install-files/gnome/etc/pam.d/gdm-autologin | 17 +++++++++++++++
 .../gnome/etc/pam.d/gdm-launch-environment | 8 +++-----
 install-files/gnome/etc/pam.d/gdm-password | 24 ++++++++++++++++++++++
 install-files/gnome/etc/pam.d/passwd | 10 +++++++++
 install-files/gnome/etc/pam.d/system-auth | 19 +++++++++++++++++
 6 files changed, 88 insertions(+), 5 deletions(-)
 create mode 100644 install-files/gnome/etc/pam.d/gdm
 create mode 100644 install-files/gnome/etc/pam.d/gdm-autologin
 create mode 100644 install-files/gnome/etc/pam.d/gdm-password
 create mode 100644 install-files/gnome/etc/pam.d/passwd
 create mode 100644 install-files/gnome/etc/pam.d/system-auth

(limited to 'install-files/gnome/etc')

diff --git a/install-files/gnome/etc/pam.d/gdm b/install-files/gnome/etc/pam.d/gdm
new file mode 100644
index 00000000..42036102
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm
@@ -0,0 +1,15 @@
+# Baserock customized /etc/pam.d/gdm
+#
+
+auth requisite pam_nologin.so
+auth required pam_env.so
+
+auth required pam_succeed_if.so uid >= 1000 quiet
+auth include system-auth
+
+account include system-auth
+password include system-auth
+
+session optional pam_keyinit.so force revoke
+session include system-auth
+session required pam_loginuid.so
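Review bot: `session required pam_loginuid.so` at the end of the new gdm stack runs pam_loginuid a second time, because the `session include system-auth` line just above it already pulls in `-session optional pam_loginuid.so` from the new system-auth; gdm-autologin and gdm-password repeat the same pattern. The second invocation has to rewrite an already-set /proc/self/loginuid, which some kernel configurations reject, and since the module is `required` here a rejection would fail the session. Keeping a single pam_loginuid entry per stack — either in the three service files or in system-auth, not both — removes the ambiguity about which one is authoritative; if the duplicate is kept on purpose, a comment such as `# pam_loginuid is also run from system-auth; this copy is deliberate` would make that visible.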
diff --git a/install-files/gnome/etc/pam.d/gdm-autologin b/install-files/gnome/etc/pam.d/gdm-autologin
new file mode 100644
index 00000000..c99449ac
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm-autologin
@@ -0,0 +1,17 @@
+# Baserock customized /etc/pam.d/gdm-autologin
+#
+
+auth requisite pam_nologin.so
+auth required pam_env.so
+
+auth required pam_succeed_if.so uid >= 1000 quiet
+auth required pam_permit.so
+auth optional pam_gnome_keyring.so
+
+account include system-auth
+password include system-auth
+
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include system-auth
diff --git a/install-files/gnome/etc/pam.d/gdm-launch-environment b/install-files/gnome/etc/pam.d/gdm-launch-environment
index 0e49df04..f63c80fa 100644
--- a/install-files/gnome/etc/pam.d/gdm-launch-environment
+++ b/install-files/gnome/etc/pam.d/gdm-launch-environment
@@ -1,13 +1,11 @@
-# Begin /etc/pam.d/gdm-launch-environment
+# Baserock customized /etc/pam.d/gdm-launch-environment
+#
 
 auth required pam_env.so
 auth optional pam_permit.so
 
 account include system-auth
-
-password required pam_deny.so
+password include system-auth
 
 session optional pam_keyinit.so force revoke
 session include system-auth
-
-# End /etc/pam.d/gdm-launch-environment
diff --git a/install-files/gnome/etc/pam.d/gdm-password b/install-files/gnome/etc/pam.d/gdm-password
new file mode 100644
index 00000000..798d40a6
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/gdm-password
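Review bot: `session required pam_namespace.so` in the new gdm-autologin stack (and again in gdm-password) makes every session depend on /etc/security/namespace.conf being present and parseable; pam_namespace returns an error when it cannot open its configuration, and with `required` that would fail the whole autologin, while nothing in this commit ships that file. Either add the config file to install-files or downgrade the line to `session optional pam_namespace.so` until it is needed. The commit message says starting a session unlocks the keyring, but this file has no `session optional pam_gnome_keyring.so auto_start` line, so for autologin the keyring daemon is not started by PAM at all (and with `pam_permit` there is no password to unlock it with); either add the line or state the limitation in the header comment. Since `auth optional pam_gnome_keyring.so` depends on gnome-keyring being installed, the `-` type prefix that system-auth already uses for pam_systemd would suppress the syslog noise when the module is absent (`-auth optional pam_gnome_keyring.so`); the same applies to the pam_gnome_keyring lines in gdm-password and passwd.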
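Review bot: Replacing `password required pam_deny.so` with `password include system-auth` gives the greeter's launch environment a working password-change stack, which nothing there appears to need: gdm-launch-environment is the service for the greeter itself, not for a user login, so denying chauthtok was a sound least-privilege default, and neither the commit message nor the keyring goals (already covered by gdm-password and passwd) explain why the greeter should be able to change passwords. I would keep the previous `password required pam_deny.so`; if the include is genuinely required, add a comment above the line stating which component of the launch environment calls pam_chauthtok.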
@@ -0,0 +1,24 @@
+# Baserock customized /etc/pam.d/gdm-password
+#
+# This configuration ensures that the default keyring
+# is unlocked at gdm login time, and also that the
+# authentication token is used to update the keyring
+# when the password is set.
+
+auth requisite pam_nologin.so
+auth required pam_env.so
+
+auth required pam_succeed_if.so uid >= 1000 quiet
+auth substack system-auth
+auth optional pam_gnome_keyring.so
+
+account include system-auth
+password substack system-auth
+password optional pam_gnome_keyring.so use_authtok
+
+session required pam_limits.so
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session substack system-auth
+session optional pam_gnome_keyring.so auto_start
diff --git a/install-files/gnome/etc/pam.d/passwd b/install-files/gnome/etc/pam.d/passwd
new file mode 100644
index 00000000..e0c98057
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/passwd
@@ -0,0 +1,10 @@
+# Baserock customized /etc/pam.d/passwd
+#
+# This configuration ensures authentication token
+# is used to update the keyring when the password is set
+# using the regular passwd mechanism
+
+auth include system-auth
+account include system-auth
+password substack system-auth
+password optional pam_gnome_keyring.so use_authtok
diff --git a/install-files/gnome/etc/pam.d/system-auth b/install-files/gnome/etc/pam.d/system-auth
new file mode 100644
index 00000000..73d3968c
--- /dev/null
+++ b/install-files/gnome/etc/pam.d/system-auth
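Review bot: The header comment of gdm-password should say why this file uses `substack` where gdm and gdm-autologin use `include`: system-auth's `auth sufficient pam_unix.so` and `password sufficient pam_unix.so` end the stack on success, and with `include` that early exit would skip the `pam_gnome_keyring.so` lines that follow; `substack` confines it to system-auth so the keyring module still runs. A comment such as `# substack (not include): a sufficient success inside system-auth must not skip the pam_gnome_keyring lines below` would stop a later edit from "simplifying" it back to include. Also, `session required pam_limits.so` appears only in this file and not in gdm or gdm-autologin, so limits.conf is applied to password logins only; the three session stacks should either agree or the header should note the difference.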
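Review bot: `password optional pam_gnome_keyring.so use_authtok` in the new passwd file is the line the header comment describes, but the comment does not record why it is `optional`: passwd also runs without a graphical session (console, remote shell), where there is no keyring daemon to update, and a failure there must not block the password change. A comment such as `# optional: the keyring update is best-effort and must never fail the password change` would capture that. `use_authtok` reuses the new token set by pam_unix inside the `password substack system-auth` line above, so the order of those two lines is load-bearing and worth a word as well.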
@@ -0,0 +1,19 @@
+# Baserock customized /etc/pam.d/system-auth
+#
+# This configuration is modified from the upstream
+# systemd provided file mostly because the upstream file
+# tries to pass the invalid 'try_authtok' option to the
+# pam_unix.so module.
+
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_deny.so
+
+account required pam_nologin.so
+account sufficient pam_unix.so
+
+password sufficient pam_unix.so nullok sha512 shadow try_first_pass
+password required pam_deny.so
+
+-session optional pam_loginuid.so
+-session optional pam_systemd.so
+session sufficient pam_unix.so
-- cgit v1.2.1
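Review bot: `account sufficient pam_unix.so` means a failing account check from pam_unix is ignored — a failed `sufficient` module does not affect the stack result — so the account stack's verdict comes from `account required pam_nologin.so` alone, and an account that has passed its shadow expiry date would still clear account management (password-expiry results are still propagated, but PAM_ACCT_EXPIRED is not). Fedora, which the commit message names as the model, uses `account required pam_unix.so`; this line looks inherited from the systemd file the header mentions rather than introduced here, but since the commit already diverges from that file, this is the place to change it to `account required pam_unix.so`. Separately, `nullok` on both pam_unix lines lets accounts with an empty password authenticate and change their password; if that is intended for this image a comment saying so would help, otherwise drop `nullok`.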