[gdm] pam: update exherbo configuration

[Marc-Antoine Perennou <marcop src gnome org>]

commit b663f7cf8f57a83ea5f371d0f3e2f4df24b26869
Author: Marc-Antoine Perennou <Marc-Antoine Perennou com>
Date:   Sat Sep 22 22:49:01 2012 +0200

    pam: update exherbo configuration
    
    This is a backport from exherbo changes by Saleem Abdulrasool <compnerd compnerd org>
    
    Signed-off-by: Marc-Antoine Perennou <Marc-Antoine Perennou com>

 data/pam-exherbo/gdm-fingerprint.pam        |   19 ++++++-------------
 data/pam-exherbo/gdm-launch-environment.pam |   15 ++++++++++-----
 data/pam-exherbo/gdm-password.pam           |   20 ++++++--------------
 3 files changed, 22 insertions(+), 32 deletions(-)
---
diff --git a/data/pam-exherbo/gdm-fingerprint.pam b/data/pam-exherbo/gdm-fingerprint.pam
index 15f24fa..41639ec 100644
--- a/data/pam-exherbo/gdm-fingerprint.pam
+++ b/data/pam-exherbo/gdm-fingerprint.pam
@@ -1,17 +1,10 @@
-# mirrors system-auth / system(-local)-login
-# except for the authentication method, which is:
-# fingerprint login
+account  include  system-login
 
-auth        required    pam_env.so
-auth        required    pam_tally.so file=/var/log/faillog onerr=succeed
-auth        required    pam_shells.so
-auth        required    pam_nologin.so
-auth        required    pam_fprintd.so
--auth       optional    pam_gnome_keyring.so
+auth     substack fingerprint-auth
+auth     optional pam_gnome_keyring.so
 
-account     include     system-local-login
+password required pam_deny.so
 
-password    include     system-local-login
+session  substack system-login
+session  optional pam_gnome_keyring.so auto_start
 
-session     include     system-local-login
--session    optional    pam_gnome_keyring.so auto_start
diff --git a/data/pam-exherbo/gdm-launch-environment.pam b/data/pam-exherbo/gdm-launch-environment.pam
index 1c96229..8357e23 100644
--- a/data/pam-exherbo/gdm-launch-environment.pam
+++ b/data/pam-exherbo/gdm-launch-environment.pam
@@ -1,11 +1,16 @@
-# this is for the session that gdm spawns to show the login screen
+account     required    pam_nologin.so
+account     required    pam_succeed_if.so audit quiet_success user = gdm
+account     required    pam_permit.so
 
 auth        required    pam_env.so
-auth        required    pam_nologin.so
+auth        required    pam_succeed_if.so audit quiet_success user = gdm
 auth        required    pam_permit.so
 
-account     include     system-local-login
+password    required    pam_deny.so
 
-password    include     system-local-login
+session     required    pam_loginuid.so
+session     required    pam_systemd.so kill-session-processes=1
+session     optional    pam_keyinit.so force revoke
+session     required    pam_succeed_if.so audit quiet_success user = gdm
+session     required    pam_permit.so
 
-session     include     system-local-login
diff --git a/data/pam-exherbo/gdm-password.pam b/data/pam-exherbo/gdm-password.pam
index 3ad9ce5..d223f66 100644
--- a/data/pam-exherbo/gdm-password.pam
+++ b/data/pam-exherbo/gdm-password.pam
@@ -1,18 +1,10 @@
-# mirrors system-auth / system(-local)-login
-# except for the authentication method, which is:
-# password login
+account  include  system-login
 
-auth        required    pam_env.so
-auth        required    pam_tally.so file=/var/log/faillog onerr=succeed
-auth        required    pam_shells.so
-auth        required    pam_nologin.so
-auth        required    pam_unix.so try_first_pass likeauth nullok
--auth       optional    pam_gnome_keyring.so
+auth     substack system-login
+auth     optional pam_gnome_keyring.so
 
-account     include     system-local-login
+password required pam_deny.so
 
-password    include     system-local-login
-
-session     include     system-local-login
--session    optional    pam_gnome_keyring.so auto_start
+session  substack system-login
+session  optional pam_gnome_keyring.so auto_start