[gnome-build-meta/tristan/gnome-boot: 6/11] core/gdm.bst: Added custom GDM pam configuration



commit 7253316b2c6352c296ff2a65a0def726d45f32aa
Author: Tristan Van Berkom <tristan vanberkom codethink co uk>
Date:   Fri Jul 12 19:13:36 2019 +0900

    core/gdm.bst: Added custom GDM pam configuration
    
    Our PAM configuration resembles the redhat one, but we do not
    use selinux, and we do not build PAM with the third party patch
    which enables the pam_console.so module, so we need a different
    variant.
    
    Eventually we could upstream a GNOME configuration for
    GDM integration into GNOME system images.

 elements/core/gdm.bst                |  9 ++++++++-
 files/gdm/gdm-autologin.pam          | 13 +++++++++++++
 files/gdm/gdm-fingerprint.pam        | 13 +++++++++++++
 files/gdm/gdm-launch-environment.pam |  9 +++++++++
 files/gdm/gdm-password.pam           | 16 ++++++++++++++++
 files/gdm/gdm-pin.pam                | 17 +++++++++++++++++
 files/gdm/gdm-smartcard.pam          | 13 +++++++++++++
 7 files changed, 89 insertions(+), 1 deletion(-)
---
diff --git a/elements/core/gdm.bst b/elements/core/gdm.bst
index d3ae046f..76601dcd 100644
--- a/elements/core/gdm.bst
+++ b/elements/core/gdm.bst
@@ -21,10 +21,10 @@ depends:
   junction: freedesktop-sdk.bst
 variables:
   sysusersdir: "%{prefix}/lib/sysusers.d"
+  pamdir: "%{sysconfdir}/pam.d"
   conf-local: >-
     --enable-wayland-support
     --with-pam-prefix=%{sysconfdir}
-    --with-default-pam-config=lfs
     --with-run-dir=/run/gdm
     --with-plymouth=no
 
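Review bot: Dropping `--with-default-pam-config=lfs` from `conf-local` without a replacement leaves the choice of stock PAM files to GDM's configure script, which as far as I know then probes distribution release files in the build environment before falling back to none. Since this commit ships its own service files under files/gdm, writing `--with-default-pam-config=none` would state that no upstream variant is meant to be installed alongside them. PAM service files decide who can log in, so the set that lands in the image should not depend on what the sandbox happens to contain.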
@@ -33,3 +33,10 @@ config:
     (>):
     - mkdir -p %{install-root}%{sysusersdir}
     - install -m 644 gdm-config/gdm-sysusers.conf %{install-root}%{sysusersdir}/gdm.conf
+
+    - mkdir -p %{pamdir}
+    - |
+      # Our configuration is similar to redhat but without selinux
+      for conffile in `find gdm-config/ -name "*.pam"`; do
+        install -m 644 $conffile %{install-root}%{pamdir}/$(basename ${conffile%.pam})
+      done
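Review bot: The added `mkdir -p %{pamdir}` creates the directory in the build sandbox rather than in the staged tree, so the `install` calls in the loop depend on something else having created `%{install-root}%{pamdir}`; it should read `mkdir -p %{install-root}%{pamdir}`. The loop also word-splits the output of a backtick `find` and leaves `$conffile` unquoted, so a path with whitespace would install the wrong file name into pam.d; `install -m 644 "$conffile" "%{install-root}%{pamdir}/$(basename "${conffile%.pam}")"` avoids that. The command list that this `(>):` entry appends to begins outside the hunk.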
diff --git a/files/gdm/gdm-autologin.pam b/files/gdm/gdm-autologin.pam
new file mode 100644
index 00000000..939dc8ce
--- /dev/null
+++ b/files/gdm/gdm-autologin.pam
@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth       [success=ok default=1] pam_gdm.so
+-auth      optional    pam_gnome_keyring.so
+auth       sufficient  pam_permit.so
+account    required    pam_nologin.so
+account    include     system-auth
+password   include     system-auth
+session    required    pam_loginuid.so
+session    optional    pam_keyinit.so force revoke
+session    required    pam_namespace.so
+session    include     system-auth
+session    optional    pam_gnome_keyring.so auto_start
+session    include     postlogin
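Review bot: The `include` lines in this file pull in `system-auth` and `postlogin`, and the other new files pull in `password-auth`, `fingerprint-auth` and `smartcard-auth`, yet none of those stacks is added by this commit. If one of them is missing from the image, Linux-PAM (as far as I know) treats the failed include as a must-fail entry, so the whole GDM service would refuse logins. It is worth confirming which element installs each stack and recording that in a header comment such as `# system-auth and postlogin come from <element that installs the base PAM stacks>`. Because the autologin auth phase ends in `pam_permit.so`, the `account` and `session` includes are the only policy applied to an autologin user, which makes their presence more important here.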
diff --git a/files/gdm/gdm-fingerprint.pam b/files/gdm/gdm-fingerprint.pam
new file mode 100644
index 00000000..0c15cf48
--- /dev/null
+++ b/files/gdm/gdm-fingerprint.pam
@@ -0,0 +1,13 @@
+auth        substack      fingerprint-auth
+auth        include       postlogin
+
+account     required      pam_nologin.so
+account     include       fingerprint-auth
+
+password    include       fingerprint-auth
+
+session     required      pam_loginuid.so
+session     optional      pam_keyinit.so force revoke
+session     required      pam_namespace.so
+session     include       fingerprint-auth
+session     include       postlogin
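Review bot: This file starts directly with `auth substack fingerprint-auth`, while gdm-autologin.pam and gdm-launch-environment.pam in the same commit open with the conventional `#%PAM-1.0` header line. gdm-password.pam, gdm-pin.pam and gdm-smartcard.pam omit it as well. Adding `#%PAM-1.0` as the first line of all four would keep the set consistent. The column alignment also differs between the two groups of files.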
diff --git a/files/gdm/gdm-launch-environment.pam b/files/gdm/gdm-launch-environment.pam
new file mode 100644
index 00000000..2e9ea2b9
--- /dev/null
+++ b/files/gdm/gdm-launch-environment.pam
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth       required    pam_env.so
+auth       required    pam_permit.so
+auth       include     postlogin
+account    required    pam_permit.so
+password   required    pam_permit.so
+session    optional    pam_keyinit.so force revoke
+session    include     system-auth
+session    include     postlogin
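Review bot: The `auth`, `account` and `password` phases all resolve to `pam_permit.so` here, so nothing in the file tells a later reader that the service must never be used for a real user login. As far as I know GDM uses this service only to start the greeter session under its own account. A comment after the header would record that, for example `# Greeter/launch environment only: runs as the gdm user, no credentials are checked.` Without it, the file is easy to copy as a template for a login service by mistake.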
diff --git a/files/gdm/gdm-password.pam b/files/gdm/gdm-password.pam
new file mode 100644
index 00000000..f74c29a0
--- /dev/null
+++ b/files/gdm/gdm-password.pam
@@ -0,0 +1,16 @@
+auth        substack      password-auth
+auth        optional      pam_gnome_keyring.so
+auth        include       postlogin
+
+account     required      pam_nologin.so
+account     include       password-auth
+
+password    substack       password-auth
+-password   optional       pam_gnome_keyring.so use_authtok
+
+session     required      pam_loginuid.so
+session     optional      pam_keyinit.so force revoke
+session     required      pam_namespace.so
+session     include       password-auth
+session     optional      pam_gnome_keyring.so auto_start
+session     include       postlogin
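Review bot: The `-` prefix is applied to `pam_gnome_keyring.so` only on the `password` line, not on the `auth` and `session` lines of this file, and gdm-autologin.pam puts it on the `auth` line instead. The prefix tells PAM to skip the entry quietly when the module is not installed, so the mix means a missing keyring module is silent in one phase and logged as a load failure in the others. If the keyring is meant to be optional in the image, use `-auth        optional      pam_gnome_keyring.so` and `-session     optional      pam_gnome_keyring.so auto_start`. Otherwise drop the `-` from the password line. The same applies to the keyring lines in gdm-pin.pam and to the session line in gdm-autologin.pam.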
diff --git a/files/gdm/gdm-pin.pam b/files/gdm/gdm-pin.pam
new file mode 100644
index 00000000..bdd52a0a
--- /dev/null
+++ b/files/gdm/gdm-pin.pam
@@ -0,0 +1,17 @@
+auth        requisite     pam_pin.so
+auth        substack      password-auth
+auth        optional      pam_gnome_keyring.so
+auth        include       postlogin
+
+account     required      pam_nologin.so
+account     include       password-auth
+
+password    include       password-auth
+password    optional      pam_pin.so
+
+session     required      pam_loginuid.so
+session     optional      pam_keyinit.so force revoke
+session     required      pam_namespace.so
+session     include       password-auth
+session     optional      pam_gnome_keyring.so auto_start
+session     include       postlogin
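Review bot: `auth requisite pam_pin.so` on the first line makes the whole service depend on a module that is not part of stock Linux-PAM, and the commit message says PAM is built here without third-party additions. Nothing in this commit shows `pam_pin.so` being built or installed. If it is absent, the requisite entry cannot succeed and the gdm-pin service fails every attempt, so either confirm which element provides the module or leave gdm-pin.pam out until one does. After a successful PIN check the stack still runs `auth substack password-auth`, which appears to be inherited from the Red Hat layout. A one-line comment on the intended PIN-plus-password flow would help reviewers judge it.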
diff --git a/files/gdm/gdm-smartcard.pam b/files/gdm/gdm-smartcard.pam
new file mode 100644
index 00000000..618d1ccb
--- /dev/null
+++ b/files/gdm/gdm-smartcard.pam
@@ -0,0 +1,13 @@
+auth        substack      smartcard-auth
+auth        include       postlogin
+
+account     required      pam_nologin.so
+account     include       smartcard-auth
+
+password    include       smartcard-auth
+
+session     required      pam_loginuid.so
+session     optional      pam_keyinit.so force revoke
+session     required      pam_namespace.so
+session     include       smartcard-auth
+session     include       postlogin

