[gdm: 1/2] pam-arch: Update to match pambase 20200721.1-2




commit 8528a503ad70669a5f0c03d0a92ba19326983b82
Author: Jan Alexander Steffens (heftig) <heftig archlinux org>
Date:   Tue Oct 27 18:59:14 2020 +0000

    pam-arch: Update to match pambase 20200721.1-2
    
    Update the PAM files for Arch Linux. This has been applied downstream
    since Aug 2020.
    
    https://bugs.archlinux.org/task/67485

 data/meson.build                         |  1 -
 data/pam-arch/gdm-autologin.pam          | 22 ++++++++++++----------
 data/pam-arch/gdm-fingerprint.pam        | 31 ++++++++++++++++++++-----------
 data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++++++----------
 data/pam-arch/gdm-password.pam           | 17 +++++++++--------
 data/pam-arch/gdm-pin.pam                | 13 -------------
 data/pam-arch/gdm-smartcard.pam          | 31 ++++++++++++++++++++-----------
 7 files changed, 75 insertions(+), 64 deletions(-)
---
diff --git a/data/meson.build b/data/meson.build
index 23e2d7f9f..7c5222eaf 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -134,7 +134,6 @@ pam_data_files_map = {
     'gdm-fingerprint',
     'gdm-smartcard',
     'gdm-password',
-    'gdm-pin',
   ],
   'none': [],
   # We should no longer have 'autodetect' at this point
diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
index 99b142096..30bdf5294 100644
--- a/data/pam-arch/gdm-autologin.pam
+++ b/data/pam-arch/gdm-autologin.pam
@@ -1,13 +1,15 @@
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     optional  pam_gdm.so
-auth     optional  pam_gnome_keyring.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
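Review bot: The `[success=ok default=1]` action on the `pam_gdm.so` line skips by position, so it skips `pam_gnome_keyring.so` only while that stays the very next auth line, and nothing in the file says so. A line inserted between the two later would become the skipped module, and the keyring module would then run even when pam_gdm.so did not succeed. I would add a comment above it such as `# default=1: skip pam_gnome_keyring.so when pam_gdm.so does not succeed; keep these two lines adjacent`. The same pair appears in the gdm-fingerprint.pam and gdm-smartcard.pam hunks, where `[success=1 default=ignore]` in front of `pam_faillock.so authfail` has the same positional dependency.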
diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
index a48086176..cc660d9a9 100644
--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_fprintd.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the fingerprint
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_fprintd.so
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_fprintd.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
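Review bot: Replacing `pam_tally.so onerr=succeed` with the three `pam_faillock.so` calls means failed fingerprint attempts can now lock the account, where the removed line, having no `deny=` option, apparently only counted them. The hunk passes no `deny=` or `unlock_time=` either, so the thresholds come from faillock's defaults or `/etc/security/faillock.conf`. If the tally is shared with the password service (likely, since no `dir=` is given), a few misread fingers at the greeter would also block password login for that user until the lock expires. That deserves a comment in the file or a line in the commit message so administrators know where to tune it. The gdm-smartcard.pam hunk makes the same change.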
diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam
index d59c9cb99..20d1810a6 100644
--- a/data/pam-arch/gdm-launch-environment.pam
+++ b/data/pam-arch/gdm-launch-environment.pam
@@ -1,13 +1,17 @@
-auth     required  pam_env.so
-auth     required  pam_succeed_if.so audit quiet_success user = gdm
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  required  pam_succeed_if.so audit quiet_success user = gdm
-account  optional  pam_permit.so
+auth       required                    pam_succeed_if.so    audit quiet_success user in 
gdm:gnome-initial-setup
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
 
-password required  pam_deny.so
+account    required                    pam_succeed_if.so    audit quiet_success user in 
gdm:gnome-initial-setup
+account    optional                    pam_permit.so
 
-session  optional  pam_keyinit.so force revoke
-session  required  pam_succeed_if.so audit quiet_success user = gdm
-session  required  pam_systemd.so
-session  optional  pam_permit.so
+password   required                    pam_deny.so
+
+session    optional                    pam_loginuid.so
+session    optional                    pam_keyinit.so       force revoke
+session    required                    pam_succeed_if.so    audit quiet_success user in 
gdm:gnome-initial-setup
+session    optional                    pam_permit.so
+-session   optional                    pam_systemd.so
+session    required                    pam_env.so           user_readenv=1
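Review bot: The new last session line, `session required pam_env.so user_readenv=1`, explicitly turns on reading of the per-user environment file for the `gdm` and `gnome-initial-setup` service accounts, which the removed stack did not request. Anything able to write into those accounts' home directories could then set environment variables for the greeter session. Unless the greeter is known to depend on it, I would use `session required pam_env.so` without the option, or add a comment saying why the per-user file is needed here.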
diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam
index 8d34794e4..137242a69 100644
--- a/data/pam-arch/gdm-password.pam
+++ b/data/pam-arch/gdm-password.pam
@@ -1,11 +1,12 @@
-auth     include   system-local-login
-auth     optional  pam_gnome_keyring.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       include                     system-local-login
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
-password optional  pam_gnome_keyring.so use_authtok
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   include                     system-local-login
+password   optional                    pam_gnome_keyring.so use_authtok
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
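Review bot: The session stack no longer calls `pam_keyinit.so force revoke` itself, so whether a login gets its own fresh session keyring now depends entirely on what `system-local-login` pulls in, which this patch does not show. Presumably the updated pambase stack provides it, but if an administrator's copy of that stack lacks the module, the omission would go unnoticed. A one-line comment such as `# pam_keyinit.so is expected to come from system-local-login` would record the dependency. The same line is removed in the gdm-autologin.pam, gdm-fingerprint.pam and gdm-smartcard.pam hunks.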
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
index ec6f75d5b..e6ec12994 100644
--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_pkcs11.so wait_for_card card_only
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the smartcard
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_pkcs11.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start

