aboutsummaryrefslogblamecommitdiffstats
path: root/community/gdm/0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch
blob: a5b7bfbadf28b86acacf03dea5dc71f276e3800c (plain) (tree)



























































































                                                                                                                                                                             
                 
                              
                                                                    





                                                                                     

                                                                    






                                                                                     
                                                                    
































                                                                                     






































                                                                                    
Upstream: No
Reason: Required to work with linux-pam>=1.4
Source: https://raw.githubusercontent.com/archlinux/svntogit-packages/4c8454ff599d65024580291563f502fad58f0adb/trunk/0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Sun, 9 Aug 2020 00:34:37 +0000
Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2

https://bugs.archlinux.org/task/67485
---
 data/pam-arch/gdm-autologin.pam          | 22 +++++++++--------
 data/pam-arch/gdm-fingerprint.pam        | 31 +++++++++++++++---------
 data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++--------
 data/pam-arch/gdm-password.pam           | 17 +++++++------
 data/pam-arch/gdm-pin.pam                | 13 ----------
 data/pam-arch/gdm-smartcard.pam          | 31 +++++++++++++++---------
 6 files changed, 75 insertions(+), 63 deletions(-)
 delete mode 100644 data/pam-arch/gdm-pin.pam

diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
index 99b14209..30bdf529 100644
--- a/data/pam-arch/gdm-autologin.pam
+++ b/data/pam-arch/gdm-autologin.pam
@@ -1,13 +1,15 @@
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     optional  pam_gdm.so
-auth     optional  pam_gnome_keyring.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
index a4808617..cc660d9a 100644
--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_fprintd.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the fingerprint
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_fprintd.so
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_fprintd.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam
index d59c9cb9..2ff5ae56 100644
--- a/data/pam-arch/gdm-launch-environment.pam
+++ b/data/pam-arch/gdm-launch-environment.pam
@@ -1,13 +1,16 @@
-auth     required  pam_env.so
-auth     required  pam_succeed_if.so audit quiet_success user = gdm
-auth     optional  pam_permit.so
+#%PAM-1.0
+auth       required                    pam_succeed_if.so    quiet_success user = gdm
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
 
-account  required  pam_succeed_if.so audit quiet_success user = gdm
-account  optional  pam_permit.so
+account    required                    pam_succeed_if.so    quiet_success user = gdm
+account    optional                    pam_permit.so
 
-password required  pam_deny.so
+password   required                    pam_deny.so
 
-session  optional  pam_keyinit.so force revoke
-session  required  pam_succeed_if.so audit quiet_success user = gdm
-session  required  pam_systemd.so
-session  optional  pam_permit.so
+session    optional                    pam_loginuid.so
+session    optional                    pam_keyinit.so       force revoke
+session    required                    pam_succeed_if.so    quiet_success user = gdm
+session    optional                    pam_permit.so
+-session   optional                    pam_systemd.so
+session    required                    pam_env.so           user_readenv=1
diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam
index 8d34794e..137242a6 100644
--- a/data/pam-arch/gdm-password.pam
+++ b/data/pam-arch/gdm-password.pam
@@ -1,11 +1,12 @@
-auth     include   system-local-login
-auth     optional  pam_gnome_keyring.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       include                     system-local-login
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
-password optional  pam_gnome_keyring.so use_authtok
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   include                     system-local-login
+password   optional                    pam_gnome_keyring.so use_authtok
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
index ec6f75d5..e6ec1299 100644
--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_pkcs11.so wait_for_card card_only
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the smartcard
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_pkcs11.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start