aboutsummaryrefslogtreecommitdiffstats
path: root/community/gdm/0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch
blob: a5b7bfbadf28b86acacf03dea5dc71f276e3800c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
Upstream: No
Reason: Required to work with linux-pam>=1.4
Source: https://raw.githubusercontent.com/archlinux/svntogit-packages/4c8454ff599d65024580291563f502fad58f0adb/trunk/0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Sun, 9 Aug 2020 00:34:37 +0000
Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2

https://bugs.archlinux.org/task/67485
---
 data/pam-arch/gdm-autologin.pam          | 22 +++++++++--------
 data/pam-arch/gdm-fingerprint.pam        | 31 +++++++++++++++---------
 data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++--------
 data/pam-arch/gdm-password.pam           | 17 +++++++------
 data/pam-arch/gdm-pin.pam                | 13 ----------
 data/pam-arch/gdm-smartcard.pam          | 31 +++++++++++++++---------
 6 files changed, 75 insertions(+), 63 deletions(-)
 delete mode 100644 data/pam-arch/gdm-pin.pam

diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
index 99b14209..30bdf529 100644
--- a/data/pam-arch/gdm-autologin.pam
+++ b/data/pam-arch/gdm-autologin.pam
@@ -1,13 +1,15 @@
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     optional  pam_gdm.so
-auth     optional  pam_gnome_keyring.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
index a4808617..cc660d9a 100644
--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_fprintd.so
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the fingerprint
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_fprintd.so
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_fprintd.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam
index d59c9cb9..2ff5ae56 100644
--- a/data/pam-arch/gdm-launch-environment.pam
+++ b/data/pam-arch/gdm-launch-environment.pam
@@ -1,13 +1,16 @@
-auth     required  pam_env.so
-auth     required  pam_succeed_if.so audit quiet_success user = gdm
-auth     optional  pam_permit.so
+#%PAM-1.0
+auth       required                    pam_succeed_if.so    quiet_success user = gdm
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
 
-account  required  pam_succeed_if.so audit quiet_success user = gdm
-account  optional  pam_permit.so
+account    required                    pam_succeed_if.so    quiet_success user = gdm
+account    optional                    pam_permit.so
 
-password required  pam_deny.so
+password   required                    pam_deny.so
 
-session  optional  pam_keyinit.so force revoke
-session  required  pam_succeed_if.so audit quiet_success user = gdm
-session  required  pam_systemd.so
-session  optional  pam_permit.so
+session    optional                    pam_loginuid.so
+session    optional                    pam_keyinit.so       force revoke
+session    required                    pam_succeed_if.so    quiet_success user = gdm
+session    optional                    pam_permit.so
+-session   optional                    pam_systemd.so
+session    required                    pam_env.so           user_readenv=1
diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam
index 8d34794e..137242a6 100644
--- a/data/pam-arch/gdm-password.pam
+++ b/data/pam-arch/gdm-password.pam
@@ -1,11 +1,12 @@
-auth     include   system-local-login
-auth     optional  pam_gnome_keyring.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       include                     system-local-login
+auth       optional                    pam_gnome_keyring.so
 
-password include   system-local-login
-password optional  pam_gnome_keyring.so use_authtok
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
-session  optional  pam_gnome_keyring.so auto_start
+password   include                     system-local-login
+password   optional                    pam_gnome_keyring.so use_authtok
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
index ec6f75d5..e6ec1299 100644
--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
@@ -1,14 +1,23 @@
-auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
-auth     required  pam_shells.so
-auth     requisite pam_nologin.so
-auth     required  pam_env.so
-auth     required  pam_pkcs11.so wait_for_card card_only
-auth     optional  pam_permit.so
+#%PAM-1.0
 
-account  include   system-local-login
+auth       required                    pam_shells.so
+auth       requisite                   pam_nologin.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the smartcard
+# on locked accounts.
+auth       [success=1 default=ignore]  pam_pkcs11.so        wait_for_card card_only
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth       [success=ok default=1]      pam_gdm.so
+auth       optional                    pam_gnome_keyring.so
 
-password required  pam_pkcs11.so
-password optional  pam_permit.so
+account    include                     system-local-login
 
-session  optional  pam_keyinit.so force revoke
-session  include   system-local-login
+password   required                    pam_deny.so
+
+session    include                     system-local-login
+session    optional                    pam_gnome_keyring.so auto_start