|
 |
afb90ea |
From 0a7779b47319eb47b4d5d51f6eb653434c204c29 Mon Sep 17 00:00:00 2001
|
|
|
afb90ea |
From: Ray Strode <rstrode@redhat.com>
|
|
|
afb90ea |
Date: Tue, 30 Aug 2016 16:10:19 -0400
|
|
|
afb90ea |
Subject: [PATCH 1/2] pam_gdm: return AUTHINFO_UNAVAIL if kernel keyring
|
|
|
afb90ea |
unavailable
|
|
|
afb90ea |
|
|
|
afb90ea |
right now we return PAM_SUCCESS if keyutils are unavailable.
|
|
|
afb90ea |
This is the wrong default, we should fail if we aren't able to
|
|
|
afb90ea |
get the password.
|
|
|
afb90ea |
|
|
|
afb90ea |
https://bugzilla.gnome.org/show_bug.cgi?id=770612
|
|
|
afb90ea |
---
|
|
|
afb90ea |
pam_gdm/pam_gdm.c | 2 +-
|
|
|
afb90ea |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
afb90ea |
|
|
|
afb90ea |
diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c
|
|
|
afb90ea |
index 7beb04e..f491b8d 100644
|
|
|
afb90ea |
--- a/pam_gdm/pam_gdm.c
|
|
|
afb90ea |
+++ b/pam_gdm/pam_gdm.c
|
|
|
afb90ea |
@@ -31,61 +31,61 @@
|
|
|
afb90ea |
#include <keyutils.h>
|
|
|
afb90ea |
#endif
|
|
|
afb90ea |
|
|
|
afb90ea |
int
|
|
|
afb90ea |
pam_sm_authenticate (pam_handle_t *pamh,
|
|
|
afb90ea |
int flags,
|
|
|
afb90ea |
int argc,
|
|
|
afb90ea |
const char **argv)
|
|
|
afb90ea |
{
|
|
|
afb90ea |
#ifdef HAVE_KEYUTILS
|
|
|
afb90ea |
int r;
|
|
|
afb90ea |
void *cached_password = NULL;
|
|
|
afb90ea |
key_serial_t serial;
|
|
|
afb90ea |
|
|
|
afb90ea |
serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
|
|
|
afb90ea |
if (serial == 0)
|
|
|
afb90ea |
return PAM_AUTHINFO_UNAVAIL;
|
|
|
afb90ea |
|
|
|
afb90ea |
r = keyctl_read_alloc (serial, &cached_password);
|
|
|
afb90ea |
if (r < 0)
|
|
|
afb90ea |
return PAM_AUTHINFO_UNAVAIL;
|
|
|
afb90ea |
|
|
|
afb90ea |
r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
|
|
|
afb90ea |
|
|
|
afb90ea |
free (cached_password);
|
|
|
afb90ea |
|
|
|
afb90ea |
if (r < 0)
|
|
|
afb90ea |
return PAM_AUTH_ERR;
|
|
|
afb90ea |
#endif
|
|
|
afb90ea |
|
|
|
afb90ea |
- return PAM_SUCCESS;
|
|
|
afb90ea |
+ return PAM_AUTHINFO_UNAVAIL;
|
|
|
afb90ea |
}
|
|
|
afb90ea |
|
|
|
afb90ea |
int
|
|
|
afb90ea |
pam_sm_setcred (pam_handle_t *pamh,
|
|
|
afb90ea |
int flags,
|
|
|
afb90ea |
int argc,
|
|
|
afb90ea |
const char **argv)
|
|
|
afb90ea |
{
|
|
|
afb90ea |
return PAM_SUCCESS;
|
|
|
afb90ea |
}
|
|
|
afb90ea |
|
|
|
afb90ea |
int
|
|
|
afb90ea |
pam_sm_acct_mgmt (pam_handle_t *pamh,
|
|
|
afb90ea |
int flags,
|
|
|
afb90ea |
int argc,
|
|
|
afb90ea |
const char **argv)
|
|
|
afb90ea |
{
|
|
|
afb90ea |
return PAM_SUCCESS;
|
|
|
afb90ea |
}
|
|
|
afb90ea |
|
|
|
afb90ea |
int
|
|
|
afb90ea |
pam_sm_chauthtok (pam_handle_t *pamh,
|
|
|
afb90ea |
int flags,
|
|
|
afb90ea |
int argc,
|
|
|
afb90ea |
const char **argv)
|
|
|
afb90ea |
{
|
|
|
afb90ea |
return PAM_SUCCESS;
|
|
|
afb90ea |
}
|
|
|
afb90ea |
|
|
|
afb90ea |
int
|
|
|
afb90ea |
--
|
|
|
afb90ea |
2.7.4
|
|
|
afb90ea |
|
|
|
afb90ea |
|
|
|
afb90ea |
From 5716de2c0ec11a77c279c6952ea76d173d46b0e3 Mon Sep 17 00:00:00 2001
|
|
|
afb90ea |
From: Ray Strode <rstrode@redhat.com>
|
|
|
afb90ea |
Date: Tue, 30 Aug 2016 15:58:15 -0400
|
|
|
afb90ea |
Subject: [PATCH 2/2] pam: don't call into pam_unix if pam_gdm fails for
|
|
|
afb90ea |
autolgoin
|
|
|
afb90ea |
|
|
|
afb90ea |
If pam_gdm fails we shouldn't call into pam_unix since it can lead
|
|
|
afb90ea |
to the system asking for a password, and autologin isn't equipped for
|
|
|
afb90ea |
that.
|
|
|
afb90ea |
|
|
|
afb90ea |
This commit changes the pam configuration to jump to pam_permit if
|
|
|
afb90ea |
pam_gdm fails.
|
|
|
afb90ea |
|
|
|
afb90ea |
https://bugzilla.gnome.org/show_bug.cgi?id=770612
|
|
|
afb90ea |
---
|
|
|
afb90ea |
data/pam-exherbo/gdm-autologin.pam | 4 ++--
|
|
|
afb90ea |
data/pam-redhat/gdm-autologin.pam | 2 +-
|
|
|
afb90ea |
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
afb90ea |
|
|
|
afb90ea |
diff --git a/data/pam-exherbo/gdm-autologin.pam b/data/pam-exherbo/gdm-autologin.pam
|
|
|
afb90ea |
index afde048..61f8e54 100644
|
|
|
afb90ea |
--- a/data/pam-exherbo/gdm-autologin.pam
|
|
|
afb90ea |
+++ b/data/pam-exherbo/gdm-autologin.pam
|
|
|
afb90ea |
@@ -1,15 +1,15 @@
|
|
|
afb90ea |
# mirrors system-auth / system(-local)-login
|
|
|
afb90ea |
# except for the authentication method, which is:
|
|
|
afb90ea |
# always permit login
|
|
|
afb90ea |
|
|
|
afb90ea |
-auth optional pam_gdm.so
|
|
|
afb90ea |
+auth [success=ok default=2] pam_gdm.so
|
|
|
afb90ea |
auth substack system-local-login
|
|
|
afb90ea |
-auth sufficient pam_permit.so
|
|
|
afb90ea |
-auth optional pam_gnome_keyring.so
|
|
|
afb90ea |
+auth sufficient pam_permit.so
|
|
|
afb90ea |
|
|
|
afb90ea |
account include system-local-login
|
|
|
afb90ea |
|
|
|
afb90ea |
password include system-local-login
|
|
|
afb90ea |
|
|
|
afb90ea |
session include system-local-login
|
|
|
afb90ea |
-session optional pam_gnome_keyring.so auto_start
|
|
|
afb90ea |
diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam
|
|
|
afb90ea |
index c2efea8..fbc9d9c 100644
|
|
|
afb90ea |
--- a/data/pam-redhat/gdm-autologin.pam
|
|
|
afb90ea |
+++ b/data/pam-redhat/gdm-autologin.pam
|
|
|
afb90ea |
@@ -1,18 +1,18 @@
|
|
|
afb90ea |
#%PAM-1.0
|
|
|
afb90ea |
-auth optional pam_gdm.so
|
|
|
afb90ea |
+auth [success=ok default=2] pam_gdm.so
|
|
|
afb90ea |
auth substack password-auth
|
|
|
afb90ea |
auth optional pam_gnome_keyring.so
|
|
|
afb90ea |
auth sufficient pam_permit.so
|
|
|
afb90ea |
auth include postlogin
|
|
|
afb90ea |
account required pam_nologin.so
|
|
|
afb90ea |
account include system-auth
|
|
|
afb90ea |
password include system-auth
|
|
|
afb90ea |
session required pam_selinux.so close
|
|
|
afb90ea |
session required pam_loginuid.so
|
|
|
afb90ea |
session optional pam_console.so
|
|
|
afb90ea |
session required pam_selinux.so open
|
|
|
afb90ea |
session optional pam_keyinit.so force revoke
|
|
|
afb90ea |
session required pam_namespace.so
|
|
|
afb90ea |
session include system-auth
|
|
|
afb90ea |
session optional pam_gnome_keyring.so auto_start
|
|
|
afb90ea |
session include postlogin
|
|
|
afb90ea |
--
|
|
|
afb90ea |
2.7.4
|
|
|
afb90ea |
|