From 0a7779b47319eb47b4d5d51f6eb653434c204c29 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Tue, 30 Aug 2016 16:10:19 -0400 Subject: [PATCH 1/2] pam_gdm: return AUTHINFO_UNAVAIL if kernel keyring unavailable right now we return PAM_SUCCESS if keyutils are unavailable. This is the wrong default, we should fail if we aren't able to get the password. https://bugzilla.gnome.org/show_bug.cgi?id=770612 --- pam_gdm/pam_gdm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pam_gdm/pam_gdm.c b/pam_gdm/pam_gdm.c index 7beb04e..f491b8d 100644 --- a/pam_gdm/pam_gdm.c +++ b/pam_gdm/pam_gdm.c @@ -31,61 +31,61 @@ #include #endif int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv) { #ifdef HAVE_KEYUTILS int r; void *cached_password = NULL; key_serial_t serial; serial = find_key_by_type_and_desc ("user", "cryptsetup", 0); if (serial == 0) return PAM_AUTHINFO_UNAVAIL; r = keyctl_read_alloc (serial, &cached_password); if (r < 0) return PAM_AUTHINFO_UNAVAIL; r = pam_set_item (pamh, PAM_AUTHTOK, cached_password); free (cached_password); if (r < 0) return PAM_AUTH_ERR; #endif - return PAM_SUCCESS; + return PAM_AUTHINFO_UNAVAIL; } int pam_sm_setcred (pam_handle_t *pamh, int flags, int argc, const char **argv) { return PAM_SUCCESS; } int pam_sm_acct_mgmt (pam_handle_t *pamh, int flags, int argc, const char **argv) { return PAM_SUCCESS; } int pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) { return PAM_SUCCESS; } int -- 2.7.4 From 5716de2c0ec11a77c279c6952ea76d173d46b0e3 Mon Sep 17 00:00:00 2001 
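Review bot: After this change the successful path also returns PAM_AUTHINFO_UNAVAIL: when HAVE_KEYUTILS is defined and pam_set_item succeeds, control falls through the `#endif` onto the replaced `return`, so pam_gdm can never report PAM_SUCCESS and a `success=` branch in the pam configuration is unreachable. The fallback belongs only to the no-keyutils build: end the `#ifdef` body with `return PAM_SUCCESS;`, then `#else` / `return PAM_AUTHINFO_UNAVAIL;` / `#endif`. Separately, `if (r < 0) return PAM_AUTH_ERR;` after pam_set_item never fires, because PAM reports failure with positive PAM_* codes; compare `r != PAM_SUCCESS` instead. cached_password holds the passphrase read from the "cryptsetup" key, so it should be wiped (e.g. explicit_bzero over the length keyctl_read_alloc returned, kept in its own variable since r is reused) before free, and a one-line comment stating that pam_sm_authenticate copies the cryptsetup passphrase from the kernel keyring into PAM_AUTHTOK would help the next reader.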
From: Ray Strode Date: Tue, 30 Aug 2016 15:58:15 -0400 Subject: [PATCH 2/2] pam: don't call into pam_unix if pam_gdm fails for autolgoin If pam_gdm fails we shouldn't call into pam_unix since it can lead to the system asking for a password, and autologin isn't equipped for that. This commit changes the pam configuration to jump to pam_permit if pam_gdm fails. https://bugzilla.gnome.org/show_bug.cgi?id=770612 --- data/pam-exherbo/gdm-autologin.pam | 4 ++-- data/pam-redhat/gdm-autologin.pam | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/data/pam-exherbo/gdm-autologin.pam b/data/pam-exherbo/gdm-autologin.pam index afde048..61f8e54 100644 --- a/data/pam-exherbo/gdm-autologin.pam +++ b/data/pam-exherbo/gdm-autologin.pam @@ -1,15 +1,15 @@ # mirrors system-auth / system(-local)-login # except for the authentication method, which is: # always permit login -auth optional pam_gdm.so +auth [success=ok default=2] pam_gdm.so auth substack system-local-login -auth sufficient pam_permit.so -auth optional pam_gnome_keyring.so +auth sufficient pam_permit.so account include system-local-login password include system-local-login session include system-local-login -session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-redhat/gdm-autologin.pam b/data/pam-redhat/gdm-autologin.pam index c2efea8..fbc9d9c 100644 --- a/data/pam-redhat/gdm-autologin.pam +++ b/data/pam-redhat/gdm-autologin.pam 
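Review bot: On the new side shown here only two auth lines follow pam_gdm (`auth substack system-local-login` and `auth sufficient pam_permit.so`), so `default=2` skips both and a pam_gdm failure jumps past the last auth module rather than onto pam_permit; if the file really looks like this the count should be `[success=ok default=1]`, or the landing line re-checked. This hunk may be incompletely rendered — the diffstat reports 2 insertions and 2 deletions for this file while the hunk shows two `+` lines and four `-` lines — so verify against the actual file before changing the count. Either way the jump is positional and deserves a comment naming its target, e.g. `# if pam_gdm cannot supply the cached password, skip the system-local-login substack and land on pam_permit`.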
@@ -1,18 +1,18 @@
 #%PAM-1.0
-auth optional pam_gdm.so
+auth [success=ok default=2] pam_gdm.so
 auth substack password-auth
 auth optional pam_gnome_keyring.so
 auth sufficient pam_permit.so
 auth include postlogin
 account required pam_nologin.so
 account include system-auth
 password include system-auth
 session required pam_selinux.so close
 session required pam_loginuid.so
 session optional pam_console.so
 session required pam_selinux.so open
 session optional pam_keyinit.so force revoke
 session required pam_namespace.so
 session include system-auth
 session optional pam_gnome_keyring.so auto_start
 session include postlogin
-- 
2.7.4
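Review bot: The `default=2` on the new pam_gdm line is a positional jump that has to land exactly on `auth sufficient pam_permit.so`, skipping the password-auth substack and pam_gnome_keyring; any auth line added or removed between them later silently changes where a pam_gdm failure lands, and nothing in the file says so. Add a comment above it such as `# if pam_gdm cannot supply the cached password, skip password-auth and pam_gnome_keyring and go straight to pam_permit; keep default=N in step with the number of auth lines in between`. Note also that `default=` catches every non-success code, so PAM_AUTH_ERR from a failed pam_set_item and PAM_AUTHINFO_UNAVAIL when no key exists are treated alike and both end in pam_permit; that is what autologin wants, but on that path PAM_AUTHTOK is never set and pam_gnome_keyring is skipped, so presumably the login keyring is not unlocked — worth stating in the same comment if that is the intended trade-off.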