summarylogtreecommitdiffstats
path: root/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch
diff options
context:
space:
mode:
Diffstat (limited to '0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch')
-rw-r--r--0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch216
1 files changed, 216 insertions, 0 deletions
diff --git a/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch b/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch
new file mode 100644
index 00000000000..9f4cce14fc5
--- /dev/null
+++ b/0001-pam-arch-Update-to-match-pambase-20200721.1-2.patch
@@ -0,0 +1,216 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
+Date: Tue, 27 Oct 2020 18:59:14 +0000
+Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2
+
+Update the PAM files for Arch Linux. This has been applied downstream
+since Aug 2020.
+
+https://bugs.archlinux.org/task/67485
+---
+ data/meson.build | 1 -
+ data/pam-arch/gdm-autologin.pam | 22 +++++++++--------
+ data/pam-arch/gdm-fingerprint.pam | 31 +++++++++++++++---------
+ data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++--------
+ data/pam-arch/gdm-password.pam | 17 +++++++------
+ data/pam-arch/gdm-pin.pam | 13 ----------
+ data/pam-arch/gdm-smartcard.pam | 31 +++++++++++++++---------
+ 7 files changed, 75 insertions(+), 64 deletions(-)
+ delete mode 100644 data/pam-arch/gdm-pin.pam
+
+diff --git a/data/meson.build b/data/meson.build
+index 23e2d7f9..7c5222ea 100644
+--- a/data/meson.build
++++ b/data/meson.build
+@@ -134,7 +134,6 @@ pam_data_files_map = {
+ 'gdm-fingerprint',
+ 'gdm-smartcard',
+ 'gdm-password',
+- 'gdm-pin',
+ ],
+ 'none': [],
+ # We should no longer have 'autodetect' at this point
+diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
+index 99b14209..30bdf529 100644
+--- a/data/pam-arch/gdm-autologin.pam
++++ b/data/pam-arch/gdm-autologin.pam
+@@ -1,13 +1,15 @@
+-auth requisite pam_nologin.so
+-auth required pam_env.so
+-auth optional pam_gdm.so
+-auth optional pam_gnome_keyring.so
+-auth optional pam_permit.so
++#%PAM-1.0
+
+-account include system-local-login
++auth required pam_shells.so
++auth requisite pam_nologin.so
++auth optional pam_permit.so
++auth required pam_env.so
++auth [success=ok default=1] pam_gdm.so
++auth optional pam_gnome_keyring.so
+
+-password include system-local-login
++account include system-local-login
+
+-session optional pam_keyinit.so force revoke
+-session include system-local-login
+-session optional pam_gnome_keyring.so auto_start
++password required pam_deny.so
++
++session include system-local-login
++session optional pam_gnome_keyring.so auto_start
+diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
+index a4808617..cc660d9a 100644
+--- a/data/pam-arch/gdm-fingerprint.pam
++++ b/data/pam-arch/gdm-fingerprint.pam
+@@ -1,14 +1,23 @@
+-auth required pam_tally.so onerr=succeed file=/var/log/faillog
+-auth required pam_shells.so
+-auth requisite pam_nologin.so
+-auth required pam_env.so
+-auth required pam_fprintd.so
+-auth optional pam_permit.so
++#%PAM-1.0
+
+-account include system-local-login
++auth required pam_shells.so
++auth requisite pam_nologin.so
++auth required pam_faillock.so preauth
++# Optionally use requisite above if you do not want to prompt for the fingerprint
++# on locked accounts.
++auth [success=1 default=ignore] pam_fprintd.so
++auth [default=die] pam_faillock.so authfail
++auth optional pam_permit.so
++auth required pam_env.so
++auth required pam_faillock.so authsucc
++# If you drop the above call to pam_faillock.so the lock will be done also
++# on non-consecutive authentication failures.
++auth [success=ok default=1] pam_gdm.so
++auth optional pam_gnome_keyring.so
+
+-password required pam_fprintd.so
+-password optional pam_permit.so
++account include system-local-login
+
+-session optional pam_keyinit.so force revoke
+-session include system-local-login
++password required pam_deny.so
++
++session include system-local-login
++session optional pam_gnome_keyring.so auto_start
+diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam
+index d59c9cb9..20d1810a 100644
+--- a/data/pam-arch/gdm-launch-environment.pam
++++ b/data/pam-arch/gdm-launch-environment.pam
+@@ -1,13 +1,17 @@
+-auth required pam_env.so
+-auth required pam_succeed_if.so audit quiet_success user = gdm
+-auth optional pam_permit.so
++#%PAM-1.0
+
+-account required pam_succeed_if.so audit quiet_success user = gdm
+-account optional pam_permit.so
++auth required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup
++auth optional pam_permit.so
++auth required pam_env.so
+
+-password required pam_deny.so
++account required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup
++account optional pam_permit.so
+
+-session optional pam_keyinit.so force revoke
+-session required pam_succeed_if.so audit quiet_success user = gdm
+-session required pam_systemd.so
+-session optional pam_permit.so
++password required pam_deny.so
++
++session optional pam_loginuid.so
++session optional pam_keyinit.so force revoke
++session required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup
++session optional pam_permit.so
++-session optional pam_systemd.so
++session required pam_env.so user_readenv=1
+diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam
+index 8d34794e..137242a6 100644
+--- a/data/pam-arch/gdm-password.pam
++++ b/data/pam-arch/gdm-password.pam
+@@ -1,11 +1,12 @@
+-auth include system-local-login
+-auth optional pam_gnome_keyring.so
++#%PAM-1.0
+
+-account include system-local-login
++auth include system-local-login
++auth optional pam_gnome_keyring.so
+
+-password include system-local-login
+-password optional pam_gnome_keyring.so use_authtok
++account include system-local-login
+
+-session optional pam_keyinit.so force revoke
+-session include system-local-login
+-session optional pam_gnome_keyring.so auto_start
++password include system-local-login
++password optional pam_gnome_keyring.so use_authtok
++
++session include system-local-login
++session optional pam_gnome_keyring.so auto_start
+diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam
+deleted file mode 100644
+index 135e205e..00000000
+--- a/data/pam-arch/gdm-pin.pam
++++ /dev/null
+@@ -1,13 +0,0 @@
+-auth requisite pam_pin.so
+-auth include system-local-login
+-auth optional pam_gnome_keyring.so
+-
+-account include system-local-login
+-
+-password include system-local-login
+-password optional pam_pin.so
+-password optional pam_gnome_keyring.so use_authtok
+-
+-session optional pam_keyinit.so force revoke
+-session include system-local-login
+-session optional pam_gnome_keyring.so auto_start
+diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
+index ec6f75d5..e6ec1299 100644
+--- a/data/pam-arch/gdm-smartcard.pam
++++ b/data/pam-arch/gdm-smartcard.pam
+@@ -1,14 +1,23 @@
+-auth required pam_tally.so onerr=succeed file=/var/log/faillog
+-auth required pam_shells.so
+-auth requisite pam_nologin.so
+-auth required pam_env.so
+-auth required pam_pkcs11.so wait_for_card card_only
+-auth optional pam_permit.so
++#%PAM-1.0
+
+-account include system-local-login
++auth required pam_shells.so
++auth requisite pam_nologin.so
++auth required pam_faillock.so preauth
++# Optionally use requisite above if you do not want to prompt for the smartcard
++# on locked accounts.
++auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only
++auth [default=die] pam_faillock.so authfail
++auth optional pam_permit.so
++auth required pam_env.so
++auth required pam_faillock.so authsucc
++# If you drop the above call to pam_faillock.so the lock will be done also
++# on non-consecutive authentication failures.
++auth [success=ok default=1] pam_gdm.so
++auth optional pam_gnome_keyring.so
+
+-password required pam_pkcs11.so
+-password optional pam_permit.so
++account include system-local-login
+
+-session optional pam_keyinit.so force revoke
+-session include system-local-login
++password required pam_deny.so
++
++session include system-local-login
++session optional pam_gnome_keyring.so auto_start