From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: "Jan Alexander Steffens (heftig)" Date: Sun, 9 Aug 2020 00:34:37 +0000 Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2 https://bugs.archlinux.org/task/67485 --- data/pam-arch/gdm-autologin.pam | 22 +++++++++-------- data/pam-arch/gdm-fingerprint.pam | 31 +++++++++++++++--------- data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++-------- data/pam-arch/gdm-password.pam | 17 +++++++------ data/pam-arch/gdm-pin.pam | 13 ---------- data/pam-arch/gdm-smartcard.pam | 31 +++++++++++++++--------- 6 files changed, 75 insertions(+), 63 deletions(-) delete mode 100644 data/pam-arch/gdm-pin.pam diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam index 99b14209..30bdf529 100644 --- a/data/pam-arch/gdm-autologin.pam +++ b/data/pam-arch/gdm-autologin.pam @@ -1,13 +1,15 @@ -auth requisite pam_nologin.so -auth required pam_env.so -auth optional pam_gdm.so -auth optional pam_gnome_keyring.so -auth optional pam_permit.so +#%PAM-1.0 -account include system-local-login +auth required pam_shells.so +auth requisite pam_nologin.so +auth optional pam_permit.so +auth required pam_env.so +auth [success=ok default=1] pam_gdm.so +auth optional pam_gnome_keyring.so -password include system-local-login +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login -session optional pam_gnome_keyring.so auto_start +password required pam_deny.so + +session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam index a4808617..cc660d9a 100644 --- a/data/pam-arch/gdm-fingerprint.pam +++ b/data/pam-arch/gdm-fingerprint.pam @@ -1,14 +1,23 @@ -auth required pam_tally.so onerr=succeed file=/var/log/faillog -auth required pam_shells.so -auth requisite pam_nologin.so -auth required pam_env.so -auth required pam_fprintd.so -auth optional pam_permit.so +#%PAM-1.0 -account include system-local-login +auth required pam_shells.so +auth requisite pam_nologin.so +auth required pam_faillock.so preauth +# Optionally use requisite above if you do not want to prompt for the fingerprint +# on locked accounts. +auth [success=1 default=ignore] pam_fprintd.so +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. +auth [success=ok default=1] pam_gdm.so +auth optional pam_gnome_keyring.so -password required pam_fprintd.so -password optional pam_permit.so +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login +password required pam_deny.so + +session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam index d59c9cb9..2ff5ae56 100644 --- a/data/pam-arch/gdm-launch-environment.pam +++ b/data/pam-arch/gdm-launch-environment.pam @@ -1,13 +1,17 @@ -auth required pam_env.so -auth required pam_succeed_if.so audit quiet_success user = gdm -auth optional pam_permit.so +#%PAM-1.0 -account required pam_succeed_if.so audit quiet_success user = gdm -account optional pam_permit.so +auth required pam_succeed_if.so audit quiet_success user = gdm +auth optional pam_permit.so +auth required pam_env.so -password required pam_deny.so +account required pam_succeed_if.so audit quiet_success user = gdm +account optional pam_permit.so -session optional pam_keyinit.so force revoke -session required pam_succeed_if.so audit quiet_success user = gdm -session required pam_systemd.so -session optional pam_permit.so +password required pam_deny.so + +session optional pam_loginuid.so +session optional pam_keyinit.so force revoke +session required pam_succeed_if.so audit quiet_success user = gdm +session optional pam_permit.so +-session optional pam_systemd.so +session required pam_env.so user_readenv=1 diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam index 8d34794e..137242a6 100644 --- a/data/pam-arch/gdm-password.pam +++ b/data/pam-arch/gdm-password.pam @@ -1,11 +1,12 @@ -auth include system-local-login -auth optional pam_gnome_keyring.so +#%PAM-1.0 -account include system-local-login +auth include system-local-login +auth optional pam_gnome_keyring.so -password include system-local-login -password optional pam_gnome_keyring.so use_authtok +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login -session optional pam_gnome_keyring.so auto_start +password include system-local-login +password optional pam_gnome_keyring.so use_authtok + +session include system-local-login +session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam deleted file mode 100644 index 135e205e..00000000 --- a/data/pam-arch/gdm-pin.pam +++ /dev/null @@ -1,13 +0,0 @@ -auth requisite pam_pin.so -auth include system-local-login -auth optional pam_gnome_keyring.so - -account include system-local-login - -password include system-local-login -password optional pam_pin.so -password optional pam_gnome_keyring.so use_authtok - -session optional pam_keyinit.so force revoke -session include system-local-login -session optional pam_gnome_keyring.so auto_start diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam index ec6f75d5..e6ec1299 100644 --- a/data/pam-arch/gdm-smartcard.pam +++ b/data/pam-arch/gdm-smartcard.pam @@ -1,14 +1,23 @@ -auth required pam_tally.so onerr=succeed file=/var/log/faillog -auth required pam_shells.so -auth requisite pam_nologin.so -auth required pam_env.so -auth required pam_pkcs11.so wait_for_card card_only -auth optional pam_permit.so +#%PAM-1.0 -account include system-local-login +auth required pam_shells.so +auth requisite pam_nologin.so +auth required pam_faillock.so preauth +# Optionally use requisite above if you do not want to prompt for the smartcard +# on locked accounts. +auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. +auth [success=ok default=1] pam_gdm.so +auth optional pam_gnome_keyring.so -password required pam_pkcs11.so -password optional pam_permit.so +account include system-local-login -session optional pam_keyinit.so force revoke -session include system-local-login +password required pam_deny.so + +session include system-local-login +session optional pam_gnome_keyring.so auto_start