From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Tue, 27 Oct 2020 18:59:14 +0000
Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2
https://bugs.archlinux.org/task/67485
---
data/meson.build | 1 -
data/pam-arch/gdm-autologin.pam | 22 +++++++++--------
data/pam-arch/gdm-fingerprint.pam | 31 +++++++++++++++---------
data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++--------
data/pam-arch/gdm-password.pam | 17 +++++++------
data/pam-arch/gdm-pin.pam | 13 ----------
data/pam-arch/gdm-smartcard.pam | 31 +++++++++++++++---------
7 files changed, 75 insertions(+), 64 deletions(-)
delete mode 100644 data/pam-arch/gdm-pin.pam
diff --git a/data/meson.build b/data/meson.build
index 05a20117..5d9e2847 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -135,7 +135,6 @@ pam_data_files_map = {
'gdm-fingerprint',
'gdm-smartcard',
'gdm-password',
- 'gdm-pin',
],
'none': [],
# We should no longer have 'autodetect' at this point
diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam
index 99b14209..30bdf529 100644
--- a/data/pam-arch/gdm-autologin.pam
+++ b/data/pam-arch/gdm-autologin.pam
@@ -1,13 +1,15 @@
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth optional pam_gdm.so
-auth optional pam_gnome_keyring.so
-auth optional pam_permit.so
+#%PAM-1.0
-account include system-local-login
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth optional pam_permit.so
+auth required pam_env.so
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
-password include system-local-login
+account include system-local-login
-session optional pam_keyinit.so force revoke
-session include system-local-login
-session optional pam_gnome_keyring.so auto_start
+password required pam_deny.so
+
+session include system-local-login
+session optional pam_gnome_keyring.so auto_start
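Review bot: The new session stack no longer runs `session optional pam_keyinit.so force revoke`, and the same removal appears in gdm-fingerprint.pam, gdm-password.pam and gdm-smartcard.pam, while gdm-launch-environment.pam keeps it. Without that call the logged-in session inherits the session keyring of the process that opened it (the greeter) instead of getting a fresh, revoked one; that is only harmless if the `system-local-login` chain from pambase now supplies pam_keyinit itself, which I cannot confirm from this patch. If pambase does provide it, a one-line comment next to the include, `# pam_keyinit force revoke is provided by system-local-login (pambase >= 20200721)`, would stop a future reader from re-adding or mis-diagnosing it.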
diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
index a4808617..cc660d9a 100644
--- a/data/pam-arch/gdm-fingerprint.pam
+++ b/data/pam-arch/gdm-fingerprint.pam
@@ -1,14 +1,23 @@
-auth required pam_tally.so onerr=succeed file=/var/log/faillog
-auth required pam_shells.so
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth required pam_fprintd.so
-auth optional pam_permit.so
+#%PAM-1.0
-account include system-local-login
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth required pam_faillock.so preauth
+# Optionally use requisite above if you do not want to prompt for the fingerprint
+# on locked accounts.
+auth [success=1 default=ignore] pam_fprintd.so
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
-password required pam_fprintd.so
-password optional pam_permit.so
+account include system-local-login
-session optional pam_keyinit.so force revoke
-session include system-local-login
+password required pam_deny.so
+
+session include system-local-login
+session optional pam_gnome_keyring.so auto_start
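Review bot: A fingerprint no-match now takes the `[default=die] pam_faillock.so authfail` path, which records a failure in the same per-user pam_faillock tally that the password stack uses, so a handful of failed scans can lock the account out of password login as well (the deny threshold lives in faillock's own configuration, not here). The identical sequence is in gdm-smartcard.pam, where a missing or wrong card has the same effect. This is a deliberate hardening over the old `pam_tally.so onerr=succeed` line, but it is worth stating in the file: `# Note: failures here count toward the same per-user pam_faillock tally as password failures.` placed above the authfail line in both files.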
diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam
index d59c9cb9..20d1810a 100644
--- a/data/pam-arch/gdm-launch-environment.pam
+++ b/data/pam-arch/gdm-launch-environment.pam
@@ -1,13 +1,17 @@
-auth required pam_env.so
-auth required pam_succeed_if.so audit quiet_success user = gdm
-auth optional pam_permit.so
+#%PAM-1.0
-account required pam_succeed_if.so audit quiet_success user = gdm
-account optional pam_permit.so
+auth required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup
+auth optional pam_permit.so
+auth required pam_env.so
-password required pam_deny.so
+account required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup
+account optional pam_permit.so
-session optional pam_keyinit.so force revoke
-session required pam_succeed_if.so audit quiet_success user = gdm
-session required pam_systemd.so
-session optional pam_permit.so
+password required pam_deny.so
+
+session optional pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session required pam_succeed_if.so audit quiet_success user in gdm:gnome-initial-setup
+session optional pam_permit.so
+-session optional pam_systemd.so
+session required pam_env.so user_readenv=1
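Review bot: The added `session required pam_env.so user_readenv=1` reads a per-user `~/.pam_environment` for the greeter accounts (gdm and gnome-initial-setup), which means the environment of the privileged launch session can be shaped by a file under those accounts' home directories; upstream Linux-PAM has deprecated `user_readenv` for this reason. Since the stack is gated to service accounts by the `pam_succeed_if.so ... user in gdm:gnome-initial-setup` lines, it is unclear why per-user environment files are wanted here; if they are not, `session required pam_env.so` without the option is the safer form, otherwise a comment explaining the need would help. Separately, the session-phase `pam_succeed_if` gate now runs after `pam_loginuid.so` and `pam_keyinit.so`, so those two execute for any user before the user check; moving the gate to the top of the session stack, as it is in the auth and account stacks, would keep the three phases consistent.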
diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam
index 8d34794e..137242a6 100644
--- a/data/pam-arch/gdm-password.pam
+++ b/data/pam-arch/gdm-password.pam
@@ -1,11 +1,12 @@
-auth include system-local-login
-auth optional pam_gnome_keyring.so
+#%PAM-1.0
-account include system-local-login
+auth include system-local-login
+auth optional pam_gnome_keyring.so
-password include system-local-login
-password optional pam_gnome_keyring.so use_authtok
+account include system-local-login
-session optional pam_keyinit.so force revoke
-session include system-local-login
-session optional pam_gnome_keyring.so auto_start
+password include system-local-login
+password optional pam_gnome_keyring.so use_authtok
+
+session include system-local-login
+session optional pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam
deleted file mode 100644
index 135e205e..00000000
--- a/data/pam-arch/gdm-pin.pam
+++ /dev/null
@@ -1,13 +0,0 @@
-auth requisite pam_pin.so
-auth include system-local-login
-auth optional pam_gnome_keyring.so
-
-account include system-local-login
-
-password include system-local-login
-password optional pam_pin.so
-password optional pam_gnome_keyring.so use_authtok
-
-session optional pam_keyinit.so force revoke
-session include system-local-login
-session optional pam_gnome_keyring.so auto_start
diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
index ec6f75d5..e6ec1299 100644
--- a/data/pam-arch/gdm-smartcard.pam
+++ b/data/pam-arch/gdm-smartcard.pam
@@ -1,14 +1,23 @@
-auth required pam_tally.so onerr=succeed file=/var/log/faillog
-auth required pam_shells.so
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth required pam_pkcs11.so wait_for_card card_only
-auth optional pam_permit.so
+#%PAM-1.0
-account include system-local-login
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth required pam_faillock.so preauth
+# Optionally use requisite above if you do not want to prompt for the smartcard
+# on locked accounts.
+auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only
+auth [default=die] pam_faillock.so authfail
+auth optional pam_permit.so
+auth required pam_env.so
+auth required pam_faillock.so authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
-password required pam_pkcs11.so
-password optional pam_permit.so
+account include system-local-login
-session optional pam_keyinit.so force revoke
-session include system-local-login
+password required pam_deny.so
+
+session include system-local-login
+session optional pam_gnome_keyring.so auto_start
|