From 5b9895b1a077c5c431b08a88749a4958472cab3c Mon Sep 17 00:00:00 2001 From: Alexander Kahl Date: Fri, 13 Jan 2017 17:16:55 +0100 Subject: [PATCH 1/2] nixos/gdm: use provided PAM login configuration wherever possible Fixes #21859 --- .../desktops/gnome3/gnome-keyring.nix | 2 + .../services/x11/display-managers/gdm.nix | 73 +++---------------- 2 files changed, 13 insertions(+), 62 deletions(-) diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix index 5ea4350be5b4..4c350d8bb1c6 100644 --- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix +++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix @@ -35,6 +35,8 @@ with lib; services.dbus.packages = [ pkgs.gnome3.gnome-keyring pkgs.gcr ]; + security.pam.services.login.enableGnomeKeyring = true; + }; } diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix index 226fee7491c1..3edf7c8d9cab 100644 --- a/nixos/modules/services/x11/display-managers/gdm.nix +++ b/nixos/modules/services/x11/display-managers/gdm.nix @@ -208,76 +208,25 @@ in session optional pam_permit.so ''; - gdm.text = '' - auth requisite pam_nologin.so - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - - auth required pam_succeed_if.so uid >= 1000 quiet - auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so - auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - - ${optionalString (! config.security.pam.enableEcryptfs) - "auth required pam_deny.so"} - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start - ''; - gdm-password.text = '' - auth requisite pam_nologin.so - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - - auth required pam_succeed_if.so uid >= 1000 quiet - auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so - auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - ${optionalString (! config.security.pam.enableEcryptfs) - "auth required pam_deny.so"} - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start + auth substack login + account include login + password substack login + session include login ''; gdm-autologin.text = '' - auth requisite pam_nologin.so + auth requisite pam_nologin.so - auth required pam_succeed_if.so uid >= 1000 quiet - auth required pam_permit.so + auth required pam_succeed_if.so uid >= 1000 quiet + auth required pam_permit.so - account sufficient pam_unix.so + account sufficient pam_unix.so - password requisite pam_unix.so nullok sha512 + password requisite pam_unix.so nullok sha512 - session optional pam_keyinit.so revoke - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional pam_keyinit.so revoke + session include login ''; }; From 56bd0110e7f3ad5ea5a0870d1f47279e7b4e410e Mon Sep 17 00:00:00 2001 From: Alexander Kahl Date: Sun, 14 Apr 2019 12:46:47 +0200 Subject: [PATCH 2/2] nixos/pam: Add GNOME keyring use_authtok directive to password group --- nixos/modules/security/pam.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 46ce274a2a9a..89e71c5136e4 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -410,6 +410,8 @@ let "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} ${optionalString config.services.samba.syncPasswordsByPam "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"} + ${optionalString cfg.enableGnomeKeyring + "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} # Session management. ${optionalString cfg.setEnvironment ''