aboutsummaryrefslogtreecommitdiff
Commit message (Expand)AuthorAgeFilesLines
* system-local-login: move pam_gnome_keyring after system-login if systemd•••We previously moved pam_gnome_keyring before system-login to fix an issue when using OpenRC (bug #964268). However, having pam_gnome_keyring before system-login, and thereby before pam_systemd, breaks automatic keyring unlock via pam_gnome_keyring on systemd systems (bug #964306). This adjusts the ninja template so that pam_gnome_keyring is only before system-login if --openrc is provided. Otherwise, pam_gnome_keyring is placed after system-login, just as it was before a507d2e4bf70 ("system-local-login: move pam_gnome_keyring before system-login"). Thanks to Christopher Head for reporting this. Closes: https://bugs.gentoo.org/964306 Signed-off-by: Florian Schmaus <flow@gentoo.org> Part-of: https://github.com/gentoo/pambase/pull/28 Closes: https://github.com/gentoo/pambase/pull/28 Signed-off-by: Sam James <sam@gentoo.org> HEADpambase-20251104masterFlorian Schmaus2025-11-041-1/+4
* system-local-login: move pam_gnome_keyring before system-login•••Otherwise, pam_openrc seems to break pam_gnome_keyring's session handling. Before, we get something like: ``` - Last output repeated 2 times - Oct 13 15:54:19 [elogind-daemon] New session 2 of user larry. Oct 13 15:54:19 [pam_openrc] starting session Oct 13 15:54:19 [pam_openrc] 1 sessions Oct 13 15:54:19 [supervise-daemon] Supervisor command line: supervise-daemon user.larry --start --respawn-max 3 --respawn-period 5 --notify fd:3 /usr/libexec/rc/bin/openrc-user -- larry Oct 13 15:54:19 [supervise-daemon] Child command line: /usr/libexec/rc/bin/openrc-user larry Oct 13 15:54:19 [elogind-daemon] Existing logind session ID 2 used by new audit session, ignoring. Oct 13 15:54:19 [gnome-keyring-daemon] module_instances: assertion 'funcs != NULL && "instances"' failed - Last output repeated twice - Oct 13 15:54:19 [gnome-keyring-daemon] lookup_login_keyring: assertion 'GCK_IS_SESSION (session)' failed Oct 13 15:54:19 [gnome-keyring-daemon] create_credential: assertion 'GCK_IS_SESSION (session)' failed Oct 13 15:54:19 [gnome-keyring-daemon] egg_error_message: assertion 'error' failed Oct 13 15:54:19 [gnome-keyring-daemon] couldn't create login credential: (unknown) Oct 13 15:54:19 [pam_openrc] gkr-pam: the password for the login keyring was invalid. Oct 13 15:54:19 [pam_openrc] gkr-pam: couldn't unlock the login keyring. ``` After, we get: ``` Oct 13 16:17:06 [gnome-session-binary] CODE_FILE=../gnome-session-48.0/gnome-session/gsm-manager.c:CODE_LINE=1408:start_phase:Entering running state Oct 13 16:17:07 [gnome-keyring-daemon] couldn't access control socket: /run/user/32/keyring/control: No such file or directory Oct 13 16:17:07 [gnome-keyring-daemon] discover_other_daemon: 0 [...] - Last output repeated 2 times - Oct 13 16:17:11 [elogind-daemon] New session 2 of user larry. Oct 13 16:17:11 [pam_openrc] starting session Oct 13 16:17:11 [pam_openrc] 1 sessions Oct 13 16:17:11 [supervise-daemon] Supervisor command line: supervise-daemon user.larry --start --respawn-max 3 --respawn-period 5 --notify fd:3 /usr/libexec/rc/bin/openrc-user -- larry Oct 13 16:17:11 [supervise-daemon] Child command line: /usr/libexec/rc/bin/openrc-user larry Oct 13 16:17:11 [elogind-daemon] Existing logind session ID 2 used by new audit session, ignoring. Oct 13 16:17:11 [pam_openrc] gkr-pam: couldn't unlock the login keyring. ``` I'm not completely happy with this still, but I'm happy enough to go with it. There's definitely a missing session in the 1st case. I'm wondering if pam_openrc is doing something wrong but I haven't spotted *what* yet. Thanks to zyxhere for interactively debugging with me on IRC. Closes: https://bugs.gentoo.org/964268 Closes: https://github.com/gentoo/pambase/pull/27 Signed-off-by: Sam James <sam@gentoo.org> pambase-20251013Sam James2025-10-131-1/+1
* system-session: fix whitespace•••Signed-off-by: Sam James <sam@gentoo.org> Sam James2025-10-131-1/+1
* gnome-keyring: only set use_authtok for 'password'•••Noticed this when thinking about the linked bug. https://wiki.gnome.org/Projects(2f)GnomeKeyring(2f)Pam.html says: > use_authtok > valid for groups: password Bug: https://bugs.gentoo.org/964268 Signed-off-by: Sam James <sam@gentoo.org> Sam James2025-10-131-2/+2
* Run pam_mktemp then pam_env•••This allows pam_env to include a newly-created temporary directory. Bug: https://bugs.gentoo.org/780441 Signed-off-by: Sam James <sam@gentoo.org> pambase-20250906Sam James2025-09-051-1/+1
* Keep pam_gnome_keyring in passwd too•••We want to update pam_gnome_keyring's record of the user's password so it can be decrypted. Fixes: 74cbdaf50983f1eb06f82bdb5fbe7f762b859dd3 Bug: https://github.com/gentoo/pambase/issues/8 Signed-off-by: Sam James <sam@gentoo.org> Sam James2025-09-051-0/+4
* Add pam_gnome_keybase to auth, session stacks too•••Quoting the bug: > pam_gnome_keyring.so is, according to its own documentation [0], an authentication module, > a session module, and a password management module. The expected way to use this module, > AFAICT, is to place it in all three stacks, with the auto_start command line parameter > present in the session line. In this configuration, the auth stack will hold onto the > user’s passphrase, the session stack will launch a gnome-keyring-daemon process and hand > over the passphrase to unlock the login keyring, and the password stack will change the > encryption password for the login keyring when the user changes their system password. [0] https://wiki.gnome.org/Projects/GnomeKeyring/Pam/Manual Closes: https://github.com/gentoo/pambase/issues/8 Signed-off-by: Sam James <sam@gentoo.org> Sam James2025-09-052-4/+9
* Rework pam_krb5 auth•••If pam_krb5 succeeds, set the action to ok and use a dummy pam_permit to skip over the other auth modules. This should fix breakage triggered by removing pam_shells by default. Bug: https://bugs.gentoo.org/939892 Bug: https://bugs.gentoo.org/956600 Signed-off-by: Mike Gilbert <floppym@gentoo.org> pambase-20250826Mike Gilbert2025-05-251-1/+2
* Replace --sha512 and --yescrypt with --encrypt option•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-056-24/+9
* tox: enable py313•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-051-1/+1
* Drop blank variables logic•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-051-8/+1
* Inline 'unix_authtok' variable•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-053-6/+2
* Drop unused variable 'likeauth'•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-051-2/+0
* Inline krb5_params•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-053-7/+4
* Fix debug option for krb5•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-041-1/+1
* Drop unused krb5_authtok variable•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-041-1/+0
* Eliminate local_users_only variable•••Replace with inline conditional in the template. Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-042-5/+1
* Simplify debug and nullok options•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-044-25/+24
* Run black on pambase.py•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Mike Gilbert2025-04-041-28/+74
* templates/*: replace groups of spaces by tabulations•••Signed-off-by: Thibaud CANALE <thican@thican.net> Closes: https://github.com/gentoo/pambase/pull/23 Signed-off-by: Sam James <sam@gentoo.org> Thibaud CANALE2025-03-1314-29/+29
* system-login: display lastlog previous login too•••Keep displaying the fail attempts while also inform about previous logging. Closes: https://bugs.gentoo.org/950228 Signed-off-by: Thibaud CANALE <thican@thican.net> Closes: https://github.com/gentoo/pambase/pull/22 Signed-off-by: Sam James <sam@gentoo.org> Thibaud CANALE2025-03-133-3/+3
* system-login: put lastlog failed login after MotD•••Provide the lastlog information after MotD, the latter can be too big and then eclipse the former, which usually is limited to one or two lines. Closes: https://bugs.gentoo.org/950228 Signed-off-by: Thibaud CANALE <thican@thican.net> Signed-off-by: Sam James <sam@gentoo.org> Thibaud CANALE2025-03-133-8/+3
* system-login.tpl: add pam_openrc.so•••Signed-off-by: Anna (navi) Figueiredo Gomes <navi@vlhl.dev> Closes: https://github.com/gentoo/pambase/pull/24 Signed-off-by: Sam James <sam@gentoo.org> pambase-20250228Anna (navi) Figueiredo Gomes2025-02-282-0/+5
* tox: allowlist_externals = diff•••Signed-off-by: Mike Gilbert <floppym@gentoo.org> Closes: https://github.com/gentoo/pambase/pull/20 Signed-off-by: Sam James <sam@gentoo.org> pambase-20250223Mike Gilbert2025-02-231-1/+1
* Make pam_shells optional•••Bug: https://bugs.gentoo.org/939892 Signed-off-by: Mike Gilbert <floppym@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> Mike Gilbert2025-02-235-3/+4
* login.tpl: remove duplicated lastlog module call•••It displays two entries when authenticating through TTY, the last having the current time so pointless. Also it is not discarded in minimal configuration. First introduced in commit ae72ea9e54b7f5035fb6b3120c0e75e79860e819, tag pambase-20140313. Then imported for rework in commit 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c. Bug: https://bugs.gentoo.org/950186 Signed-off-by: Thibaud CANALE <thican@thican.net> Closes: https://github.com/gentoo/pambase/pull/21 Signed-off-by: Sam James <sam@gentoo.org> Thibaud CANALE2025-02-234-4/+0
* system-auth.tpl: fix sssd's pam_deny•••Closes: https://bugs.gentoo.org/922918 Signed-off-by: Sam James <sam@gentoo.org> pambase-20240128Sam James2024-01-281-1/+1
* Add sssd support•••Bug: https://bugs.gentoo.org/726050 Closes: https://github.com/gentoo/pambase/issues/1 Signed-off-by: Christopher Byrne <salah.coronya@gmail.com> Closes: https://github.com/gentoo/pambase/pull/17 Signed-off-by: Sam James <sam@gentoo.org> pambase-20240119Christopher Byrne2024-01-193-7/+42
* Honor pam_unix.so return value•••Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value of pam_authenticate() for the case when the user enters an incorrect password. Prior to that change pam_authenticate() would return PAM_AUTH_ERR for an incorrect password, while after it would return PAM_PERM_DENIED. The root cause is that after that change, nothing in the stack before the final pam_faillock.so auth entry is setting `impression` in _pam_dispatch_aux(). If the user has not reached the maximum number of tries, pam_faillock.so returns PAM_IGNORE [1] and thus _pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is defined to be PAM_PERM_DENIED [3]. This ends up being the return value for pam_authenticate(). This commit addresses the problem by changing the `default` control action for the pam_unix.so auth entry from `ignore` to `bad` (the same as when its control value was `required`). Thus when processing the pam_unix.so entry, _pam_dispatch_aux() will set `impression` to _PAM_NEGATIVE and `status` to the return value of pam_unix.so, PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final pam_faillock.so auth entry. Because `impression` is now _PAM_NEGATIVE, _pam_dispatch_aux() will not change the value of `status` and the return value of pam_authenticate() is PAM_AUTH_ERR as desired. Also ensure that `new_authtok_reqd` is handled correctly when returned from from pam_unix.so. [1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712 [2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244 [3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17 [4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246 Signed-off-by: Daniel Harding <dharding@living180.net> Closes: https://github.com/gentoo/pambase/pull/10 Signed-off-by: Sam James <sam@gentoo.org> Daniel Harding2023-12-174-4/+4
* Add README.md•••Closes: https://github.com/gentoo/pambase/pull/18 Signed-off-by: Sam James <sam@gentoo.org> Aliaksei Urbanski2023-11-131-0/+18
* Add a GitHub Actions workflow for tests•••These changes enable tests on the GitHub side. The implementation relies on Official Gentoo Docker images, since I believe it's a better way to test Gentoo-specific packages. Useful links: * https://www.gentoo.org/news/2020/07/04/official-docker.html * https://github.com/gentoo/gentoo-docker-images * https://github.com/docker/build-push-action * https://docs.docker.com/build/ci/github-actions/cache/ Signed-off-by: Sam James <sam@gentoo.org> Aliaksei Urbanski2023-11-133-0/+46
* Add basic rendering tests with tox•••Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com> Signed-off-by: Sam James <sam@gentoo.org> Aliaksei Urbanski2023-11-1329-0/+195
* system-login.tpl: Fix whitespace•••Closes: https://github.com/gentoo/pambase/pull/16 Signed-off-by: Sam James <sam@gentoo.org> Michael Jones2022-08-131-4/+4
* other.tpl: Fix whitespace•••Closes: https://github.com/gentoo/pambase/pull/14 Signed-off-by: Sam James <sam@gentoo.org> Michael Jones2022-08-131-2/+2
* login.tpl: Fix unnecessary space character•••Closes: https://github.com/gentoo/pambase/pull/13 Signed-off-by: Sam James <sam@gentoo.org> Michael Jones2022-08-131-1/+1
* homed: add before pam_unix•••- --homed inserts pam_systemd_home before pam_unix - --homed --krb5 does that and adjusts krb5's jump to 4 modules Signed-off-by: Alexandra Parker <alex.iris.parker@gmail.com> Closes: https://bugs.gentoo.org/808993 Closes: https://github.com/gentoo/pambase/pull/9 Signed-off-by: Sam James <sam@gentoo.org> pambase-20220214Alexandra Parker2022-02-141-5/+3
* Add yescrypt support•••Signed-off-by: Mikle Kolyada <zlogene@gentoo.org> pambase-20211218Mikle Kolyada2021-11-141-1/+4
* templates/system-auth.tpl: fix try_first_pass typo•••Closes: https://github.com/gentoo/pambase/issues/6 Signed-off-by: Sam James <sam@gentoo.org> pambase-20210201.1Sam James2021-02-021-1/+1
* systemd-auth: add systemd-homed support•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org> Closes: https://github.com/gentoo/pambase/pull/5 Signed-off-by: Sam James <sam@gentoo.org> pambase-20210201Mikle KOlyada2021-01-313-2/+21
* Revert "systemd-auth: add systemd-homed support"•••This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f. Auto-merged on a reverted commit. Signed-off-by: Sam James <sam@gentoo.org> Sam James2021-01-313-21/+2
* Revert "Add systemd-homed support"•••This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a. Unintentionally had this staged still. Signed-off-by: Sam James <sam@gentoo.org> Sam James2021-01-313-11/+0
* systemd-auth: add systemd-homed support•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org> Closes: https://github.com/gentoo/pambase/pull/5 Signed-off-by: Sam James <sam@gentoo.org> Mikle KOlyada2021-01-313-2/+21
* Add systemd-homed support•••Bug: https://bugs.gentoo.org/767784 Signed-off-by: Sam James <sam@gentoo.org> Sam James2021-01-293-0/+11
* system-login: add pam_time.so•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org> Mikle KOlyada2020-12-201-0/+1
* strip pam_permit.so from system-auth•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org> Mikle KOlyada2020-12-202-6/+0
* templates/system-auth.tpl: shift cap to be with other auth•••Signed-off-by: Sam James <sam@gentoo.org> pambase-20201103Sam James2020-11-031-4/+4
* pambase.py: rename --libcap -> --caps•••Signed-off-by: Sam James <sam@gentoo.org> pambase-20201102Sam James2020-11-022-2/+2
* templates/system-auth.tpl: fix pam_cap realm•••This fixes the pam_cap realm which can only be auth. This is a regression from old pre-rewrite pambase. It was however exposed by the fixing of an incorrect module name (pam_libcap -> pam_cap) not long ago. Bug: https://bugs.gentoo.org/751946 Signed-off-by: Sam James <sam@gentoo.org> Sam James2020-11-021-1/+1
* fix number of jumps when pam_krb5 used•••Signed-off-by: Mikle Kolyada <zlogene@gentoo.org> pambase-20201028.1Mikle Kolyada2020-10-282-2/+1
* Do not use use_authtok if no passwd module was stacked•••Signed-off-by: Mikle Kolyada <zlogene@gentoo.org> pambase-20201028Mikle Kolyada2020-10-281-0/+5