| Commit message (Expand) | Author | Age | Files | Lines |
| * | system-local-login: move pam_gnome_keyring after system-login if systemd•••We previously moved pam_gnome_keyring before system-login to fix an
issue when using OpenRC (bug #964268). However, having
pam_gnome_keyring before system-login, and thereby before pam_systemd,
breaks automatic keyring unlock via pam_gnome_keyring on systemd
systems (bug #964306).
This adjusts the ninja template so that pam_gnome_keyring is only
before system-login if --openrc is provided. Otherwise,
pam_gnome_keyring is placed after system-login, just as it was before
a507d2e4bf70 ("system-local-login: move pam_gnome_keyring before
system-login").
Thanks to Christopher Head for reporting this.
Closes: https://bugs.gentoo.org/964306
Signed-off-by: Florian Schmaus <flow@gentoo.org>
Part-of: https://github.com/gentoo/pambase/pull/28
Closes: https://github.com/gentoo/pambase/pull/28
Signed-off-by: Sam James <sam@gentoo.org>
HEADpambase-20251104master |  Florian Schmaus | 2025-11-04 | 1 | -1/+4 |
| * | system-local-login: move pam_gnome_keyring before system-login•••Otherwise, pam_openrc seems to break pam_gnome_keyring's session handling.
Before, we get something like:
```
- Last output repeated 2 times -
Oct 13 15:54:19 [elogind-daemon] New session 2 of user larry.
Oct 13 15:54:19 [pam_openrc] starting session
Oct 13 15:54:19 [pam_openrc] 1 sessions
Oct 13 15:54:19 [supervise-daemon] Supervisor command line: supervise-daemon user.larry --start --respawn-max 3 --respawn-period 5 --notify fd:3 /usr/libexec/rc/bin/openrc-user -- larry
Oct 13 15:54:19 [supervise-daemon] Child command line: /usr/libexec/rc/bin/openrc-user larry
Oct 13 15:54:19 [elogind-daemon] Existing logind session ID 2 used by new audit session, ignoring.
Oct 13 15:54:19 [gnome-keyring-daemon] module_instances: assertion 'funcs != NULL && "instances"' failed
- Last output repeated twice -
Oct 13 15:54:19 [gnome-keyring-daemon] lookup_login_keyring: assertion 'GCK_IS_SESSION (session)' failed
Oct 13 15:54:19 [gnome-keyring-daemon] create_credential: assertion 'GCK_IS_SESSION (session)' failed
Oct 13 15:54:19 [gnome-keyring-daemon] egg_error_message: assertion 'error' failed
Oct 13 15:54:19 [gnome-keyring-daemon] couldn't create login credential: (unknown)
Oct 13 15:54:19 [pam_openrc] gkr-pam: the password for the login keyring was invalid.
Oct 13 15:54:19 [pam_openrc] gkr-pam: couldn't unlock the login keyring.
```
After, we get:
```
Oct 13 16:17:06 [gnome-session-binary] CODE_FILE=../gnome-session-48.0/gnome-session/gsm-manager.c:CODE_LINE=1408:start_phase:Entering running state
Oct 13 16:17:07 [gnome-keyring-daemon] couldn't access control socket: /run/user/32/keyring/control: No such file or directory
Oct 13 16:17:07 [gnome-keyring-daemon] discover_other_daemon: 0
[...]
- Last output repeated 2 times -
Oct 13 16:17:11 [elogind-daemon] New session 2 of user larry.
Oct 13 16:17:11 [pam_openrc] starting session
Oct 13 16:17:11 [pam_openrc] 1 sessions
Oct 13 16:17:11 [supervise-daemon] Supervisor command line: supervise-daemon user.larry --start --respawn-max 3 --respawn-period 5 --notify fd:3 /usr/libexec/rc/bin/openrc-user -- larry
Oct 13 16:17:11 [supervise-daemon] Child command line: /usr/libexec/rc/bin/openrc-user larry
Oct 13 16:17:11 [elogind-daemon] Existing logind session ID 2 used by new audit session, ignoring.
Oct 13 16:17:11 [pam_openrc] gkr-pam: couldn't unlock the login keyring.
```
I'm not completely happy with this still, but I'm happy enough to go with
it. There's definitely a missing session in the 1st case. I'm wondering
if pam_openrc is doing something wrong but I haven't spotted *what*
yet.
Thanks to zyxhere for interactively debugging with me on IRC.
Closes: https://bugs.gentoo.org/964268
Closes: https://github.com/gentoo/pambase/pull/27
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20251013 |  Sam James | 2025-10-13 | 1 | -1/+1 |
| * | system-session: fix whitespace•••Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2025-10-13 | 1 | -1/+1 |
| * | gnome-keyring: only set use_authtok for 'password'•••Noticed this when thinking about the linked bug. https://wiki.gnome.org/Projects(2f)GnomeKeyring(2f)Pam.html
says:
> use_authtok
> valid for groups: password
Bug: https://bugs.gentoo.org/964268
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2025-10-13 | 1 | -2/+2 |
| * | Run pam_mktemp then pam_env•••This allows pam_env to include a newly-created temporary directory.
Bug: https://bugs.gentoo.org/780441
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20250906 |  Sam James | 2025-09-05 | 1 | -1/+1 |
| * | Keep pam_gnome_keyring in passwd too•••We want to update pam_gnome_keyring's record of the user's password
so it can be decrypted.
Fixes: 74cbdaf50983f1eb06f82bdb5fbe7f762b859dd3
Bug: https://github.com/gentoo/pambase/issues/8
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2025-09-05 | 1 | -0/+4 |
| * | Add pam_gnome_keybase to auth, session stacks too•••Quoting the bug:
> pam_gnome_keyring.so is, according to its own documentation [0], an authentication module,
> a session module, and a password management module. The expected way to use this module,
> AFAICT, is to place it in all three stacks, with the auto_start command line parameter
> present in the session line. In this configuration, the auth stack will hold onto the
> user’s passphrase, the session stack will launch a gnome-keyring-daemon process and hand
> over the passphrase to unlock the login keyring, and the password stack will change the
> encryption password for the login keyring when the user changes their system password.
[0] https://wiki.gnome.org/Projects/GnomeKeyring/Pam/Manual
Closes: https://github.com/gentoo/pambase/issues/8
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2025-09-05 | 2 | -4/+9 |
| * | Rework pam_krb5 auth•••If pam_krb5 succeeds, set the action to ok and use a dummy pam_permit
to skip over the other auth modules.
This should fix breakage triggered by removing pam_shells by default.
Bug: https://bugs.gentoo.org/939892
Bug: https://bugs.gentoo.org/956600
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
pambase-20250826 |  Mike Gilbert | 2025-05-25 | 1 | -1/+2 |
| * | Replace --sha512 and --yescrypt with --encrypt option•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-05 | 6 | -24/+9 |
| * | tox: enable py313•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-05 | 1 | -1/+1 |
| * | Drop blank variables logic•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-05 | 1 | -8/+1 |
| * | Inline 'unix_authtok' variable•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-05 | 3 | -6/+2 |
| * | Drop unused variable 'likeauth'•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-05 | 1 | -2/+0 |
| * | Inline krb5_params•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-05 | 3 | -7/+4 |
| * | Fix debug option for krb5•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-04 | 1 | -1/+1 |
| * | Drop unused krb5_authtok variable•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-04 | 1 | -1/+0 |
| * | Eliminate local_users_only variable•••Replace with inline conditional in the template.
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-04 | 2 | -5/+1 |
| * | Simplify debug and nullok options•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-04 | 4 | -25/+24 |
| * | Run black on pambase.py•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
|  Mike Gilbert | 2025-04-04 | 1 | -28/+74 |
| * | templates/*: replace groups of spaces by tabulations•••Signed-off-by: Thibaud CANALE <thican@thican.net>
Closes: https://github.com/gentoo/pambase/pull/23
Signed-off-by: Sam James <sam@gentoo.org>
|  Thibaud CANALE | 2025-03-13 | 14 | -29/+29 |
| * | system-login: display lastlog previous login too•••Keep displaying the fail attempts while also inform about previous
logging.
Closes: https://bugs.gentoo.org/950228
Signed-off-by: Thibaud CANALE <thican@thican.net>
Closes: https://github.com/gentoo/pambase/pull/22
Signed-off-by: Sam James <sam@gentoo.org>
|  Thibaud CANALE | 2025-03-13 | 3 | -3/+3 |
| * | system-login: put lastlog failed login after MotD•••Provide the lastlog information after MotD, the latter can be too big
and then eclipse the former, which usually is limited to one or two
lines.
Closes: https://bugs.gentoo.org/950228
Signed-off-by: Thibaud CANALE <thican@thican.net>
Signed-off-by: Sam James <sam@gentoo.org>
|  Thibaud CANALE | 2025-03-13 | 3 | -8/+3 |
| * | system-login.tpl: add pam_openrc.so•••Signed-off-by: Anna (navi) Figueiredo Gomes <navi@vlhl.dev>
Closes: https://github.com/gentoo/pambase/pull/24
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20250228 |  Anna (navi) Figueiredo Gomes | 2025-02-28 | 2 | -0/+5 |
| * | tox: allowlist_externals = diff•••Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/20
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20250223 |  Mike Gilbert | 2025-02-23 | 1 | -1/+1 |
| * | Make pam_shells optional•••Bug: https://bugs.gentoo.org/939892
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Signed-off-by: Sam James <sam@gentoo.org>
|  Mike Gilbert | 2025-02-23 | 5 | -3/+4 |
| * | login.tpl: remove duplicated lastlog module call•••It displays two entries when authenticating through TTY, the last having
the current time so pointless.
Also it is not discarded in minimal configuration.
First introduced in commit ae72ea9e54b7f5035fb6b3120c0e75e79860e819, tag pambase-20140313.
Then imported for rework in commit 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c.
Bug: https://bugs.gentoo.org/950186
Signed-off-by: Thibaud CANALE <thican@thican.net>
Closes: https://github.com/gentoo/pambase/pull/21
Signed-off-by: Sam James <sam@gentoo.org>
|  Thibaud CANALE | 2025-02-23 | 4 | -4/+0 |
| * | system-auth.tpl: fix sssd's pam_deny•••Closes: https://bugs.gentoo.org/922918
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20240128 |  Sam James | 2024-01-28 | 1 | -1/+1 |
| * | Add sssd support•••Bug: https://bugs.gentoo.org/726050
Closes: https://github.com/gentoo/pambase/issues/1
Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
Closes: https://github.com/gentoo/pambase/pull/17
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20240119 |  Christopher Byrne | 2024-01-19 | 3 | -7/+42 |
| * | Honor pam_unix.so return value•••Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value
of pam_authenticate() for the case when the user enters an incorrect
password. Prior to that change pam_authenticate() would return
PAM_AUTH_ERR for an incorrect password, while after it would return
PAM_PERM_DENIED.
The root cause is that after that change, nothing in the stack before
the final pam_faillock.so auth entry is setting `impression` in
_pam_dispatch_aux(). If the user has not reached the maximum number of
tries, pam_faillock.so returns PAM_IGNORE [1] and thus
_pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is
defined to be PAM_PERM_DENIED [3]. This ends up being the return value
for pam_authenticate().
This commit addresses the problem by changing the `default` control
action for the pam_unix.so auth entry from `ignore` to `bad` (the same
as when its control value was `required`). Thus when processing the
pam_unix.so entry, _pam_dispatch_aux() will set `impression` to
_PAM_NEGATIVE and `status` to the return value of pam_unix.so,
PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final
pam_faillock.so auth entry. Because `impression` is now _PAM_NEGATIVE,
_pam_dispatch_aux() will not change the value of `status` and the return
value of pam_authenticate() is PAM_AUTH_ERR as desired.
Also ensure that `new_authtok_reqd` is handled correctly when returned
from from pam_unix.so.
[1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712
[2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244
[3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17
[4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246
Signed-off-by: Daniel Harding <dharding@living180.net>
Closes: https://github.com/gentoo/pambase/pull/10
Signed-off-by: Sam James <sam@gentoo.org>
|  Daniel Harding | 2023-12-17 | 4 | -4/+4 |
| * | Add README.md•••Closes: https://github.com/gentoo/pambase/pull/18
Signed-off-by: Sam James <sam@gentoo.org>
|  Aliaksei Urbanski | 2023-11-13 | 1 | -0/+18 |
| * | Add a GitHub Actions workflow for tests•••These changes enable tests on the GitHub side.
The implementation relies on Official Gentoo Docker images,
since I believe it's a better way to test Gentoo-specific packages.
Useful links:
* https://www.gentoo.org/news/2020/07/04/official-docker.html
* https://github.com/gentoo/gentoo-docker-images
* https://github.com/docker/build-push-action
* https://docs.docker.com/build/ci/github-actions/cache/
Signed-off-by: Sam James <sam@gentoo.org>
|  Aliaksei Urbanski | 2023-11-13 | 3 | -0/+46 |
| * | Add basic rendering tests with tox•••Signed-off-by: Aliaksei Urbanski <aliaksei.urbanski@gmail.com>
Signed-off-by: Sam James <sam@gentoo.org>
|  Aliaksei Urbanski | 2023-11-13 | 29 | -0/+195 |
| * | system-login.tpl: Fix whitespace•••Closes: https://github.com/gentoo/pambase/pull/16
Signed-off-by: Sam James <sam@gentoo.org>
|  Michael Jones | 2022-08-13 | 1 | -4/+4 |
| * | other.tpl: Fix whitespace•••Closes: https://github.com/gentoo/pambase/pull/14
Signed-off-by: Sam James <sam@gentoo.org>
|  Michael Jones | 2022-08-13 | 1 | -2/+2 |
| * | login.tpl: Fix unnecessary space character•••Closes: https://github.com/gentoo/pambase/pull/13
Signed-off-by: Sam James <sam@gentoo.org>
|  Michael Jones | 2022-08-13 | 1 | -1/+1 |
| * | homed: add before pam_unix•••- --homed inserts pam_systemd_home before pam_unix
- --homed --krb5 does that and adjusts krb5's jump to 4 modules
Signed-off-by: Alexandra Parker <alex.iris.parker@gmail.com>
Closes: https://bugs.gentoo.org/808993
Closes: https://github.com/gentoo/pambase/pull/9
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20220214 |  Alexandra Parker | 2022-02-14 | 1 | -5/+3 |
| * | Add yescrypt support•••Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
pambase-20211218 |  Mikle Kolyada | 2021-11-14 | 1 | -1/+4 |
| * | templates/system-auth.tpl: fix try_first_pass typo•••Closes: https://github.com/gentoo/pambase/issues/6
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20210201.1 |  Sam James | 2021-02-02 | 1 | -1/+1 |
| * | systemd-auth: add systemd-homed support•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James <sam@gentoo.org>
pambase-20210201 |  Mikle KOlyada | 2021-01-31 | 3 | -2/+21 |
| * | Revert "systemd-auth: add systemd-homed support"•••This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f.
Auto-merged on a reverted commit.
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2021-01-31 | 3 | -21/+2 |
| * | Revert "Add systemd-homed support"•••This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a.
Unintentionally had this staged still.
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2021-01-31 | 3 | -11/+0 |
| * | systemd-auth: add systemd-homed support•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James <sam@gentoo.org>
|  Mikle KOlyada | 2021-01-31 | 3 | -2/+21 |
| * | Add systemd-homed support•••Bug: https://bugs.gentoo.org/767784
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2021-01-29 | 3 | -0/+11 |
| * | system-login: add pam_time.so•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
|  Mikle KOlyada | 2020-12-20 | 1 | -0/+1 |
| * | strip pam_permit.so from system-auth•••Signed-off-by: Mikle KOlyada <zlogene@gentoo.org>
|  Mikle KOlyada | 2020-12-20 | 2 | -6/+0 |
| * | templates/system-auth.tpl: shift cap to be with other auth•••Signed-off-by: Sam James <sam@gentoo.org>
pambase-20201103 |  Sam James | 2020-11-03 | 1 | -4/+4 |
| * | pambase.py: rename --libcap -> --caps•••Signed-off-by: Sam James <sam@gentoo.org>
pambase-20201102 |  Sam James | 2020-11-02 | 2 | -2/+2 |
| * | templates/system-auth.tpl: fix pam_cap realm•••This fixes the pam_cap realm which can only
be auth. This is a regression from old pre-rewrite
pambase.
It was however exposed by the fixing of an incorrect
module name (pam_libcap -> pam_cap) not long ago.
Bug: https://bugs.gentoo.org/751946
Signed-off-by: Sam James <sam@gentoo.org>
|  Sam James | 2020-11-02 | 1 | -1/+1 |
| * | fix number of jumps when pam_krb5 used•••Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
pambase-20201028.1 |  Mikle Kolyada | 2020-10-28 | 2 | -2/+1 |
| * | Do not use use_authtok if no passwd module was stacked•••Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
pambase-20201028 |  Mikle Kolyada | 2020-10-28 | 1 | -0/+5 |