[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#51785] pam-gnupg
|
From: |
Nicolas Graves |
|
Subject: |
[bug#51785] pam-gnupg |
|
Date: |
Sat, 13 Nov 2021 21:11:58 +0100 |
|
User-agent: |
mu4e 1.6.9; emacs 28.0.50 |
Thanks for your answers Josselin and Tobias,
(For the record, I just pinned all the commits from other channels in my
channels.scm and pulled guix with guix pull --allow-downgrades
--disable-authentication)
I finally managed to get the pam module to work but it eventually raised
more questions than expected.
Basically now the module starts well, but my shepherd service gpg-agent
doesn't (I guess because pam starts it, and that shepherd can't take
over). It's fine for the purpose I was installing pam-gnupg for (having
direct access to password-store passwords after login), but hinders the
rest of related activities (e.g. signing commits).
Above this question, I was wondering about the order of pam-modules
startup. A look at the manual pages and the examples for modules show a
clear hierarchy for at least a few modules (pam_unix > pam_loginuid >
pam_elogind > pam_gnupg for instance), which is not respected in guix's
implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix).
Although it seems to work, is it normal / purposeful / without
consequences ?
If no, as a solution, maybe implementing a hierarchy might help. For
instance, something like :
1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical
login managers modules)
3) Other modules (pam_gnupg, pam_motd...)
The last question I have is about the configuration of pam_gnupg. On the
official repo (https://github.com/cruegge/pam-gnupg), it seems that
there is a recommended configuration (e.g. setting the priority as
optional), which is once again not respected in the actual
configuration. I did add the few lines to address this (but is there a
reason why that is not the case ?)
I'm willing to help make these changes if useful and on the right track,
but I don't have much experience with guile.
Cheers,
Nicolas
>From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service
---
gnu/services/base.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..b95fd9a4ff 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 qblade <qblade@protonmail.com>
;;; Copyright © 2021 Hui Lu <luhuins@163.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -743,7 +744,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
@@ -753,7 +756,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
--
2.33.1
>From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 20:09:02 +0100
Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration.
---
gnu/system/pam.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..d6d02e59f5 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -235,8 +235,9 @@ (module "pam_unix.so")
unix))
(if gnupg?
(list (pam-entry
- (control "required")
- (module (file-append pam-gnupg
"/lib/security/pam_gnupg.so"))))
+ (control "optional")
+ (module (file-append pam-gnupg
"/lib/security/pam_gnupg.so"))
+ (arguments '("store-only"))))
'())))
(password (list (pam-entry
(control "required")
@@ -255,12 +256,13 @@ (module "pam_motd.so")
(control "required")
(module "pam_loginuid.so")))
'())
+ ,env ,unix
,@(if gnupg?
(list (pam-entry
- (control "required")
+ (control "optional")
(module (file-append pam-gnupg
"/lib/security/pam_gnupg.so"))))
'())
- ,env ,unix))))))
+ ))))))
(define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to
--
2.33.1
>From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 21:48:16 +0100
Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance.
---
gnu/system/pam.scm | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index d6d02e59f5..0f0b09e347 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg
"/lib/security/pam_gnupg.so"))
(module "pam_unix.so")
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
- (session `(,@(if motd
+ (session `(,env ,unix
+ ,@(if login-uid?
+ (list (pam-entry ;to fill in /proc/self/loginuid
+ (control "required")
+ (module "pam_loginuid.so")))
+ '())
+ ,@(if motd
(list (pam-entry
(control "optional")
(module "pam_motd.so")
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
- ,@(if login-uid?
- (list (pam-entry ;to fill in /proc/self/loginuid
- (control "required")
- (module "pam_loginuid.so")))
- '())
- ,env ,unix
,@(if gnupg?
(list (pam-entry
(control "optional")
--
2.33.1