FS#17188 : [pam] Introduce a common-auth pam file for use in login managers

FS#17188 - [pam] Introduce a common-auth pam file for use in login managers

Attached to Project: Arch Linux
Opened by Xavier (shining) - Wednesday, 18 November 2009, 13:49 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 23 June 2012, 00:57 GMT

Task Type	Feature Request
Category	Security
Status	Closed
Assigned To	Tobias Powalowski (tpowa) Jan de Groot (JGC) Aaron Griffin (phrakture) Thomas Bächler (brain0) Ronald van Haren (pressh) Roman Kyrylych (Romashka) Andrea Scarpino (BaSh) Ionut Biru (wonder) Jan Alexander Steffens (heftig) Dave Reisner (falconindy)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	15 Andrea Scarpino (BaSh) (2012-06-13) zless (roentgen) (2012-04-19) Shanto (Shanto) (2011-11-13) Yang (hongy19) (2011-10-06) Mitchell Richters (mjr4077au) (2011-09-09) Matthias Dienstbier (fs4000) (2011-08-03) Jekyll Wu (adaptee) (2011-05-25) Netanel Shine (netanel) (2011-03-28) Tom Gundersen (tomegun) (2011-01-26) Sébastien Luttringer (seblu) (2011-01-08) Benoit Izac (benizac) (2011-01-04) Jonathan Rascher (bcat) (2011-01-02) Daniel Micay (thestinger) (2010-11-17) Kevin (anonymous_user) (2010-11-04) Smith Dhumbumroong (zodmaner) (2010-11-04)
Private	No

Details

The idea would be to have a general /etc/pam.d/common-auth file than all login managers could re-use.
(like other distrib do ? links to other common-auth files would be useful).

To quote JGC [1] :
"With common-auth, we could just @include common-auth
from the pam file, which is much easier."

First step : create the /etc/pam.d/common-auth file

Second step : make use of it at least for the /etc/pam.d/login file, and then for the main login managers, for example the main ones from inittab : kdm gdm xdm slim

Affected packages and /etc/pam.d/ files :
core/shadow : login
extra/gdm : gdm and gdm-autologin
extra/kdebase-workspace : kde and kde-np
extra/xorg-xdm : xdm
extra/slim : slim

[1] http://mailman.archlinux.org/pipermail/arch-general/2009-November/008973.html

This task depends upon

Closed by Dave Reisner (falconindy)
Saturday, 23 June 2012, 00:57 GMT
Reason for closing: Implemented
Additional comments about closing: Added as core/pambase

Comment by Xavier (shining) - Wednesday, 18 November 2009, 13:51 GMT

Oh I forgot to say. The purpose of this is that it would make it very easy to make a change to the pam login settings.
It would be sufficient to edit the common-auth files, rather than multiple files.
See ~~FS#17157~~ for an example of such change.

Comment by Kaiting Chen (Phoenixfire159) - Monday, 23 November 2009, 00:39 GMT

I'm actually a fan of the way Arch does things now. If a user would like something like common-auth they can create it themselves. I believe all the files in etc/pam.d/ are in the backup array of their respective packages so any changes made to them would be preserved on upgrade.

Comment by Aaron Griffin (phrakture) - Wednesday, 02 December 2009, 21:52 GMT

The problem with the current way is if you (or we) want to change one thing, we have to change it in 3 or 4 locations and packages. I like the idea of a common-auth file.

Comment by trusktr (trusktr) - Wednesday, 16 June 2010, 07:57 GMT

Yes, i agree. We need this feature! I have had to modify my PAM gdm file to enable passwordless login. It'd be nice to have common-auth to avoid editing files incorrectly.

It'd be nice to have this so Gnome will behave like it was intended. Currently, on a fresh install of Gnome, you can change your settings per user to have "password: not asked at login" but it will not work.

I had to modify my /etc/pam.d/gdm file to make it work. It'd be nice to have this included by default and ready for whatever DE the user installs.

Perhaps each DE package (gnome, kde, etc) can be set up so it creates its own common-auth file when installed during pacman, or something similar.

Comment by Paolo (peoro) - Saturday, 04 February 2012, 18:58 GMT

I modified a few PAM configuration files in order to use a common file for any service, similar to how things work in most other distributions (took inspiration from ubuntu and debian PAM conf files.

The common files attached to the tarball are configured to use ldap, and only a few configuration files (the ones I needed) have been edited in order to rely on the common files.

I'm not a PAM expert, and cannot guarantee that this configuration is working fine, although it seems to be on my machines.

pam.d.tar.bz2 (1.3 KiB)

Comment by Dave Reisner (falconindy) - Sunday, 03 June 2012, 00:38 GMT

Rise my minions! Serve your master once more!

http://mailman.archlinux.org/pipermail/arch-dev-public/2012-June/023017.html

Comment by trusktr (trusktr) - Monday, 18 June 2012, 06:45 GMT

@falconindy Awesome.

	Tasks related to this task (2)
	~~FS#17157 - [kdebase-workspace] kdm allows logins even if shell is set to /s~~
	~~FS#19799 - [gdm] /etc/pam.d/gdm to allow passwordless functionality in Gnom~~

Duplicate tasks of this task (0)

Arch Linux

FS#17188 - [pam] Introduce a common-auth pam file for use in login managers

Details

Loading...