FS#17188 - [pam] Introduce a common-auth pam file for use in login managers

Attached to Project: Arch Linux
Opened by Xavier (shining) - Wednesday, 18 November 2009, 13:49 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 23 June 2012, 00:57 GMT
Task Type: Feature Request
Category: Security
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Jan de Groot (JGC), Aaron Griffin (phrakture), Thomas Bächler (brain0), Ronald van Haren (pressh), Roman Kyrylych (Romashka), Andrea Scarpino (BaSh), Ionut Biru (wonder), Jan Alexander Steffens (heftig), Dave Reisner (falconindy)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 15
Private: No

Details

The idea would be to have a general /etc/pam.d/common-auth file that all login managers could re-use.
(Like other distributions do? Links to other common-auth files would be useful.)

To quote JGC [1]:
"With common-auth, we could just @include common-auth
from the pam file, which is much easier."

First step: create the /etc/pam.d/common-auth file

Second step: make use of it at least for the /etc/pam.d/login file, and then for the main login managers, for example the main ones from inittab: kdm gdm xdm slim

Affected packages and /etc/pam.d/ files:
core/shadow : login
extra/gdm : gdm and gdm-autologin
extra/kdebase-workspace : kde and kde-np
extra/xorg-xdm : xdm
extra/slim : slim

[1] http://mailman.archlinux.org/pipermail/arch-general/2009-November/008973.html
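
The maintenance problem behind this request can be checked mechanically. The following is an added example, not code from Arch Linux or from anyone in this thread: it parses PAM service files, follows `include`/`substack` controls and the `@include` form quoted above, and lists the services whose auth stack never goes through the shared file. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample contents of /etc/pam.d (illustrative, not from any package).
SAMPLE = {
    "common-auth": "auth required pam_unix.so\n",
    "login": "auth required pam_securetty.so\n@include common-auth\n"
             "account required pam_unix.so\n",
    "gdm": "# display manager\nauth include common-auth\n",
    "xdm": "auth required pam_unix.so nullok\n",
    "slim": "auth requisite pam_nologin.so\n"
            "auth [success=1 default=ignore] \\\n    pam_unix.so\n",
}

# type, control (plain word or [bracketed list]), module path or included file
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_stack(service, files, seen=frozenset()):
    """Return (auth modules in order, set of files pulled in) for a service."""
    if service in seen or service not in files:
        return [], set()
    seen = seen | {service}                      # guards against include loops
    modules, included = [], set()
    text = files[service].replace("\\\n", " ")   # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        target = None
        if line.startswith("@include"):          # the form quoted in the task
            parts = line.split()
            target = parts[1] if len(parts) > 1 else None
        else:
            m = RULE.match(line)
            if not m or m.group(1).lower() != "auth":
                continue
            if m.group(2) in ("include", "substack"):
                target = m.group(3)
            else:
                modules.append(m.group(3))
        if target:
            sub_mods, sub_inc = auth_stack(target, files, seen)
            modules += sub_mods
            included |= {target} | sub_inc
    return modules, included

def standalone_services(files, common="common-auth"):
    """Services whose auth stack never passes through the common file."""
    return sorted(s for s in files
                  if s != common and common not in auth_stack(s, files)[1])
```

On the constructed sample, `standalone_services(SAMPLE)` reports `xdm` and `slim`, the two files that would each need a separate edit for any change to the auth policy.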

Closed by Dave Reisner (falconindy)
Saturday, 23 June 2012, 00:57 GMT
Reason for closing: Implemented
Additional comments about closing: Added as core/pambase
Comment by Xavier (shining) - Wednesday, 18 November 2009, 13:51 GMT
Oh I forgot to say. The purpose of this is that it would make it very easy to make a change to the pam login settings.
It would be sufficient to edit the common-auth files, rather than multiple files.
See FS#17157 for an example of such a change.
Comment by Kaiting Chen (Phoenixfire159) - Monday, 23 November 2009, 00:39 GMT
I'm actually a fan of the way Arch does things now. If a user would like something like common-auth they can create it themselves. I believe all the files in etc/pam.d/ are in the backup array of their respective packages so any changes made to them would be preserved on upgrade.
Comment by Aaron Griffin (phrakture) - Wednesday, 02 December 2009, 21:52 GMT
The problem with the current way is if you (or we) want to change one thing, we have to change it in 3 or 4 locations and packages. I like the idea of a common-auth file.
Comment by trusktr (trusktr) - Wednesday, 16 June 2010, 07:57 GMT
Yes, I agree. We need this feature! I have had to modify my PAM gdm file to enable passwordless login. It'd be nice to have common-auth to avoid editing files incorrectly.

It'd be nice to have this so Gnome will behave like it was intended. Currently, on a fresh install of Gnome, you can change your settings per user to have "password: not asked at login" but it will not work.

I had to modify my /etc/pam.d/gdm file to make it work. It'd be nice to have this included by default and ready for whatever DE the user installs.

Perhaps each DE package (gnome, kde, etc) can be set up so it creates its own common-auth file when installed during pacman, or something similar.
Comment by Paolo (peoro) - Saturday, 04 February 2012, 18:58 GMT
I modified a few PAM configuration files in order to use a common file for any service, similar to how things work in most other distributions (took inspiration from Ubuntu and Debian PAM conf files).

The common files attached to the tarball are configured to use ldap, and only a few configuration files (the ones I needed) have been edited in order to rely on the common files.

I'm not a PAM expert, and cannot guarantee that this configuration is working fine, although it seems to be on my machines.
Comment by Dave Reisner (falconindy) - Sunday, 03 June 2012, 00:38 GMT
Comment by trusktr (trusktr) - Monday, 18 June 2012, 06:45 GMT
@falconindy Awesome.
