diff --git a/gdm-fingerprint.pamd b/gdm-fingerprint.pamd
index bc70b89..26ce17d 100644
--- a/gdm-fingerprint.pamd
+++ b/gdm-fingerprint.pamd
@@ -1,17 +1,17 @@
-# Sample PAM file for doing fingerprint authentication.
-# Distros should replace this with what makes sense for them.
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth sufficient pam_succeed_if.so uid >= 500 quiet
-auth required pam_deny.so
+#%PAM-1.0
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
+auth required pam_shells.so
+auth requisite pam_nologin.so
+auth requisite pam_faillock.so preauth
+auth required pam_fprintd.so
+auth optional pam_permit.so
+auth required pam_env.so
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
-password required pam_deny.so
+account include common-account
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session required pam_unix.so
+password required pam_deny.so
+
+session include common-session
+session optional pam_gnome_keyring.so auto_start
diff --git a/gdm-smartcard.pamd b/gdm-smartcard.pamd
index 5730ff1..9ac6ba2 100644
--- a/gdm-smartcard.pamd
+++ b/gdm-smartcard.pamd
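Review bot: In gdm-fingerprint.pamd, `auth requisite pam_faillock.so preauth` has no matching `pam_faillock.so authfail` entry after `auth required pam_fprintd.so`, so a failed fingerprint match is never counted by this stack and preauth only enforces lockouts recorded by other services. The same pattern appears in the gdm-smartcard.pamd hunk around `pam_pkcs11.so`. If lockout is meant to cover these methods, add an authfail entry that is reached only when the authenticating module fails, which also means replacing that module's plain `required` control with a bracketed jump. If leaving fingerprint and card failures uncounted is deliberate, record it in a comment such as `# failures are not recorded here; preauth only honours locks set by other stacks`. Whether `common-account` resets the counter on success is not visible in this diff.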
@@ -1,19 +1,17 @@
-# Sample PAM file for doing smartcard authentication.
-# Distros should replace this with what makes sense for them.
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth required pam_deny.so
+#%PAM-1.0
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
+auth requisite pam_nologin.so
+auth requisite pam_faillock.so preauth
+auth required pam_pkcs11.so wait_for_card card_only
+auth required pam_shells.so
+auth optional pam_permit.so
+auth required pam_env.so
+auth [success=ok default=1] pam_gdm.so
+auth optional pam_gnome_keyring.so
-password optional pam_pkcs11.so
-password requisite pam_cracklib.so try_first_pass retry=3 type=
+account include common-account
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session required pam_unix.so
+password required pam_deny.so
+
+session include common-session
+session optional pam_gnome_keyring.so auto_start
diff --git a/gdm.changes b/gdm.changes
index f62d239..4b69f70 100644
--- a/gdm.changes
+++ b/gdm.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Dec 2 10:05:28 UTC 2022 - Alynx Zhou
+
+- Update gdm-fingerprint.pamd and gdm-smartcard.pamd: Before this
+ they do not really support fingerprint and smartcard, just put
+ correct configuration to make them work (bsc#1205664).
+- Enable split authentication because we have correct
+ gdm-fingerprint.pamd and gdm-smartcard.pamd.
+
 -------------------------------------------------------------------
 Mon Oct 31 06:19:21 UTC 2022 - Xiaoguang Wang
diff --git a/gdm.spec b/gdm.spec
index aa7424d..eee28ee 100644
--- a/gdm.spec
+++ b/gdm.spec
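Review bot: In gdm-smartcard.pamd the line `auth [success=ok default=1] pam_gdm.so` carries a jump that is easy to misread, and the new file drops the old header comment without adding any explanation of the stack. `default=1` skips the following module, so `pam_gnome_keyring.so` is bypassed whenever pam_gdm.so returns anything other than success; a comment above it such as `# skip the keyring module unless pam_gdm.so succeeds` would record that. gdm-fingerprint.pamd has the identical line and would take the same comment. The `auth optional pam_permit.so` entry could also use a one-line reason, since its purpose is not apparent from the stack itself.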
@@ -16,8 +16,7 @@
 #
-# FIXME: need to check what should be done to enable this (at least adapt the pam files). See bnc#699999
-%define enable_split_authentication 0
+%define enable_split_authentication 1
 # special hack for SLE15/Leap 15: it does not yet know /usr/etc, and files in /etc should be %%config
 %if 0%{?suse_version} >= 1550
@@ -291,11 +290,6 @@ cp %{SOURCE4} %{buildroot}%{_pam_vendordir}/gdm-fingerprint
 cp %{SOURCE5} %{buildroot}%{_pam_vendordir}/gdm-smartcard
 %endif
 # The default gdm pam configuration is the one to be used as pam-password too
-%if %{enable_split_authentication}
-rm %{buildroot}%{_pam_vendordir}/gdm-password
-echo "We are not ready for this, we need to know what to put in gdm-fingerprint and gdm-smartcard pam config files."
-false
-%endif
 ln -s gdm %{buildroot}%{_pam_vendordir}/gdm-password
 ## Install other files
 # Install PostLogin script.
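Review bot: `%define enable_split_authentication 1` turns the feature on for every build target, while the context lines just below it show the spec still carries an SLE15/Leap 15 code path. The new PAM files make `pam_faillock.so`, `pam_fprintd.so` and `pam_pkcs11.so` requisite or required, so on a target where one of them is absent (pam_faillock arrived in Linux-PAM 1.4.0) the service fails closed and that login method never works. Nothing visible in this diff adds a dependency on the packages that ship those modules; consider gating the define on `suse_version` or adding the matching `Requires:`/`Recommends:`, and verify on the oldest supported target. The `%if %{enable_split_authentication}` block removed in the later hunk at old line 291 was the only build-time guard.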