Accepting request 1039542 from home:AZhou:branches:GNOME:Factory

- Update gdm-fingerprint.pamd and gdm-smartcard.pamd: Before this they do not really support fingerprint and smartcard, just put correct configuration to make them work (bsc#1205664). - Enable split authentication because we have correct gdm-fingerprint.pamd and gdm-smartcard.pamd. OBS-URL: https://build.opensuse.org/request/show/1039542 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdm?expand=0&rev=509
2022-12-03 11:22:00 +00:00 · 2022-12-03 11:22:00 +00:00 · 71999e468d
commit 71999e468d
parent 9cdbe24f53
4 changed files with 38 additions and 37 deletions
--- a/gdm-fingerprint.pamd
+++ b/gdm-fingerprint.pamd
@ -1,17 +1,17 @@
-# Sample PAM file for doing fingerprint authentication.
+#%PAM-1.0
 # Distros should replace this with what makes sense for them.
 auth        requisite     pam_nologin.so
 auth        required      pam_env.so
 auth        sufficient    pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so
-account     required      pam_unix.so
+auth       required                    pam_shells.so
-account     sufficient    pam_localuser.so
+auth       requisite                   pam_nologin.so
-account     sufficient    pam_succeed_if.so uid < 500 quiet
+auth       requisite                   pam_faillock.so      preauth
-account     required      pam_permit.so
+auth       required                    pam_fprintd.so
 auth       optional                    pam_permit.so
 auth       required                    pam_env.so
 auth       [success=ok default=1]      pam_gdm.so
 auth       optional                    pam_gnome_keyring.so
-password    required      pam_deny.so
+account    include                     common-account
-session     optional      pam_keyinit.so revoke
+password   required                    pam_deny.so
-session     required      pam_limits.so
+
-session     required      pam_unix.so
+session    include                     common-session
 session    optional                    pam_gnome_keyring.so auto_start
--- a/gdm-smartcard.pamd
+++ b/gdm-smartcard.pamd
@ -1,19 +1,17 @@
-# Sample PAM file for doing smartcard authentication.
+#%PAM-1.0
 # Distros should replace this with what makes sense for them.
 auth        requisite     pam_nologin.so
 auth        required      pam_env.so
 auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so
-account     required      pam_unix.so
+auth       requisite                   pam_nologin.so
-account     sufficient    pam_localuser.so
+auth       requisite                   pam_faillock.so      preauth
-account     sufficient    pam_succeed_if.so uid < 500 quiet
+auth       required                    pam_pkcs11.so        wait_for_card card_only
-account     required      pam_permit.so
+auth       required                    pam_shells.so
 auth       optional                    pam_permit.so
 auth       required                    pam_env.so
 auth       [success=ok default=1]      pam_gdm.so
 auth       optional                    pam_gnome_keyring.so
-password    optional      pam_pkcs11.so
+account    include                     common-account
 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
-session     optional      pam_keyinit.so revoke
+password   required                    pam_deny.so
-session     required      pam_limits.so
+
-session     required      pam_unix.so
+session    include                     common-session
 session    optional                    pam_gnome_keyring.so auto_start
--- a/gdm.changes
+++ b/gdm.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Fri Dec  2 10:05:28 UTC 2022 - Alynx Zhou <alynx.zhou@suse.com>
 - Update gdm-fingerprint.pamd and gdm-smartcard.pamd: Before this
  they do not really support fingerprint and smartcard, just put
  correct configuration to make them work (bsc#1205664).
 - Enable split authentication because we have correct
  gdm-fingerprint.pamd and gdm-smartcard.pamd.
 -------------------------------------------------------------------
 Mon Oct 31 06:19:21 UTC 2022 - Xiaoguang Wang <xiaoguang.wang@suse.com>
--- a/gdm.spec
+++ b/gdm.spec
@ -16,8 +16,7 @@
 #
-# FIXME: need to check what should be done to enable this (at least adapt the pam files). See bnc#699999
+%define enable_split_authentication 1
 %define enable_split_authentication 0
 # special hack for SLE15/Leap 15: it does not yet know /usr/etc, and files in /etc should be %%config
 %if 0%{?suse_version} >= 1550
@ -291,11 +290,6 @@ cp %{SOURCE4} %{buildroot}%{_pam_vendordir}/gdm-fingerprint
 cp %{SOURCE5} %{buildroot}%{_pam_vendordir}/gdm-smartcard
 %endif
 # The default gdm pam configuration is the one to be used as pam-password too
 %if %{enable_split_authentication}
 rm %{buildroot}%{_pam_vendordir}/gdm-password
 echo "We are not ready for this, we need to know what to put in gdm-fingerprint and gdm-smartcard pam config files."
 false
 %endif
 ln -s gdm %{buildroot}%{_pam_vendordir}/gdm-password
 ## Install other files
 # Install PostLogin script.