author | worldofpeace <worldofpeace@protonmail.ch> | 2019-07-14 06:32:44 -0400 |
---|---|---|
committer | worldofpeace <worldofpeace@protonmail.ch> | 2019-09-06 18:22:22 -0400 |
commit | 0c602541a35a5a01f3a22e82002bde0e66b514d6 (patch) | |
tree | f97ca8b40839acb8eff90b40e3d7dadefc5eda04 /nixos/modules | |
parent | 5d4890b58dcbe0a099cda233a259284a6e5ec9d4 (diff) | |
nixos/lightdm: fix pam rules
Rules are a translation of what's done in the GDM module, with adjustments based on looking at Arch Linux's configuration and upstream's. A side effect of this change is that gnome-keyring and kwallet modules should work as expected when included. Fixes #64259 #62045
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/x11/display-managers/lightdm.nix | 51 |
1 files changed, 28 insertions, 23 deletions
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 9aed255f878..2d421e4d6cd 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -232,36 +232,41 @@ in
 # Enable the accounts daemon to find lightdm's dbus interface
 environment.systemPackages = [ lightdm ];
- security.pam.services.lightdm = {
- allowNullPassword = true;
- startSession = true;
- };
- security.pam.services.lightdm-greeter = {
- allowNullPassword = true;
- startSession = true;
- text = ''
- auth required pam_env.so envfile=${config.system.build.pamEnvironment}
- auth required pam_permit.so
+ security.pam.services.lightdm.text = ''
+ auth substack login
+ account include login
+ password substack login
+ session include login
+ '';
- account required pam_permit.so
+ security.pam.services.lightdm-greeter.text = ''
+ auth required pam_succeed_if.so audit quiet_success user = lightdm
+ auth optional pam_permit.so
- password required pam_deny.so
+ account required pam_succeed_if.so audit quiet_success user = lightdm
+ account sufficient pam_unix.so
+
+ password required pam_deny.so
+
+ session required pam_succeed_if.so audit quiet_success user = lightdm
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ session optional ${pkgs.systemd}/lib/security/pam_systemd.so
+ session optional pam_keyinit.so force revoke
+ session optional pam_permit.so
+ '';
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
- session required pam_unix.so
- session optional ${pkgs.systemd}/lib/security/pam_systemd.so
- '';
- };
 security.pam.services.lightdm-autologin.text = ''
- auth requisite pam_nologin.so
- auth required pam_succeed_if.so uid >= 1000 quiet
- auth required pam_permit.so
+ auth requisite pam_nologin.so
+
+ auth required pam_succeed_if.so uid >= 1000 quiet
+ auth required pam_permit.so
- account include lightdm
+ account sufficient pam_unix.so
- password include lightdm
+ password requisite pam_unix.so nullok sha512
- session include lightdm
+ session optional pam_keyinit.so revoke
+ session include login
 '';
 users.users.lightdm = { |
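Review bot: The `lightdm-autologin` password stack hard-codes `password requisite pam_unix.so nullok sha512`, while the `lightdm` service in the same hunk delegates with `password substack login`, so the null-password and hashing policy for autologin no longer follows whatever the `login` stack defines. Unless the divergence is intended, `password include login` would keep that policy in one place; if it is intended, a short comment above the line saying why `nullok` is wanted on an autologin service would help the next reader. Separately, the removed `lightdm` definition set `allowNullPassword = true` explicitly and the new text inherits that decision from `login`, which presumably is equivalent on a default system but is worth confirming, since the `login` service is not visible in this hunk. The surrounding config block starts before and continues past the hunk.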