Commit 31ed6f2b authored by Ray Strode's avatar Ray Strode

pam: grab cached password from systemd and pass it on

If the user has an encrypted disk then systemd will cache the password
they type into the keyring. It makes sense to try to use this password
for automatic login purposes first, since on single user machines,
the sole user password is likely to match the disk password.

Of course if it doesn't work we'll fall back to the old way of doing
automatic login without a password (and then the user will have to
manually enter it if they need to for gnome-keyring or whatever)

https://bugzilla.gnome.org/show_bug.cgi?id=769950
parent 714b6af2
......@@ -522,6 +522,14 @@ if test "x$have_pam" = "xyes"; then
)
fi
AC_CHECK_LIB(keyutils, keyctl_read, [
AC_DEFINE(HAVE_KEYUTILS, 1, [Define if have keyutils])
KEYUTILS_LIBS="-lkeyutils"
KEYUTILS_CFLAGS=""
])
AC_SUBST(KEYUTILS_LIBS)
AC_SUBST(KEYUTILS_CFLAGS)
dnl Check if we can use the setpenv function to add specialvariable
dnl to the environment (such as the /etc/environment file under AIX)
AC_LINK_IFELSE([
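Review bot: The keyutils probe is silent auto-detection: when `AC_CHECK_LIB(keyutils, keyctl_read, ...)` fails, HAVE_KEYUTILS is simply left undefined and pam_gdm.so is still built and installed as a module that does nothing, with no configure message or summary line to show that the cached-password path is absent. A packager whose build box lacks libkeyutils-devel would ship a no-op module without noticing. Adding a failure branch to the check, e.g. `AC_MSG_WARN([keyutils not found; pam_gdm will not read the cached cryptsetup passphrase])`, or reporting the result in the configure summary, makes the outcome visible; a `--with-keyutils`/`--without-keyutils` switch would let distributions pin it either way.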
......
auth requisite pam_nologin.so
auth required pam_env.so
auth optional pam_gdm.so
auth optional pam_gnome_keyring.so
auth optional pam_permit.so
account include system-local-login
......@@ -8,3 +10,4 @@ password include system-local-login
session optional pam_keyinit.so force revoke
session include system-local-login
session optional pam_gnome_keyring.so auto_start
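Review bot: The ordering dependency introduced here is not recorded in the file: `auth optional pam_gdm.so` has to sit before `auth optional pam_gnome_keyring.so`, because pam_gdm is what places the cryptsetup passphrase into PAM_AUTHTOK and the keyring module only sees it if it runs later in the stack. A one-line comment above the pair, `# pam_gdm must precede pam_gnome_keyring: it seeds PAM_AUTHTOK with the passphrase systemd cached at boot`, keeps a later reorder from silently breaking the feature. The same applies to each of the other pam.d sections in this commit where pam_gdm.so is stacked ahead of pam_gnome_keyring.so.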
......@@ -2,11 +2,9 @@
# except for the authentication method, which is:
# always permit login
auth required pam_env.so
auth required pam_tally.so file=/var/log/faillog onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_permit.so
auth optional pam_gdm.so
auth substack system-local-login
auth sufficient pam_permit.so
-auth optional pam_gnome_keyring.so
account include system-local-login
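Review bot: The fallback the commit message promises may not hold in this stack: `auth optional pam_gdm.so` seeds PAM_AUTHTOK with the disk passphrase and `auth substack system-local-login` then tries it, and if that substack contains a required or requisite module that rejects a wrong token (stock stacks commonly end in pam_deny), the recorded failure cannot be overturned by the trailing `auth sufficient pam_permit.so`, so a user whose login password differs from the disk passphrase would be refused instead of auto-logged-in. Whether that happens depends on the contents of system-local-login, which is outside this diff, so it should be tested with mismatched passwords before relying on the "fall back to the old way" behaviour. The section that stacks `auth substack password-auth` ahead of `auth sufficient pam_permit.so` has the same exposure. Removing `auth optional pam_gnome_keyring.so` from this stack also means the keyring is now only unlocked if system-local-login itself contains that module; worth confirming.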
......
......@@ -4,6 +4,8 @@ auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_succeed_if.so uid >= 1000 quiet
auth optional pam_gdm.so
auth optional pam_gnome_keyring.so
auth required pam_permit.so
account include system-account
......@@ -12,5 +14,6 @@ password include system-password
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-session
session optional pam_gnome_keyring.so auto_start
# End /etc/pam.d/gdm-autologin
#%PAM-1.0
auth required pam_env.so
auth required pam_permit.so
auth optional pam_gdm.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth sufficient pam_permit.so
auth include postlogin
account required pam_nologin.so
account include system-auth
......@@ -12,4 +14,5 @@ session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include system-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
......@@ -15,6 +15,7 @@ pam_gdm_la_SOURCES = \
$(END_OF_LIST)
pam_gdm_la_CFLAGS = \
$(KEYUTILS_CFLAGS) \
$(PAM_CFLAGS) \
$(END_OF_LIST)
......@@ -26,6 +27,7 @@ pam_gdm_la_LDFLAGS = \
$(END_OF_LIST)
pam_gdm_la_LIBADD = \
$(KEYUTILS_LIBS) \
$(PAM_LIBS) \
$(END_OF_LIST)
......
......@@ -17,18 +17,47 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
*/
#include <config.h>
#include <unistd.h>
#include <security/_pam_macros.h>
#include <security/pam_ext.h>
#include <security/pam_misc.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#ifdef HAVE_KEYUTILS
#include <keyutils.h>
#endif
int
pam_sm_authenticate (pam_handle_t *pamh,
int flags,
int argc,
const char **argv)
{
#ifdef HAVE_KEYUTILS
int r;
void *cached_password = NULL;
key_serial_t serial;
serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
if (serial == 0)
return PAM_AUTHINFO_UNAVAIL;
r = keyctl_read_alloc (serial, &cached_password);
if (r < 0)
return PAM_AUTHINFO_UNAVAIL;
r = pam_set_item (pamh, PAM_AUTHTOK, cached_password);
free (cached_password);
if (r < 0)
return PAM_AUTH_ERR;
#endif
return PAM_SUCCESS;
}
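Review bot: The failure check after `pam_set_item` on the `if (r < 0)` line can never fire, because Linux-PAM returns PAM_SUCCESS (0) or a positive error code, so a rejected PAM_AUTHTOK still yields PAM_SUCCESS; it should read `if (r != PAM_SUCCESS)`. Similarly `find_key_by_type_and_desc` reports a missing key as -1 with errno set rather than 0, so the `serial == 0` test does not catch the lookup failure and the function only bails out when the following `keyctl_read_alloc` fails on the bad serial; `if (serial < 0)` is the intended test. The buffer holds the disk-encryption passphrase and is handed straight to `free`, so it should be scrubbed first with `_pam_overwrite (cached_password);` from the already-included `security/_pam_macros.h`, as other PAM modules do with authtoks. Without HAVE_KEYUTILS the function unconditionally returns PAM_SUCCESS, which is only harmless while every pam.d stack keeps this module `optional`; a comment on the `#endif`/return stating that assumption would help the next maintainer.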
......