Let's move pam_systemd_home before pam_unix in the authentication hook.

For a while now we have been exposing shadow entries for homed log entries via
NSS. This means that pam_unix now potentially has enough data for
authenticating a user on its own, without letting pam_systemd_home do
that. This is superficially OK, but also means that authentication will
always go via password, even if pkcs11/fido2 is registered.

Let's move this around, but be careful about it: let's list the precise
errors which we think are enough to terminate further PAM processing,
so that pam_unix comes into control in all cases where it's not clear
that pam_systemd_home owns the user record.

This previously wasn't visible to me, because on Fedora until authselect
1.5.1 (released earlier this year) the NSS shadow stuff was not enabled.

This does the same also for the "account" stack, except that the order
there already was as we want it.

Finally, shorten the account stack, by just requiring pam_unix.so and
dropping pam_permit.so, because it doesn't really serve much purpose
(and Fedora doesn't use it by default either.)
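The ordering argument in the commit message turns on how Linux-PAM walks a stack: `sufficient` expands to `[success=done new_authtok_reqd=done default=ignore]`, `required` to `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`, a `done` only ends the stack while no earlier module has failed, and `bad` records a failure without stopping. The following added example (not code from the systemd project or the commit author) models that walk as described in pam.conf(5) and runs the old `auth` ordering and the new one from this patch against constructed users. The stand-in modules, the user records, and the result codes they return (`user_unknown` for a non-homed user, `maxtries` for a homed user that exhausted its retries) are assumptions made for the demonstration.

```python
"""
Simplified model of the Linux-PAM stack walk described in pam.conf(5), used to
compare the old 'auth' ordering (pam_unix before pam_systemd_home, both
'sufficient') with the new one (pam_systemd_home first, with an explicit
[...] control). The modules are stand-ins returning fixed PAM result codes for
constructed test users; nothing here talks to real PAM or homed.
"""

# pam.conf(5) expansions of the classic control keywords.
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
# Control this commit puts on the pam_systemd_home 'auth' line.
HOMED_AUTH = {"success": "done", "authtok_err": "bad", "perm_denied": "bad",
              "maxtries": "bad", "default": "ignore"}


def run_stack(stack, user):
    """Walk a stack of (control, module) pairs the way pam.conf(5) describes.

    'ok'/'done' make the stack positive unless an earlier module already failed;
    'done' stops the walk only while the stack is positive. 'bad'/'die' record
    the first failure; only 'die' stops. Returns (final status, modules consulted).
    """
    impression = None        # None = undecided, True = positive, False = negative
    status = "perm_denied"   # what PAM returns if no module ever decides
    consulted = []
    for control, module in stack:
        rc = module(user)
        consulted.append(module.__name__)
        action = control.get(rc, control["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, rc
            if action == "done" and impression:
                break
        else:  # "bad" or "die": the first failure's code becomes the stack's
            if impression is not False:
                impression, status = False, rc
            if action == "die":
                break
    if impression is None:
        status = "perm_denied"
    return status, consulted


def pam_unix(user):
    """Password check against the (NSS-exposed) shadow entry; stand-in module."""
    return "success" if user["password_ok"] else "auth_err"


def pam_systemd_home(user):
    """homed stand-in: assumed to answer user_unknown for non-homed users,
    otherwise the outcome recorded on the constructed user (password, FIDO2, ...)."""
    if not user["homed"]:
        return "user_unknown"
    return user["homed_result"]


def pam_deny(user):
    """Always fails; the backstop at the end of the 'auth' stack."""
    return "auth_err"


OLD_AUTH = [(SUFFICIENT, pam_unix), (SUFFICIENT, pam_systemd_home), (REQUIRED, pam_deny)]
NEW_AUTH = [(HOMED_AUTH, pam_systemd_home), (SUFFICIENT, pam_unix), (REQUIRED, pam_deny)]

# Constructed users, not real records.
USERS = {
    # homed user with a FIDO2 token; the shadow entry is also visible via NSS
    "fido-user": {"homed": True, "password_ok": True, "homed_result": "success"},
    # homed user who exhausted homed's retry budget while the password is right
    "locked-user": {"homed": True, "password_ok": True, "homed_result": "maxtries"},
    # classic /etc/passwd user that homed knows nothing about
    "classic": {"homed": False, "password_ok": True, "homed_result": "user_unknown"},
}


def compare(name):
    """Return {'old': (status, consulted), 'new': (status, consulted)} for one user."""
    user = USERS[name]
    return {"old": run_stack(OLD_AUTH, user), "new": run_stack(NEW_AUTH, user)}


if __name__ == "__main__":
    for name in USERS:
        for order, (status, consulted) in compare(name).items():
            print(f"{name:12} {order}: {status:12} via {' -> '.join(consulted)}")
```

With the old order pam_unix grants both homed users before pam_systemd_home is ever consulted, so the FIDO2 token is never used and the homed-side lockout is bypassed; with the new order homed decides first, its `bad` result cannot be overridden by pam_unix's later `done`, and a non-homed user falls through to pam_unix exactly as before.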
# You really want to adjust this to your local distribution. If you use this
# unmodified you are not building systems safely and securely.
+-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
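Review bot: the commit message says the listed errors are enough to terminate further PAM processing, but `authtok_err=bad perm_denied=bad maxtries=bad` on the new `-auth [...] pam_systemd_home.so` line does not stop the stack: per pam.conf(5) `bad` only records the failure and lets later modules run, and it is `die` that terminates. The end result is still a failed stack, because once a failure is recorded the `done` of `auth sufficient pam_unix.so` no longer returns success and the walk falls through to `auth required pam_deny.so`, but pam_unix is still executed and may prompt for a password after homed has already refused. If letting pam_unix run is intended, a short comment above the line (this file already carries comments) would save the next reader a trip to pam.conf(5); if not, `authtok_err=die perm_denied=die maxtries=die` gives the behaviour the message describes. The same choice is mirrored in the `-account [...]` line below, where `acct_expired=bad` likewise does not short-circuit the stack.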
<filename>systemd-logind.service</filename>:</para>
<programlisting>#%PAM-1.0
+-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
<filename>systemd-homed.service</filename> to log in:</para>
<programlisting>#%PAM-1.0
+ <command>-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so</command>
auth sufficient pam_unix.so
-<command>-auth sufficient pam_systemd_home.so</command>
auth required pam_deny.so
account required pam_nologin.so
-<command>-account sufficient pam_systemd_home.so</command>
-account sufficient pam_unix.so
-account required pam_permit.so
+<command>-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so</command>
+account required pam_unix.so
<command>-password sufficient pam_systemd_home.so</command>
password sufficient pam_unix.so sha512 shadow try_first_pass
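Review bot: the added line `+ <command>-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so</command>` carries a stray leading space inside the `<programlisting>`, which is rendered verbatim, so this one line will show up indented relative to `auth sufficient pam_unix.so` and the rest of the listing. Drop the space so it lines up with the removed `<command>-auth sufficient pam_systemd_home.so</command>` line and with the identical listing in the other man page.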
# Used by systemd --user instances.
{% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
{% endif %}
-account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account required pam_unix.so no_pass_expiry
{% if HAVE_SELINUX %}
session required pam_selinux.so close
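Review bot: `authtok_expired=bad new_authtok_reqd=bad` on the new `-account [...] pam_systemd_home.so` line looks at odds with `account required pam_unix.so no_pass_expiry` two lines below: this stack is used by `systemd --user` instances, and the `no_pass_expiry` option exists precisely so that an expired password does not stop the user manager from starting, yet for a homed user the same condition now fails the whole stack (the removed `-account sufficient pam_systemd_home.so` line treated `new_authtok_reqd` as `done` and `authtok_expired` as `ignore`, so it fell through to pam_unix before). If expiry is meant to be ignored here as it is for pam_unix, `authtok_expired=ignore new_authtok_reqd=ignore` on this line would keep that behaviour; if the stricter treatment is deliberate, a comment saying so next to `no_pass_expiry` would stop the next reader from "fixing" it.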
# Used by run0 sessions
{% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
{% endif %}
account required pam_unix.so
if [[ -f "$dir/pam.d/sshd" ]]; then
mv "$dir/pam.d/sshd" "$dir/pam.d/sshd.bak"
cat >"$dir/pam.d/sshd" <<EOF
+auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so nullok
-auth sufficient pam_systemd_home.so debug
auth required pam_deny.so
-account sufficient pam_systemd_home.so debug
-account sufficient pam_unix.so
-account required pam_permit.so
+account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
session optional pam_systemd_home.so debug
session optional pam_systemd.so
session required pam_unix.so
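Review bot: the replacement `auth [...] pam_systemd_home.so` and `account [...] pam_systemd_home.so` lines drop the `debug` option that the removed `-auth sufficient pam_systemd_home.so debug` and `-account sufficient pam_systemd_home.so debug` lines carried, while `session optional pam_systemd_home.so debug` keeps it. Since this is the sshd stack written by the integration test, the module's debug logging is what would be used to diagnose a failed login in CI; unless the extra log volume was the reason, append `debug` to both new lines so the test keeps the same visibility it had.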