From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Tue, 31 Aug 2021 21:51:46 +0000
Subject: [PATCH] pam-arch: Drop pam_faillock counting from fingerprint and

As mentioned in an [fprintd issue comment][1], we need to make sure that
the stack's error status is taken from the main auth module, i.e.
pam_fprintd; otherwise GDM will not behave correctly.

Still use pam_faillock preauth so that we test whether the account is
locked, but don't use authfail/authsucc to log a failure/success, so this
stack doesn't participate in triggering the lock.

Ideally we would check which return values we actually want to treat as
a reason to lock the account (e.g. fingerprint mismatch) and which are
neutral (e.g. no fingerprints enrolled), but that's much more effort.

Should fix [FS#71750][2].

[1]: https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191
[2]: https://bugs.archlinux.org/task/71750
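To make the commit message's point concrete, here is an added example (not part of this patch, of GDM, or of the Arch pam-arch files) that re-implements the control-flag dispatch rules documented in pam.conf(5) for `required`, `requisite`, `sufficient`, `optional` and the bracketed `[value=action ...]` form, and runs the gdm-fingerprint stack from before and after the change through it. The module results are stubbed: the codes chosen for pam_fprintd (`PAM_AUTHINFO_UNAVAIL` for "no fingerprints enrolled"), for `pam_faillock.so authfail` (`PAM_AUTH_ERR`) and for a locked account in `preauth` (`PAM_AUTH_ERR`) are assumptions picked to illustrate the dispatch logic, not observed output of those modules.

```python
"""Toy re-implementation of Linux-PAM's auth-stack dispatch rules.

Added example, not part of this patch or of the pam-arch files: it applies
the control-flag semantics from pam.conf(5) to the gdm-fingerprint stack
before and after the change, with stubbed module results, so the reader can
see whose return code reaches the application (GDM).
"""
import re

# Return codes from <security/_pam_types.h>
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_MAXTRIES, PAM_AUTHINFO_UNAVAIL, PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 8, 9, 12, 25
RETVAL_NAMES = {
    PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied", PAM_AUTH_ERR: "auth_err",
    PAM_MAXTRIES: "maxtries", PAM_AUTHINFO_UNAVAIL: "authinfo_unavail",
    PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd", PAM_IGNORE: "ignore",
}
# Simple control keywords, expanded exactly as pam.conf(5) defines them
SIMPLE_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(actions, key)] for each 'auth' line; key is 'module args'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        control, module, args = m.groups()
        control = SIMPLE_CONTROLS.get(control, control)
        actions = dict(tok.split("=", 1) for tok in control.strip("[]").split())
        entries.append((actions, f"{module} {args}".strip()))
    return entries

def run_stack(entries, results):
    """Dispatch the way libpam's pam_dispatch.c does; results maps key -> code.

    Returns (final status, list of keys that were actually invoked)."""
    UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
    impression, status, invoked = UNDEF, PAM_PERM_DENIED, []
    i = 0
    while i < len(entries):
        actions, key = entries[i]
        invoked.append(key)
        retval = results.get(key, PAM_SUCCESS)      # modules not listed succeed
        action = actions.get(RETVAL_NAMES[retval], actions.get("default", "bad"))
        jump = int(action) if action.isdigit() else 0
        if action in ("ok", "done") or jump:
            # 'ok': the result counts only while nothing has failed yet
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break
            i += jump                                # 'N' skips the next N modules
        elif action in ("bad", "die"):
            # the first failure fixes the status; later successes never override it
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval
            if action == "die":                      # stop the stack right here
                break
        elif action == "reset":
            impression, status = UNDEF, PAM_PERM_DENIED
        # 'ignore': contributes nothing to the result
        i += 1
    if status == PAM_SUCCESS and impression != POSITIVE:   # libpam's sanity check
        status = PAM_PERM_DENIED
    return status, invoked

# The two stacks as they appear in the hunk (comments omitted)
OLD_FINGERPRINT = """\
auth required pam_shells.so
auth requisite pam_nologin.so
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_fprintd.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
auth [success=ok default=1] pam_gdm.so
auth optional pam_gnome_keyring.so
"""
NEW_FINGERPRINT = """\
auth required pam_shells.so
auth requisite pam_nologin.so
auth requisite pam_faillock.so preauth
auth required pam_fprintd.so
auth optional pam_permit.so
auth required pam_env.so
auth [success=ok default=1] pam_gdm.so
auth optional pam_gnome_keyring.so
"""

def status_for(stack_text, results):
    return run_stack(parse_stack(stack_text), results)

# Simulated module results: assumptions for illustration, not fprintd/faillock output
NO_PRINTS = {"pam_fprintd.so": PAM_AUTHINFO_UNAVAIL,    # e.g. no fingerprints enrolled
             "pam_faillock.so authfail": PAM_AUTH_ERR}  # failure recorded, generic error
LOCKED = {"pam_faillock.so preauth": PAM_AUTH_ERR}      # tally already over the limit

if __name__ == "__main__":
    for label, stack in (("before", OLD_FINGERPRINT), ("after", NEW_FINGERPRINT)):
        for case, results in (("no prints", NO_PRINTS), ("locked", LOCKED), ("ok", {})):
            status, invoked = status_for(stack, results)
            print(f"{label:6} {case:9} -> {RETVAL_NAMES[status]:17} ran={invoked}")
```

Running it shows the two effects the commit message describes: in the old stack a pam_fprintd failure is `ignore`d and the `[default=die]` authfail line returns pam_faillock's own code, whereas in the new stack pam_fprintd is the first `required` failure and its code is what reaches GDM; and with `requisite` on the preauth line a locked account now stops before pam_fprintd is ever invoked, where the old `required` line still ran it.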
 data/pam-arch/gdm-fingerprint.pam | 10 ++--------
 data/pam-arch/gdm-smartcard.pam   | 10 ++--------
 2 files changed, 4 insertions(+), 16 deletions(-)
28 diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam
29 index cc660d9a90ba..2aaf9f6c88a0 100644
30 --- a/data/pam-arch/gdm-fingerprint.pam
31 +++ b/data/pam-arch/gdm-fingerprint.pam
34 auth required pam_shells.so
35 auth requisite pam_nologin.so
36 -auth required pam_faillock.so preauth
37 -# Optionally use requisite above if you do not want to prompt for the fingerprint
38 -# on locked accounts.
39 -auth [success=1 default=ignore] pam_fprintd.so
40 -auth [default=die] pam_faillock.so authfail
41 +auth requisite pam_faillock.so preauth
42 +auth required pam_fprintd.so
43 auth optional pam_permit.so
44 auth required pam_env.so
45 -auth required pam_faillock.so authsucc
46 -# If you drop the above call to pam_faillock.so the lock will be done also
47 -# on non-consecutive authentication failures.
48 auth [success=ok default=1] pam_gdm.so
49 auth optional pam_gnome_keyring.so
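Review bot: the two explanatory comments are removed without a replacement, and this stack now behaves in two ways an administrator would want stated in the file: `auth requisite pam_faillock.so preauth` rejects a locked account before pam_fprintd ever prompts, and with the `authfail`/`authsucc` lines gone, failed fingerprint attempts made through this file are never counted toward the lock at all; only stacks that still call `authfail` feed the tally. Suggest one comment above the preauth line, e.g. "# Only check the lock here; failures in this stack are deliberately not counted", mirroring what the commit message says. Also worth a second look: `auth required pam_fprintd.so` means a fingerprint failure still runs pam_permit, pam_env and pam_gdm before the failure is returned. The final status is unaffected, since the first `required` failure wins, so `required` is fine if those modules must run on every path, but if the intent is to stop at the fingerprint failure, `requisite` would do that and should be chosen explicitly rather than by default.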
51 diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam
52 index e6ec129948a7..6d7333bf4204 100644
53 --- a/data/pam-arch/gdm-smartcard.pam
54 +++ b/data/pam-arch/gdm-smartcard.pam
57 auth required pam_shells.so
58 auth requisite pam_nologin.so
59 -auth required pam_faillock.so preauth
60 -# Optionally use requisite above if you do not want to prompt for the smartcard
61 -# on locked accounts.
62 -auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only
63 -auth [default=die] pam_faillock.so authfail
64 +auth requisite pam_faillock.so preauth
65 +auth required pam_pkcs11.so wait_for_card card_only
66 auth optional pam_permit.so
67 auth required pam_env.so
68 -auth required pam_faillock.so authsucc
69 -# If you drop the above call to pam_faillock.so the lock will be done also
70 -# on non-consecutive authentication failures.
71 auth [success=ok default=1] pam_gdm.so
72 auth optional pam_gnome_keyring.so
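Review bot: this hunk is the same shape as the fingerprint one, so the same missing comment applies, but here the dropped `authfail` line has a sharper consequence: wrong-PIN attempts entered through `pam_pkcs11.so wait_for_card card_only` are no longer tallied by pam_faillock, so this stack's only brute-force throttle is whatever retry counter the card itself enforces. The commit message's caveat that ideally only some return values should count applies to the PIN case directly, and a comment above the pkcs11 line should say that failures are intentionally not counted so nobody later assumes faillock still covers smartcard logins. On the plus side, `requisite` on the preauth line means `wait_for_card` no longer sits waiting for a card on an account that is already locked, which the old file only offered as an opt-in; that behaviour change deserves a mention too, since the commit message only talks about the fingerprint stack.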