Merge pull request #67917 from worldofpeace/lightdm-pam-gnome-keyring

nixos/lightdm: fix pam rules
2019-09-06 18:50:07 -04:00 · 2019-09-06 18:50:07 -04:00 · 4e89375846
commit 4e89375846
parent 1d6c542b22 0c602541a3
1 changed files with 28 additions and 23 deletions
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@ -232,36 +232,41 @@ in
    # Enable the accounts daemon to find lightdm's dbus interface
    environment.systemPackages = [ lightdm ];
-    security.pam.services.lightdm = {
+    security.pam.services.lightdm.text = ''
-      allowNullPassword = true;
+        auth      substack      login
-      startSession = true;
+        account   include       login
-    };
+        password  substack      login
-    security.pam.services.lightdm-greeter = {
+        session   include       login
-      allowNullPassword = true;
+    '';
      startSession = true;
      text = ''
        auth     required pam_env.so envfile=${config.system.build.pamEnvironment}
        auth     required pam_permit.so
-        account  required pam_permit.so
+    security.pam.services.lightdm-greeter.text = ''
        auth     required       pam_succeed_if.so audit quiet_success user = lightdm
        auth     optional       pam_permit.so
-        password required pam_deny.so
+        account  required       pam_succeed_if.so audit quiet_success user = lightdm
        account  sufficient     pam_unix.so
        password required       pam_deny.so
        session  required       pam_succeed_if.so audit quiet_success user = lightdm
        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
        session  optional       pam_keyinit.so force revoke
        session  optional       pam_permit.so
    '';
        session  required pam_env.so envfile=${config.system.build.pamEnvironment}
        session  required pam_unix.so
        session  optional ${pkgs.systemd}/lib/security/pam_systemd.so
      '';
    };
    security.pam.services.lightdm-autologin.text = ''
-        auth     requisite pam_nologin.so
+        auth      requisite     pam_nologin.so
        auth     required  pam_succeed_if.so uid >= 1000 quiet
        auth     required  pam_permit.so
-        account  include   lightdm
+        auth      required      pam_succeed_if.so uid >= 1000 quiet
        auth      required      pam_permit.so
-        password include   lightdm
+        account   sufficient    pam_unix.so
-        session  include   lightdm
+        password  requisite     pam_unix.so nullok sha512
        session   optional      pam_keyinit.so revoke
        session   include       login
    '';
    users.users.lightdm = {