authorworldofpeace <worldofpeace@protonmail.ch>2019-09-06 18:50:07 -0400
committerGitHub <noreply@github.com>2019-09-06 18:50:07 -0400
commit4e89375846974c7a25123977fef0335c1f91f9e8 (patch)
tree0db944df5a381e653ecd1e372c4ae3604bbfccf4 /nixos/modules
parent1d6c542b221d330a16f100fa9bbb42bc6d69c5d2 (diff)
parent0c602541a35a5a01f3a22e82002bde0e66b514d6 (diff)
Merge pull request #67917 from worldofpeace/lightdm-pam-gnome-keyring
nixos/lightdm: fix pam rules
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix51
1 files changed, 28 insertions, 23 deletions
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 956c95e48220..c26a5b615353 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -232,36 +232,41 @@ in
     # Enable the accounts daemon to find lightdm's dbus interface
     environment.systemPackages = [ lightdm ];
 
-    security.pam.services.lightdm = {
-      allowNullPassword = true;
-      startSession = true;
-    };
-    security.pam.services.lightdm-greeter = {
-      allowNullPassword = true;
-      startSession = true;
-      text = ''
-        auth     required pam_env.so envfile=${config.system.build.pamEnvironment}
-        auth     required pam_permit.so
+    security.pam.services.lightdm.text = ''
+        auth      substack      login
+        account   include       login
+        password  substack      login
+        session   include       login
+    '';
 
-        account  required pam_permit.so
+    security.pam.services.lightdm-greeter.text = ''
+        auth     required       pam_succeed_if.so audit quiet_success user = lightdm
+        auth     optional       pam_permit.so
 
-        password required pam_deny.so
+        account  required       pam_succeed_if.so audit quiet_success user = lightdm
+        account  sufficient     pam_unix.so
+
+        password required       pam_deny.so
+
+        session  required       pam_succeed_if.so audit quiet_success user = lightdm
+        session  required       pam_env.so envfile=${config.system.build.pamEnvironment}
+        session  optional       ${pkgs.systemd}/lib/security/pam_systemd.so
+        session  optional       pam_keyinit.so force revoke
+        session  optional       pam_permit.so
+    '';
 
-        session  required pam_env.so envfile=${config.system.build.pamEnvironment}
-        session  required pam_unix.so
-        session  optional ${pkgs.systemd}/lib/security/pam_systemd.so
-      '';
-    };
     security.pam.services.lightdm-autologin.text = ''
-        auth     requisite pam_nologin.so
-        auth     required  pam_succeed_if.so uid >= 1000 quiet
-        auth     required  pam_permit.so
+        auth      requisite     pam_nologin.so
+
+        auth      required      pam_succeed_if.so uid >= 1000 quiet
+        auth      required      pam_permit.so
 
-        account  include   lightdm
+        account   sufficient    pam_unix.so
 
-        password include   lightdm
+        password  requisite     pam_unix.so nullok sha512
 
-        session  include   lightdm
+        session   optional      pam_keyinit.so revoke
+        session   include       login
     '';
 
     users.users.lightdm = {
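Review bot: The new `lightdm` stanza replaces the removed `allowNullPassword = true` / `startSession = true` options with a bare `auth substack login` (lines 44-47), so whether an empty-password account can still log in through the greeter is now decided by the `login` service's configuration rather than by this module; nothing in the hunk records that this behaviour change is intended. I would add a comment above line 43 such as `# Interactive logins follow the login service; null-password and session handling are no longer configured here.` The three stacks also differ in a way that deserves a why-comment: the greeter (lines 51-66) is pinned to `user = lightdm` and hard-denies password changes with `pam_deny.so`, while `lightdm-autologin` (lines 73-91) has a `password requisite pam_unix.so nullok sha512` line that permits empty passwords and an `account` stack consisting only of `account sufficient pam_unix.so`. If an account failure in the autologin stack is meant to deny the session, a `required` entry would make that explicit; as written the outcome when the single `sufficient` module fails depends on libpam's handling of a stack with no required module, which is worth confirming. The enclosing `config` attribute set starts and ends outside the hunk.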