From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1703087235.15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.sam@gentoo>
Subject: [gentoo-commits] proj/kde:master commit in: kde-plasma/kscreenlocker/files/, kde-plasma/kscreenlocker/
X-VCS-Repository: proj/kde
X-VCS-Files: kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam kde-plasma/kscreenlocker/files/kscreenlocker-password.pam kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild
X-VCS-Directories: kde-plasma/kscreenlocker/files/ kde-plasma/kscreenlocker/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 15b01074eef56e2c5e46739cd8ba12fea8d7fbcc
X-VCS-Branch: master
Date: Wed, 20 Dec 2023 15:47:20 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 9713af34-60b9-43e9-afaa-7b1fefd69875
X-Archives-Hash: 73428368c4b128c14c5906b0135ef162

commit:     15b01074eef56e2c5e46739cd8ba12fea8d7fbcc
Author:     Sam James gentoo org>
AuthorDate: Wed Dec 20 15:44:43 2023 +0000
Commit:     Sam James gentoo org>
CommitDate: Wed Dec 20 15:47:15 2023 +0000
URL:        https://gitweb.gentoo.org/proj/kde.git/commit/?id=15b01074

kde-plasma/kscreenlocker: first cut of new PAM configuration

As with all of the masked KDE ebuilds, there is ** no warranty **. I've
not yet runtime tested this. Don't use this yet on a machine where you rely
on kscreenlocker behaving correctly for security.

See https://community.kde.org/Plasma/Plasma_6.0_Release_notes#New_required_PAM_configuration
and https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/163.
Signed-off-by: Sam James gentoo.org> .../kscreenlocker/files/kscreenlocker-fingerprint.pam | 13 +++++++++++++ kde-plasma/kscreenlocker/files/kscreenlocker-password.pam | 9 +++++++++ kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam | 13 +++++++++++++ kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild | 6 ++++-- 4 files changed, 39 insertions(+), 2 deletions(-) diff --git a/kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam b/kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam new file mode 100644 index 0000000000..38267de65e --- /dev/null +++ b/kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam @@ -0,0 +1,13 @@ +#%PAM-1.0 + +auth required pam_shells.so +auth required pam_nologin.so +auth required pam_faillock.so preauth +auth required pam_fprintd.so +auth required pam_env.so + +account include system-local-login + +password include system-local-login + +session include system-local-login diff --git a/kde-plasma/kscreenlocker/files/kscreenlocker-password.pam b/kde-plasma/kscreenlocker/files/kscreenlocker-password.pam new file mode 100644 index 0000000000..ce9e84d588 --- /dev/null +++ b/kde-plasma/kscreenlocker/files/kscreenlocker-password.pam @@ -0,0 +1,9 @@ +#%PAM-1.0 + +auth include system-local-login + +account include system-local-login + +password include system-local-login + +session include system-local-login diff --git a/kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam b/kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam new file mode 100644 index 0000000000..f887c78234 --- /dev/null +++ b/kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam @@ -0,0 +1,13 @@ +#%PAM-1.0 + +auth required pam_shells.so +auth required pam_nologin.so +auth required pam_faillock.so preauth +auth required pam_pkcs11.so wait_for_card card_only +auth required pam_env.so + +account include system-local-login + +password include system-local-login + +session include system-local-login 
diff --git a/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild b/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild index da6f0f9036..29c7cf2f72 100644 --- a/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild +++ b/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild @@ -74,6 +74,8 @@ src_test() { src_install() { ecm_src_install - newpamd "${FILESDIR}/kde.pam" kde - newpamd "${FILESDIR}/kde-np.pam" kde-np + local config + for config in kscreenlocker-{fingerprint,password,smartcard} ; do + newpamd "${FILESDIR}/${config}.pam" ${config} + done }
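Review bot: In kscreenlocker-fingerprint.pam, `auth required pam_faillock.so preauth` has no matching `authfail` or `authsucc` entry after `pam_fprintd.so`, so this stack honours an existing lockout but never records a failed fingerprint attempt and never resets the counter on success. If lockout is meant to be driven only by failures counted elsewhere, say so in a comment in the file; otherwise add the `authfail` and `authsucc` entries after the fprintd line. The identical preauth line in kscreenlocker-smartcard.pam has the same gap.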
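Review bot: kscreenlocker-password.pam takes its whole `auth` stack from `system-local-login`, while the fingerprint and smartcard files list `pam_shells.so`, `pam_nologin.so` and `pam_faillock.so` explicitly, so the three services can end up enforcing different pre-checks depending on what system-local-login contains, which this patch does not show. A short comment at the top of each file naming the unlock method it serves and why its stack differs from the others would make that deliberate; the release-notes link from the commit message would be useful in the files as well.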
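Review bot: In kscreenlocker-smartcard.pam, `auth required pam_nologin.so` sits in a stack that unlocks an already running session; pam_nologin fails authentication for non-root users whenever /etc/nologin exists, so a user could be unable to unlock their own session by smartcard while that file is present. Consider dropping the line here and in kscreenlocker-fingerprint.pam, or add a comment explaining why a login-time check is wanted at unlock.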
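Review bot: In the src_install() hunk of kscreenlocker-9999.ebuild, the loop installs the fingerprint and smartcard services unconditionally, yet nothing visible in this hunk ties them to the packages that provide `pam_fprintd.so` and `pam_pkcs11.so`; a `required` module that cannot be loaded makes its stack fail, so it is worth confirming before unmasking that a failing fingerprint or smartcard stack cannot affect password unlock. The hunk also drops the `kde` and `kde-np` services without a note for users who customised them, and `${config}` in the last argument of `newpamd "${FILESDIR}/${config}.pam" ${config}` should be quoted for consistency with the first.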