Package: guix-patches;
Reported by: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Fri, 12 Nov 2021 09:17:01 UTC
Severity: normal
Done: Nicolas Graves <ngraves <at> ngraves.fr>
Bug is archived. No further changes may be made.
From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 51785 <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: [bug#51785] pam-gnupg
Date: Sat, 13 Nov 2021 21:11:58 +0100
Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my channels.scm and pulled guix with guix pull --allow-downgrades --disable-authentication)

I finally managed to get the pam module to work but it eventually raised more questions than expected. Basically now the module starts well, but my shepherd service gpg-agent doesn't (I guess because pam starts it, and that shepherd can't take over). It's fine for the purpose I was installing pam-gnupg for (having direct access to password-store passwords after login), but hinders the rest of related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-modules startup. A look at the manual pages and the examples for modules shows a clear hierarchy for at least a few modules (pam_unix > pam_loginuid > pam_elogind > pam_gnupg for instance), which is not respected in guix's implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix). Although it seems to work, is it normal / purposeful / without consequences? If no, as a solution, maybe implementing a hierarchy might help. For instance, something like:

1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical login managers modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the official repo (https://github.com/cruegge/pam-gnupg), it seems that there is a recommended configuration (e.g. setting the priority as optional), which is once again not respected in the actual configuration. I did add the few lines to address this (but is there a reason why that is not the case?)

I'm willing to help make these changes if useful and on the right track, but I don't have much experience with guile.

Cheers,
Nicolas
[0001-PATCH-gnu-add-pam-gnupg-to-login-service.patch (text/x-patch, inline)]
From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001 From: Nicolas Graves <ngraves <at> ngraves.fr> Date: Sat, 13 Nov 2021 13:11:54 +0100 Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service --- gnu/services/base.scm | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 50865055fe..b95fd9a4ff 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -16,6 +16,7 @@ ;;; Copyright © 2021 qblade <qblade <at> protonmail.com> ;;; Copyright © 2021 Hui Lu <luhuins <at> 163.com> ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> +;;; Copyright © 2021 Nicolas Graves <ngraves <at> ngraves.fr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -743,7 +744,9 @@ (define-record-type* <login-configuration> ;; Allow empty passwords by default so that first-time users can log in when ;; the 'root' account has just been created. (allow-empty-passwords? login-configuration-allow-empty-passwords? - (default #t))) ;Boolean + (default #t)) ;Boolean + (gnupg? login-configuration-gnupg? + (default #f))) ;Boolean (define (login-pam-service config) "Return the list of PAM service needed for CONF." @@ -753,7 +756,8 @@ (define (login-pam-service config) #:allow-empty-passwords? (login-configuration-allow-empty-passwords? config) #:motd - (login-configuration-motd config)))) + (login-configuration-motd config) + #:gnupg? (login-configuration-gnupg? config)))) (define login-service-type (service-type (name 'login) -- 2.33.1
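Review bot: the new `gnupg?` field of `<login-configuration>` is added without documentation; the diff touches only gnu/services/base.scm (`1 file changed`), so the manual entry for `login-configuration` still lacks the field, its default (`#f`) and what enabling it does (pam_gnupg is put on the login PAM stack and receives the login password). The subject `[PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service` carries a doubled `[PATCH]` tag and a space before the colon; Guix expects something like `gnu: services: base: Add gnupg? field to login-configuration.` followed by a ChangeLog body (`* gnu/services/base.scm (<login-configuration>)[gnupg?]: New field.` and `(login-pam-service): Pass it as #:gnupg?.`). The code change itself (`(gnupg? login-configuration-gnupg? (default #f))` plus `#:gnupg? (login-configuration-gnupg? config)`) follows the style of the surrounding fields.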
[0002-Trying-to-fix-pam-gnupg-configuration.patch (text/x-patch, inline)]
From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001 From: Nicolas Graves <ngraves <at> ngraves.fr> Date: Sat, 13 Nov 2021 20:09:02 +0100 Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration. --- gnu/system/pam.scm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a31daada59..d6d02e59f5 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -235,8 +235,9 @@ (module "pam_unix.so") unix)) (if gnupg? (list (pam-entry - (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (control "optional") + (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")) + (arguments '("store-only")))) '()))) (password (list (pam-entry (control "required") @@ -255,12 +256,13 @@ (module "pam_motd.so") (control "required") (module "pam_loginuid.so"))) '()) + ,env ,unix ,@(if gnupg? (list (pam-entry - (control "required") + (control "optional") (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()) - ,env ,unix)))))) + )))))) (define (rootok-pam-service command) "Return a PAM service for COMMAND such that 'root' does not need to -- 2.33.1
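Review bot: the commit message `Trying to fix pam-gnupg configuration.` does not say what was wrong or why; it should list the three changes the hunks make (control `required` → `optional` on both pam_gnupg entries, the new `(arguments '("store-only"))` on the auth entry, and `,env ,unix` moved ahead of the gnupg entry in the session stack) and name the source of the `store-only` recommendation, since nothing in the diff explains that argument. In the second hunk the closing parentheses end up on a line of their own (`+ )))))))`), which is not Scheme style; fold them onto the preceding form as the removed line `- ,env ,unix))))))` had them. The move to `optional` is the right call: with `required`, a pam_gnupg failure (for instance no passphrase to store) would have denied login outright instead of merely leaving the agent unprimed.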
[0003-Moving-parts-of-pam-configuration-for-better-complia.patch (text/x-patch, inline)]
From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001 From: Nicolas Graves <ngraves <at> ngraves.fr> Date: Sat, 13 Nov 2021 21:48:16 +0100 Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance. --- gnu/system/pam.scm | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index d6d02e59f5..0f0b09e347 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm @@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")) (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) - (session `(,@(if motd + (session `(,env ,unix + ,@(if login-uid? + (list (pam-entry ;to fill in /proc/self/loginuid + (control "required") + (module "pam_loginuid.so"))) + '()) + ,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments (list #~(string-append "motd=" #$motd))))) '()) - ,@(if login-uid? - (list (pam-entry ;to fill in /proc/self/loginuid - (control "required") - (module "pam_loginuid.so"))) - '()) - ,env ,unix ,@(if gnupg? (list (pam-entry (control "optional") -- 2.33.1
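Review bot: the commit message should say what `better compliance` means: the hunk moves `,env ,unix` to the head of the session stack and puts pam_loginuid before pam_motd, giving the order env, unix, loginuid, motd, gnupg, which is the pam_unix > pam_loginuid > ... ordering asked about in the cover mail, so the message should state that order and the manual pages it follows (`* gnu/system/pam.scm (unix-pam-service)[session]: Reorder ...` style). Because patches 2 and 3 rewrite the same `session` list, consider squashing them: patch 2 alone leaves `,env ,unix` in the middle of the stack, an intermediate state nobody wants to bisect to. The `;to fill in /proc/self/loginuid` comment survives the move, good.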
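A way to verify, after a reconfigure, that the generated login stack has the module order and the `optional` control discussed in the report; this is an added example, not part of the report or of Guix, and the sample pam.d content with its placeholder store paths is constructed:

```shell
#!/bin/sh
# Added example (not Guix code): check a generated /etc/pam.d/login stack
# for the module order and control flags discussed in the report.
# SAMPLE_LOGIN is constructed; the store paths are placeholders.
SAMPLE_LOGIN='auth     required  pam_unix.so
auth     optional  /gnu/store/PLACEHOLDER-pam-gnupg/lib/security/pam_gnupg.so store-only
session  required  pam_env.so
session  required  pam_unix.so
session  required  pam_loginuid.so
session  optional  pam_elogind.so
session  optional  /gnu/store/PLACEHOLDER-pam-gnupg/lib/security/pam_gnupg.so'

# Print the line number of the first KIND entry whose module field contains
# MODULE; fail when there is none.  Usage: pam_position FILE KIND MODULE
pam_position() {
    awk -v t="$2" -v m="$3" \
        '$1 == t && index($3, m) { print NR; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# Succeed when every MODULE appears in the KIND stack, in the order given.
# Usage: pam_in_order FILE KIND MODULE...
pam_in_order() {
    file=$1; kind=$2; shift 2
    prev=0
    for mod in "$@"; do
        pos=$(pam_position "$file" "$kind" "$mod") || return 1
        [ "$pos" -gt "$prev" ] || return 1
        prev=$pos
    done
}

# Succeed when every pam_gnupg entry is "optional", so a failure to store or
# preset the passphrase can never block login.  Usage: pam_gnupg_optional FILE
pam_gnupg_optional() {
    awk 'BEGIN { bad = 0 }
         index($3, "pam_gnupg.so") && $2 != "optional" { bad = 1 }
         END { exit bad }' "$1"
}

# Report on FILE, or on the constructed sample when no file is given.
check_login_stack() {
    f=${1:-$(mktemp)}
    [ -n "$1" ] || printf '%s\n' "$SAMPLE_LOGIN" > "$f"
    pam_in_order "$f" session pam_unix.so pam_loginuid.so pam_elogind.so pam_gnupg.so \
        && echo "session order: ok" || echo "session order: WRONG"
    pam_gnupg_optional "$f" && echo "pam_gnupg control: optional" \
        || echo "pam_gnupg control: not optional"
}
```

Run `check_login_stack /etc/pam.d/login` on the real file; pam_unix before pam_loginuid is the order the report asks for, so adjust the module list if a different stack is being checked.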
GNU bug tracking system