GNU bug report logs - #47364
[PATCH 0/2] Add pam-gnupg and PAM rules for SLiM


Package: guix-patches;

Reported by: Oleg Pykhalov <go.wigust <at> gmail.com>

Date: Wed, 24 Mar 2021 16:50:02 UTC

Severity: normal

Tags: patch

Done: Oleg Pykhalov <go.wigust <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#47364; Package guix-patches. (Wed, 24 Mar 2021 16:50:02 GMT)

Acknowledgement sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 24 Mar 2021 16:50:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>
Subject: [PATCH 0/2] Add pam-gnupg and PAM rules for SLiM
Date: Wed, 24 Mar 2021 19:49:38 +0300
This patch series adds the pam-gnupg package and PAM rules for the SLiM
display manager.

Oleg Pykhalov (2):
  gnu: Add pam-gnupg.
  services: slim: Add pam-gnupg support.

 doc/guix.texi          |  8 ++++++++
 gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
 gnu/services/xorg.scm  |  7 ++++++-
 gnu/system/pam.scm     | 15 +++++++++++++--
 4 files changed, 63 insertions(+), 4 deletions(-)

-- 
2.30.2

Information forwarded to guix-patches <at> gnu.org:
bug#47364; Package guix-patches. (Wed, 24 Mar 2021 16:53:02 GMT)

Message #8 received at 47364 <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: 47364 <at> debbugs.gnu.org
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>
Subject: [PATCH 1/2] gnu: Add pam-gnupg.
Date: Wed, 24 Mar 2021 19:52:32 +0300
* gnu/packages/linux.scm (pam-gnupg): New variable.
---
 gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0eaf014b5c..fff4a1789e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -38,7 +38,7 @@
 ;;; Copyright © 2019 Pierre Langlois <pierre.langlois <at> gmx.com>
 ;;; Copyright © 2019, 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;; Copyright © 2019 Kei Kebreau <kkebreau <at> posteo.net>
-;;; Copyright © 2020 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2020, 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
 ;;; Copyright © 2020 Pierre Neidhardt <mail <at> ambrevar.xyz>
 ;;; Copyright © 2020 Chris Marusich <cmmarusich <at> gmail.com>
 ;;; Copyright © 2020 Vincent Legoll <vincent.legoll <at> gmail.com>
@@ -99,6 +99,7 @@
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
   #:use-module (gnu packages glib)
+  #:use-module (gnu packages gnupg)
   #:use-module (gnu packages golang)
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages gstreamer)
@@ -1482,6 +1483,40 @@ at login.  Local and dynamic reconfiguration are its key features.")
     (description "This package provides a PAM interface using @code{ctypes}.")
     (license license:expat)))
 
+(define-public pam-gnupg
+  (package
+    (name "pam-gnupg")
+    (version "0.3")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/cruegge/pam-gnupg")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "1bf91gi6zmfzzmczxm7pajxdlgnikasvg5xsd3j0a368rcr7lf9l"))))
+    (build-system gnu-build-system)
+    (inputs
+     `(("gnupg" ,gnupg)
+       ("linux-pam" ,linux-pam)))
+    (native-inputs
+     `(("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("libtool" ,libtool)))
+    (arguments
+     `(#:tests? #f ;no tests suite
+       #:configure-flags
+       (list (string-append "--with-moduledir="
+                            (assoc-ref %outputs "out") "/lib/security"))))
+
+    (home-page "https://github.com/cruegge/pam-gnupg")
+    (synopsis "Unlock GnuPG keys on login")
+    (description "This package provides a PAM module that hands over your
+login password to @code{gpg-agent}.  This can be useful if you are using a
+GnuPG-based password manager like @code{pass}.")
+    (license license:gpl3+)))
+
 
 ;;;
 ;;; Miscellaneous.
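Review bot: the comment on the `#:tests? #f` line reads "no tests suite" and should read "no test suite", and the blank line between the `arguments` field and `home-page` inside the package form is out of step with the rest of this file; drop it. On substance, the description is the only place a user reads what the module does, and "hands over your login password to gpg-agent" understates it: say plainly that the cleartext login password is passed to the agent on every login, since that is the property an administrator has to weigh before enabling it. Pinning the source to the `v0.3` tag with a sha256 is right. The `--with-moduledir` value of `$out/lib/security` is the path the service code elsewhere in this series hard-codes as `"/lib/security/pam_gnupg.so"`, so the two must be kept in step if either changes.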
-- 
2.30.2

Information forwarded to guix-patches <at> gnu.org:
bug#47364; Package guix-patches. (Wed, 24 Mar 2021 16:54:02 GMT)

Message #11 received at 47364 <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: 47364 <at> debbugs.gnu.org
Cc: Oleg Pykhalov <go.wigust <at> gmail.com>
Subject: [PATCH 2/2] services: slim: Add pam-gnupg support.
Date: Wed, 24 Mar 2021 19:52:33 +0300
* gnu/system/pam.scm (unix-pam-service): Add account and session PAM entries
for pam-gnupg.
* doc/guix.texi (X Window): Document this.
* gnu/services/xorg.scm (<slim-configuration>)[gnupg?]: New record field.
(slim-pam-service): Pass "#:gnupg?" argument to "unix-pam-service".
---
 doc/guix.texi         |  8 ++++++++
 gnu/services/xorg.scm |  7 ++++++-
 gnu/system/pam.scm    | 15 +++++++++++++--
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 94ecd2c247..f549930c63 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17765,6 +17765,14 @@ Data type representing the configuration of @code{slim-service-type}.
 @item @code{allow-empty-passwords?} (default: @code{#t})
 Whether to allow logins with empty passwords.
 
+@item @code{gnupg?} (default: @code{#f})
+If enabled, @code{pam-gnupg} will attempt to automatically unlock the
+user's GPG keys with the login password via @code{gpg-agent}.  The
+keygrips of all keys to be unlocked should be written to
+@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
+--with-keygrip}.  Presetting passphrases must be enabled by adding
+@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
+
 @item @code{auto-login?} (default: @code{#f})
 @itemx @code{default-user} (default: @code{""})
 When @code{auto-login?} is false, SLiM presents a log-in screen.
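Review bot: the new @code{gnupg?} entry leaves out the two facts an administrator needs before turning it on. First, the keys listed in @file{~/.pam-gnupg} can only be unlocked "with the login password" if their passphrase is that login password, so enabling the option ties the protection of those keys to the login credential; say so. Second, that login password is handed to @code{gpg-agent} in the clear on every login, which is the trade-off the option buys its convenience with. It would also help to state what happens when the file is absent or the agent cannot be reached, because the PAM entries added in gnu/system/pam.scm in this same patch use @code{required}, so a failure in the module is not confined to the GnuPG side of the login.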
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 60611dc77d..65b138b4f4 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2020 shtwzrd <shtwzrd <at> protonmail.com>
 ;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net>
 ;;; Copyright © 2020 Alex Griffin <a <at> ajgrf.com>
+;;; Copyright © 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -541,6 +542,8 @@ a `service-extension', as used by `set-xorg-configuration'."
         (default slim))
   (allow-empty-passwords? slim-configuration-allow-empty-passwords?
                           (default #t))
+  (gnupg? slim-configuration-gnupg?
+          (default #f))
   (auto-login? slim-configuration-auto-login?
                (default #f))
   (default-user slim-configuration-default-user
@@ -570,7 +573,9 @@ a `service-extension', as used by `set-xorg-configuration'."
          "slim"
          #:login-uid? #t
          #:allow-empty-passwords?
-         (slim-configuration-allow-empty-passwords? config))))
+         (slim-configuration-allow-empty-passwords? config)
+         #:gnupg?
+         (slim-configuration-gnupg? config))))
 
 (define (slim-shepherd-service config)
   (let* ((xinitrc (xinitrc #:fallback-session
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index ad02586be8..75edd01908 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -27,6 +27,7 @@
   #:use-module (srfi srfi-11)
   #:use-module (srfi srfi-26)
   #:use-module ((guix utils) #:select (%current-system))
+  #:use-module (gnu packages linux)
   #:export (pam-service
             pam-service-name
             pam-service-account
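Review bot: (gnu system pam) now pulls in all of (gnu packages linux) for a single binding, `pam-gnupg`, that is only referenced inside the `gnupg?` branches further down. Consider `#:autoload (gnu packages linux) (pam-gnupg)` instead of `#:use-module`, so the package module is loaded only when that branch is actually taken and the system-level PAM module does not grow a hard dependency on a large package module.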
@@ -208,7 +209,7 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
                (control "required")
                (module "pam_env.so"))))
     (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
-                   login-uid?)
+                   login-uid? (gnupg? #f))
       "Return a standard Unix-style PAM service for NAME.  When
 ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
 true, allow root to run the command without authentication.  When MOTD is
@@ -229,7 +230,12 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
                                 (control "required")
                                 (module "pam_unix.so")
                                 (arguments '("nullok")))
-                               unix))))
+                               unix))
+                     (if gnupg?
+                         (list (pam-entry
+                                (control "required")
+                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                         '())))
        (password (list (pam-entry
                         (control "required")
                         (module "pam_unix.so")
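Review bot: `pam_gnupg.so` is added to the auth stack with `(control "required")`, which means any non-success return from this convenience module fails authentication as a whole: a user typing the correct password is refused by SLiM if the module ever fails (for instance because it cannot reach gpg-agent). `"optional"` is the control that lets the `pam_unix.so` entry decide the outcome and lets `pam_gnupg.so` merely add its preset when it can; consider `(control "optional")` here. The placement after the unix entry is correct, since the module hands over the login password that `pam_unix.so` has already collected, but that ordering constraint should be stated in a comment so a later reshuffle does not silently break it. Note also that with ALLOW-EMPTY-PASSWORDS? (the `nullok` argument above) an empty login password is what gets handed to the agent.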
@@ -247,6 +253,11 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
                                (control "required")
                                (module "pam_loginuid.so")))
                         '())
+                  ,@(if gnupg?
+                        (list (pam-entry
+                               (control "required")
+                               (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                        '())
                   ,env ,unix))))))
 
 (define (rootok-pam-service command)
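Review bot: this session entry repeats the `pam-entry` form and the `(file-append pam-gnupg "/lib/security/pam_gnupg.so")` path already written in the auth stack; bind the entry once, next to `unix` and `env` in the enclosing `let`, and reference it from both places so the module path lives in one spot. As in the auth stack, `"required"` means a failure to talk to gpg-agent fails session opening and therefore the login; `"optional"` is the fitting control for a module whose only job is presetting a passphrase. The entry is also placed before `env`, so anything `pam_env.so` sets from /etc/environment is not yet in place when `pam_gnupg.so` runs; if the module depends on any such variable, it should come after `env`.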
-- 
2.30.2
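The control flag chosen for the new entries decides what a failure of pam_gnupg does to the login itself. The following is an added example, not code from the patch, from pam-gnupg or from Guix: a toy evaluator of Linux-PAM's simple control flags (required, requisite, sufficient, optional) run over the SLiM auth stack as the patch writes it (pam_unix.so required, then pam_gnupg.so required) and over the same stack with pam_gnupg.so as optional. The two modules are simulated in Python with assumed, simplified behaviour (pam_unix leaves the verified password in the authtok item; pam_gnupg fails when it has no authtok, no keygrip file or no reachable agent), and the password and keygrip are constructed sample data.

```python
"""Toy Linux-PAM control-flag evaluator (added example, not pam-gnupg or
Guix code).  Module behaviour below is a simplified assumption."""
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed sample data (not real credentials or keys).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_KEYGRIPS = ["0123456789ABCDEF0123456789ABCDEF01234567"]


@dataclass
class Entry:
    control: str                    # required | requisite | sufficient | optional
    module: str
    run: Callable[[dict], str]      # returns SUCCESS or FAIL


def evaluate(stack: List[Entry], ctx: dict) -> str:
    """Walk one management group (e.g. 'auth') with libpam's simple
    control semantics and return the stack's overall result."""
    required_failed = False
    decided_success = False
    optional_results = []
    for entry in stack:
        result = entry.run(ctx)
        ctx.setdefault("trace", []).append((entry.module, entry.control, result))
        if entry.control == "required":
            # A failure is remembered, but the rest of the stack still runs.
            if result == FAIL:
                required_failed = True
            else:
                decided_success = True
        elif entry.control == "requisite":
            if result == FAIL:
                return FAIL             # stop right here
            decided_success = True
        elif entry.control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS          # short-circuit success
        elif entry.control == "optional":
            optional_results.append(result)   # decisive only if alone in the stack
        else:
            raise ValueError(f"unknown control {entry.control!r}")
    if required_failed:
        return FAIL
    if decided_success:
        return SUCCESS
    if len(stack) == 1 and optional_results:
        return optional_results[0]
    return FAIL                         # nothing granted access: deny


# --- simulated modules (assumed behaviour) --------------------------------
def pam_unix(ctx: dict) -> str:
    """Verify the password and, on success, leave it in the PAM_AUTHTOK
    item so that later modules in the stack can reuse it."""
    if hmac.compare_digest(ctx["password"].encode(), ctx["expected"].encode()):
        ctx["authtok"] = ctx["password"]
        return SUCCESS
    return FAIL


def pam_gnupg(ctx: dict) -> str:
    """Hand the PAM_AUTHTOK to gpg-agent for each keygrip in ~/.pam-gnupg.
    Simulated failure modes: no authtok yet (entry placed before pam_unix),
    empty keygrip list (no ~/.pam-gnupg), or gpg-agent not reachable."""
    if ctx.get("authtok") is None or not ctx["keygrips"] or not ctx["agent_reachable"]:
        return FAIL
    ctx["preset"] = list(ctx["keygrips"])   # what the agent would now hold
    return SUCCESS


def slim_auth(gnupg_control: str, *, password: str, agent_reachable: bool = True,
              keygrips: Optional[List[str]] = None,
              gnupg_first: bool = False) -> Tuple[str, List[str]]:
    """Run the SLiM 'auth' stack with pam_gnupg under GNUPG_CONTROL and
    return (overall result, keygrips that ended up preset in the agent)."""
    ctx = {"password": password, "expected": SAMPLE_PASSWORD,
           "agent_reachable": agent_reachable,
           "keygrips": SAMPLE_KEYGRIPS if keygrips is None else keygrips}
    stack = [Entry("required", "pam_unix.so", pam_unix),
             Entry(gnupg_control, "pam_gnupg.so", pam_gnupg)]
    if gnupg_first:
        stack.reverse()
    return evaluate(stack, ctx), ctx.get("preset", [])


if __name__ == "__main__":
    print("required, agent down :", slim_auth("required", password=SAMPLE_PASSWORD, agent_reachable=False))
    print("optional, agent down :", slim_auth("optional", password=SAMPLE_PASSWORD, agent_reachable=False))
    print("optional, wrong pass :", slim_auth("optional", password="nope"))
    print("optional, gnupg first:", slim_auth("optional", password=SAMPLE_PASSWORD, gnupg_first=True))
```

With `required`, a correct password plus an unreachable agent yields a failed login; with `optional`, the same situation logs the user in and merely skips the preset. Reversing the order (pam_gnupg before pam_unix) also logs in under `optional` but presets nothing, because the token has not been collected yet, which is why the entry has to follow `pam_unix.so`.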

Information forwarded to guix-patches <at> gnu.org:
bug#47364; Package guix-patches. (Wed, 24 Mar 2021 19:23:02 GMT)

Message #14 received at 47364 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Oleg Pykhalov <go.wigust <at> gmail.com>, 47364 <at> debbugs.gnu.org
Subject: Re: [bug#47364] [PATCH 2/2] services: slim: Add pam-gnupg support.
Date: Wed, 24 Mar 2021 20:22:43 +0100
Hi,

I'm not familiar with PAM, so I can't do much reviewing about that
(seems ok, though I'm no expert).  Some nitpicks:

On Wed, 2021-03-24 at 19:52 +0300, Oleg Pykhalov wrote:
> [...]
> 
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index ad02586be8..75edd01908 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> [...]
>     (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> -                   login-uid?)
> +                   login-uid? (gnupg? #f))

Nitpick: keyword variables have #f as default by default, so you could just write ...

     (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> -                   login-uid?)
> +                   login-uid? gnupg?)

... here.  As a minimal example, you could run the following code in a Guile REPL:

> ;; These both evaluate to (#f #f)!
> ((lambda* (#:key login-uid? gnupg?) (list login-uid? gnupg?)))
> ((lambda* (#:key login-uid? (gnupg? #f)) (list login-uid? gnupg?)))

Hmm, maybe (allow-root? #f) could be replaced with simply allow-root? here ...

>        "Return a standard Unix-style PAM service for NAME.  When
>  ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
>  true, allow root to run the command without authentication.  When MOTD is

It would be nice if this docstring documents GNUPG? as well.

Greetings,
Maxime.

Information forwarded to guix-patches <at> gnu.org:
bug#47364; Package guix-patches. (Wed, 24 Mar 2021 19:49:02 GMT)

Message #17 received at 47364 <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: 47364 <at> debbugs.gnu.org
Subject: Re: [bug#47364] [PATCH 2/2] services: slim: Add pam-gnupg support.
Date: Wed, 24 Mar 2021 22:48:01 +0300
Hi,

Thank you for the review!

Maxime Devos <maximedevos <at> telenet.be> writes:

> I'm not familiar with PAM, so I can't do much reviewing about that
> (seems ok, though I'm no expert).

I'm :-) too, but it works for me.

[…]

I applied all your suggestions.

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 75edd01908..128b2bb0fe 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -208,14 +208,16 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
         (env  (pam-entry ; to honor /etc/environment.
                (control "required")
                (module "pam_env.so"))))
-    (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
-                   login-uid? (gnupg? #f))
+    (lambda* (name #:key allow-empty-passwords? allow-root? motd
+              login-uid? gnupg?)
       "Return a standard Unix-style PAM service for NAME.  When
 ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords.  When ALLOW-ROOT? is
 true, allow root to run the command without authentication.  When MOTD is
 true, it should be a file-like object used as the message-of-the-day.
 When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
-/proc/self/loginuid, which the libc 'getlogin' function relies on."
+/proc/self/loginuid, which the libc 'getlogin' function relies on.  When
+GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
+login password to 'gpg-agent'."
       ;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
       (pam-service
        (name name)
Plus in Git commit message “Don't pass "#f" to "allow-root?" argument,
because "lambda*" already does this by default.”.

Information forwarded to guix-patches <at> gnu.org:
bug#47364; Package guix-patches. (Wed, 24 Mar 2021 20:15:01 GMT)

Message #20 received at 47364 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: 47364 <at> debbugs.gnu.org
Subject: Re: [bug#47364] [PATCH 2/2] services: slim: Add pam-gnupg support.
Date: Wed, 24 Mar 2021 21:14:47 +0100
On Wed, 2021-03-24 at 22:48 +0300, Oleg Pykhalov wrote:
> +/proc/self/loginuid, which the libc 'getlogin' function relies on.  When
> +GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
> +login password to 'gpg-agent'."

Linguistic nitpick:
There seems to be an article missing before "login password".
Maybe add "the".

Also, ideally speaking, there would be a system test in "gnu/tests/" for
this new functionality.

Otherwise no comments, seems good to me to go into the repo
though maybe someone else wants to comment as well. 

Greetings,
Maxime

Reply sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
You have taken responsibility. (Mon, 16 Aug 2021 22:15:02 GMT)

Notification sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
bug acknowledged by developer. (Mon, 16 Aug 2021 22:15:02 GMT)

Message #25 received at 47364-done <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: 47364-done <at> debbugs.gnu.org
Subject: Re: bug#47364: [PATCH 0/2] Add pam-gnupg and PAM rules for SLiM
Date: Tue, 17 Aug 2021 01:13:53 +0300
Oleg Pykhalov <go.wigust <at> gmail.com> writes:

> This patch series adds pam-gnupg package and PAM rules for SLiM display
> manager.
>
> Oleg Pykhalov (2):
>   gnu: Add pam-gnupg.
>   services: slim: Add pam-gnupg support.
>
>  doc/guix.texi          |  8 ++++++++
>  gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
>  gnu/services/xorg.scm  |  7 ++++++-
>  gnu/system/pam.scm     | 15 +++++++++++++--
>  4 files changed, 63 insertions(+), 4 deletions(-)

Apologies for a big pause.

Finally tested properly with my heavy configuration.  Works great.  ;-)

Pushed to master.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 14 Sep 2021 11:24:05 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.