@e-user, thanks for your PR! By analyzing the history of the files in this pull request, we identified @lethalman, @obadz and @spacefrogg to be potential reviewers.

Relevant discussion on unified PAM settings #17044

Can we please follow up on this @lethalman @obadz @spacefrogg @FRidh?

I guess there's these configurations to adapt too?

• https://gitlab.gnome.org/GNOME/gdm/blob/master/data/pam-lfs/gdm-fingerprint.pam
• https://gitlab.gnome.org/GNOME/gdm/blob/master/data/pam-lfs/gdm-pin.pam
• https://gitlab.gnome.org/GNOME/gdm/blob/master/data/pam-lfs/gdm-smartcard.pam

It's a pity this did not get any further attention. I don't know much about PAM so I find it hard to review.

cc @jtojnar who works on Gnome package set.

Same here, do not know PAM well enough to review this.

Same here, sorry.

Looks like I'll be learning about PAM when I get some time 😄

Testing this now (the confilcts are pretty simple), and it works as advertised 👍

@hedning care to open a new PR?

@FRidh sure, though I don't know much about pam either 😆

@e-user, it seems like you actually get pam, are you still interested in getting this merged?

So I'm slowly studying how PAM works, but it's unrealistic for me to just learn this so i can review the pr properly.

And I'm thinking having this couldn't possibly be much worse that what's already going on 😄
If I can check if they're aren't any holes in the implementation this should be fine to have.

I'd like to also open a pr for lightdm as gnome-keyring is broken there also.

If you disagree then we should move towards having #17044

And I'm thinking having this couldn't possibly be much worse that what's already going on

That is very true.

I'm guessing the only thing to look out for is the enableEcryptfs, we might need to add that back in. Though I don't know if it currently works, or if it's used a lot.

I'll try to get a PR going soon 🤞

And I'm thinking having this couldn't possibly be much worse that what's already going on

That is very true.

I'm guessing the only thing to look out for is the enableEcryptfs, we might need to add that back in. Though I don't know if it currently works, or if it's used a lot.

I'll try to get a PR going soon crossed_fingers

I agree, as the our experience has been degraded for a while and these pieces have remained relatively the same.

Also I think this probably should be adapted slightly since we have #30686

Also I think this probably should be adapted slightly since we have #30686

True, actually getting that to work might be ideal.

Ugh, guys. After two years, there's finally interest in this.
I don't even have a NixOS installation right now, even though I'm using Nix on many systems.
Can't promise much, but if I get around to install a VM in the near future, I'm happy to pick this up a again, no promises.
What I can tell you however is that PAM is not difficult to grasp, after reading its manuals, esp. pam(8) and pam.d(5). In a nutshell, it works like this: Whenever a service authenticates against PAM, PAM looks up the matching service name in /etc/pam.d/$NAME, e.g. ssh, login or gdm. There are four "groups" in each such definition, account, auth(entication), password and session. These groups are made up of references to PAM "modules", i.e. plugins, with or without parameters, which are processed in the order defined, each within the respective group. For the authentication to succeed, all checks in accounts (which includes authorization aspects) have to pass, plus the checks in auth. password is only for updating passwords AFAIK and session for supplementary actions. Each module can implement functionalities in up to any four of those groups. Lastly, there are control keywords which define success and failure are being handled.

This looks like you're dropping ecryptfs support here. Would be a shame if that's missing in the end :/

Can you merge with master to get rid of the conflicts?

I'm installing NixOS into a VM right now and will pick it up again, for real.

Well, there you go. The ecryptfs stuff gets loaded through login, I double-checked that.

Testing this now 💖

Ok so all the correct keyrings are created on login with GNOME.

I'm wondering if we can use use_authtok?
It's described as

the PAM module will use the provided new authentication token (new password) and will not request one from the user, even if none is available.

but that's not really in scope of this change.

Edit:
noticing you've done that already before syncing this change.

@worldofpeace done, could you please test again with the new commit?

So here's what I've done to test again

1. Logged in
   Saw the login keyring was unlocked ✔️
2. Added some secrets to it (gnome-online-account, ssh, etc.)
   These should be unlocked when I login
3. Logged out and logged in
   Keyring was unlocked and I can see my secrets ❇️

Just changed the commit messages slightly. Going for it.

Can this please be in 19.03?

I've created a quick PR (#61450) with these commits backported to 19.03.