nixos/gdm: use provided PAM login configuration wherever possible #21860
@e-user, thanks for your PR! By analyzing the history of the files in this pull request, we identified @lethalman, @obadz and @spacefrogg to be potential reviewers.
Relevant discussion on unified PAM settings #17044
Can we please follow up on this @lethalman @obadz @spacefrogg @FRidh?
It's a pity this did not get any further attention. I don't know much about PAM so I find it hard to review. cc @jtojnar who works on Gnome package set.
Same here, do not know PAM well enough to review this.
Same here, sorry.
Looks like I'll be learning about PAM when I get some time 😄
@hedning care to open a new PR?
@FRidh sure, though I don't know much about pam either 😆 @e-user, it seems like you actually get pam, are you still interested in getting this merged?
So I'm slowly studying how PAM works, but it's unrealistic for me to just learn this so I can review the pr properly. And I'm thinking having this couldn't possibly be much worse than what's already going on 😄 I'd like to also open a pr for lightdm as gnome-keyring is broken there also. If you disagree then we should move towards having #17044
That is very true. I'm guessing the only thing to look out for is the I'll try to get a PR going soon 🤞
I agree, as our experience has been degraded for a while and these pieces have remained relatively the same. Also I think this probably should be adapted slightly since we have #30686
True, actually getting that to work might be ideal.
Ugh, guys. After two years, there's finally interest in this.
This looks like you're dropping ecryptfs support here. Would be a shame if that's missing in the end :/ Can you merge with master to get rid of the conflicts?
I'm installing NixOS into a VM right now and will pick it up again, for real.
085e666 to 37c5435
Well, there you go. The ecryptfs stuff gets loaded through login, I double-checked that.
Testing this now 💖
Ok so all the correct keyrings are created on login with GNOME. I'm wondering if we can use
but that's not really in scope of this change. Edit:
@worldofpeace done, could you please test again with the new commit?
So here's what I've done to test again
LGTM.
Thank you @e-user for continuing this.
Thanks for picking this up again ❤️ I've been using the previous version without issue for a while.
The changes look good, nice getting rid of all the bloat.
gnome-keyring is now started when logging in to a console too. So I checked that it works logging in to a console before logging in to a gnome session, which it does 👍
Let's merge 🚀
91d4f76 to 56bd011
Just changed the commit messages slightly. Going for it.
Can this please be in 19.03?
I've created a quick PR (#61450) with these commits backported to 19.03.
Fixes #20608, fixes #21859
Motivation for this change
GDM's PAM modules in NixOS are a mess. pam.d/gdm is never used (gdm-password is used for logging in) and instead of re-using what's provided by pam.nix, there are half-broken custom modules written in gdm.nix.
These changes substack/include the existing login PAM module akin to Fedora and fix two other issues mentioned above. Without this patch, SSSD authentication will also not work because only pam_unix.so is loaded.
This probably needs more thorough testing, any help appreciated.
Things done
(nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)
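Added example, not code from this PR or from nixpkgs: a small Python check for the point made in the description above, that a service file with its own hand-written stack loads only pam_unix.so, while one that substacks/includes login inherits whatever login loads. The service file contents are constructed samples, and the names gdm-password-custom and gdm-password-substack are hypothetical labels for the two variants.

```python
from pathlib import Path

# Constructed sample service files (not the files NixOS generates).
# "gdm-password-custom" and "gdm-password-substack" are hypothetical names.
SAMPLE = {
    "login": (
        "auth    sufficient pam_unix.so likeauth try_first_pass\n"
        "auth    sufficient pam_sss.so use_first_pass\n"
        "auth    required   pam_deny.so\n"
        "session required   pam_unix.so\n"
        "session optional   pam_gnome_keyring.so auto_start\n"
    ),
    "gdm-password-custom": (
        "auth    required   pam_unix.so\n"
        "session required   pam_unix.so\n"
    ),
    "gdm-password-substack": (
        "auth    substack   login\n"
        "session include    login\n"
    ),
}

def load_pam_dir(path="/etc/pam.d"):
    """Read real service files into the same {name: text} shape."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}

def modules(service, mgmt, configs, _seen=()):
    """Modules `service` loads for one group (auth/account/password/session),
    following include and substack into the referenced service files."""
    if service in _seen:
        raise ValueError(f"include loop through {service}")
    out = []
    for raw in configs[service].replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != mgmt:
            continue
        rest = fields[1:]
        if rest[0].startswith("["):  # bracketed control: [success=1 default=ignore]
            end = next((i for i, t in enumerate(rest) if t.endswith("]")), 0)
            rest = rest[end:]
        if len(rest) < 2:
            continue
        control, target = rest[0], rest[1]
        if control in ("include", "substack"):
            out += modules(target, mgmt, configs, _seen + (service,))
        else:
            out.append(target.rsplit("/", 1)[-1])
    return out
```

On a running system, `modules("gdm-password", "auth", load_pam_dir())` produces the same listing for the installed files.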