* [bug#51785] pam-gnupg
@ 2021-11-12 7:45 Nicolas Graves via Guix-patches via
2021-11-12 12:51 ` Tobias Geerinckx-Rice via Guix-patches via
2021-11-13 20:11 ` Nicolas Graves via Guix-patches via
0 siblings, 2 replies; 3+ messages in thread
From: Nicolas Graves via Guix-patches via @ 2021-11-12 7:45 UTC (permalink / raw)
To: 51785
Hi!
I'm still discovering / experimenting with guix thanks to the videos of
David Wilson. Sorry if it's not the appropriate place to discuss this.
I'm trying to add pam-gnupg without having a graphical login manager.
I figured out it should really be as simple as the few lines I added in
the attached patch, since the feature has already been implemented for a
few graphical login managers.
It has been done here: https://issues.guix.gnu.org/47364
So I'm trying to test the patch, have downloaded guix source code, added
it in a new branch, updated my channels, used guix shell for setting the
environment, but now I get the following error when I try to pull to
test my version:
guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
'origin/keyring'
The patch is straightforward, might not need much testing, but if
needed, I would be glad to receive some smart advice :)
Thanks in advance, thanks for the outstanding work on Guix!
Nicolas
[-- Attachment #2: 0001-Adding-gnupg-to-pam-login-service.patch --]
From d8d3d8d7614d443dea805b46589f9b16f8558de2 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Fri, 12 Nov 2021 00:39:13 +0100
Subject: [PATCH] Adding gnupg to pam-login-service.
---
gnu/services/base.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..887213c52e 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -743,7 +743,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
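Review bot: the new `gnupg?` field in `<login-configuration>` comes with no documentation; this record is described in the Guix manual, so the field should be documented there too, saying what enabling it does (the console login password is handed to pam_gnupg.so), and a short comment above `(gnupg? login-configuration-gnupg?` would help the next reader. The default of `#f` is the right choice. Style point: the subject "Adding gnupg to pam-login-service." does not follow the ChangeLog-style subjects used in this repository; something like "services: login: Add 'gnupg?' field." would.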
@@ -753,7 +755,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
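Review bot: `#:gnupg? (login-configuration-gnupg? config)` is only valid if `unix-pam-service` in gnu/system/pam.scm already accepts a `#:gnupg?` keyword, and this patch does not touch that file; the reviewer should confirm it is there (the second patch in this thread shows the `gnupg?` branches in pam.scm, so it is). Since this keyword puts pam_gnupg.so on the console login stack with whatever control flag pam.scm uses, it is worth checking that flag before enabling it by default anywhere.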
--
2.33.1
* [bug#51785] pam-gnupg
From: Tobias Geerinckx-Rice via Guix-patches via @ 2021-11-12 12:51 UTC (permalink / raw)
To: Nicolas Graves; +Cc: 51785
Nicolas,
On 2021-11-12 8:45, Nicolas Graves via Guix-patches via wrote:
> So I'm trying to test the patch, have downloaded guix source code,
> added
> it in a new branch, updated my channels, used guix shell for setting
> the
> environment, but now I get the following error when I try to pull to
> test my version :
>
> guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
> 'origin/keyring'
Guix authentication code expects a local 'keyring' branch, similar to
how you currently have a local 'master' branch tracking the upstream
'master' branch (which by default is called 'origin/master').
If you haven't changed the default 'origin' name you should be able to
simply
$ git checkout origin/keyring # creates local tracking branch as side effect
$ git checkout master # to 'switch back'
and be on your merry way. Replace 'origin/' if you have.
(This is from memory; apologies for possible typos/thinkos.)
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
* [bug#51785] pam-gnupg
From: Nicolas Graves via Guix-patches via @ 2021-11-13 20:11 UTC (permalink / raw)
To: 51785; +Cc: Josselin Poiret, Tobias Geerinckx-Rice
Thanks for your answers Josselin and Tobias,
(For the record, I just pinned all the commits from other channels in my
channels.scm and pulled guix with guix pull --allow-downgrades
--disable-authentication)
I finally managed to get the pam module to work but it eventually raised
more questions than expected.
Basically now the module starts well, but my shepherd service gpg-agent
doesn't (I guess because pam starts it, and that shepherd can't take
over). It's fine for the purpose I was installing pam-gnupg for (having
direct access to password-store passwords after login), but hinders the
rest of related activities (e.g. signing commits).
Above this question, I was wondering about the order of pam-modules
startup. A look at the manual pages and the examples for modules show a
clear hierarchy for at least a few modules (pam_unix > pam_loginuid >
pam_elogind > pam_gnupg for instance), which is not respected in guix's
implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix).
Although it seems to work, is it normal / purposeful / without
consequences?
If no, as a solution, maybe implementing a hierarchy might help. For
instance, something like:
1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical
login managers modules)
3) Other modules (pam_gnupg, pam_motd...)
The last question I have is about the configuration of pam_gnupg. On the
official repo (https://github.com/cruegge/pam-gnupg), it seems that
there is a recommended configuration (e.g. setting the priority as
optional), which is once again not respected in the actual
configuration. I did add the few lines to address this (but is there a
reason why that is not the case?)
I'm willing to help make these changes if useful and on the right track,
but I don't have much experience with guile.
Cheers,
Nicolas
[-- Attachment #2: pam-gnupg-1 --]
From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service
---
gnu/services/base.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..b95fd9a4ff 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 qblade <qblade@protonmail.com>
;;; Copyright © 2021 Hui Lu <luhuins@163.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -743,7 +744,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
@@ -753,7 +756,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
--
2.33.1
[-- Attachment #3: pam-gnupg-2 --]
From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 20:09:02 +0100
Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration.
---
gnu/system/pam.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..d6d02e59f5 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -235,8 +235,9 @@ (module "pam_unix.so")
unix))
(if gnupg?
(list (pam-entry
- (control "required")
- (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ (control "optional")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
+ (arguments '("store-only"))))
'())))
(password (list (pam-entry
(control "required")
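Review bot: changing the auth entry from `required` to `optional` is the important fix here, not just a compliance detail: with `required`, any failure of pam_gnupg.so (agent not running, no matching key) would have failed the whole auth stack and denied login even after pam_unix.so had accepted the password, for a module that authenticates nobody and only caches the password. Add a one-line comment above `(control "optional")` saying so, otherwise a later cleanup may "harden" it back to `required`. `store-only` belongs only to the auth phase, so it is correct that the session entry in the next hunk does not get it.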
@@ -255,12 +256,13 @@ (module "pam_motd.so")
(control "required")
(module "pam_loginuid.so")))
'())
+ ,env ,unix
,@(if gnupg?
(list (pam-entry
- (control "required")
+ (control "optional")
(module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())
- ,env ,unix))))))
+ ))))))
(define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to
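Review bot: the new last line `+ ))))))` leaves the closing parentheses on a line of their own, which is not the style of this file (compare the removed `,env ,unix))))))`); attach them to the last form, i.e. to the `'())` of the gnupg branch. Moving `,env ,unix` ahead of the gnupg session entry also changes the session order, but pam_loginuid.so still precedes pam_env/pam_unix here while the third patch reorders again; squash both reorderings into one commit so the history records a single intended order and the reason for it.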
--
2.33.1
[-- Attachment #4: pam-gnupg-3 --]
From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 21:48:16 +0100
Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance.
---
gnu/system/pam.scm | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index d6d02e59f5..0f0b09e347 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
(module "pam_unix.so")
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
- (session `(,@(if motd
+ (session `(,env ,unix
+ ,@(if login-uid?
+ (list (pam-entry ;to fill in /proc/self/loginuid
+ (control "required")
+ (module "pam_loginuid.so")))
+ '())
+ ,@(if motd
(list (pam-entry
(control "optional")
(module "pam_motd.so")
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
- ,@(if login-uid?
- (list (pam-entry ;to fill in /proc/self/loginuid
- (control "required")
- (module "pam_loginuid.so")))
- '())
- ,env ,unix
,@(if gnupg?
(list (pam-entry
(control "optional")
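Review bot: the new session order (pam_env, pam_unix, pam_loginuid, pam_motd, pam_gnupg) is plausible, but nothing in the hunk records why; add a comment above `(session` naming the ordering the module documentation asks for, so the next edit does not shuffle it back. Note that because pam_loginuid.so stays `required`, a failure still lets the remaining modules run and fails the session stack at the end regardless of its position, so moving it after pam_unix.so does not change the final result, only which modules have already run when the failure is recorded. The `;to fill in /proc/self/loginuid` comment is correctly carried along with the entry.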
--
2.33.1
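The control-flag question raised in this thread (why pam_gnupg should be `optional` rather than `required`, and how module order interacts with the flags) can be checked against a small model of Linux-PAM's stack rules. The following is an added example, not code from the thread, from Guix or from Linux-PAM; it models the four simple control flags in Python and evaluates constructed stacks shaped like the `auth` entries in the patches. `Entry`, `evaluate_stack`, `login_auth_stack` and the simulated module outcomes are the example's own assumptions.

```python
"""Added example: a small model of Linux-PAM control-flag semantics.

Not Guix or Linux-PAM code. It evaluates a stack of (control, module,
simulated outcome) entries the way libpam does for the simple control
flags, so one can see why a password-caching module such as pam_gnupg.so
belongs on the stack as "optional": it never authenticates anyone, so its
failure must not deny login. Outcomes are constructed inputs for the
simulation, not results of running real modules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    control: str  # "required" | "requisite" | "sufficient" | "optional"
    module: str   # label only, e.g. "pam_unix.so"
    ok: bool      # constructed outcome of this module in the simulation


def evaluate_stack(entries):
    """Return (success, modules_run) for a PAM stack.

    Rules modelled (Linux-PAM simple controls):
      requisite : failure returns immediately with failure
      required  : failure is recorded, but the remaining modules still run
      sufficient: success with no recorded failure returns success at once;
                  its own failure is ignored
      optional  : ignored unless it is the only entry in the stack
    """
    if not entries:
        return False, []
    failed = False
    ran = []
    for entry in entries:
        ran.append(entry.module)
        if entry.control == "requisite":
            if not entry.ok:
                return False, ran
        elif entry.control == "required":
            if not entry.ok:
                failed = True
        elif entry.control == "sufficient":
            if entry.ok and not failed:
                return True, ran
        elif entry.control == "optional":
            if len(entries) == 1:
                return entry.ok, ran
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    return not failed, ran


def login_auth_stack(gnupg_control, gnupg_ok, unix_ok=True):
    """Constructed auth stack shaped like the patches: pam_unix then pam_gnupg."""
    return [
        Entry("required", "pam_unix.so", unix_ok),
        Entry(gnupg_control, "pam_gnupg.so", gnupg_ok),
    ]


if __name__ == "__main__":
    # pam_unix accepts the password, pam_gnupg fails (e.g. no agent running)
    for control in ("required", "optional"):
        ok, ran = evaluate_stack(login_auth_stack(control, gnupg_ok=False))
        verdict = "allowed" if ok else "denied"
        print(f"pam_gnupg {control:8}: ran {ran}, login {verdict}")
```

Running it shows the point of the second patch: with `required`, a failing pam_gnupg.so denies login although pam_unix.so succeeded; with `optional`, the result is decided by pam_unix.so alone. The `requisite` and `sufficient` rules also show why order matters, since both can stop the stack before later modules run.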