Subject: [bug#65538] [PATCH v2] services: greetd: Add pam-gnupg support.
From: Ludovic Courtès
To: Carlos Durán Domínguez
Cc: 65538@debbugs.gnu.org
Date: Wed, 11 Oct 2023 22:54:25 +0200
Message-ID: <87bkd4swvy.fsf_-_@gnu.org>
In-Reply-To: <20231006005327.13903-1-wurt@wurtshell.com> (Carlos Durán Domínguez's message of "Fri, 6 Oct 2023 02:53:21 +0200")
References: <65538@debbugs.gnu.org> <20231006005327.13903-1-wurt@wurtshell.com>

Hi,

Carlos Durán Domínguez skribis:

> My main concern is that the new 'pam-gnupg-module?' procedure could be wrong,
> but I did not find any other solution.

OK.

> I also think that using 'insert-before' in gnu/services/pam-mount.scm could be
> a problem. If other PAM modules need to be on certain positions, it could be
> an “if mess” or maybe not, I do not know much about PAM modules.

Yeah, I’m also wondering what will happen if several services have
ordering requirements.  This seems to break composability, but maybe
it’s a problem that PAM has.

> +@file{~/.pam-gnupg} (see
> +@url{https://github.com/cruegge/pam-gnupg#setup-guide, pam-gnupg setup
> +guide}), and can be queried with @code{gpg -K --with-keygrip}
> +(@pxref{Commands to select the type of operation,,,gnupg}).  Presetting
> +passphrases must be enabled by adding @code{allow-preset-passphrase} in
> +@file{~/.gnupg/gpg-agent.conf} (@pxref{Put a passphrase into the
> +cache,,,gnupg}).
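Review bot: the manual text in this hunk tells users to add `allow-preset-passphrase` to `~/.gnupg/gpg-agent.conf` but says nothing about the consequence, namely that the passphrase preset at login stays in gpg-agent's cache until its timeout expires; since the pam-gnupg setup guide itself suggests bounding that with `max-cache-ttl`, the sentence after `@code{allow-preset-passphrase}` should mention this option so readers can limit how long the unlocked key remains usable. Independently, both `@pxref` calls need their node names checked against the GnuPG manual before this lands.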
Note that @pxref should first name the “node” (section) of the manual
you’re referring to, and there should be one last argument giving the
title of the manual:

  https://www.gnu.org/software/texinfo/manual/texinfo/html_node/Four-and-Five-Arguments.html

The ones above should be adjusted to refer to existing nodes of the
GnuPG manual.

>      (if (member (pam-service-name pam)
>                  '("login" "greetd" "su" "slim" "gdm-password" "sddm"))
>          (pam-service
> +          ;; pam-mount module must be before pam-gnupg, because the later
> +          ;; needs to be at the end (See pam-gnupg README.md)
>           (inherit pam)

I went to look at the ‘README.md’ file, and all I could find is:

  At least, `pam_gnupg.so` should come after `pam_unix.so`,
  `pam_systemd_home.so`, `pam_systemd.so` and `pam_env.so` in case you
  use those modules.

Is it what you’re referring to?

The ‘README.md’ also gave me a sense that pam-gnupg is not fully baked:

  The code was written mainly by looking at and occasionally copying
  from Gnome Keyring's PAM module and pam_mount and is based on a
  somewhat mediocre understanding of the details of both PAM and C.
  You should be aware that there may be potentially dangerous bugs
  lurking.

It also makes this recommendation, which I find dubious security-wise:

  - Add allow-preset-passphrase to `~/.gnupg/gpg-agent.conf`.
    Optionally, customize the cache timeout via `max-cache-ttl`, e.g.
    set max-cache-ttl 86400 to have it expire after a day.

I guess that’s expected given the purpose of the tool, but still.

Overall that made me wonder if this is something we should promote.

WDYT?

> +(define (pam-gnupg-module? name)
> +  "Return `#t' if NAME is the path to the pam-gnupg module, `#f' otherwise."
> +  (let ((module (pam-entry-module name)))
> +    (and (file-append? module)
> +         (equal?
> +                 (first (file-append-suffix module))
> +                 "/lib/security/pam_gnupg.so"))))

This is not ideal, because someone might give a module that’s not a
, but I can’t think of a better way.

> -  #:use-module (rnrs io ports)            ;need 'port-position' etc.
> +  #:use-module (rnrs io ports)                  ;need 'port-position' etc.
>    #:use-module ((rnrs bytevectors) #:select (bytevector-u8-set!))
>    #:use-module (guix memoization)
>    #:use-module ((guix build utils)
>                  #:select (dump-port mkdir-p delete-file-recursively
> -                          call-with-temporary-output-file %xz-parallel-args))
> +                                call-with-temporary-output-file %xz-parallel-args))
>    #:use-module ((guix build syscalls) #:select (mkdtemp! fdatasync))
>    #:use-module ((guix combinators) #:select (fold2))
> -  #:use-module (guix diagnostics)           ;, &error-location, etc.
> +  #:use-module (guix diagnostics)               ;, &error-location, etc.
>    #:use-module (ice-9 format)
>    #:use-module ((ice-9 iconv) #:prefix iconv:)
>    #:use-module (ice-9 match)
> @@ -57,7 +58,7 @@ (define-module (guix utils)
>    #:use-module (ice-9 vlist)
>    #:autoload (zlib) (make-zlib-input-port make-zlib-output-port)
>    #:use-module (system foreign)
> -  #:re-export (                    ;for backwards compatibility
> +  #:re-export (                        ;for backwards compatibility

Unnecessary changes.  :-)

Thanks,
Ludo’.
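Review bot: in the `pam-service` hunk, the new comment claims pam-gnupg "needs to be at the end", which is stronger than what the README quoted in this review actually requires (`pam_gnupg.so` after `pam_unix.so`, `pam_systemd_home.so`, `pam_systemd.so` and `pam_env.so`); rewrite the comment to state that requirement, and fix "the later" to "the latter". Hard-coding the service list `'("login" "greetd" "su" "slim" "gdm-password" "sddm")` also means any future login service silently gets no pam-gnupg entry, so the list deserves a comment saying why these six and how to extend it.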
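Review bot: the docstring of `pam-gnupg-module?` describes NAME as "the path to the pam-gnupg module", but the body calls `(pam-entry-module name)`, so the argument is a PAM entry rather than a path; rename the parameter to `entry` and reword the docstring to match. The predicate also only recognises a `file-append` whose first suffix is exactly `"/lib/security/pam_gnupg.so"` and returns `#f` for an entry expressed any other way, which is the limitation acknowledged in the reply; a one-line comment in the code stating it would spare the next reader the same investigation.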
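The README rule quoted above (`pam_gnupg.so` after `pam_unix.so`, `pam_systemd_home.so`, `pam_systemd.so` and `pam_env.so`) and the question of what happens when several services impose ordering requirements, as an added example that is not part of this thread, of the patch, or of Guix: a small checker that validates a pam.d-style stack against per-service rules, per management group, and detects when two services' rules cannot both be satisfied. The sample stack and the second service's contradictory rule are constructed for the demonstration.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]  # (module, predecessor): module must come after predecessor

# The ordering rule quoted from the pam-gnupg README in the review above.
PAM_GNUPG_RULES: List[Rule] = [("pam_gnupg.so", p) for p in (
    "pam_unix.so", "pam_systemd_home.so", "pam_systemd.so", "pam_env.so")]
CONFLICTING_RULES: List[Rule] = [("pam_unix.so", "pam_gnupg.so")]  # hypothetical 2nd service
# Constructed sample: pam_gnupg.so before pam_unix.so in "auth" (bad), after it in "session" (ok).
SAMPLE_STACK = """\
auth     optional   pam_gnupg.so
auth     required   pam_unix.so
session  required   pam_unix.so
session  optional   pam_gnupg.so   # trailing comments are ignored
"""

def parse_stack(text: str) -> List[Tuple[str, str]]:
    """Parse pam.d lines into (management group, module) pairs."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # type, control, module[, args]
        if fields and len(fields) < 3:
            raise ValueError(f"malformed pam.d line: {raw!r}")
        if fields:
            stack.append((fields[0], fields[2]))
    return stack

def ordering_violations(stack: List[Tuple[str, str]],
                        rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """(group, module, pred) for each rule broken within one management group."""
    found = []
    for group in sorted({g for g, _ in stack}):
        mods = [m for g, m in stack if g == group]
        for module, pred in rules:
            if module in mods and pred in mods:  # a rule applies only if both are present
                last_pred = len(mods) - 1 - mods[::-1].index(pred)
                if mods.index(module) < last_pred:
                    found.append((group, module, pred))
    return found

def conflicting_rules(*rule_sets: List[Rule]) -> bool:
    """True if the union of the rule sets is cyclic, i.e. no order satisfies all."""
    after: Dict[str, Set[str]] = {}
    for rules in rule_sets:
        for module, pred in rules:
            after.setdefault(module, set()).add(pred)
    def reaches(node: str, target: str, seen: Set[str]) -> bool:
        seen.add(node)
        return any(p == target or (p not in seen and reaches(p, target, seen))
                   for p in after.get(node, ()))
    return any(reaches(m, m, set()) for m in after)
```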