[PATCH 0/2] Add pam-gnupg and PAM rules for SLiM

  • Done
  • quality assurance status badge
Details
2 participants
  • Oleg Pykhalov
  • Maxime Devos
Owner
unassigned
Submitted by
Oleg Pykhalov
Severity
normal
O
O
Oleg Pykhalov wrote on 24 Mar 2021 17:49
(address . guix-patches@gnu.org)(name . Oleg Pykhalov)(address . go.wigust@gmail.com)
20210324164938.27674-1-go.wigust@gmail.com
This patch series adds pam-gnupg package and PAM rules for SLiM display
manager.

Oleg Pykhalov (2):
gnu: Add pam-gnupg.
services: slim: Add pam-gnupg support.

doc/guix.texi | 8 ++++++++
gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
gnu/services/xorg.scm | 7 ++++++-
gnu/system/pam.scm | 15 +++++++++++++--
4 files changed, 63 insertions(+), 4 deletions(-)

--
2.30.2
O
O
Oleg Pykhalov wrote on 24 Mar 2021 17:52
[PATCH 1/2] gnu: Add pam-gnupg.
(address . 47364@debbugs.gnu.org)(name . Oleg Pykhalov)(address . go.wigust@gmail.com)
20210324165233.28428-1-go.wigust@gmail.com
* gnu/packages/linux.scm (pam-gnupg): New variable.
---
gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)

Toggle diff (64 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0eaf014b5c..fff4a1789e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -38,7 +38,7 @@
;;; Copyright © 2019 Pierre Langlois <pierre.langlois@gmx.com>
;;; Copyright © 2019, 2020 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2019 Kei Kebreau <kkebreau@posteo.net>
-;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Pierre Neidhardt <mail@ambrevar.xyz>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Vincent Legoll <vincent.legoll@gmail.com>
@@ -99,6 +99,7 @@
#:use-module (gnu packages gcc)
#:use-module (gnu packages gettext)
#:use-module (gnu packages glib)
+ #:use-module (gnu packages gnupg)
#:use-module (gnu packages golang)
#:use-module (gnu packages gperf)
#:use-module (gnu packages gstreamer)
@@ -1482,6 +1483,40 @@ at login. Local and dynamic reconfiguration are its key features.")
(description "This package provides a PAM interface using @code{ctypes}.")
(license license:expat)))
+(define-public pam-gnupg
+ (package
+ (name "pam-gnupg")
+ (version "0.3")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/cruegge/pam-gnupg")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bf91gi6zmfzzmczxm7pajxdlgnikasvg5xsd3j0a368rcr7lf9l"))))
+ (build-system gnu-build-system)
+ (inputs
+ `(("gnupg" ,gnupg)
+ ("linux-pam" ,linux-pam)))
+ (native-inputs
+ `(("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("libtool" ,libtool)))
+ (arguments
+ `(#:tests? #f ;no tests suite
+ #:configure-flags
+ (list (string-append "--with-moduledir="
+ (assoc-ref %outputs "out") "/lib/security"))))
+
+ (home-page "https://github.com/cruegge/pam-gnupg")
+ (synopsis "Unlock GnuPG keys on login")
+ (description "This package provides a PAM module that hands over your
+login password to @code{gpg-agent}. This can be useful if you are using a
+GnuPG-based password manager like @code{pass}.")
+ (license license:gpl3+)))
+
;;;
;;; Miscellaneous.
--
2.30.2
O
O
Oleg Pykhalov wrote on 24 Mar 2021 17:52
[PATCH 2/2] services: slim: Add pam-gnupg support.
(address . 47364@debbugs.gnu.org)(name . Oleg Pykhalov)(address . go.wigust@gmail.com)
20210324165233.28428-2-go.wigust@gmail.com
* gnu/system/pam.scm (unix-pam-service): Add account and session PAM entries
for pam-gnupg.
* doc/guix.texi (X Window): Document this.
* gnu/services/xorg.scm (<slim-configuration>)[gnupg?]: New record field.
(slim-pam-service): Pass "#:gnupg?" argument to "unix-pam-service".
---
doc/guix.texi | 8 ++++++++
gnu/services/xorg.scm | 7 ++++++-
gnu/system/pam.scm | 15 +++++++++++++--
3 files changed, 27 insertions(+), 3 deletions(-)

Toggle diff (100 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 94ecd2c247..f549930c63 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17765,6 +17765,14 @@ Data type representing the configuration of @code{slim-service-type}.
@item @code{allow-empty-passwords?} (default: @code{#t})
Whether to allow logins with empty passwords.
+@item @code{gnupg?} (default: @code{#f})
+If enabled, @code{pam-gnupg} will attempt to automatically unlock the
+user's GPG keys with the login password via @code{gpg-agent}. The
+keygrips of all keys to be unlocked should be written to
+@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
+--with-keygrip}. Presetting passphrases must be enabled by adding
+@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
+
@item @code{auto-login?} (default: @code{#f})
@itemx @code{default-user} (default: @code{""})
When @code{auto-login?} is false, SLiM presents a log-in screen.
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 60611dc77d..65b138b4f4 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2020 shtwzrd <shtwzrd@protonmail.com>
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;; Copyright © 2020 Alex Griffin <a@ajgrf.com>
+;;; Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -541,6 +542,8 @@ a `service-extension', as used by `set-xorg-configuration'."
(default slim))
(allow-empty-passwords? slim-configuration-allow-empty-passwords?
(default #t))
+ (gnupg? slim-configuration-gnupg?
+ (default #f))
(auto-login? slim-configuration-auto-login?
(default #f))
(default-user slim-configuration-default-user
@@ -570,7 +573,9 @@ a `service-extension', as used by `set-xorg-configuration'."
"slim"
#:login-uid? #t
#:allow-empty-passwords?
- (slim-configuration-allow-empty-passwords? config))))
+ (slim-configuration-allow-empty-passwords? config)
+ #:gnupg?
+ (slim-configuration-gnupg? config))))
(define (slim-shepherd-service config)
(let* ((xinitrc (xinitrc #:fallback-session
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index ad02586be8..75edd01908 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -27,6 +27,7 @@
#:use-module (srfi srfi-11)
#:use-module (srfi srfi-26)
#:use-module ((guix utils) #:select (%current-system))
+ #:use-module (gnu packages linux)
#:export (pam-service
pam-service-name
pam-service-account
@@ -208,7 +209,7 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(control "required")
(module "pam_env.so"))))
(lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
- login-uid?)
+ login-uid? (gnupg? #f))
"Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
true, allow root to run the command without authentication. When MOTD is
@@ -229,7 +230,12 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
(control "required")
(module "pam_unix.so")
(arguments '("nullok")))
- unix))))
+ unix))
+ (if gnupg?
+ (list (pam-entry
+ (control "required")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ '())))
(password (list (pam-entry
(control "required")
(module "pam_unix.so")
@@ -247,6 +253,11 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
(control "required")
(module "pam_loginuid.so")))
'())
+ ,@(if gnupg?
+ (list (pam-entry
+ (control "required")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ '())
,env ,unix))))))
(define (rootok-pam-service command)
--
2.30.2
M
M
Maxime Devos wrote on 24 Mar 2021 20:22
6ca83b55b46c4677a45fd0e026ac14880093ea7f.camel@telenet.be
Hi,

I'm not familiar with PAM, so I can't do much reviewing about that
(seems ok, though I'm no expert). Some nitpicks:

On Wed, 2021-03-24 at 19:52 +0300, Oleg Pykhalov wrote:
Toggle quote (11 lines)
> [...]
>
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index ad02586be8..75edd01908 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> [...]
> (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> - login-uid?)
> + login-uid? (gnupg? #f))

Nitpick: keyword variables have #f as default by default, so you could just write ...

(lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
Toggle quote (3 lines)
> - login-uid?)
> + login-uid? gnupg?)

... here. As a minimal example, you could run the following code in a Guile REPL:

Toggle quote (4 lines)
> ;; These both evaluate to (#f #f)!
> ((lambda* (#:key login-uid? gnupg?) (list login-uid? gnupg?)))
> ((lambda* (#:key login-uid? (gnupg? #f)) (list login-uid? gnupg?)))

Hmm, maybe (allow-root? #f) could be replaced with simply allow-root? here ...

Toggle quote (4 lines)
> "Return a standard Unix-style PAM service for NAME. When
> ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
> true, allow root to run the command without authentication. When MOTD is

It would be nice if this docstring documents GNUPG? as well.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYFuRgxccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7rOyAQCo50xkY2E6ENco+q9TZJLxAOM0
pV3ooKhv4oTbYrMJeAD/Y5UO9qb4USiPaGv9X25KaRk5khhE6/RDAvnvnWkc/gs=
=SrzE
-----END PGP SIGNATURE-----


O
O
Oleg Pykhalov wrote on 24 Mar 2021 20:48
(name . Maxime Devos)(address . maximedevos@telenet.be)(address . 47364@debbugs.gnu.org)
87ft0ks58u.fsf@gmail.com
Hi,

Thank you for the review!

Maxime Devos <maximedevos@telenet.be> writes:

Toggle quote (3 lines)
> I'm not familiar with PAM, so I can't do much reviewing about that
> (seems ok, though I'm no expert).

I'm :-) too, but it works for me.

[…]

I applied all your suggestions.
Toggle diff (24 lines)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 75edd01908..128b2bb0fe 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -208,14 +208,16 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(env (pam-entry ; to honor /etc/environment.
(control "required")
(module "pam_env.so"))))
- (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
- login-uid? (gnupg? #f))
+ (lambda* (name #:key allow-empty-passwords? allow-root? motd
+ login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
true, allow root to run the command without authentication. When MOTD is
true, it should be a file-like object used as the message-of-the-day.
When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
-/proc/self/loginuid, which the libc 'getlogin' function relies on."
+/proc/self/loginuid, which the libc 'getlogin' function relies on. When
+GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
+login password to 'gpg-agent'."
;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
(pam-service
(name name)
Plus in Git commit message “Don't pass "#f" to "allow-root?" argument,
because "lambda*" already does this by default.”.
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEcjhxI46s62NFSFhXFn+OpQAa+pwFAmBbl3EUHGdvLndpZ3Vz
dEBnbWFpbC5jb20ACgkQFn+OpQAa+pzFLxAAydMjfLaAsfO7uvoWl/f51/qCY2R9
JjxB9TbixUbc85a1r7n24nbG9viPOxn7ssuwh5meU5oRkHhjODSxn6tmSXAxkzH4
vcD4XYOG8qJd8m1aMzxHmryVhuubqHbj6OvtpvVRc7+jN2uf4Fr2A0i8kepYut6H
rfzEj6AYrCmvrDjFiiBGfFz8buZSZjm5vUFbiF4ZA446lFDoDiKWvx8R8ZTIcI+k
ye6V790Aq3DJyp3xnuA788Rlnrvx+jN4jGgK8udqiTR2hPFMuz6IC7GJGZR1B1pj
xynB/Ti3vlHyOBuSigL9WlVcjI6X8YC7FYKhkJ5HFt3Vt/uz7IqJHjRiazUVfouc
MPBgXLqlR8933kfiFucdF/dd4pQ9ik5UGnr/b2l9C8T08A/VFUEh+jskLsvvlvI6
iYzVw3lm5hY6bylCCzCNtEIrHzjq1R9mgQSebvcIQ6aI3TJI1otMgNwCUeaTbTwB
Pw9z0XG3SZw3prveEItUjeqizOkXpfJwzdMpLHRbt/xq9GBn9pAr58hoGUfakogu
e4mHmup5m/uSY+RV0whkzZxcnWY7AUXrf9l2nv7iyA3KWs+AEFvh/sOTbI2s11Vh
dKzlFJE/5dCFH1O6MXkm533ZKNMr/MHm/+/+kg/F+f50oIZ503uu5jRWecZRZeLo
3HNZ7rvp4grWyrk=
=nkjx
-----END PGP SIGNATURE-----

M
M
Maxime Devos wrote on 24 Mar 2021 21:14
(name . Oleg Pykhalov)(address . go.wigust@gmail.com)(address . 47364@debbugs.gnu.org)
45158737893d2ef4b3a8d8e5dd04523aecb8e552.camel@telenet.be
On Wed, 2021-03-24 at 22:48 +0300, Oleg Pykhalov wrote:
Toggle quote (4 lines)
> +/proc/self/loginuid, which the libc 'getlogin' function relies on. When
> +GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
> +login password to 'gpg-agent'."

Linguistic nitpick:
There seems to be an article missing before "login password".
Maybe add "the".

Also, ideally speaking, there would be a system test in "gnu/tests/" for
this new functionality.

Otherwise no comments, seems good to me to go into the repo
though maybe someone else wants to comment as well.

Greetings,
Maxime
-----BEGIN PGP SIGNATURE-----

iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYFudtxccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7vAAAQDv/tWBol6/FmZwL9jpcO9i3nNH
MiOKg7limFFCwX4pkAEA7CrmIXRxjsogoN/flro+D5Fou+Gcnxl2ow9FPGo/IAo=
=WUWC
-----END PGP SIGNATURE-----


O
O
Oleg Pykhalov wrote on 17 Aug 2021 00:13
Re: bug#47364: [PATCH 0/2] Add pam-gnupg and PAM rules for SLiM
(address . 47364-done@debbugs.gnu.org)
87tujphwbi.fsf@gmail.com
Oleg Pykhalov <go.wigust@gmail.com> writes:

Toggle quote (13 lines)
> This patch series adds pam-gnupg package and PAM rules for SLiM display
> manager.
>
> Oleg Pykhalov (2):
> gnu: Add pam-gnupg.
> services: slim: Add pam-gnupg support.
>
> doc/guix.texi | 8 ++++++++
> gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
> gnu/services/xorg.scm | 7 ++++++-
> gnu/system/pam.scm | 15 +++++++++++++--
> 4 files changed, 63 insertions(+), 4 deletions(-)

Apologies for a big pause.

Finally tested properly with my heavy configuration. Works great. ;-)

Pushed to master.
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEcjhxI46s62NFSFhXFn+OpQAa+pwFAmEa4yEUHGdvLndpZ3Vz
dEBnbWFpbC5jb20ACgkQFn+OpQAa+py6DRAAmaYynFf0OvEwaRe6Tdx7EKYEXqsU
uEEoV88aKF85t/BtRwjDG+eI4vcs6uQJJHHRzzF/mqrIQRho5U2H7jgB/vuDKl17
+4tanKz0OpIXe1WvhaXv2/Hscwq20fhRj1zMNRWihxK6UDHkeAigRajuEbkct19x
2z7uCB6zD6V4gcINsfzMkCDISBBjUJzzDcNTVNZUSi4QIQbuUVo5FsKck5FSpn9U
rQc+G9M2N0AfZFXEBt9rgOwC1WTNPQoS+Juyq9IV8CNpCAdOQn/OMGGvOfFAXxUm
Zlkc923hHtZe7MmoTQjfMOlKXYfFvVZ7JEhq3do5+D94+1l4JX4Blo4lpPJhpg/U
gAlIZg1CXflteL1CsxGzTxETYYvtjHdVLNTAzJ2I6Nl+r/uLqkKPC6JUMfIweuoe
koP7SghvPLbXDTNvtVwW1Jkr8t3VWcJq9jXGed7YmUE66wrCHVbbLUTyRVzMPvKD
ok2L5V1oNrb4ag5AK3mGfzf46DYUyaAlCGnI2U81CAaMWIoCPirkhD+UXpcSzCm1
GiQwerPWd8IHC7iiS46oCbusaj0jE/QNDxrOdy90qmythX7kp88ZdvCTMJupWg/T
+uYBzU/rz4WkRVZHZl/2zaWsjO0FmUUNKaLLrWgK639pv4gPHD5v7bhxZNXVqcaT
AF0c6otjkYrR1is=
=SHEs
-----END PGP SIGNATURE-----

Closed
?