[PATCH 0/2] Add pam-gnupg and PAM rules for SLiM

2 participants
  • Oleg Pykhalov
  • Maxime Devos
Owner
unassigned
Submitted by
Oleg Pykhalov
Severity
normal
Oleg Pykhalov wrote on 24 Mar 2021 17:49
To: guix-patches@gnu.org, Oleg Pykhalov <go.wigust@gmail.com>
Message-ID: <20210324164938.27674-1-go.wigust@gmail.com>
This patch series adds pam-gnupg package and PAM rules for SLiM display
manager.

Oleg Pykhalov (2):
gnu: Add pam-gnupg.
services: slim: Add pam-gnupg support.

doc/guix.texi | 8 ++++++++
gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
gnu/services/xorg.scm | 7 ++++++-
gnu/system/pam.scm | 15 +++++++++++++--
4 files changed, 63 insertions(+), 4 deletions(-)

--
2.30.2
Oleg Pykhalov wrote on 24 Mar 2021 17:52
[PATCH 1/2] gnu: Add pam-gnupg.
To: 47364@debbugs.gnu.org, Oleg Pykhalov <go.wigust@gmail.com>
Message-ID: <20210324165233.28428-1-go.wigust@gmail.com>
* gnu/packages/linux.scm (pam-gnupg): New variable.
---
gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0eaf014b5c..fff4a1789e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -38,7 +38,7 @@
;;; Copyright © 2019 Pierre Langlois <pierre.langlois@gmx.com>
;;; Copyright © 2019, 2020 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2019 Kei Kebreau <kkebreau@posteo.net>
-;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2020, 2021 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Pierre Neidhardt <mail@ambrevar.xyz>
;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2020 Vincent Legoll <vincent.legoll@gmail.com>
@@ -99,6 +99,7 @@
#:use-module (gnu packages gcc)
#:use-module (gnu packages gettext)
#:use-module (gnu packages glib)
+ #:use-module (gnu packages gnupg)
#:use-module (gnu packages golang)
#:use-module (gnu packages gperf)
#:use-module (gnu packages gstreamer)
@@ -1482,6 +1483,40 @@ at login. Local and dynamic reconfiguration are its key features.")
(description "This package provides a PAM interface using @code{ctypes}.")
(license license:expat)))
+(define-public pam-gnupg
+ (package
+ (name "pam-gnupg")
+ (version "0.3")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/cruegge/pam-gnupg")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1bf91gi6zmfzzmczxm7pajxdlgnikasvg5xsd3j0a368rcr7lf9l"))))
+ (build-system gnu-build-system)
+ (inputs
+ `(("gnupg" ,gnupg)
+ ("linux-pam" ,linux-pam)))
+ (native-inputs
+ `(("autoconf" ,autoconf)
+ ("automake" ,automake)
+ ("libtool" ,libtool)))
+ (arguments
+ `(#:tests? #f ;no tests suite
+ #:configure-flags
+ (list (string-append "--with-moduledir="
+ (assoc-ref %outputs "out") "/lib/security"))))
+
+ (home-page "https://github.com/cruegge/pam-gnupg")
+ (synopsis "Unlock GnuPG keys on login")
+ (description "This package provides a PAM module that hands over your
+login password to @code{gpg-agent}. This can be useful if you are using a
+GnuPG-based password manager like @code{pass}.")
+ (license license:gpl3+)))
+
;;;
;;; Miscellaneous.
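Review bot: `;no tests suite` in the `arguments` field should read `;no test suite`, and the stray blank `+` line between `arguments` and `home-page` does not follow the layout of the surrounding packages; drop it. A comment next to `--with-moduledir=` would help: the `/lib/security` path is what `gnu/system/pam.scm` will `file-append` to find `pam_gnupg.so`, so the two must stay in sync. Also check whether the `gnupg` input is actually resolved at build time; the module has to reach `gpg-agent` at login (per the description), and if it only finds it via `PATH` the input adds nothing and the dependency belongs with the PAM service instead.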
--
2.30.2
Oleg Pykhalov wrote on 24 Mar 2021 17:52
[PATCH 2/2] services: slim: Add pam-gnupg support.
To: 47364@debbugs.gnu.org, Oleg Pykhalov <go.wigust@gmail.com>
Message-ID: <20210324165233.28428-2-go.wigust@gmail.com>
* gnu/system/pam.scm (unix-pam-service): Add account and session PAM entries
for pam-gnupg.
* doc/guix.texi (X Window): Document this.
* gnu/services/xorg.scm (<slim-configuration>)[gnupg?]: New record field.
(slim-pam-service): Pass "#:gnupg?" argument to "unix-pam-service".
---
doc/guix.texi | 8 ++++++++
gnu/services/xorg.scm | 7 ++++++-
gnu/system/pam.scm | 15 +++++++++++++--
3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 94ecd2c247..f549930c63 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17765,6 +17765,14 @@ Data type representing the configuration of @code{slim-service-type}.
@item @code{allow-empty-passwords?} (default: @code{#t})
Whether to allow logins with empty passwords.
+@item @code{gnupg?} (default: @code{#f})
+If enabled, @code{pam-gnupg} will attempt to automatically unlock the
+user's GPG keys with the login password via @code{gpg-agent}. The
+keygrips of all keys to be unlocked should be written to
+@file{~/.pam-gnupg}, and can be queried with @code{gpg -K
+--with-keygrip}. Presetting passphrases must be enabled by adding
+@code{allow-preset-passphrase} in @file{~/.gnupg/gpg-agent.conf}.
+
@item @code{auto-login?} (default: @code{#f})
@itemx @code{default-user} (default: @code{""})
When @code{auto-login?} is false, SLiM presents a log-in screen.
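Review bot: the new `gnupg?` entry should spell out the precondition the mechanism rests on: the keys listed in `~/.pam-gnupg` are unlocked with the login password, so their passphrase has to be identical to it, and users without a `~/.pam-gnupg` file are unaffected. Saying plainly that the login password is forwarded to `gpg-agent` lets readers judge the trade-off before flipping the option; the `#f` default is the right one.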
diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index 60611dc77d..65b138b4f4 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -8,6 +8,7 @@
;;; Copyright © 2020 shtwzrd <shtwzrd@protonmail.com>
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;; Copyright © 2020 Alex Griffin <a@ajgrf.com>
+;;; Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -541,6 +542,8 @@ a `service-extension', as used by `set-xorg-configuration'."
(default slim))
(allow-empty-passwords? slim-configuration-allow-empty-passwords?
(default #t))
+ (gnupg? slim-configuration-gnupg?
+ (default #f))
(auto-login? slim-configuration-auto-login?
(default #f))
(default-user slim-configuration-default-user
@@ -570,7 +573,9 @@ a `service-extension', as used by `set-xorg-configuration'."
"slim"
#:login-uid? #t
#:allow-empty-passwords?
- (slim-configuration-allow-empty-passwords? config))))
+ (slim-configuration-allow-empty-passwords? config)
+ #:gnupg?
+ (slim-configuration-gnupg? config))))
(define (slim-shepherd-service config)
(let* ((xinitrc (xinitrc #:fallback-session
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index ad02586be8..75edd01908 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -27,6 +27,7 @@
#:use-module (srfi srfi-11)
#:use-module (srfi srfi-26)
#:use-module ((guix utils) #:select (%current-system))
+ #:use-module (gnu packages linux)
#:export (pam-service
pam-service-name
pam-service-account
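Review bot: importing `(gnu packages linux)` from `gnu/system/pam.scm` makes a core system module depend on a large package module for a single binding, which adds load time everywhere the PAM code is used and risks module cycles. Guile's `#:autoload (gnu packages linux) (pam-gnupg)` would defer the load until `gnupg?` is actually true.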
@@ -208,7 +209,7 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(control "required")
(module "pam_env.so"))))
(lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
- login-uid?)
+ login-uid? (gnupg? #f))
"Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
true, allow root to run the command without authentication. When MOTD is
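Review bot: the docstring in the context lines documents every other keyword but not `GNUPG?`; add a sentence saying what it enables. The explicit `(gnupg? #f)` default is redundant, since `lambda*` keyword arguments already default to `#f`, so plain `gnupg?` would match `login-uid?` next to it.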
@@ -229,7 +230,12 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
(control "required")
(module "pam_unix.so")
(arguments '("nullok")))
- unix))))
+ unix))
+ (if gnupg?
+ (list (pam-entry
+ (control "required")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ '())))
(password (list (pam-entry
(control "required")
(module "pam_unix.so")
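Review bot: this entry lands in the stack that carries `pam_unix.so` with `nullok` and precedes `password`, i.e. the `auth` stack, yet the commit message says `account`; fix the message. More importantly, `pam_gnupg.so` authenticates nobody, it only captures the token for `gpg-agent`, so `(control "required")` lets a failure of this convenience module block login; `(control "optional")` is the safe control flag here. Its position after `pam_unix.so` is correct, because the password must already have been collected.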
@@ -247,6 +253,11 @@ When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
(control "required")
(module "pam_loginuid.so")))
'())
+ ,@(if gnupg?
+ (list (pam-entry
+ (control "required")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ '())
,env ,unix))))))
(define (rootok-pam-service command)
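Review bot: same `required` versus `optional` question for the session entry: a module that only presets passphrases should not be able to fail the session. Ordering also deserves a check: the entry is spliced in before `,env ,unix`, so `pam_env.so` has not yet applied `/etc/environment` when `pam_gnupg.so` runs; if locating the agent depends on anything set there (`GNUPGHOME`, for instance), the entry should come after `env`.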
--
2.30.2
Maxime Devos wrote on 24 Mar 2021 20:22
Message-ID: <6ca83b55b46c4677a45fd0e026ac14880093ea7f.camel@telenet.be>
Hi,

I'm not familiar with PAM, so I can't do much reviewing about that
(seems ok, though I'm no expert). Some nitpicks:

On Wed, 2021-03-24 at 19:52 +0300, Oleg Pykhalov wrote:
> [...]
>
> diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
> index ad02586be8..75edd01908 100644
> --- a/gnu/system/pam.scm
> +++ b/gnu/system/pam.scm
> [...]
> (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> - login-uid?)
> + login-uid? (gnupg? #f))

Nitpick: keyword variables have #f as default by default, so you could just write ...

(lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
> - login-uid?)
> + login-uid? gnupg?)

... here. As a minimal example, you could run the following code in a Guile REPL:

> ;; These both evaluate to (#f #f)!
> ((lambda* (#:key login-uid? gnupg?) (list login-uid? gnupg?)))
> ((lambda* (#:key login-uid? (gnupg? #f)) (list login-uid? gnupg?)))

Hmm, maybe (allow-root? #f) could be replaced with simply allow-root? here ...

> "Return a standard Unix-style PAM service for NAME. When
> ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
> true, allow root to run the command without authentication. When MOTD is

It would be nice if this docstring documents GNUPG? as well.

Greetings,
Maxime.


Oleg Pykhalov wrote on 24 Mar 2021 20:48
To: Maxime Devos <maximedevos@telenet.be>, 47364@debbugs.gnu.org
Message-ID: <87ft0ks58u.fsf@gmail.com>
Hi,

Thank you for the review!

Maxime Devos <maximedevos@telenet.be> writes:

> I'm not familiar with PAM, so I can't do much reviewing about that
> (seems ok, though I'm no expert).

I'm :-) too, but it works for me.

[…]

I applied all your suggestions.
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index 75edd01908..128b2bb0fe 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -208,14 +208,16 @@ dumped in /etc/pam.d/NAME, where NAME is the name of SERVICE."
(env (pam-entry ; to honor /etc/environment.
(control "required")
(module "pam_env.so"))))
- (lambda* (name #:key allow-empty-passwords? (allow-root? #f) motd
- login-uid? (gnupg? #f))
+ (lambda* (name #:key allow-empty-passwords? allow-root? motd
+ login-uid? gnupg?)
"Return a standard Unix-style PAM service for NAME. When
ALLOW-EMPTY-PASSWORDS? is true, allow empty passwords. When ALLOW-ROOT? is
true, allow root to run the command without authentication. When MOTD is
true, it should be a file-like object used as the message-of-the-day.
When LOGIN-UID? is true, require the 'pam_loginuid' module; that module sets
-/proc/self/loginuid, which the libc 'getlogin' function relies on."
+/proc/self/loginuid, which the libc 'getlogin' function relies on. When
+GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
+login password to 'gpg-agent'."
;; See <http://www.linux-pam.org/Linux-PAM-html/sag-configuration-example.html>.
(pam-service
(name name)
Plus in Git commit message “Don't pass "#f" to "allow-root?" argument,
because "lambda*" already does this by default.”.

Maxime Devos wrote on 24 Mar 2021 21:14
To: Oleg Pykhalov <go.wigust@gmail.com>, 47364@debbugs.gnu.org
Message-ID: <45158737893d2ef4b3a8d8e5dd04523aecb8e552.camel@telenet.be>
On Wed, 2021-03-24 at 22:48 +0300, Oleg Pykhalov wrote:
> +/proc/self/loginuid, which the libc 'getlogin' function relies on. When
> +GNUPG? is true, require the 'pam_gnupg.so' module; that module hands over
> +login password to 'gpg-agent'."

Linguistic nitpick:
There seems to be an article missing before "login password".
Maybe add "the".

Also, ideally speaking, there would be a system test in "gnu/tests/" for
this new functionality.

Otherwise no comments, seems good to me to go into the repo
though maybe someone else wants to comment as well.

Greetings,
Maxime


Oleg Pykhalov wrote on 17 Aug 2021 00:13
Re: bug#47364: [PATCH 0/2] Add pam-gnupg and PAM rules for SLiM
To: 47364-done@debbugs.gnu.org
Message-ID: <87tujphwbi.fsf@gmail.com>
Oleg Pykhalov <go.wigust@gmail.com> writes:

> This patch series adds pam-gnupg package and PAM rules for SLiM display
> manager.
>
> Oleg Pykhalov (2):
> gnu: Add pam-gnupg.
> services: slim: Add pam-gnupg support.
>
> doc/guix.texi | 8 ++++++++
> gnu/packages/linux.scm | 37 ++++++++++++++++++++++++++++++++++++-
> gnu/services/xorg.scm | 7 ++++++-
> gnu/system/pam.scm | 15 +++++++++++++--
> 4 files changed, 63 insertions(+), 4 deletions(-)

Apologies for a big pause.

Finally tested properly with my heavy configuration. Works great. ;-)

Pushed to master.

Closed