pam-gnupg

Details: 2 participants (Tobias Geerinckx-Rice, Nicolas Graves). Owner: unassigned. Submitted by: Nicolas Graves. Severity: normal.
Nicolas Graves wrote on 12 Nov 2021 08:45
(address . guix-patches@gnu.org)
87czn53ijd.fsf@ngraves.fr
Hi!

I'm still discovering / experimenting with guix thanks to the videos of
David Wilson. Sorry if it's not the appropriate place to discuss this.

I'm trying to add pam-gnupg without having a graphical login manager.
I figured out it should really be as simple as the few lines I added in
the attached patch, since the feature has already been implemented for a
few graphical login managers.

It has been done here: https://issues.guix.gnu.org/47364

So I'm trying to test the patch, have downloaded guix source code, added
it in a new branch, updated my channels, used guix shell for setting the
environment, but now I get the following error when I try to pull to
test my version:

guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
'origin/keyring'

The patch is straightforward, might not need much testing, but if
needed, I would be glad to receive some smart advice :)

Thanks in advance, thanks for the outstanding work on Guix!

Nicolas
From d8d3d8d7614d443dea805b46589f9b16f8558de2 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Fri, 12 Nov 2021 00:39:13 +0100
Subject: [PATCH] Adding gnupg to pam-login-service.

---
gnu/services/base.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..887213c52e 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -743,7 +743,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
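Review bot: the new `gnupg?` field is undocumented; `login-configuration` has an entry in doc/guix.texi that lists `motd` and `allow-empty-passwords?`, and the field belongs there together with what enabling it implies: pam_gnupg hands the login password to gpg-agent as a preset passphrase, so it only unlocks keys whose passphrase equals the login password and requires `allow-preset-passphrase` in the user's gpg-agent.conf. Without that note, users who flip the flag will see no effect and have no way to tell why.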
@@ -753,7 +755,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
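Review bot: this passes a `#:gnupg?` keyword to `unix-pam-service`, but nothing in the patch shows that procedure accepting it; if it does not, Guile rejects the call with an unrecognized-keyword error only when the service is instantiated, so a `guix system build` of a configuration with `(gnupg? #t)` should be part of the testing described in the cover mail. The commit message should also be ChangeLog-style, as the Guix contribution guidelines ask, e.g. `* gnu/services/base.scm (<login-configuration>)[gnupg?]: New field.` and `(login-pam-service): Pass it to 'unix-pam-service'.`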
--
2.33.1
Tobias Geerinckx-Rice wrote on 12 Nov 2021 13:51
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 51785@debbugs.gnu.org)
35313aaf61a42f0c333cab6b300e6bc0@tobias.gr
Nicolas,

On 2021-11-12 8:45, Nicolas Graves via Guix-patches via wrote:
> So I'm trying to test the patch, have downloaded guix source code, added
> it in a new branch, updated my channels, used guix shell for setting the
> environment, but now I get the following error when I try to pull to
> test my version:
>
> guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
> 'origin/keyring'

Guix authentication code expects a local 'keyring' branch, similar to
how you currently have a local 'master' branch tracking the upstream
'master' branch (which by default is called 'origin/master').

If you haven't changed the default 'origin' name you should be able to
simply

$ git checkout origin/keyring  # creates local tracking branch as side effect
$ git checkout master          # to 'switch back'

and be on your merry way. Replace 'origin/' if you have.

(This is from memory; apologies for possible typos/thinkos.)

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.
Nicolas Graves wrote on 13 Nov 2021 21:11
pam-gnupg
(address . 51785@debbugs.gnu.org)
87tugfdax1.fsf@ngraves.fr
Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my
channels.scm and pulled guix with guix pull --allow-downgrades
--disable-authentication)

I finally managed to get the pam module to work but it eventually raised
more questions than expected.

Basically now the module starts well, but my shepherd service gpg-agent
doesn't (I guess because pam starts it, and that shepherd can't take
over). It's fine for the purpose I was installing pam-gnupg for (having
direct access to password-store passwords after login), but hinders the
rest of related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-modules
startup. A look at the manual pages and the examples for modules show a
clear hierarchy for at least a few modules (pam_unix > pam_loginuid >
pam_elogind > pam_gnupg for instance), which is not respected in guix's
implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix).

Although it seems to work, is it normal / purposeful / without
consequences?

If no, as a solution, maybe implementing a hierarchy might help. For
instance, something like:
1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical
login managers modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the
official repo (https://github.com/cruegge/pam-gnupg), it seems that
there is a recommended configuration (e.g. setting the priority as
optional), which is once again not respected in the actual
configuration. I did add the few lines to address this (but is there a
reason why that is not the case?)

I'm willing to help make these changes if useful and on the right track,
but I don't have much experience with guile.

Cheers,

Nicolas
From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service

---
gnu/services/base.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..b95fd9a4ff 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 qblade <qblade@protonmail.com>
;;; Copyright © 2021 Hui Lu <luhuins@163.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -743,7 +744,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
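Review bot: this hunk is identical to the one in the first submission, so the gap stands: the `gnupg?` field still has no doc/guix.texi entry, and that entry is where a user needs to learn that pam_gnupg presets the login password into gpg-agent (so the key passphrase must match it) and that gpg-agent.conf needs `allow-preset-passphrase`.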
@@ -753,7 +756,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
--
2.33.1
From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 20:09:02 +0100
Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration.

---
gnu/system/pam.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..d6d02e59f5 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -235,8 +235,9 @@ (module "pam_unix.so")
unix))
(if gnupg?
(list (pam-entry
- (control "required")
- (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ (control "optional")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
+ (arguments '("store-only"))))
'())))
(password (list (pam-entry
(control "required")
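Review bot: switching the auth entry to "optional" is the right call for a module whose only job is to stash the password for gpg-agent: with "required", a failure return from pam_gnupg would deny the login outright, whereas "optional" lets PAM disregard its result. Because `#:gnupg?` is also consumed by the graphical login manager services from issue 47364, this hunk silently changes their generated pam.d files as well; the commit message should say so, and should be ChangeLog-style rather than "Trying to fix pam-gnupg configuration."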
@@ -255,12 +256,13 @@ (module "pam_motd.so")
(control "required")
(module "pam_loginuid.so")))
'())
+ ,env ,unix
,@(if gnupg?
(list (pam-entry
- (control "required")
+ (control "optional")
(module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())
- ,env ,unix))))))
+ ))))))
(define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to
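Review bot: the closing line `+ ))))))` leaves a row of parentheses alone on a line, which Guix's Scheme style avoids; fold them onto the end of the `'())` line of the gnupg branch. Moving `,env ,unix` ahead of the pam_gnupg entry is the intended ordering change, but the same region is reshuffled again in 3/3, so squashing 2/3 and 3/3 into one session-ordering commit would make the series easier to review.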
--
2.33.1
From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 21:48:16 +0100
Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance.

---
gnu/system/pam.scm | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index d6d02e59f5..0f0b09e347 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
(module "pam_unix.so")
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
- (session `(,@(if motd
+ (session `(,env ,unix
+ ,@(if login-uid?
+ (list (pam-entry ;to fill in /proc/self/loginuid
+ (control "required")
+ (module "pam_loginuid.so")))
+ '())
+ ,@(if motd
(list (pam-entry
(control "optional")
(module "pam_motd.so")
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
- ,@(if login-uid?
- (list (pam-entry ;to fill in /proc/self/loginuid
- (control "required")
- (module "pam_loginuid.so")))
- '())
- ,env ,unix
,@(if gnupg?
(list (pam-entry
(control "optional")
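Review bot: "better compliance" in the subject does not say with what; the commit message should state the reference order the cover mail gives (pam_unix, then pam_loginuid, then the elogind and pam_gnupg entries) and where that order comes from. The `;to fill in /proc/self/loginuid` comment correctly travels with the moved entry. Note that this hunk only reorders the session stack, so the ordering question the cover mail raises for the other stacks is not settled by this series.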
--
2.33.1
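As a check on what these patches produce, an added example that is neither Guix code nor the submitter's: a small Python linter that reads a generated /etc/pam.d-style service file and verifies the pam_gnupg placement the series aims for, "optional" control, "store-only" on the auth entry only, and pam_gnupg running after pam_unix, pam_loginuid and pam_elogind wherever they are present in the same stack. The sample `LOGIN` text, the `/gnu/store/PLACEHOLDER-...` paths and the helper names are constructed for this example.

```python
import os

# Constructed sample in /etc/pam.d format, laid out the way the patches above
# arrange the 'login' service (store paths are placeholders, not real hashes).
GNUPG = "/gnu/store/PLACEHOLDER-pam-gnupg/lib/security/pam_gnupg.so"
LOGIN = f"""\
auth     required  pam_unix.so
auth     optional  {GNUPG} store-only
session  required  pam_env.so
session  required  pam_unix.so
session  required  pam_loginuid.so
session  optional  pam_motd.so motd=/gnu/store/PLACEHOLDER-motd
session  optional  {GNUPG}
"""
MUST_PRECEDE = ("pam_unix.so", "pam_loginuid.so", "pam_elogind.so")  # before pam_gnupg


def parse_pam(text):
    """Yield (type, control, module, args) per entry; handles '[...]' controls."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:  # blank, comment-only or malformed line
            continue
        ptype, rest = tokens[0].lstrip("-"), tokens[1:]
        if rest[0].startswith("["):  # e.g. [success=1 default=ignore]
            end = next(i for i, t in enumerate(rest) if t.endswith("]"))
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        yield ptype, control, os.path.basename(rest[0]), rest[1:]


def check_pam_gnupg(text):
    """Return findings for the auth and session stacks; [] means all as intended."""
    findings = []
    for stack in ("auth", "session"):
        entries = [e for e in parse_pam(text) if e[0] == stack]
        names = [e[2] for e in entries]
        if "pam_gnupg.so" not in names:
            findings.append(f"{stack}: pam_gnupg.so is missing")
            continue
        pos = names.index("pam_gnupg.so")
        for dep in MUST_PRECEDE:
            if dep in names and names.index(dep) > pos:
                findings.append(f"{stack}: pam_gnupg.so must run after {dep}")
        control, args = entries[pos][1], entries[pos][3]
        if control != "optional":
            findings.append(f"{stack}: pam_gnupg.so is '{control}', expected 'optional'")
        if (stack == "auth") != ("store-only" in args):
            findings.append(f"{stack}: 'store-only' belongs to the auth entry only")
    return findings
```

Run it against the file Guix writes for the login service (`/etc/pam.d/login` on the deployed system) to confirm the generated stacks match the intent of the patches before and after reconfiguring.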
Nicolas Graves wrote on 14 Apr 21:37 +0200
control message for bug #51785
(address . control@debbugs.gnu.org)
87h6g3hh26.fsf@ngraves.fr
close 51785
quit
This issue is archived.

To comment on this conversation send an email to 51785@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 51785
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch