pam-gnupg

  • Done
  • quality assurance status badge
Details
2 participants
  • Tobias Geerinckx-Rice
  • Nicolas Graves
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal
N
N
Nicolas Graves wrote on 12 Nov 2021 08:45
(address . guix-patches@gnu.org)
87czn53ijd.fsf@ngraves.fr
Hi !

I'm still discovering / experimenting with guix thanks to the videos of
David Wilson. Sorry if it's not the appropriate place to discuss this.

I'm trying to add pam-gnupg without having a graphical login manager.
I figured out it should really be as simple as the few lines I added in
the attached patch, since the feature has already been implemented for a
few graphical login managers.

It has been done here : https://issues.guix.gnu.org/47364

So I'm trying to test the patch, have downloaded guix source code, added
it in a new branch, updated my channels, used guix shell for setting the
environment, but now I get the following error when I try to pull to
test my version :

guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
'origin/keyring'

The patch is straightforward, might not need much testing, but if
needed, I would be glad to received some smart advice :)

Thanks in advance, thanks for the outstanding work on Guix !

Nicolas
From d8d3d8d7614d443dea805b46589f9b16f8558de2 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Fri, 12 Nov 2021 00:39:13 +0100
Subject: [PATCH] Adding gnupg to pam-login-service.

---
gnu/services/base.scm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

Toggle diff (27 lines)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..887213c52e 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -743,7 +743,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
@@ -753,7 +755,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
--
2.33.1
T
T
Tobias Geerinckx-Rice wrote on 12 Nov 2021 13:51
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 51785@debbugs.gnu.org)
35313aaf61a42f0c333cab6b300e6bc0@tobias.gr
Nicolas,

On 2021-11-12 8:45, Nicolas Graves via Guix-patches via wrote:
Toggle quote (10 lines)
> So I'm trying to test the patch, have downloaded guix source code,
> added
> it in a new branch, updated my channels, used guix shell for setting
> the
> environment, but now I get the following error when I try to pull to
> test my version :
>
> guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
> 'origin/keyring'

Guix authentication code expects a local 'keyring' branch, similar to
how you currently have a local 'master' branch tracking the upstream
'master' branch (which by default is called 'origin/master').

If you haven't changed the default 'origin' name you should be able to
simply

$ git checkout origin/keyring # creates local tracking branch as side
effect
$ git checkout master # to 'switch back'

and be on your merry way. Replace 'origin/' if you have.

(This is from memory; apologies for possible typos/thinkos.)

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.
N
N
Nicolas Graves wrote on 13 Nov 2021 21:11
pam-gnupg
(address . 51785@debbugs.gnu.org)
87tugfdax1.fsf@ngraves.fr
Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my
channels.scm and pulled guix with guix pull --allow-downgrades
--disable-authentication)

I finally managed to get the pam module to work but it eventually raised
more questions than expected.

Basically now the module starts well, but my shepherd service gpg-agent
doesn't (I guess because pam starts it, and that shepherd can't take
over). It's fine for the purpose I was installing pam-gnupg for (having
direct access to password-store passwords after login), but hinders the
rest of related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-modules
startup. A look at the manual pages and the examples for modules show a
clear hierarchy for at least a few modules (pam_unix > pam_loginuid >
pam_elogind > pam_gnupg for instance), which is not respected in guix's
implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix).

Although it seems to work, is it normal / purposeful / without
consequences ?

If no, as a solution, maybe implementing a hierarchy might help. For
instance, something like :
1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical
login managers modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the
official repo (https://github.com/cruegge/pam-gnupg),it seems that
there is a recommended configuration (e.g. setting the priority as
optional), which is once again not respected in the actual
configuration. I did add the few lines to address this (but is there a
reason why that is not the case ?)

I'm willing to help make these changes if useful and on the right track,
but I don't have much experience with guile.
Cheers,

Nicolas
From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service

---
gnu/services/base.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

Toggle diff (35 lines)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..b95fd9a4ff 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -16,6 +16,7 @@
;;; Copyright © 2021 qblade <qblade@protonmail.com>
;;; Copyright © 2021 Hui Lu <luhuins@163.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2021 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -743,7 +744,9 @@ (define-record-type* <login-configuration>
;; Allow empty passwords by default so that first-time users can log in when
;; the 'root' account has just been created.
(allow-empty-passwords? login-configuration-allow-empty-passwords?
- (default #t))) ;Boolean
+ (default #t)) ;Boolean
+ (gnupg? login-configuration-gnupg?
+ (default #f))) ;Boolean
(define (login-pam-service config)
"Return the list of PAM service needed for CONF."
@@ -753,7 +756,8 @@ (define (login-pam-service config)
#:allow-empty-passwords?
(login-configuration-allow-empty-passwords? config)
#:motd
- (login-configuration-motd config))))
+ (login-configuration-motd config)
+ #:gnupg? (login-configuration-gnupg? config))))
(define login-service-type
(service-type (name 'login)
--
2.33.1
From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 20:09:02 +0100
Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration.

---
gnu/system/pam.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

Toggle diff (34 lines)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..d6d02e59f5 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -235,8 +235,9 @@ (module "pam_unix.so")
unix))
(if gnupg?
(list (pam-entry
- (control "required")
- (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+ (control "optional")
+ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
+ (arguments '("store-only"))))
'())))
(password (list (pam-entry
(control "required")
@@ -255,12 +256,13 @@ (module "pam_motd.so")
(control "required")
(module "pam_loginuid.so")))
'())
+ ,env ,unix
,@(if gnupg?
(list (pam-entry
- (control "required")
+ (control "optional")
(module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
'())
- ,env ,unix))))))
+ ))))))
(define (rootok-pam-service command)
"Return a PAM service for COMMAND such that 'root' does not need to
--
2.33.1
From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves@ngraves.fr>
Date: Sat, 13 Nov 2021 21:48:16 +0100
Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance.

---
gnu/system/pam.scm | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

Toggle diff (33 lines)
diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index d6d02e59f5..0f0b09e347 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
(module "pam_unix.so")
;; Store SHA-512 encrypted passwords in /etc/shadow.
(arguments '("sha512" "shadow")))))
- (session `(,@(if motd
+ (session `(,env ,unix
+ ,@(if login-uid?
+ (list (pam-entry ;to fill in /proc/self/loginuid
+ (control "required")
+ (module "pam_loginuid.so")))
+ '())
+ ,@(if motd
(list (pam-entry
(control "optional")
(module "pam_motd.so")
(arguments
(list #~(string-append "motd=" #$motd)))))
'())
- ,@(if login-uid?
- (list (pam-entry ;to fill in /proc/self/loginuid
- (control "required")
- (module "pam_loginuid.so")))
- '())
- ,env ,unix
,@(if gnupg?
(list (pam-entry
(control "optional")
--
2.33.1
N
N
Nicolas Graves wrote on 14 Apr 21:37 +0200
control message for bug #51785
(address . control@debbugs.gnu.org)
87h6g3hh26.fsf@ngraves.fr
close 51785
quit
?