From: Nicolas Graves
To: 51785@debbugs.gnu.org
Cc: Josselin Poiret, Tobias Geerinckx-Rice
Subject: pam-gnupg
Date: Sat, 13 Nov 2021 21:11:58 +0100
Message-ID: <87tugfdax1.fsf@ngraves.fr>

Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my channels.scm and pulled guix with guix pull --allow-downgrades --disable-authentication.)

I finally managed to get the pam module to work, but it eventually raised more questions than expected. Basically now the module starts well, but my shepherd service gpg-agent doesn't (I guess because pam starts it, and shepherd can't take over).
It's fine for the purpose I was installing pam-gnupg for (having direct access to password-store passwords after login), but it hinders the rest of the related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-module startup. A look at the manual pages and the examples for modules shows a clear hierarchy for at least a few modules (pam_unix > pam_loginuid > pam_elogind > pam_gnupg for instance), which is not respected in guix's implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix). Although it seems to work, is it normal / purposeful / without consequences? If not, as a solution, maybe implementing a hierarchy might help. For instance, something like:

1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical login managers' modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the official repo (https://github.com/cruegge/pam-gnupg), it seems that there is a recommended configuration (e.g. setting the priority as optional), which is once again not respected in the actual configuration. I did add the few lines to address this (but is there a reason why that is not the case?).

I'm willing to help make these changes if useful and on the right track, but I don't have much experience with guile.

Cheers,
Nicolas

Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline; filename=0001-PATCH-gnu-add-pam-gnupg-to-login-service.patch
Content-Transfer-Encoding: quoted-printable
Content-Description: pam-gnupg-1

From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service

---
 gnu/services/base.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 50865055fe..b95fd9a4ff 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -16,6 +16,7 @@ ;;; Copyright =C2=A9 2021 qblade ;;; Copyright =C2=A9 2021 Hui Lu ;;; Copyright =C2=A9 2021 Maxim Cournoyer +;;; Copyright =C2=A9 2021 Nicolas Graves ;;; ;;; This file is part of GNU Guix. ;;; @@ -743,7 +744,9 @@ (define-record-type* ;; Allow empty passwords by default so that first-time users can log in = when ;; the 'root' account has just been created. (allow-empty-passwords? login-configuration-allow-empty-passwords? - (default #t))) ;Boolean + (default #t)) ;Boolean + (gnupg? login-configuration-gnupg? + (default #f))) ;Boolean =20 (define (login-pam-service config) "Return the list of PAM service needed for CONF." @@ -753,7 +756,8 @@ (define (login-pam-service config) #:allow-empty-passwords? (login-configuration-allow-empty-passwords? conf= ig) #:motd - (login-configuration-motd config)))) + (login-configuration-motd config) + #:gnupg? (login-configuration-gnupg? config)))) =20 (define login-service-type (service-type (name 'login) --=20 2.33.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-Trying-to-fix-pam-gnupg-configuration.patch Content-Description: pam-gnupg-2 From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001 From: Nicolas Graves Date: Sat, 13 Nov 2021 20:09:02 +0100 Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration. --- gnu/system/pam.scm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index a31daada59..d6d02e59f5 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm 
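Review bot: [PATCH 1/3], gnu/services/base.scm, second hunk: the new `(gnupg? login-configuration-gnupg? (default #f))` field in <login-configuration> comes with no entry in the login-configuration documentation in doc/guix.texi (the diffstat touches only gnu/services/base.scm), so nobody can discover the option from the manual; please document it there, saying that it is off by default and that enabling it hands the login password to pam_gnupg, and give the commit the usual ChangeLog-style body (`* gnu/services/base.scm (<login-configuration>)[gnupg?]: New field.` / `(login-pam-service): Pass it to 'unix-pam-service'.`). The subject also carries a duplicated prefix, `[PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service`; write it in the tree's form, e.g. `gnu: services: Add 'gnupg?' field to <login-configuration>.`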
@@ -235,8 +235,9 @@ (module "pam_unix.so") unix)) (if gnupg? (list (pam-entry - (control "required") - (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) + (control "optional") + (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")) + (arguments '("store-only")))) '()))) (password (list (pam-entry (control "required") @@ -255,12 +256,13 @@ (module "pam_motd.so") (control "required") (module "pam_loginuid.so"))) '()) + ,env ,unix ,@(if gnupg? (list (pam-entry - (control "required") + (control "optional") (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")))) '()) - ,env ,unix)))))) + )))))) (define (rootok-pam-service command) "Return a PAM service for COMMAND such that 'root' does not need to -- 2.33.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0003-Moving-parts-of-pam-configuration-for-better-complia.patch Content-Description: pam-gnupg-3 From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001 From: Nicolas Graves Date: Sat, 13 Nov 2021 21:48:16 +0100 Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance. --- gnu/system/pam.scm | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm index d6d02e59f5..0f0b09e347 100644 --- a/gnu/system/pam.scm +++ b/gnu/system/pam.scm 
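Review bot: [PATCH 2/3], gnu/system/pam.scm, hunk at @@ -235,8: switching the auth entry to `(control "optional")` and adding `(arguments '("store-only"))` matches the example in the upstream README the message cites (auth optional pam_gnupg.so store-only) and stops a missing or broken gpg-agent from locking users out, which `required` did not; but the commit message, 'Trying to fix pam-gnupg configuration.', should state exactly that and name the README as the source of the two settings, so the next reader does not revert it to `required`. The entry stays after `(module "pam_unix.so") unix` in the context, which is right: pam_gnupg needs the password pam_unix has already collected.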
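Review bot: [PATCH 2/3], hunk at @@ -255,12: the closing parentheses are left alone on their own `+` line after `'())`; in the Scheme style of this file they belong on the preceding line, so join the two `+` lines into one `'()))))))` line. This hunk also moves `,env ,unix` to sit just before the pam_gnupg entry but behind pam_loginuid, an order that [PATCH 3/3] changes again; squash the two commits so the series does not carry an intermediate ordering, and make the one commit message say why the session modules run in the final order.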
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so")) (module "pam_unix.so") ;; Store SHA-512 encrypted passwords in /etc/shadow. (arguments '("sha512" "shadow"))))) - (session `(,@(if motd + (session `(,env ,unix + ,@(if login-uid? + (list (pam-entry ;to fill in /proc/self/loginuid + (control "required") + (module "pam_loginuid.so"))) + '()) + ,@(if motd (list (pam-entry (control "optional") (module "pam_motd.so") (arguments (list #~(string-append "motd=" #$motd))))) '()) - ,@(if login-uid? - (list (pam-entry ;to fill in /proc/self/loginuid - (control "required") - (module "pam_loginuid.so"))) - '()) - ,env ,unix ,@(if gnupg? (list (pam-entry (control "optional") -- 2.33.1 --=-=-=--
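Review bot: [PATCH 3/3], hunk at @@ -244,19: moving `,env ,unix` to the head of the session list, so that pam_env and pam_unix run before pam_loginuid, pam_motd and pam_gnupg, is the 'base modules first' ordering the message argues for, but the commit message 'Moving parts of pam configuration for better compliance.' does not say with what; state the rationale (the session must be opened and the environment set before pam_gnupg starts the agent) and note in it that modules added through other services, pam_elogind among them, are not reordered by this hunk. pam_loginuid keeps `(control "required")`, so the comment `;to fill in /proc/self/loginuid` still holds.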
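As an added example (not code from Guix, from pam-gnupg, or from this message), the Python checker below parses a pam.d service file and reports where pam_gnupg departs from the placement discussed in the thread: `optional` in both stacks, `store-only` on the auth line only, and placed after pam_unix (and, in the session stack, after pam_loginuid and pam_elogind when they are present). The rule table is an assumption distilled from the message and the README example it cites, not from any Guix code, and the two sample files are constructed here to mirror the order the message reports for the current Guix `login` service and the order it proposes.

```python
import re
from dataclasses import dataclass, field

# Rule table (an assumption distilled from the message and the pam-gnupg README
# example it cites, not from Guix code): pam_gnupg must be 'optional' in both
# stacks, carry 'store-only' only on the auth line, and come after the modules
# listed here whenever they appear in the same stack.
GNUPG = "pam_gnupg.so"
MUST_FOLLOW = {
    "auth": ("pam_unix.so",),
    "session": ("pam_unix.so", "pam_loginuid.so", "pam_elogind.so"),
}


@dataclass
class PamEntry:
    type: str               # auth / account / password / session
    control: str            # required, optional, ... or "[success=1 default=ignore]"
    module: str             # basename only, so a Guix store path compares equal
    args: list = field(default_factory=list)


# type, control (plain word or bracketed form), module path, remaining arguments
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse pam.d-style lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("cannot parse PAM line: %r" % raw)
        mtype, control, module, rest = m.groups()
        entries.append(PamEntry(mtype.lower(), control.lower(),
                                module.rsplit("/", 1)[-1], rest.split()))
    return entries


def check_pam_gnupg(entries):
    """Return the list of rule violations; empty means pam_gnupg sits where recommended."""
    findings = []
    for stack, predecessors in MUST_FOLLOW.items():
        chain = [e for e in entries if e.type == stack]
        positions = [i for i, e in enumerate(chain) if e.module == GNUPG]
        if not positions:
            continue                        # this stack does not use pam_gnupg
        first = positions[0]
        entry = chain[first]
        # A missing or broken gpg-agent must never keep a user from logging in.
        if entry.control != "optional":
            findings.append("%s: %s is '%s', expected 'optional'"
                            % (stack, GNUPG, entry.control))
        # The auth line only captures the password; the session line uses it.
        store_only = "store-only" in entry.args
        if stack == "auth" and not store_only:
            findings.append("auth: %s should carry 'store-only'" % GNUPG)
        if stack == "session" and store_only:
            findings.append("session: 'store-only' belongs on the auth line only")
        # pam_gnupg relies on what earlier modules produced: the password
        # collected by pam_unix (auth) and an opened session (session).
        for pred in predecessors:
            last_pred = max((i for i, e in enumerate(chain) if e.module == pred),
                            default=None)
            if last_pred is not None and last_pred > first:
                findings.append("%s: %s must come after %s" % (stack, GNUPG, pred))
    return findings


# Constructed samples (the store path is made up). The first mirrors the order
# the message reports for the current Guix 'login' service: pam_gnupg
# 'required', and in session placed before pam_unix. The second mirrors the
# order the message proposes: base modules, then pam-root-service modules,
# then the rest.
GUIX_ORDER = """\
auth     required  pam_unix.so
auth     required  /gnu/store/example-pam-gnupg/lib/security/pam_gnupg.so
session  optional  pam_elogind.so
session  required  pam_loginuid.so
session  required  /gnu/store/example-pam-gnupg/lib/security/pam_gnupg.so
session  required  pam_env.so
session  required  pam_unix.so
"""

PROPOSED_ORDER = """\
auth     required  pam_unix.so
auth     optional  /gnu/store/example-pam-gnupg/lib/security/pam_gnupg.so store-only
session  required  pam_env.so
session  required  pam_unix.so
session  required  pam_loginuid.so
session  optional  pam_elogind.so
session  optional  pam_motd.so motd=/etc/motd
session  optional  /gnu/store/example-pam-gnupg/lib/security/pam_gnupg.so
"""

if __name__ == "__main__":
    for name, text in (("guix order", GUIX_ORDER), ("proposed order", PROPOSED_ORDER)):
        print(name + ":")
        for finding in check_pam_gnupg(parse_pam(text)) or ["ok"]:
            print("  " + finding)
```

To run it against a real system, read /etc/pam.d/login into parse_pam; only module basenames are compared, so the full store paths Guix writes into its PAM files match the rule table as-is.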