[Nix-dev] Subject: [PATCH] Integrate PAM, Gnome Keyring, and Slim
Peter Eriksen
peter at eriksen.ch
Sat Dec 22 23:11:23 CET 2012
We do this by adding a parameter, unlockGnomeKeyring, to
makePAMService, which is set by the slim display manager,
when it adds itself as a service to security.pam.services.
---
Note: This patch is untested and unfinished. It needs at least
a way for slim not to depend on gnome-keyring.
I am trying to make gnome keyring unlock the default keyring
upon login.
Are there any suggestions, or other people interested in
getting this to work?
modules/security/pam.nix | 9 +++++++++
modules/services/x11/display-managers/slim.nix | 5 ++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index d3dd4ef..68d72c8 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -59,6 +59,9 @@ let
allowNullPassword ? false
, # The limits, as per limits.conf(5).
limits ? config.security.pam.loginLimits
+ , # If set, Gnome Keyring will be started on login with Slim
+ # See https://live.gnome.org/GnomeKeyring/Pam/Manual
+ unlockGnomeKeyring ? false
}:
{ source = pkgs.writeText "${name}.pam"
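Review bot: The comment on the new `unlockGnomeKeyring` parameter describes it as Slim-specific and as only starting the keyring, but it is a general `makePAMService` argument, and the later hunks use it to add `pam_gnome_keyring.so` to the auth, password and session stacks. A more accurate comment would be `# If set, pam_gnome_keyring is added to this service's auth, password and session stacks so the login keyring is unlocked at login.` followed by the existing manual link. The argument list starts above this hunk, so the placement relative to the other parameters cannot be checked from here.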
@@ -88,6 +91,8 @@ let
auth [default=die success=done]
${pam_ccreds}/lib/security/pam_ccreds.so action=validate
use_first_pass
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so
action=store use_first_pass
''}
+ ${optionalString unlockGnomeKeyring
+ "auth optional
${pkgs.gnome.gnome_keyring}/lib/security/pam_gnome_keyring.so"}
auth required pam_deny.so
# Password management.
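Review bot: The new `auth optional ... pam_gnome_keyring.so` line sits directly before `auth required pam_deny.so` and after `sufficient` entries, so on a successful login it is probably never reached. A `sufficient` module that succeeds ends the stack, and the primary login module above this hunk is presumably also `sufficient` (not visible here, so this should be confirmed). In that case the module would only be handed passwords from attempts that every earlier module rejected, and the `auto_start` session entry added further down would start a daemon with no password to unlock the keyring. The line needs to move ahead of the first `sufficient` auth entry that can succeed, at a point where the password has already been collected. The same ordering concern applies to the `password optional` line added in the hunk at `# Password management.`, where a successful earlier `sufficient` entry would leave the keyring password out of sync with the login password.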
@@ -98,6 +103,8 @@ let
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so
use_first_pass"}
${optionalString config.services.samba.syncPasswordsByPam
"password optional
${pkgs.samba}/lib/security/pam_smbpass.so nullok
use_authtok try_first_pass"}
+ ${optionalString unlockGnomeKeyring
+ "password optional
${pkgs.gnome.gnome_keyring}/lib/security/pam_gnome_keyring.so"}
# Session management.
session required pam_unix.so
@@ -111,6 +118,8 @@ let
"session optional pam_xauth.so
xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
${optionalString (limits != [])
"session required ${pkgs.pam}/lib/security/pam_limits.so
conf=${makeLimitsConf limits}"}
+ ${optionalString unlockGnomeKeyring
+ "session optional
${pkgs.gnome.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start"}
'';
target = "pam.d/${name}";
};
diff --git a/modules/services/x11/display-managers/slim.nix
b/modules/services/x11/display-managers/slim.nix
index 97c5f1d..b259acd 100644
--- a/modules/services/x11/display-managers/slim.nix
+++ b/modules/services/x11/display-managers/slim.nix
@@ -115,7 +115,10 @@ in
# Allow null passwords so that the user can login as root on the
# installation CD.
- security.pam.services = [ { name = "slim"; allowNullPassword = true;
} ];
+ security.pam.services = [ { name = "slim";
+ allowNullPassword = true;
+ unlockGnomeKeyring = true;
+ } ];
};
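Review bot: The comment above `security.pam.services` still explains only `allowNullPassword`, while the entry it documents now also enables `unlockGnomeKeyring`. A line such as `# unlockGnomeKeyring adds pam_gnome_keyring to slim's PAM stack so the login keyring is unlocked.` would keep the comment in step with the attribute set. It is also worth stating explicitly whether the null-password root login on the installation CD is meant to pass through the keyring module, since both settings now apply to the same service.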
--
1.8.0.1