nixos/gdm: Fix fingerprint auth rules

We introduced the gdm-fingerprint.pam in 9d41fe6fcc.

We used the [upstream Arch config] as a template, which contains an extended control field that jumps over **one** immediately-following `auth` rule unless `pam_gdm.so` succeeds.

But we decided to not include `pam_gnome_keyring.so` so there was no rule to skip over, resulting in a broken control flow and the PAM module failing with “PAM bad jump in stack”, breaking the fingerprint authentication in GDM.

Let’s actually add `pam_gnome_keyring.so`, like the Arch config does. Because we are creating the PAM file using the `text` option, `security.pam.services.gdm-fingerprint.enableGnomeKeyring` does not do anything so we need to do it manually.

For the case where gnome-keyring is not enabled, we could add a no-op rule like `optional pam_permit.so` after `pam_gdm.so` so that the branching always has something to jump over but it will be simpler to just make the both conditional. There are no further `auth` rules that could benefit from `pam_gdm.so` doing something so it should be fine.

Unlike in Arch, we are not going to invoke `pam_gnome_keyring.so` in a `session` rule since that is already done by the included `login` module.

[upstream Arch config]: 81ee658c11/data/pam-arch/gdm-fingerprint.pam
This commit is contained in:
Jan Tojnar 2024-07-03 15:56:12 +02:00
parent 1cf4155498
commit af0cdb44a0

View File

@ -6,6 +6,7 @@ let
cfg = config.services.xserver.displayManager;
gdm = pkgs.gnome.gdm;
pamCfg = config.security.pam.services;
settingsFormat = pkgs.formats.ini { };
configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;
@ -331,7 +332,10 @@ in
auth requisite pam_faillock.so preauth
auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so
auth required pam_env.so
${lib.optionalString pamCfg.login.enableGnomeKeyring ''
auth [success=ok default=1] ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
auth optional ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
''}
account include login