From 9a4f9e84c4ba79f39c7f5ab4b4d1a099a7496d52 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 24 Feb 2025 15:13:08 +0100
Subject: [PATCH] pam_systemd_home: tweak order in authentication stack
Let's move pam_systemd_home before pam_unix in the authentication hook. Since a while we are exposing shadow entries for homed log entries via NSS. This means that pam_unix now potentially has enough data for authenticating a user on its own, without letting pam_systemd_home do that. This is superficially OK, but also means that authentication will always go via password, even if pkcs11/fido2 is registered. Let's move this around, but be careful about it: let's list the precise errors which we think are enough to terminating further PAM processing, so that pam_unix comes into control in all cases where it's not clear that pam_systemd_home owns the user record. This previously wasn't visible to me, because on Fedora until authselect 1.5.1 (released earleir this year) the NSS shadow stuff was not enabled. This does the same also for the "account" stack, except that the order there already was as we want it. Finally, shorten the account stack, by just requiring pam_unix.so and dropping pam_permit.so, because it doesn't really serve much purpose (and Fedora doesn't use it by default either.)
---
 factory/etc/pam.d/system-auth | 7 +++----
 man/pam_systemd.xml | 7 +++----
 man/pam_systemd_home.xml | 7 +++----
 src/login/systemd-user.in | 5 ++---
 src/run/systemd-run0.in | 2 +-
 test/units/TEST-46-HOMED.sh | 7 +++----
 6 files changed, 15 insertions(+), 20 deletions(-)
diff --git a/factory/etc/pam.d/system-auth b/factory/etc/pam.d/system-auth
index cb4e5703616..60e657eb4b0 100644
--- a/factory/etc/pam.d/system-auth
+++ b/factory/etc/pam.d/system-auth
@@ -3,14 +3,13 @@
 # You really want to adjust this to your local distribution. If you use this
 # unmodified you are not building systems safely and securely.
+-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
 auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
 auth required pam_deny.so
 account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
 -password sufficient pam_systemd_home.so
 password sufficient pam_unix.so sha512 shadow try_first_pass
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
index f240cc755a9..c488e5bec4b 100644
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@@ -476,14 +476,13 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
 systemd-logind.service: #%PAM-1.0
+-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
 auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
 auth required pam_deny.so
 account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
 -password sufficient pam_systemd_home.so
 password sufficient pam_unix.so sha512 shadow try_first_pass
diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml
index ed117cfed22..066a0386555 100644
--- a/man/pam_systemd_home.xml
+++ b/man/pam_systemd_home.xml
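Review bot: The `bad` actions on the new `-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so` line mark the stack as failed but do not stop it — per pam.conf(5) that is what `die` does — so after pam_systemd_home reports e.g. maxtries, `auth sufficient pam_unix.so` still verifies the same user against the NSS-exposed shadow entry and pam_deny.so still runs, which is at odds with the commit message's "enough to terminating further PAM processing". The final status is unaffected (the first `bad` result becomes the stack's status and a later success cannot override it), but the extra pam_unix round is wasted work and, since this pam_unix.so line carries no try_first_pass, may re-prompt for a password depending on whether an authtok was stored; if termination is what is meant, the line should read `-auth [success=done authtok_err=die perm_denied=die maxtries=die default=ignore] pam_systemd_home.so`. Note also that `auth_err` is absent from the list, so a wrong password reported by pam_systemd_home is ignored and decided by pam_unix instead; that matches the message's intent but deserves a comment above the line, e.g. `# pam_systemd_home decides only on the listed errors; anything else (auth_err, user_unknown, authinfo_unavail) is left to pam_unix`. The same lines are repeated in the man/pam_systemd.xml and man/pam_systemd_home.xml hunks of this commit.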
@@ -195,14 +195,13 @@ lennart@zeta$ cp -av /etc/skel ~/Areas/versuch1
 systemd-homed.service to log in: #%PAM-1.0
+ -auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
 auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
 auth required pam_deny.so
 account required pam_nologin.so
--account sufficient pam_systemd_home.so
-account sufficient pam_unix.so
-account required pam_permit.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
+account required pam_unix.so
 -password sufficient pam_systemd_home.so
 password sufficient pam_unix.so sha512 shadow try_first_pass
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 8a3c9e0165f..ce227445017 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -4,10 +4,9 @@
 # Used by systemd --user instances.
 {% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
 {% endif %}
-account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account required pam_unix.so no_pass_expiry
 {% if HAVE_SELINUX %}
 session required pam_selinux.so close
diff --git a/src/run/systemd-run0.in b/src/run/systemd-run0.in
index 11f830b7b08..c628ef237d7 100644
--- a/src/run/systemd-run0.in
+++ b/src/run/systemd-run0.in
@@ -4,7 +4,7 @@
 # Used by run0 sessions
 {% if ENABLE_HOMED %}
--account sufficient pam_systemd_home.so
+-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
 {% endif %}
 account required pam_unix.so
diff --git a/test/units/TEST-46-HOMED.sh b/test/units/TEST-46-HOMED.sh
index 5d9799211e1..78bfefa48d7 100755
--- a/test/units/TEST-46-HOMED.sh
+++ b/test/units/TEST-46-HOMED.sh
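Review bot: In the systemd-user.in hunk the `authtok_expired=bad` mapping on the new pam_systemd_home.so account line turns an expired-password result from pam_systemd_home into a failure of the whole account stack, and the `no_pass_expiry` on the following `account required pam_unix.so no_pass_expiry` line can no longer rescue it, because the first `bad` status becomes the stack's status. With the previous `sufficient` control that code fell under `default=ignore` and pam_unix decided, so a homed user with an expired password could still get a `systemd --user` instance; whether pam_systemd_home's account hook actually returns PAM_AUTHTOK_EXPIRED is not visible here and should be confirmed before relying on this. If the no-expiry intent of this file is to be kept, drop that mapping here, e.g. `-account [success=done new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so`, and add `# password expiry is deliberately not enforced for the user manager` above it. The systemd-run0.in hunk uses the same mapping, but its `account required pam_unix.so` line has no no_pass_expiry, so there it merely brings homed users in line with unix users.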
@@ -576,12 +576,11 @@ if command -v ssh &>/dev/null && command -v sshd &>/dev/null && ! [[ -v ASAN_OPT if [[ -f "$dir/pam.d/sshd" ]]; then mv "$dir/pam.d/sshd" "$dir/pam.d/sshd.bak" cat >"$dir/pam.d/sshd" <