From a6280bde181c72811ab5dd0eb525f112ac72099f Mon Sep 17 00:00:00 2001 From: Aleix Pol Date: Thu, 24 Jun 2021 17:08:10 +0200 Subject: [PATCH] pam: Do not use tally2 if faillock is present From pam 1.4.0 release notes: Deprecated pam_tally and pam_tally2: these modules are no longer built by default and will be removed in the next release, use pam_faillock instead. https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0 Fixes #1313 --- cmake/FindPAM.cmake | 1 + services/CMakeLists.txt | 6 +++++- services/sddm-autologin-tally2.pam | 13 +++++++++++++ services/sddm-autologin.pam | 2 +- 4 files changed, 20 insertions(+), 2 deletions(-) create mode 100755 services/sddm-autologin-tally2.pam diff --git a/cmake/FindPAM.cmake b/cmake/FindPAM.cmake index f209c0b46..a64680bea 100644 --- a/cmake/FindPAM.cmake +++ b/cmake/FindPAM.cmake @@ -13,6 +13,7 @@ endif (PAM_INCLUDE_DIR AND PAM_LIBRARY) find_path(PAM_INCLUDE_DIR NAMES security/pam_appl.h pam/pam_appl.h) find_library(PAM_LIBRARY pam) find_library(DL_LIBRARY dl) +find_library(HAVE_PAM_FAILLOCK NAME pam_faillock.so PATH_SUFFIXES security) if (PAM_INCLUDE_DIR AND PAM_LIBRARY) set(PAM_FOUND TRUE) diff --git a/services/CMakeLists.txt b/services/CMakeLists.txt index fbf760895..6e4fa0f93 100644 --- a/services/CMakeLists.txt +++ b/services/CMakeLists.txt @@ -10,6 +10,10 @@ else() endif() configure_file("${CMAKE_CURRENT_SOURCE_DIR}/sddm-greeter.pam.in" "${CMAKE_CURRENT_BINARY_DIR}/sddm-greeter.pam") +if(HAVE_PAM_FAILLOCK) + install(FILES sddm-autologin.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-autologin) +else() + install(FILES sddm-autologin-tally2.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-autologin) +endif() install(FILES sddm.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm) -install(FILES sddm-autologin.pam DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-autologin) install(FILES "${CMAKE_CURRENT_BINARY_DIR}/sddm-greeter.pam" DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/pam.d RENAME sddm-greeter) diff --git a/services/sddm-autologin-tally2.pam b/services/sddm-autologin-tally2.pam new file mode 100755 index 000000000..99729bc9b --- /dev/null +++ b/services/sddm-autologin-tally2.pam @@ -0,0 +1,13 @@ +#%PAM-1.0 +auth required pam_env.so +auth required pam_tally2.so file=/var/log/tallylog onerr=succeed +auth required pam_shells.so +auth required pam_nologin.so +auth required pam_permit.so +-auth optional pam_gnome_keyring.so +-auth optional pam_kwallet5.so +account include system-local-login +password include system-local-login +session include system-local-login +-session optional pam_gnome_keyring.so auto_start +-session optional pam_kwallet5.so auto_start diff --git a/services/sddm-autologin.pam b/services/sddm-autologin.pam index 99729bc9b..b42991e38 100755 --- a/services/sddm-autologin.pam +++ b/services/sddm-autologin.pam @@ -1,6 +1,6 @@ #%PAM-1.0 auth required pam_env.so -auth required pam_tally2.so file=/var/log/tallylog onerr=succeed +auth required pam_faillock.so preauth auth required pam_shells.so auth required pam_nologin.so auth required pam_permit.so