SDDM: updated PAM configs allow root login

author: Eric Hameleers <alien@slackware.com> 2020-05-26 13:25:55 +0200
committer: Eric Hameleers <alien@slackware.com> 2020-05-26 13:25:55 +0200
commit: 3c5eca74e04fad95927a07e13eec0744f407584d (patch)
tree: 4361c2ee886009ce369363cea0d3d54949f4eae8
parent: 7db7710238ce4440d28d09ec56eea8122c77a37f (diff)
download: ktown-3c5eca74e04fad95927a07e13eec0744f407584d.tar.gz
ktown-3c5eca74e04fad95927a07e13eec0744f407584d.tar.xz
3 files changed, 50 insertions, 31 deletions
diff --git a/kde/post-install/sddm-qt5/pam.d/sddm b/kde/post-install/sddm-qt5/pam.d/sddm
index bb435ce..f0b2345 100644
--- a/kde/post-install/sddm-qt5/pam.d/sddm
+++ b/kde/post-install/sddm-qt5/pam.d/sddm
@@ -1,16 +1,25 @@
 #%PAM-1.0
 
-auth		substack	login
--auth		optional	pam_gnome_keyring.so
--auth		optional	pam_kwallet5.so
+auth       substack     system-auth
 
-account		include		login
+# Uncomment this line to restrict login to users with a UID greater
+# than 999 (in other words, don't allow login for root):
+#auth       required     pam_succeed_if.so        uid >= 1000 quiet
 
-password	substack	login
--password	optional	pam_gnome_keyring.so use_authtok
--password	optional	pam_kwallet5.so use_authtok
+-auth      optional     pam_gnome_keyring.so
+-auth      optional     pam_kwallet5.so
+auth       include      postlogin
 
-session		optional	pam_keyinit.so force revoke
-session		substack	login
--session	optional	pam_gnome_keyring.so auto_start
--session	optional	pam_kwallet5.so auto_start
+account    include      system-auth
+
+password   substack     system-auth
+-password  optional     pam_gnome_keyring.so     use_authtok
+-password  optional     pam_kwallet5.so          use_authtok
+
+session    optional     pam_keyinit.so           force revoke
+session    substack     system-auth
+session    required     pam_loginuid.so
+session    optional     pam_ck_connector.so      nox11
+-session   optional     pam_gnome_keyring.so     auto_start
+-session   optional     pam_kwallet5.so          auto_start
+session    include      postlogin
diff --git a/kde/post-install/sddm-qt5/pam.d/sddm-autologin b/kde/post-install/sddm-qt5/pam.d/sddm-autologin
index fe410bb..fd926ef 100644
--- a/kde/post-install/sddm-qt5/pam.d/sddm-autologin
+++ b/kde/post-install/sddm-qt5/pam.d/sddm-autologin
@@ -1,14 +1,24 @@
 #%PAM-1.0
-auth		required	pam_env.so
-auth		include		system-auth
-auth		include		postlogin
--auth		optional	pam_gnome_keyring.so
--auth		optional	pam_kwallet5.so
-account		include		system-auth
-password	include		system-auth
-session		include		system-auth
-session		required	pam_loginuid.so
-session		optional	pam_ck_connector.so nox11
-session		include		postlogin
--session	optional	pam_gnome_keyring.so auto_start
--session	optional	pam_kwallet5.so auto_start
+auth       requisite    pam_nologin.so
+auth       required     pam_env.so
+auth       required     pam_shells.so
+
+# Uncomment this line to restrict autologin to users with a UID greater
+# than 999 (in other words, don't allow autologin for root):
+#auth       required     pam_succeed_if.so        uid >= 1000 quiet
+
+auth       required     pam_permit.so
+-auth      optional     pam_gnome_keyring.so
+-auth      optional     pam_kwallet5.so
+
+account    include      system-auth
+
+password   include      system-auth
+
+session    substack     system-auth
+session    required     pam_loginuid.so
+session    optional     pam_ck_connector.so      nox11
+-session   optional     pam_gnome_keyring.so     auto_start
+-session   optional     pam_kwallet5.so          auto_start
+session    include      postlogin
+
diff --git a/kde/post-install/sddm-qt5/pam.d/sddm-greeter b/kde/post-install/sddm-qt5/pam.d/sddm-greeter
index 7c77b68..c7bd8a3 100644
--- a/kde/post-install/sddm-qt5/pam.d/sddm-greeter
+++ b/kde/post-install/sddm-qt5/pam.d/sddm-greeter
@@ -1,18 +1,18 @@
 #%PAM-1.0
 
 # Load environment from /etc/environment and ~/.pam_environment
-auth		required pam_env.so
+auth       required     pam_env.so
 
 # Always let the greeter start without authentication
-auth		required pam_permit.so
+auth       required     pam_permit.so
 
 # No action required for account management
-account		required pam_permit.so
+account    required     pam_permit.so
 
 # Can't change password
-password	required pam_deny.so
+password   required     pam_deny.so
 
 # Setup session
-session		required pam_unix.so
-session		optional pam_systemd.so
-session		optional pam_elogind.so
+session    required     pam_unix.so
+-session   optional     pam_systemd.so
+-session   optional     pam_elogind.so
author	Eric Hameleers <alien@slackware.com>	2020-05-26 13:25:55 +0200
committer	Eric Hameleers <alien@slackware.com>	2020-05-26 13:25:55 +0200
commit	3c5eca74e04fad95927a07e13eec0744f407584d (patch)
tree	4361c2ee886009ce369363cea0d3d54949f4eae8
parent	7db7710238ce4440d28d09ec56eea8122c77a37f (diff)
download	ktown-3c5eca74e04fad95927a07e13eec0744f407584d.tar.gz ktown-3c5eca74e04fad95927a07e13eec0744f407584d.tar.xz