Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pam: add support for pam_gnupg #97726

Merged
merged 1 commit into from Oct 26, 2020
Merged

pam: add support for pam_gnupg #97726

merged 1 commit into from Oct 26, 2020

Conversation

@NickHu
Copy link
Contributor

@NickHu NickHu commented Sep 11, 2020

Motivation for this change

Adds support for pam-gnupg to the pam
module. This PR depends on #78143.

How I'm using this

In configuration.nix:

  security = {
    pam = {
      services =
        let defaults = {
              gnupg = {
                enable = true;
                noAutostart = true;
                storeOnly = true;
              };
            };
        in {
          login = defaults;
          i3lock = defaults;
          i3lock-color = defaults;
        };
    };
  };

(The interface for the pam module is pretty rough, but at least this PR
doesn't make things worse).

In home.nix:

    home.file.".pam-gnupg".text = ''
      <keygrips go here>
    '';
    services.gpg-agent = {
      enable = true;
      enableSshSupport = true;
      extraConfig = ''
        allow-preset-passphrase
      '';
      maxCacheTtl = 168000; # preset passphrase from pam-gnupg expires after max-cache-ttl
      maxCacheTtlSsh = 168000;
    };
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Sep 23, 2020

  security = {
    pam = {
      services =
        let defaults = {
              gnupg = {
                enable = true;
                noAutostart = true;
                storeOnly = true;
              };
            };
        in {
          login = defaults;
          i3lock = defaults;
          i3lock-color = defaults;
        };
    };
  };

Why do you need to copy the defaults to each of login, i3lock, and i3lock-color? What's the effect of this?

@zowoq zowoq removed their request for review Sep 23, 2020
@NickHu
Copy link
Contributor Author

@NickHu NickHu commented Sep 23, 2020

It adds the corresponding lines to /etc/pam.d/{login,i3lock,i3lock-color}:

# Authentication management.
...
auth optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so store-only
...
# Session management.
...
session optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so no-autostart

(actually, it seems on my system i3lock-color is a symlink to i3lock); the pam module itself is quite confusing, which is what I meant by the interface is quite rough…

It absolutely needs to go into /etc/pam.d/login, because the whole point is your login password gets forwarded to gpg-agent. It's in /etc/pam.d/i3lock for a similar reason; the idea being that when i3lock starts it can flush your password from gpg-agent, and when you unlock it can forward your password again.

nixos/modules/security/pam.nix Outdated Show resolved Hide resolved
nixos/modules/security/pam.nix Outdated Show resolved Hide resolved
@NickHu NickHu requested a review from doronbehar Oct 12, 2020
@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Oct 13, 2020

Hmm, I couldn't get this work for me :/. I used your configuration except the i3login stuff and manually edited my ~/.gpg-agent.conf:

pinentry-program /home/doron/.bin/pinentry

allow-loopback-pinentry

enable-ssh-support
# no-allow-external-cache
max-cache-ttl = 168000
allow-preset-passphrase

default-cache-ttl 7200

I "enable" gpg-agent via:

    programs.gnupg = {
      agent = {
        enable = true;
        enableBrowserSocket = true;
        enableExtraSocket = true;
        pinentryFlavor = null;
        enableSSHSupport = false;
      };
      dirmngr.enable = true;
    };

I'm using Gnome & GDM.

@NickHu
Copy link
Contributor Author

@NickHu NickHu commented Oct 13, 2020

Can you confirm that you have something like:

❯ cat /etc/pam.d/login | grep gnupg                                                                                    
auth optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so store-only
session optional /nix/store/qs5in5w7b0naw831qbwh9gn6x33iqwpi-pam_gnupg-0.1/lib/security/pam_gnupg.so no-autostart

Also, have you made sure that your login password and your GPG password are the same?

@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Oct 14, 2020

Can you confirm that you have something like:

Yes.

Also, have you made sure that your login password and your GPG password are the same?

That wasn't the case when I wrote my previous comment, but even now that it is, it's not working. What I expect to work is the gpg-agent to have a "password cached" (Using gpg --decrypt after login, I expect it to not ask me for a password (considering also the modifications to gpg-agent.conf). I also couldn't find any mentions of pam_gnupg.so in journalctl --boot | grep pam:

Oct 14 12:17:53 ZENIX systemd[1126]: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
Oct 14 12:18:15 ZENIX gdm-password][1731]: gkr-pam: unable to locate daemon control file
Oct 14 12:18:15 ZENIX gdm-password][1731]: gkr-pam: stashed password to try later in open session
Oct 14 12:18:15 ZENIX gdm-password][1731]: pam_unix(gdm-password:session): session opened for user doron by (uid=0)
Oct 14 12:18:15 ZENIX systemd[1737]: pam_unix(systemd-user:session): session opened for user doron by (uid=0)
Oct 14 12:18:15 ZENIX gdm-password][1731]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring

Gnome keyring is failing there is due to the fact my login gnome keyring store uses my old login password.

@NickHu
Copy link
Contributor Author

@NickHu NickHu commented Oct 14, 2020

Did you also add your keygrip to ~/.pam_gnupg?

@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Oct 14, 2020

I thought it's ~/.pam-gnupg - as in your home.nix. Switching to it didn't help, I also added the defaults to systemd-user as well as it seems maybe gdm is using it? Don't know.

Here is the output of gpg -K --with-grip:

/home/doron/.gnupg/pubring.kbx
------------------------------
sec   dsa3072 2019-02-09 [SC]
      988D757E0D84771930E7047EBB1D362238FABF47
      Keygrip = 482908DDD3EAA1CDFD23DDE619D5DA390CF9DD3F
uid           [ unknown] Doron Behar (Password encryptions) <me@doronbehar.com>
ssb   elg3072 2019-02-09 [E]
      Keygrip = A85E4FC6C29CD42DB9DACBB14871FBABAAC9BC95

And:

$ cat ~/.pam_gnupg
A85E4FC6C29CD42DB9DACBB14871FBABAAC9BC95

@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Oct 14, 2020

I chose the subkey because when I gpg --decrypt:

┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key:  │
│ "Doron Behar (Password encryptions) <me@doronbehar.com>"       │
│ 3072-bit ELG key, ID 16EB537E47DAEB9D,                         │
│ created 2019-02-09 (main key ID BB1D362238FABF47).             │
│                                                                │
│                                                                │
│ Passphrase: __________________________________________________ │
│                                                                │
│         <OK>                                    <Cancel>       │
└────────────────────────────────────────────────────────────────┘

@NickHu
Copy link
Contributor Author

@NickHu NickHu commented Oct 14, 2020

Sorry, I meant ~/.pam-gnupg; I don't get anything in the journal about this pam module either, but it's definitely working for me.

Do you have $GNUPGHOME set, i.e. is your GPG stuff somewhere other than ~/.gnupg? If so, you'll need to set it in ~/.pam_environment like it says here

You mentioned ~/.gpg-agent.conf but for me (and by default) this file is located at ~/.gnupg/gpg-agent.conf

@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Oct 14, 2020

You mentioned ~/.gpg-agent.conf but for me (and by default) this file is located at ~/.gnupg/gpg-agent.conf

That's my mistake. I am using ~/.gnupg/gpg-agent.conf.

Do you have $GNUPGHOME set, i.e. is your GPG stuff somewhere other than ~/.gnupg? If so, you'll need to set it in ~/.pam_environment like it says here

No. Regular ~/.gnupg.

Sorry, I meant ~/.pam-gnupg; I don't get anything in the journal about this pam module either, but it's definitely working for me.

Using ~/.pam-gnupg now. Tried the subkey and the main key keygrips both. Tried using noAutoStart = false;, and storeOnly = false; and it didn't help. I suspect it's an issue with gdm..

That's as far as I can help. Sorry.

@nixos-discourse
Copy link

@nixos-discourse nixos-discourse commented Oct 14, 2020

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/338

@NickHu
Copy link
Contributor Author

@NickHu NickHu commented Oct 26, 2020

I'm just going to merge this seeing as it works for me. It faithfully implements the instructions here, and I'm not sure what more you could ask for in a NixOS module. We could always reopen this if it's not working for someone else. For what it's worth, I'm using lightDM in its default configuration.

@NickHu NickHu merged commit 921287e into NixOS:master Oct 26, 2020
19 checks passed
@doronbehar
Copy link
Contributor

@doronbehar doronbehar commented Oct 26, 2020

BTW a few days ago I noticed my gpg agent doesn't cache passwords at all, something GNome related... So probably it was my fault back then it didn't work.

@jlesquembre
Copy link
Contributor

@jlesquembre jlesquembre commented Feb 8, 2021

@NickHu thanks for this PR, for me works :)

@doronbehar to make it work with gdm, use pam.serivices.gdm, looks like login is not enough, you can take a look to my dotfiles:
https://github.com/jlesquembre/dotfiles/blob/faece9e9b65c947ca9c676f2d60b9906281661f2/modules/common-configuration.nix#L364-L379
Not sure if relevant, but notice that I manage the gpg-agent with NixOS, not home-manager (although I use home-manager for the .gnupg files: https://github.com/jlesquembre/dotfiles/blob/faece9e9b65c947ca9c676f2d60b9906281661f2/home-manager/common.nix#L201-L215 )

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants