Merge pull request #15735 from poettering/pam-snippet-update

Slightly update our shipped and suggested PAM snippets, so that pam_systemd_home.so is more likely to just work
systemd · May 6, 2020 · 96249bf · 96249bf
2 parents a06df2a + 4ad5bf7
commit 96249bf
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 18 deletions.
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
@@ -308,19 +308,24 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
     <filename>systemd-logind.service</filename>:</para>
 
     <programlisting>#%PAM-1.0
-auth     sufficient pam_unix.so
-auth     required   pam_deny.so
-
-account  required   pam_nologin.so
-account  sufficient pam_unix.so
-account  required   pam_permit.so
-
-password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
-password required   pam_deny.so
-
--session optional   pam_loginuid.so
--session optional   pam_systemd.so
-session  required   pam_unix.so</programlisting>
+auth      sufficient pam_unix.so
+-auth     sufficient pam_systemd_home.so
+auth      required   pam_deny.so
+
+account   required   pam_nologin.so
+-account  sufficient pam_systemd_home.so
+account   sufficient pam_unix.so
+account   required   pam_permit.so
+
+-password sufficient pam_systemd_home.so
+password  sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
+password  required   pam_deny.so
+
+-session  optional   pam_keyinit.so revoke
+-session  optional   pam_loginuid.so
+-session  optional   pam_systemd_home.so
+<command>-session  optional   pam_systemd.so</command>
+session   required   pam_unix.so</programlisting>
   </refsect1>
 
   <refsect1>

diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml
@@ -116,21 +116,21 @@
 
     <programlisting>#%PAM-1.0
 auth      sufficient pam_unix.so
--auth     sufficient pam_systemd_home.so
+<command>-auth     sufficient pam_systemd_home.so</command>
 auth      required   pam_deny.so
 
 account   required   pam_nologin.so
--account  sufficient pam_systemd_home.so
+<command>-account  sufficient pam_systemd_home.so</command>
 account   sufficient pam_unix.so
 account   required   pam_permit.so
 
--password sufficient pam_systemd_home.so
+<command>-password sufficient pam_systemd_home.so</command>
 password  sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
 password  required   pam_deny.so
 
 -session  optional   pam_keyinit.so revoke
 -session  optional   pam_loginuid.so
--session  optional   pam_systemd_home.so
+<command>-session  optional   pam_systemd_home.so</command>
 -session  optional   pam_systemd.so
 session   required   pam_unix.so</programlisting>
   </refsect1>

diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
@@ -2,11 +2,19 @@
 #
 # Used by systemd --user instances.
 
-account required pam_unix.so
+m4_ifdef(`ENABLE_HOMED',
+-account sufficient pam_systemd_home.so
+)m4_dnl
+account sufficient pam_unix.so
+account required pam_permit.so
+
 m4_ifdef(`HAVE_SELINUX',
 session required pam_selinux.so close
 session required pam_selinux.so nottys open
 )m4_dnl
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
+m4_ifdef(`ENABLE_HOMED',
+-session optional pam_systemd_home.so
+)m4_dnl
 session optional pam_systemd.so