Open bennofs opened 8 years ago
This problem just came up while I was looking into implementing auto-login for lightdm, where I needed to copy relevant pam services from sddm.
I would like to support this proposal.
Some open questions:
submodule
/include
or makePAMmodule
with modifications?These questions affect a possible implementation. Ideally, the choice of DM, DE and specific PAM modules should be completely decoupled. E.g. if a I wanted to use secret-tool
on the Linux console (Alt+F?) to access my GNOME keyring passwords, this should still work without having to use GDM.
Ping @bennofs @FRidh
Are there any updates to this issue, please?
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
1. Search for maintainers and people that previously touched the related code and @ mention them in a comment. 2. Ask on the [NixOS Discourse](https://discourse.nixos.org/). 3. Ask on the #nixos channel on [irc.freenode.net](https://freenode.net).
Still important to me
2 years later and it's still important to me as well..
Problem
The current state of PAM configuration in NixOS requires a lot of duplication. Each display manager module contains its own
<name of display manager>
pam service for controlling login, which is a lot of duplication. For example,pam.services.lightdm
is the same aspam.services.sddm
.Because of that, if you want to change the PAM configuration for login, you have to do so depending on which display manager is enabled, which is inconvenient for our users. Setting the rules for how to login should not depend on which particular display manager is used.
Ideas for solution
I propose that we try to factor out the common PAM configuration options, and provide a "default" common-auth (name up to debate) pam service or similar that can then be
include
'd by other PAM services, such as graphical or nongraphical display managers. This is also the solution that other distributions, such as Debian, have adopted.Comments?
I have posted this as an issue instead of a PR because I have not put much thought into how to separate the PAM services yet. For example, should we have a
common-auth-autologin
service as well? What are your thoughts for which common PAM services we need? I volunteer to implement this after the details are fleshed out.