bennofs
commented
8 years ago This problem just came up while I was looking into implementing auto-login for lightdm, where I needed to copy relevant pam services from sddm.
Open bennofs opened 8 years ago
bennofs
commented
8 years ago This problem just came up while I was looking into implementing auto-login for lightdm, where I needed to copy relevant pam services from sddm.
outergod
commented
7 years ago I would like to support this proposal.
Some open questions:
submodule/include or makePAMmodule with modifications?These questions affect a possible implementation. Ideally, the choice of DM, DE and specific PAM modules should be completely decoupled. E.g. if a I wanted to use secret-tool on the Linux console (Alt+F?) to access my GNOME keyring passwords, this should still work without having to use GDM.
outergod
commented
7 years ago Ping @bennofs @FRidh
mmahut
commented
4 years ago Are there any updates to this issue, please?
stale[bot]
commented
4 years ago Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
hacker1024
commented
2 years ago Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
1. Search for maintainers and people that previously touched the related code and @ mention them in a comment. 2. Ask on the [NixOS Discourse](https://discourse.nixos.org/). 3. Ask on the #nixos channel on [irc.freenode.net](https://freenode.net).
Still important to me
InfoSec812
commented
4 months ago 2 years later and it's still important to me as well..
Problem
The current state of PAM configuration in NixOS requires a lot of duplication. Each display manager module contains its own
<name of display manager>pam service for controlling login, which is a lot of duplication. For example,pam.services.lightdmis the same aspam.services.sddm.Because of that, if you want to change the PAM configuration for login, you have to do so depending on which display manager is enabled, which is inconvenient for our users. Setting the rules for how to login should not depend on which particular display manager is used.
Ideas for solution
I propose that we try to factor out the common PAM configuration options, and provide a "default" common-auth (name up to debate) pam service or similar that can then be
include'd by other PAM services, such as graphical or nongraphical display managers. This is also the solution that other distributions, such as Debian, have adopted.Comments?
I have posted this as an issue instead of a PR because I have not put much thought into how to separate the PAM services yet. For example, should we have a
common-auth-autologinservice as well? What are your thoughts for which common PAM services we need? I volunteer to implement this after the details are fleshed out.