mirror of https://github.com/systemd/systemd.git synced 2025-08-08 01:49:54 +03:00

pam_systemd_home: tweak order in authentication stack

Let's move pam_systemd_home before pam_unix in the authentication hook.

For a while now we have been exposing shadow entries for homed log entries via
NSS. This means that pam_unix now potentially has enough data for
authenticating a user on its own, without letting pam_systemd_home do
that. This is superficially OK, but also means that authentication will
always go via password, even if pkcs11/fido2 is registered.

Let's move this around, but be careful about it: let's list the precise
errors which we think are enough to terminate further PAM processing,
so that pam_unix comes into control in all cases where it's not clear
that pam_systemd_home owns the user record.

This previously wasn't visible to me, because on Fedora until authselect
1.5.1 (released earlier this year) the NSS shadow stuff was not enabled.

This does the same also for the "account" stack, except that the order
there already was as we want it.

Finally, shorten the account stack, by just requiring pam_unix.so and
dropping pam_permit.so, because it doesn't really serve much purpose
(and Fedora doesn't use it by default either.)
Lennart Poettering
2025-02-24 15:13:08 +01:00
parent 5856e869bb
commit 9a4f9e84c4
6 changed files with 15 additions and 20 deletions
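The commit message relies on how libpam walks a stack: `sufficient` is `[success=done default=ignore]`, `required` is `[default=bad]`, a `bad` result fixes the outcome but lets later modules run, and `done` only short-circuits while nothing before it has failed. The following model makes that concrete for the old and new auth stacks. It is an added example, not code from systemd or Linux-PAM; `OLD_STACK` and `NEW_STACK` are copied from the diff, while the three module stubs are constructed and only imitate the return codes relevant here (the `pam_unix.so` stub assumes the shadow hash is visible via NSS, as the commit message describes, so it can succeed for homed users too).

```python
"""Model of how Linux-PAM walks an 'auth' stack, used to show what this
commit's reordering changes.  Added example: not code from systemd or
Linux-PAM.  The three module stubs are constructed and only mimic the return
codes relevant here; they are not pam_unix, pam_systemd_home or pam_deny."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Shorthand controls expanded to their bracketed form, as in pam.conf(5).
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# The auth stack before and after this commit (copied from the diff).
OLD_STACK = """
auth sufficient pam_unix.so
-auth sufficient pam_systemd_home.so
auth required pam_deny.so
"""
NEW_STACK = """
-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
auth required pam_deny.so
"""


@dataclass
class Entry:
    control: Dict[str, str]   # return code -> action (ok, done, bad, die, ignore)
    module: str


def parse_stack(text: str, group: str = "auth") -> List[Entry]:
    """Parse pam.d-style lines, keeping those of one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):        # PAM: don't log if the module is missing
            line = line[1:]
        grp, rest = line.split(None, 1)
        if grp != group:
            continue
        if rest.startswith("["):
            control, module = rest.split("]", 1)
            control += "]"
        else:
            control, module = rest.split(None, 1)
        control = SHORTHAND.get(control, control)
        table = dict(kv.split("=", 1) for kv in control.strip("[]").split())
        entries.append(Entry(table, module.split()[0]))
    return entries


def run_stack(stack: List[Entry], modules: Dict[str, Callable[[], str]]) -> Tuple[str, List[str]]:
    """Evaluate the stack the way libpam's dispatcher does: the first 'bad'
    fixes the outcome, 'done' short-circuits only while no failure was seen,
    'ignore' leaves the outcome untouched."""
    impression = None            # None: nothing decided yet, True: positive, False: negative
    status = "perm_denied"
    trace = []
    for e in stack:
        retval = modules[e.module]()
        action = e.control.get(retval, e.control.get("default", "bad"))
        trace.append(f"{e.module}={retval}->{action}")
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    if impression is None:       # no module decided anything: deny
        status = "perm_denied"
    return status, trace


def scenario(stack_text: str, *, homed_user: bool, password_ok: bool,
             homed_result: str) -> Tuple[str, List[str]]:
    """Constructed stubs: pam_unix checks the password against the shadow entry
    that NSS exposes (so it can succeed for homed users too); pam_systemd_home
    answers 'homed_result' for its own users and user_unknown for everyone else."""
    modules = {
        "pam_unix.so": lambda: "success" if password_ok else "auth_err",
        "pam_systemd_home.so": lambda: homed_result if homed_user else "user_unknown",
        "pam_deny.so": lambda: "auth_err",
    }
    return run_stack(parse_stack(stack_text), modules)


if __name__ == "__main__":
    for name, stack in (("old", OLD_STACK), ("new", NEW_STACK)):
        # A homed user whose record is locked out (maxtries) but whose password
        # hash is visible to pam_unix: the old order lets pam_unix grant access.
        print(name, scenario(stack, homed_user=True, password_ok=True, homed_result="maxtries"))
```

Two runs are worth comparing: with the old order a homed user always ends at `pam_unix.so=success->done` and pam_systemd_home never runs, even when homed would have answered `maxtries`; with the new order `maxtries=bad` fixes the verdict before pam_unix runs, while `user_unknown` falls into `default=ignore` and hands the decision to pam_unix exactly as the commit message intends.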

View File

@ -3,14 +3,13 @@
# You really want to adjust this to your local distribution. If you use this
# unmodified you are not building systems safely and securely.
-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
-auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so
account required pam_permit.so
-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
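Review bot: `auth_err` is missing from the control list on the new first line, so a homed user whose password pam_systemd_home rejects falls into `default=ignore` and reaches `auth sufficient pam_unix.so`, which, with the shadow entries now exposed via NSS per the commit message, gets a second chance to verify the same password outside homed's own bookkeeping. If that fallback is intended, say so in the commit message; if homed's verdict on a user it owns should be final, add `auth_err=bad` next to `maxtries=bad`. Note also that `bad` does not stop the walk, so pam_unix still executes after a `maxtries`/`perm_denied` result; it just cannot flip the outcome.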

View File

@ -476,14 +476,13 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
<filename>systemd-logind.service</filename>:</para>
<programlisting>#%PAM-1.0
-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so
-auth sufficient pam_systemd_home.so
auth required pam_deny.so
account required pam_nologin.so
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so
account required pam_permit.so
-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
account required pam_unix.so
-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass
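Review bot: the man page example changes to the bracketed control without a word on why, and readers copy this block into their own pam.d. One sentence after the `<programlisting>` would avoid cargo-culting it: pam_systemd_home decides only for users it manages (`success=done`, and the listed hard errors as `bad`), every other result is ignored so that pam_unix decides, and the leading `-` keeps PAM quiet if the module is not installed.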

View File

@ -195,14 +195,13 @@ lennart@zeta$ cp -av /etc/skel ~/Areas/versuch1</programlisting>
<filename>systemd-homed.service</filename> to log in:</para>
<programlisting>#%PAM-1.0
<command>-auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so</command>
auth sufficient pam_unix.so
<command>-auth sufficient pam_systemd_home.so</command>
auth required pam_deny.so
account required pam_nologin.so
<command>-account sufficient pam_systemd_home.so</command>
account sufficient pam_unix.so
account required pam_permit.so
<command>-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so</command>
account required pam_unix.so
<command>-password sufficient pam_systemd_home.so</command>
password sufficient pam_unix.so sha512 shadow try_first_pass
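Review bot: this copy of the stack now matches the pam_systemd example line for line, but both are maintained by hand and only the pam_systemd_home lines are wrapped in `<command>`, so the leading `-` of `<command>-auth [...]` renders as part of the command text. Consider pointing one man page at the other instead of carrying two copies, or at least add the same explanatory sentence to both so they cannot drift apart silently.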

View File

@ -4,10 +4,9 @@
# Used by systemd --user instances.
{% if ENABLE_HOMED %}
-account sufficient pam_systemd_home.so
-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
account required pam_permit.so
account required pam_unix.so no_pass_expiry
{% if HAVE_SELINUX %}
session required pam_selinux.so close
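Review bot: replacing `account sufficient pam_unix.so no_pass_expiry` plus `account required pam_permit.so` with `account required pam_unix.so no_pass_expiry` is a behaviour change, not just a shortening: previously any non-success from pam_unix's account check was masked by pam_permit, now it fails the `systemd --user` account stack (a user pam_unix cannot look up no longer gets a user instance). The commit message only says pam_permit "doesn't really serve much purpose"; call the tightening out explicitly there and in NEWS.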

View File

@ -4,7 +4,7 @@
# Used by run0 sessions
{% if ENABLE_HOMED %}
-account sufficient pam_systemd_home.so
-account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
{% endif %}
account required pam_unix.so

View File

@ -576,12 +576,11 @@ if command -v ssh &>/dev/null && command -v sshd &>/dev/null && ! [[ -v ASAN_OPT
if [[ -f "$dir/pam.d/sshd" ]]; then
mv "$dir/pam.d/sshd" "$dir/pam.d/sshd.bak"
cat >"$dir/pam.d/sshd" <<EOF
auth [success=done authtok_err=bad perm_denied=bad maxtries=bad default=ignore] pam_systemd_home.so
auth sufficient pam_unix.so nullok
auth sufficient pam_systemd_home.so debug
auth required pam_deny.so
account sufficient pam_systemd_home.so debug
account sufficient pam_unix.so
account required pam_permit.so
account [success=done authtok_expired=bad new_authtok_reqd=bad maxtries=bad acct_expired=bad default=ignore] pam_systemd_home.so
account required pam_unix.so
session optional pam_systemd_home.so debug
session optional pam_systemd.so
session required pam_unix.so
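Review bot: the new `auth [...] pam_systemd_home.so` and `account [...] pam_systemd_home.so` lines drop the `debug` option that the replaced `auth sufficient pam_systemd_home.so debug` and `account sufficient pam_systemd_home.so debug` lines carried, while `session optional pam_systemd_home.so debug` keeps it. Since this is the sshd config the integration test logs in through, keep `debug` on the new lines so a failing auth or account step still shows up in the journal.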