mirror of
https://github.com/systemd/systemd.git
synced 2025-03-28 02:50:16 +03:00
9a4f9e84c4
Let's move pam_systemd_home before pam_unix in the authentication hook. Since a while we are exposing shadow entries for homed log entries via NSS. This means that pam_unix now potentially has enough data for authenticating a user on its own, without letting pam_systemd_home do that. This is superficially OK, but also means that authentication will always go via password, even if pkcs11/fido2 is registered. Let's move this around, but be careful about it: let's list the precise errors which we think are enough to terminating further PAM processing, so that pam_unix comes into control in all cases where it's not clear that pam_systemd_home owns the user record. This previously wasn't visible to me, because on Fedora until authselect 1.5.1 (released earleir this year) the NSS shadow stuff was not enabled. This does the same also for the "account" stack, except that the order there already was as we want it. Finally, shorten the account stack, by just requiring pam_unix.so and dropping pam_permit.so, because it doesn't really serve much purpose (and Fedora doesn't use it by default either.)