GNU bug report logs - #51785
pam-gnupg


Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Fri, 12 Nov 2021 09:17:01 UTC

Severity: normal

Done: Nicolas Graves <ngraves <at> ngraves.fr>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#51785; Package guix-patches. (Fri, 12 Nov 2021 09:17:01 GMT)

Acknowledgement sent to Nicolas Graves <ngraves <at> ngraves.fr>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 12 Nov 2021 09:17:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: guix-patches <at> gnu.org
Subject: pam-gnupg
Date: Fri, 12 Nov 2021 08:45:09 +0100
Hi!

I'm still discovering / experimenting with guix thanks to the videos of
David Wilson. Sorry if it's not the appropriate place to discuss this.

I'm trying to add pam-gnupg without having a graphical login manager.
I figured out it should really be as simple as the few lines I added in
the attached patch, since the feature has already been implemented for a
few graphical login managers.

It has been done here: https://issues.guix.gnu.org/47364

So I'm trying to test the patch, have downloaded guix source code, added
it in a new branch, updated my channels, used guix shell for setting the
environment, but now I get the following error when I try to pull to
test my version:

guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
'origin/keyring'

The patch is straightforward, might not need much testing, but if
needed, I would be glad to receive some smart advice :)

Thanks in advance, thanks for the outstanding work on Guix!

Nicolas

[0001-Adding-gnupg-to-pam-login-service.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#51785; Package guix-patches. (Fri, 12 Nov 2021 12:53:02 GMT)

Message #8 received at 51785 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 51785 <at> debbugs.gnu.org
Subject: Re: [bug#51785] pam-gnupg
Date: Fri, 12 Nov 2021 13:51:59 +0100
Nicolas,

On 2021-11-12 8:45, Nicolas Graves via Guix-patches via wrote:
> So I'm trying to test the patch, have downloaded guix source code, added
> it in a new branch, updated my channels, used guix shell for setting the
> environment, but now I get the following error when I try to pull to
> test my version:
>
> guix pull: erreur : Erreur Git : cannot locate remote-tracking branch
> 'origin/keyring'

Guix authentication code expects a local 'keyring' branch, similar to 
how you currently have a local 'master' branch tracking the upstream 
'master' branch (which by default is called 'origin/master').

If you haven't changed the default 'origin' name you should be able to 
simply

  $ git checkout origin/keyring # creates local tracking branch as side effect
  $ git checkout master         # to 'switch back'

and be on your merry way.  Replace 'origin/' if you have.

(This is from memory; apologies for possible typos/thinkos.)

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.




Information forwarded to guix-patches <at> gnu.org:
bug#51785; Package guix-patches. (Sat, 13 Nov 2021 22:50:02 GMT)

Message #11 received at 51785 <at> debbugs.gnu.org:

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 51785 <at> debbugs.gnu.org
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: pam-gnupg
Date: Sat, 13 Nov 2021 21:11:58 +0100
Thanks for your answers Josselin and Tobias,

(For the record, I just pinned all the commits from other channels in my
channels.scm and pulled guix with guix pull --allow-downgrades
--disable-authentication)

I finally managed to get the pam module to work but it eventually raised
more questions than expected.

Basically now the module starts well, but my shepherd service gpg-agent
doesn't (I guess because pam starts it, and that shepherd can't take
over). It's fine for the purpose I was installing pam-gnupg for (having
direct access to password-store passwords after login), but hinders the
rest of related activities (e.g. signing commits).

Above this question, I was wondering about the order of pam-modules
startup. A look at the manual pages and the examples for modules show a
clear hierarchy for at least a few modules (pam_unix > pam_loginuid >
pam_elogind > pam_gnupg for instance), which is not respected in guix's
implementation (pam_elogind > pam_loginuid > pam_gnupg > pam_unix).

Although it seems to work, is it normal / purposeful / without
consequences?

If no, as a solution, maybe implementing a hierarchy might help. For
instance, something like:
1) Base modules (pam_unix, pam_env, pam_loginuid)
2) Modules added elsewhere with pam-root-service (pam_elogind, graphical
login managers modules)
3) Other modules (pam_gnupg, pam_motd...)

The last question I have is about the configuration of pam_gnupg. On the
official repo (https://github.com/cruegge/pam-gnupg), it seems that
there is a recommended configuration (e.g. setting the priority as
optional), which is once again not respected in the actual
configuration. I did add the few lines to address this (but is there a
reason why that is not the case?)

I'm willing to help make these changes if useful and on the right track,
but I don't have much experience with guile.

Cheers,

Nicolas


[0001-PATCH-gnu-add-pam-gnupg-to-login-service.patch (text/x-patch, inline)]
From dce83f5aeb2e7468a3d457f3d59c8851ac11a897 Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Sat, 13 Nov 2021 13:11:54 +0100
Subject: [PATCH 1/3] [PATCH] gnu : add pam-gnupg to login service

---
 gnu/services/base.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 50865055fe..b95fd9a4ff 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -16,6 +16,7 @@
 ;;; Copyright © 2021 qblade <qblade <at> protonmail.com>
 ;;; Copyright © 2021 Hui Lu <luhuins <at> 163.com>
 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
+;;; Copyright © 2021 Nicolas Graves <ngraves <at> ngraves.fr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -743,7 +744,9 @@ (define-record-type* <login-configuration>
   ;; Allow empty passwords by default so that first-time users can log in when
   ;; the 'root' account has just been created.
   (allow-empty-passwords? login-configuration-allow-empty-passwords?
-                          (default #t)))               ;Boolean
+                          (default #t)) ;Boolean
+  (gnupg? login-configuration-gnupg?
+          (default #f))) ;Boolean
 
 (define (login-pam-service config)
   "Return the list of PAM service needed for CONF."
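Review bot: the new `gnupg?` field is undocumented. Since enabling it hands the login password to pam_gnupg for the gpg-agent cache, the `login-configuration` entry in the manual should say what the field does and that it defaults to `#f` (opt-in is the right default here). The `(default #t)) ;Boolean` line changes only whitespace; keep the original comment alignment to avoid churn in an unrelated line.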
@@ -753,7 +756,8 @@ (define (login-pam-service config)
                           #:allow-empty-passwords?
                           (login-configuration-allow-empty-passwords? config)
                           #:motd
-                          (login-configuration-motd config))))
+                          (login-configuration-motd config)
+                          #:gnupg? (login-configuration-gnupg? config))))
 
 (define login-service-type
   (service-type (name 'login)
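Review bot: passing `#:gnupg? (login-configuration-gnupg? config)` unconditionally is fine only if `unix-pam-service` accepts the keyword with a default, so that other callers of that procedure are unaffected; the second patch in this series shows the `(if gnupg? ...)` branches in pam.scm, which suggests it does, but that prerequisite belongs in the commit message. While here, the docstring of `login-pam-service` still reads "for CONF" although the parameter is named `config`.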
-- 
2.33.1

[0002-Trying-to-fix-pam-gnupg-configuration.patch (text/x-patch, inline)]
From 525d70b93b6c6b78a3ced92f72e264b4be1ed3de Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Sat, 13 Nov 2021 20:09:02 +0100
Subject: [PATCH 2/3] Trying to fix pam-gnupg configuration.

---
 gnu/system/pam.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index a31daada59..d6d02e59f5 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -235,8 +235,9 @@ (module "pam_unix.so")
                                unix))
                      (if gnupg?
                          (list (pam-entry
-                                (control "required")
-                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
+                                (control "optional")
+                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
+                                (arguments '("store-only"))))
                          '())))
        (password (list (pam-entry
                         (control "required")
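Review bot: switching the auth entry to `optional` with `store-only` is the right shape. pam_gnupg only caches the password for gpg-agent and never authenticates anyone, so `required` gave a non-authenticating module a say over whether the whole auth stack fails; with `optional` a failure in pam_gnupg (agent not available, passphrase mismatch) no longer affects the login decision. The `(module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))` line exceeds 80 columns; break it after `(module`.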
@@ -255,12 +256,13 @@ (module "pam_motd.so")
                                (control "required")
                                (module "pam_loginuid.so")))
                         '())
+                  ,env ,unix
                   ,@(if gnupg?
                         (list (pam-entry
-                               (control "required")
+                               (control "optional")
                                (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))))
                         '())
-                  ,env ,unix))))))
+                  ))))))
 
 (define (rootok-pam-service command)
   "Return a PAM service for COMMAND such that 'root' does not need to
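Review bot: the closing `))))))` left alone on a line of its own after `'())` is not Scheme style; fold the parentheses onto the preceding form, as the removed `,env ,unix))))))` line did. Moving `,env ,unix` ahead of the pam_gnupg session entry changes the order in which the session stack runs (pam_env and pam_unix now precede pam_gnupg), and the commit message should state that this is deliberate and why. Entries that other services add through pam-root-service (the pam_elogind case mentioned in the cover e-mail) are not reordered by this hunk.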
-- 
2.33.1

[0003-Moving-parts-of-pam-configuration-for-better-complia.patch (text/x-patch, inline)]
From 9bb9620620d4e132d0d422bda7a57d2c0dfee28c Mon Sep 17 00:00:00 2001
From: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Sat, 13 Nov 2021 21:48:16 +0100
Subject: [PATCH 3/3] Moving parts of pam configuration for better compliance.

---
 gnu/system/pam.scm | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/gnu/system/pam.scm b/gnu/system/pam.scm
index d6d02e59f5..0f0b09e347 100644
--- a/gnu/system/pam.scm
+++ b/gnu/system/pam.scm
@@ -244,19 +244,19 @@ (module (file-append pam-gnupg "/lib/security/pam_gnupg.so"))
                         (module "pam_unix.so")
                         ;; Store SHA-512 encrypted passwords in /etc/shadow.
                         (arguments '("sha512" "shadow")))))
-       (session `(,@(if motd
+       (session `(,env ,unix
+                  ,@(if login-uid?
+                        (list (pam-entry       ;to fill in /proc/self/loginuid
+                               (control "required")
+                               (module "pam_loginuid.so")))
+                        '())
+                  ,@(if motd
                         (list (pam-entry
                                (control "optional")
                                (module "pam_motd.so")
                                (arguments
                                 (list #~(string-append "motd=" #$motd)))))
                         '())
-                  ,@(if login-uid?
-                        (list (pam-entry       ;to fill in /proc/self/loginuid
-                               (control "required")
-                               (module "pam_loginuid.so")))
-                        '())
-                  ,env ,unix
                   ,@(if gnupg?
                         (list (pam-entry
                                (control "optional")
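Review bot: "for better compliance" in the commit message does not say what is being complied with; name the reference order (pam_unix > pam_loginuid > pam_gnupg, as the cover e-mail gives it) and why pam_motd now runs after pam_loginuid. With pam_loginuid `required` and now placed after pam_unix, a failure to set /proc/self/loginuid still aborts the session, which is the intended strictness for audit. The `,@(if gnupg? ...)` entry that follows stays last in this list, but this hunk alone cannot guarantee that a pam_elogind entry contributed by another service lands between pam_loginuid and pam_gnupg; that ordering is decided wherever the extension lists are merged.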
-- 
2.33.1
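The ordering and control questions raised in the message above can be checked mechanically against a generated pam.d file. This is an added example, not code from the thread or from Guix: it parses pam.d-style lines and reports where pam_gnupg is not `optional`, where the auth entry lacks `store-only`, and where the session stack departs from the pam_unix > pam_loginuid > pam_elogind > pam_gnupg order cited in the message. Both sample configurations and the store path in them are constructed.

```python
import re
# Constructed samples, not from the page (store path is a placeholder). BEFORE mirrors
# the 'required' control and pam_elogind > pam_loginuid > pam_gnupg > pam_unix order the
# e-mail reports; AFTER follows the upstream README stanza and the order the e-mail cites.
BEFORE = """\
auth     required  pam_unix.so
auth     required  /gnu/store/PLACEHOLDER-pam-gnupg/lib/security/pam_gnupg.so
session  required  pam_elogind.so
session  required  pam_loginuid.so
session  required  pam_gnupg.so
session  required  pam_unix.so
"""
AFTER = """\
auth     required  pam_unix.so
auth     optional  pam_gnupg.so store-only
session  required  pam_unix.so
session  required  pam_loginuid.so
session  optional  pam_elogind.so
session  optional  pam_gnupg.so
"""
_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")  # type control module args
SESSION_ORDER = ["pam_unix.so", "pam_loginuid.so", "pam_elogind.so", "pam_gnupg.so"]

def parse_pam(text):
    """Return (type, control, module basename, args) tuples; comments/@include dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = _LINE.fullmatch(line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        kind, control, module, args = m.groups()
        entries.append((kind, control, module.rsplit("/", 1)[-1], tuple(args.split())))
    return entries

def check_gnupg_stack(entries):
    """Return findings; an empty list means the stack has the recommended shape."""
    findings = []
    for kind, control, module, args in entries:
        if module == "pam_gnupg.so":
            if control != "optional":  # pam_gnupg never authenticates, so it must not gate login
                findings.append(f"{kind}: pam_gnupg.so should be 'optional', not '{control}'")
            if kind == "auth" and "store-only" not in args:
                findings.append("auth: pam_gnupg.so should carry 'store-only'")
    session = [module for kind, _, module, _ in entries if kind == "session"]
    positions = [session.index(m) for m in SESSION_ORDER if m in session]
    if positions != sorted(positions):
        findings.append("session: expected " + " > ".join(SESSION_ORDER) + ", got " + " > ".join(session))
    return findings
```

Run `check_gnupg_stack(parse_pam(open("/etc/pam.d/login").read()))` on a reconfigured system to see whether the generated stack matches the shape the patches aim for.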


bug closed, send any further explanations to 51785 <at> debbugs.gnu.org and Nicolas Graves <ngraves <at> ngraves.fr> Request was from Nicolas Graves <ngraves <at> ngraves.fr> to control <at> debbugs.gnu.org. (Sun, 14 Apr 2024 19:38:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 13 May 2024 11:24:13 GMT)
