From 08bc7aeec676b43642942bdc8d86a462cfcc8c13 Mon Sep 17 00:00:00 2001 From: Ivailo Monev Date: Fri, 1 Apr 2022 16:12:41 +0300 Subject: [PATCH] generic: preparations to ditch KDM Signed-off-by: Ivailo Monev --- ConfigureChecks.cmake | 15 ++------------- README.pam | 43 +++++++++++++++++-------------------------- config-unix.h.cmake | 7 ++----- kcheckpass/kcheckpass.c | 2 +- kdm/README | 3 +-- kdm/config.def | 2 +- kscreensaver.pamd | 2 -- 7 files changed, 24 insertions(+), 50 deletions(-) delete mode 100644 kscreensaver.pamd diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake index 95ba56ac..212307ee 100644 --- a/ConfigureChecks.cmake +++ b/ConfigureChecks.cmake @@ -12,19 +12,8 @@ include(CheckSymbolExists) include(CheckLibraryExists) if (PAM_FOUND) - set(KDE4_COMMON_PAM_SERVICE "kde" CACHE STRING "The PAM service to use unless overridden for a particular app.") - - macro(define_pam_service APP) - string(TOUPPER ${APP}_PAM_SERVICE var) - set(cvar KDE4_${var}) - set(${cvar} "${KDE4_COMMON_PAM_SERVICE}" CACHE STRING "The PAM service for ${APP}.") - mark_as_advanced(${cvar}) - set(${var} "\"${${cvar}}\"") - endmacro(define_pam_service) - - define_pam_service(KDM) - define_pam_service(kscreensaver) - + set(KDE4_PAM_SERVICE "kde" CACHE STRING "The PAM service") + mark_as_advanced(KDE4_PAM_SERVICE) endif (PAM_FOUND) find_program(some_x_program NAMES iceauth xrdb xterm) diff --git a/README.pam b/README.pam index 3d8008f5..ebc60ef8 100644 --- a/README.pam +++ b/README.pam @@ -1,6 +1,6 @@ KDE can be configured to support the PAM ("Pluggable Authentication -Modules") system for password checking by the display manager kdm and -by the screen saver kscreensaver (for unlocking the display). +Modules") system for password checking by the screen saver kscreensaver (for +unlocking the display). PAM is a flexible application-transparent configurable user-authentication system found on FreeBSD, Solaris, and Linux (and maybe other unixes). 
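Review bot: The old cache entries `KDE4_COMMON_PAM_SERVICE`, `KDE4_KDM_PAM_SERVICE` and `KDE4_KSCREENSAVER_PAM_SERVICE` are dropped from the `if (PAM_FOUND)` block in ConfigureChecks.cmake without any configure-time notice. A build that still passes one of them, or carries it in an existing CMakeCache.txt, silently authenticates screen unlocks against the `kde` service instead. README.pam warns that a misconfigured service leaves a locked screen impossible to unlock, so a loud configure-time message seems safer than a silent fallback, for example `if(DEFINED KDE4_COMMON_PAM_SERVICE OR DEFINED KDE4_KSCREENSAVER_PAM_SERVICE)` followed by `message(WARNING "KDE4_*_PAM_SERVICE is obsolete, set KDE4_PAM_SERVICE instead")`. The cache docstring `"The PAM service"` could also say who consumes it, e.g. `"PAM service name (file under /etc/pam.d/) used by kcheckpass"`.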
@@ -15,7 +15,7 @@ Known Solaris Issues: For compiling PAM support on Solaris, PAM_MESSAGE_CONST must NOT be defined. This should now be handled automatically by the -configure script. +build system. Using PAM @@ -25,16 +25,13 @@ By default, PAM is automatically used, if it is found. Use -DWITH_PAM=FALSE to disable it. If PAM is found, KDE usually uses the PAM service "kde". You may -override it for all KDE programs by using -DKDE4_COMMON_PAM_SERVICE= -and/or individually by using -D_PAM_SERVICE=, where is -one of KDM and kscreensaver (both use kcheckpass). +override it for all KDE programs by using -DKDE4_PAM_SERVICE=. -Two files are provided but not installed - kde.pamd and kscreensaver.pamd. -The usual location to put these files is /etc/pam.d/. You may want to edit -the definitions in them to meet your needs, on BSD host for example you may -have to substitue "pam_unix.so" with "pam_bsdauth.so". If the services are -misconfigured, you will NOT be able to login via KDM and/or unlock a locked -screen! +One file is provided but not installed - kde.pamd. The usual location to put +that file is /etc/pam.d/. You may want to edit the definitions in them to meet +your needs, on BSD host for example you may have to substitue "pam_unix.so" +with "pam_bsdauth.so". If the services are misconfigured, you will NOT be able +to unlock a locked screen! To verify the configuration you can invoke kcheckpass directly and examine its exit status. If it is not 0 when correct password is entered (if 
@@ -44,30 +41,24 @@ Authorization failure reason should be logged to /var/log/auth.log. If there is ever any doubt about which PAM service a program was compiled with, it can be determined by examining the PAM-generated -entries in the system log associated with kdm logins or kscreensaver +entries in the system log associated with kcheckpass for authentication failures. PAM configuration files have four types of entries for each service: -type used by kdm used by kscreensaver ----- ----------- -------------------- -auth x x -account x -password x -session x +type used by kcheckpass +---- ------------------ +auth x +account x +password x +session x There may be more than one entry of each type. Check existing PAM configuration files and PAM documentation on your system for guidance as to what entries to make. If you call a PAM service that is not configured, the default action of PAM is likely to be denial of service. -Note: kdm implements PAM "session" support, which is not implemented in -certain PAM-aware xdm's that it may be replacing (e.g., the Red Hat -Linux 5.x xdm did not implement it). This may be configured to carry out -actions when a user opens or closes an kdm session, if a suitable PAM -module is available (e.g., mount and unmount user-specific filesystems). - -Note 2: Screensavers typically only authenticate a user to allow him/her +Note: Screensavers typically only authenticate a user to allow him/her to continue working. They may also renew tokens etc., where supported. See the Linux PAM Administrators guide, which is part of the PAM distribution, for more details. diff --git a/config-unix.h.cmake b/config-unix.h.cmake index 5900a0f2..c721db41 100644 --- a/config-unix.h.cmake +++ b/config-unix.h.cmake 
@@ -4,11 +4,8 @@ /* Define if your PAM expects a conversation function with const pam_message (Solaris) */ #cmakedefine PAM_MESSAGE_CONST 1 -/* The PAM service to be used by kdm */ -#cmakedefine KDM_PAM_SERVICE ${KDM_PAM_SERVICE} - -/* The PAM service to be used by kscreensaver */ -#cmakedefine KSCREENSAVER_PAM_SERVICE ${KSCREENSAVER_PAM_SERVICE} +/* The PAM service to be used by kcheckpass */ +#cmakedefine KDE4_PAM_SERVICE "${KDE4_PAM_SERVICE}" /* Defines if your system has the getspnam function */ #cmakedefine HAVE_GETSPNAM 1 diff --git a/kcheckpass/kcheckpass.c b/kcheckpass/kcheckpass.c index e58e711c..23b8c4c0 100644 --- a/kcheckpass/kcheckpass.c +++ b/kcheckpass/kcheckpass.c @@ -314,7 +314,7 @@ int main(int argc, char **argv) { #if defined(HAVE_PAM) - const char *caller = KSCREENSAVER_PAM_SERVICE; + const char *caller = KDE4_PAM_SERVICE; #endif const char *username = 0; #ifdef ACCEPT_ENV diff --git a/kdm/README b/kdm/README index f8daafe5..635f791c 100644 --- a/kdm/README +++ b/kdm/README @@ -9,8 +9,7 @@ Semi-official home page: http://developer.kde.org/~ossi/sw/kdm.html cmake options that affect KDM ----------------------------- --DKDE4_COMMON_PAM_SERVICE:STRING=service --DKDE4_KDM_PAM_SERVICE:STRING=service +-DKDE4_PAM_SERVICE:STRING=service Set the PAM service used by all of kdebase resp. specifically by KDM. Whether PAM should be used in the first place is auto-detected. diff --git a/kdm/config.def b/kdm/config.def index 2ddd5ed6..bd4f2c62 100644 --- a/kdm/config.def +++ b/kdm/config.def @@ -781,7 +781,7 @@ Description: Key: PAMService If: defined(USE_PAM) Type: string -Default: KDM_PAM_SERVICE +Default: KDE4_PAM_SERVICE User: core Instance: - Comment: - diff --git a/kscreensaver.pamd b/kscreensaver.pamd deleted file mode 100644 index b90065e8..00000000 --- a/kscreensaver.pamd +++ /dev/null @@ -1,2 +0,0 @@ -#%PAM-1.0 -auth required pam_unix.so shadow nullok -- 2.11.0
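Review bot: `#cmakedefine KDE4_PAM_SERVICE "${KDE4_PAM_SERVICE}"` in config-unix.h.cmake pastes the cache value into a C string literal unescaped, and it emits `/* #undef KDE4_PAM_SERVICE */` when the value is empty or a CMake false constant such as `OFF` or `0`. In that case `const char *caller = KDE4_PAM_SERVICE;` in the kcheckpass/kcheckpass.c hunk fails to compile with no hint about the cause, and a value containing `"` or `\` produces a malformed literal. ConfigureChecks.cmake could reject such values early with `if(NOT KDE4_PAM_SERVICE OR NOT KDE4_PAM_SERVICE MATCHES "^[A-Za-z0-9_.-]+$")` and `message(FATAL_ERROR "KDE4_PAM_SERVICE must be a plain PAM service name")`. The header comment says the macro is used by kcheckpass, but the kdm/config.def hunk also makes it the `PAMService` default, so the comment should name both consumers.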