kde-plasma/kscreenlocker: first cut of new PAM configuration

As with all of the masked KDE ebuilds, there is ** no warranty **. I've not yet runtime tested this. Don't use this yet on a machine where you rely on kscreenlocker behaving correctly for security. See https://community.kde.org/Plasma/Plasma_6.0_Release_notes#New_required_PAM_configuration and https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/163. Signed-off-by: Sam James <sam@gentoo.org>
author: Sam James <sam@gentoo.org> 2023-12-20 15:44:43 +0000
committer: Sam James <sam@gentoo.org> 2023-12-20 15:47:15 +0000
commit: 15b01074eef56e2c5e46739cd8ba12fea8d7fbcc (patch)
tree: 62b84e73bb5da5d66e1c87ebf6d96623901e0dbe /kde-plasma
parent: 238859fa64a7cfa53b7d24046cfc0b5e044d2730 (diff)
download: kde-15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.tar.gz
kde-15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.tar.bz2
kde-15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.zip
4 files changed, 39 insertions, 2 deletions
diff --git a/kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam b/kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam
new file mode 100644
index 00000000000..38267de65e3
--- /dev/null
+++ b/kde-plasma/kscreenlocker/files/kscreenlocker-fingerprint.pam
@@ -0,0 +1,13 @@
+#%PAM-1.0
+
+auth        required    pam_shells.so
+auth        required    pam_nologin.so
+auth        required    pam_faillock.so preauth
+auth        required    pam_fprintd.so
+auth        required    pam_env.so
+
+account     include     system-local-login
+
+password    include     system-local-login
+
+session     include     system-local-login
diff --git a/kde-plasma/kscreenlocker/files/kscreenlocker-password.pam b/kde-plasma/kscreenlocker/files/kscreenlocker-password.pam
new file mode 100644
index 00000000000..ce9e84d5884
--- /dev/null
+++ b/kde-plasma/kscreenlocker/files/kscreenlocker-password.pam
@@ -0,0 +1,9 @@
+#%PAM-1.0
+
+auth     include  system-local-login
+
+account  include  system-local-login
+
+password include  system-local-login
+
+session  include  system-local-login
diff --git a/kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam b/kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam
new file mode 100644
index 00000000000..f887c782343
--- /dev/null
+++ b/kde-plasma/kscreenlocker/files/kscreenlocker-smartcard.pam
@@ -0,0 +1,13 @@
+#%PAM-1.0
+
+auth        required    pam_shells.so
+auth        required    pam_nologin.so
+auth        required    pam_faillock.so preauth
+auth        required    pam_pkcs11.so wait_for_card card_only
+auth        required    pam_env.so
+
+account     include     system-local-login
+
+password    include     system-local-login
+
+session     include     system-local-login
diff --git a/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild b/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild
index da6f0f9036f..29c7cf2f72d 100644
--- a/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild
+++ b/kde-plasma/kscreenlocker/kscreenlocker-9999.ebuild
@@ -74,6 +74,8 @@ src_test() {
 src_install() {
 	ecm_src_install
 
-	newpamd "${FILESDIR}/kde.pam" kde
-	newpamd "${FILESDIR}/kde-np.pam" kde-np
+	local config
+	for config in kscreenlocker-{fingerprint,password,smartcard} ; do
+		newpamd "${FILESDIR}/${config}.pam" ${config}
+	done
 }
author	Sam James <sam@gentoo.org>	2023-12-20 15:44:43 +0000
committer	Sam James <sam@gentoo.org>	2023-12-20 15:47:15 +0000
commit	15b01074eef56e2c5e46739cd8ba12fea8d7fbcc (patch)
tree	62b84e73bb5da5d66e1c87ebf6d96623901e0dbe /kde-plasma
parent	238859fa64a7cfa53b7d24046cfc0b5e044d2730 (diff)
download	kde-15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.tar.gz kde-15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.tar.bz2 kde-15b01074eef56e2c5e46739cd8ba12fea8d7fbcc.zip