gardesk/gardm / e5bd2c0

Browse files

Refactor PAM authentication to use pam crate

Switch from pam-client to pam crate for simpler API. Use
PasswordConv for non-interactive authentication and add
debug logging throughout the auth flow.

Simplify PAM config to use pam_unix.so directly instead of
Fedora-specific includes and SELinux modules.
Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA
e5bd2c0b6f09b28d677c391e566d8668295cc72d
Parents
1144a95
Tree
0e9322b

3 changed files

StatusFile+-
M etc/pam.d/gardm 12 18
M gardmd/Cargo.toml 1 1
M gardmd/src/auth.rs 22 13
etc/pam.d/gardmmodified
@@ -1,23 +1,17 @@
11
 #%PAM-1.0
2
-# PAM configuration for gardm display manager
3
-# Based on SDDM's Fedora configuration
2
+# gardm display manager PAM configuration
43
5
-# SELinux permit (Fedora-specific)
6
-auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
7
-auth        substack      password-auth
8
--auth       optional      pam_gnome_keyring.so
9
-auth        include       postlogin
4
+# Authentication
5
+auth        required      pam_unix.so
106
11
-account     required      pam_nologin.so
12
-account     include       password-auth
7
+# Account management
8
+account     required      pam_unix.so
139
14
-password    include       password-auth
10
+# Password management
11
+password    required      pam_unix.so
1512
16
-session     required      pam_selinux.so close
17
-session     required      pam_loginuid.so
18
-session     required      pam_selinux.so open
19
-session     optional      pam_keyinit.so force revoke
20
-session     required      pam_namespace.so
21
-session     include       password-auth
22
--session    optional      pam_gnome_keyring.so auto_start
23
-session     include       postlogin
13
+# Session management - pam_systemd creates /run/user/<uid>/ and registers session
14
+# Note: pam_loginuid is intentionally omitted - it can only be set once per process
15
+# and gardmd runs as a persistent daemon
16
+-session    optional      pam_systemd.so
17
+session     required      pam_unix.so
gardmd/Cargo.tomlmodified
@@ -20,7 +20,7 @@ serde = { workspace = true }
2020
 serde_json = { workspace = true }
2121
 toml = { workspace = true }
2222
 nix = { workspace = true }
23
-pam-client = { workspace = true }
23
+pam = "0.8"
2424
 x11rb = { workspace = true }
2525
 clap = { workspace = true }
2626
 libc = "0.2"
gardmd/src/auth.rsmodified
@@ -3,8 +3,8 @@
33
 //! Implements a state machine for PAM-based authentication with
44
 //! proper conversation handling for the greeter.
55
6
-use anyhow::{Context, Result};
7
-use pam_client::{Context as PamContext, Flag};
6
+use anyhow::{anyhow, Result};
7
+use pam::Client;
88
99
 /// Service name for PAM configuration
1010
 const PAM_SERVICE: &str = "gardm";
@@ -146,23 +146,32 @@ impl AuthSession {
146146
147147
 /// Perform PAM authentication (blocking)
148148
 fn pam_authenticate(username: &str, password: &str) -> Result<()> {
149
-    use pam_client::conv_mock::Conversation;
149
+    tracing::debug!(%username, password_len = password.len(), "Starting PAM authentication");
150150
151
-    // Create conversation handler that provides the password
152
-    let conv = Conversation::with_credentials(username, password);
151
+    // Create client with PasswordConv (non-interactive, uses provided password)
152
+    let mut client = Client::with_password(PAM_SERVICE)
153
+        .map_err(|e| anyhow!("Failed to create PAM client: {:?}", e))?;
153154
154
-    // Create PAM context
155
-    let mut ctx = PamContext::new(PAM_SERVICE, Some(username), conv)
156
-        .context("Failed to create PAM context")?;
155
+    // Set the credentials
156
+    client
157
+        .conversation_mut()
158
+        .set_credentials(username, password);
159
+
160
+    tracing::debug!("PAM client created, calling authenticate");
157161
158162
     // Authenticate
159
-    ctx.authenticate(Flag::NONE)
160
-        .context("PAM authentication failed")?;
163
+    client
164
+        .authenticate()
165
+        .map_err(|e| anyhow!("PAM authentication failed: {:?}", e))?;
166
+
167
+    tracing::debug!("PAM authenticate succeeded, opening session");
161168
162
-    // Validate account (check expiry, etc.)
163
-    ctx.acct_mgmt(Flag::NONE)
164
-        .context("Account validation failed")?;
169
+    // Open session (also does account validation)
170
+    client
171
+        .open_session()
172
+        .map_err(|e| anyhow!("Failed to open PAM session: {:?}", e))?;
165173
174
+    tracing::debug!("PAM session opened successfully");
166175
     Ok(())
167176
 }
168177