gardesk/gardm / e5bd2c0

Browse files

Refactor PAM authentication to use pam crate

Switch from pam-client to pam crate for simpler API. Use
PasswordConv for non-interactive authentication and add
debug logging throughout the auth flow.

Simplify PAM config to use pam_unix.so directly instead of
Fedora-specific includes and SELinux modules.
Authored by mfwolffe <wolffemf@dukes.jmu.edu>
SHA
e5bd2c0b6f09b28d677c391e566d8668295cc72d
Parents
1144a95
Tree
0e9322b

3 changed files

StatusFile+-
M etc/pam.d/gardm 12 18
M gardmd/Cargo.toml 1 1
M gardmd/src/auth.rs 22 13
etc/pam.d/gardmmodified
@@ -1,23 +1,17 @@
1
 #%PAM-1.0
1
 #%PAM-1.0
2
-# PAM configuration for gardm display manager
2
+# gardm display manager PAM configuration
3
-# Based on SDDM's Fedora configuration
4
 
3
 
5
-# SELinux permit (Fedora-specific)
4
+# Authentication
6
-auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
5
+auth        required      pam_unix.so
7
-auth        substack      password-auth
8
--auth       optional      pam_gnome_keyring.so
9
-auth        include       postlogin
10
 
6
 
11
-account     required      pam_nologin.so
7
+# Account management
12
-account     include       password-auth
8
+account     required      pam_unix.so
13
 
9
 
14
-password    include       password-auth
10
+# Password management
11
+password    required      pam_unix.so
15
 
12
 
16
-session     required      pam_selinux.so close
13
+# Session management - pam_systemd creates /run/user/<uid>/ and registers session
17
-session     required      pam_loginuid.so
14
+# Note: pam_loginuid is intentionally omitted - it can only be set once per process
18
-session     required      pam_selinux.so open
15
+# and gardmd runs as a persistent daemon
19
-session     optional      pam_keyinit.so force revoke
16
+-session    optional      pam_systemd.so
20
-session     required      pam_namespace.so
17
+session     required      pam_unix.so
21
-session     include       password-auth
22
--session    optional      pam_gnome_keyring.so auto_start
23
-session     include       postlogin
gardmd/Cargo.tomlmodified
@@ -20,7 +20,7 @@ serde = { workspace = true }
20
 serde_json = { workspace = true }
20
 serde_json = { workspace = true }
21
 toml = { workspace = true }
21
 toml = { workspace = true }
22
 nix = { workspace = true }
22
 nix = { workspace = true }
23
-pam-client = { workspace = true }
23
+pam = "0.8"
24
 x11rb = { workspace = true }
24
 x11rb = { workspace = true }
25
 clap = { workspace = true }
25
 clap = { workspace = true }
26
 libc = "0.2"
26
 libc = "0.2"
gardmd/src/auth.rsmodified
@@ -3,8 +3,8 @@ 
3
 //! Implements a state machine for PAM-based authentication with
3
 //! Implements a state machine for PAM-based authentication with
4
 //! proper conversation handling for the greeter.
4
 //! proper conversation handling for the greeter.
5
 
5
 
6
-use anyhow::{Context, Result};
6
+use anyhow::{anyhow, Result};
7
-use pam_client::{Context as PamContext, Flag};
7
+use pam::Client;
8
 
8
 
9
 /// Service name for PAM configuration
9
 /// Service name for PAM configuration
10
 const PAM_SERVICE: &str = "gardm";
10
 const PAM_SERVICE: &str = "gardm";
@@ -146,23 +146,32 @@ impl AuthSession {
146
 
146
 
147
 /// Perform PAM authentication (blocking)
147
 /// Perform PAM authentication (blocking)
148
 fn pam_authenticate(username: &str, password: &str) -> Result<()> {
148
 fn pam_authenticate(username: &str, password: &str) -> Result<()> {
149
-    use pam_client::conv_mock::Conversation;
149
+    tracing::debug!(%username, password_len = password.len(), "Starting PAM authentication");
150
 
150
 
151
-    // Create conversation handler that provides the password
151
+    // Create client with PasswordConv (non-interactive, uses provided password)
152
-    let conv = Conversation::with_credentials(username, password);
152
+    let mut client = Client::with_password(PAM_SERVICE)
153
+        .map_err(|e| anyhow!("Failed to create PAM client: {:?}", e))?;
153
 
154
 
154
-    // Create PAM context
155
+    // Set the credentials
155
-    let mut ctx = PamContext::new(PAM_SERVICE, Some(username), conv)
156
+    client
156
-        .context("Failed to create PAM context")?;
157
+        .conversation_mut()
158
+        .set_credentials(username, password);
159
+
160
+    tracing::debug!("PAM client created, calling authenticate");
157
 
161
 
158
     // Authenticate
162
     // Authenticate
159
-    ctx.authenticate(Flag::NONE)
163
+    client
160
-        .context("PAM authentication failed")?;
164
+        .authenticate()
165
+        .map_err(|e| anyhow!("PAM authentication failed: {:?}", e))?;
166
+
167
+    tracing::debug!("PAM authenticate succeeded, opening session");
161
 
168
 
162
-    // Validate account (check expiry, etc.)
169
+    // Open session (also does account validation)
163
-    ctx.acct_mgmt(Flag::NONE)
170
+    client
164
-        .context("Account validation failed")?;
171
+        .open_session()
172
+        .map_err(|e| anyhow!("Failed to open PAM session: {:?}", e))?;
165
 
173
 
174
+    tracing::debug!("PAM session opened successfully");
166
     Ok(())
175
     Ok(())
167
 }
176
 }
168
 
177