Skip to content

feat: run multiple pam sessions at once

Janet Blackquill requested to merge jblackquill/kscreenlocker:work/jblackquill/multiauth into master

This allows simultaneous use of e.g. password and fingerprint auth.

BUG: 475024 FIXED-IN: 6.0

pam configuration for testing

Normally your distro ships the pam configuration your kscreenlocker uses, but we're requiring new ones now. So this is how you get the configurations for testing purposes:

Simple method: steal from GNOME

sudo ln -s /etc/pam.d/gdm-fingerprint /etc/pam.d/kde-fingerprint

sudo ln -s /etc/pam.d/gdm-smartcard /etc/pam.d/kde-smartcard

sudo mv /etc/pam.d/kde /etc/pam.d/kde-disabled (when undoing this MR you're going to want to put that file back where it was)

sudo ln -s /etc/pam.d/gdm-password /etc/pam.d/kde

Less simple method for redhat and redhat-adjacent (fedora, opensuse, etc) systems

/etc/pam.d/kde

auth        substack      password-auth
auth        include       postlogin

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     include       postlogin

/etc/pam.d/kde-fingerprint

auth        substack      fingerprint-auth
auth        include       postlogin

account     required      pam_nologin.so
account     include       fingerprint-auth

password    include       fingerprint-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       fingerprint-auth
session     include       postlogin

/etc/pam.d/kde-smartcard

auth        substack      smartcard-auth
auth        include       postlogin

account     required      pam_nologin.so
account     include       smartcard-auth

password    include       smartcard-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       smartcard-auth
session     include       postlogin

Testers with other vendors may need to consult their system vendors on how to configure their pam

Edited by Nate Graham

Merge request reports