authorMasum Reza <50095635+JohnRTitor@users.noreply.github.com>2024-07-04 10:54:46 +0530
committerGitHub <noreply@github.com>2024-07-04 10:54:46 +0530
commit24ced046593cdb8e428d08c1d9ede2c0c9bb3d6d (patch)
tree44151ff0d06c5967dc1a1e0815693839f697310f
parent2c59823e593a0fde5747bde431586ac467f6c47e (diff)
parentaf0cdb44a0016f8b7572483a39f5a80fb518721d (diff)
Merge pull request #324347 from jtojnar/gdm-fingerprint-fix
nixos/gdm: Fix fingerprint auth rules
-rw-r--r--nixos/modules/services/desktops/gnome/gnome-keyring.nix13
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix10
2 files changed, 9 insertions, 14 deletions
diff --git a/nixos/modules/services/desktops/gnome/gnome-keyring.nix b/nixos/modules/services/desktops/gnome/gnome-keyring.nix
index 96089d718c170..550c6ba8eff54 100644
--- a/nixos/modules/services/desktops/gnome/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome/gnome-keyring.nix
@@ -35,18 +35,7 @@ in
 
     xdg.portal.extraPortals = [ pkgs.gnome-keyring ];
 
-    security.pam.services = lib.mkMerge [
-      {
-        login.enableGnomeKeyring = true;
-      }
-      (lib.mkIf config.services.xserver.displayManager.gdm.enable {
-        gdm-password.enableGnomeKeyring = true;
-        gdm-autologin.enableGnomeKeyring = true;
-      })
-      (lib.mkIf (config.services.xserver.displayManager.gdm.enable && config.services.fprintd.enable) {
-        gdm-fingerprint.enableGnomeKeyring = true;
-      })
-    ];
+    security.pam.services.login.enableGnomeKeyring = true;
 
     security.wrappers.gnome-keyring-daemon = {
       owner = "root";
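Review bot: The replacement line at the end of the hunk, `security.pam.services.login.enableGnomeKeyring = true;`, silently relies on the gdm-password and gdm-autologin PAM stacks in gdm.nix pulling in the `login` service in both the auth and session phases — pam_gnome_keyring only unlocks the keyring when the auth-phase module captured the password and the session-phase module later runs — and nothing here records that dependency, so a later edit to those stacks in gdm.nix could drop keyring unlocking without anything in this module failing. I would add a comment above the new line, something like `# gdm-password/gdm-autologin include the login service (see gdm.nix), and gdm-fingerprint wires pam_gnome_keyring.so itself, keyed on this option; only login needs the hook here.` The gdm-fingerprint case deserves a second sentence in that comment: a fingerprint auth stack has no password token to hand to the keyring, so presumably the module is there only so the session-phase half runs — worth confirming and stating rather than leaving implicit. The enclosing `config = mkIf cfg.enable { … }` block starts and ends outside the hunk.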
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 82cc80417fa14..1a39b365db5f3 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -6,6 +6,7 @@ let
 
   cfg = config.services.xserver.displayManager;
   gdm = pkgs.gnome.gdm;
+  pamCfg = config.security.pam.services;
   settingsFormat = pkgs.formats.ini { };
   configFile = settingsFormat.generate "custom.conf" cfg.gdm.settings;
 
@@ -321,15 +322,20 @@ in
         session   include       login
       '';
 
+      # This would block password prompt when included by gdm-password.
+      # GDM will instead run gdm-fingerprint in parallel.
       login.fprintAuth = mkIf config.services.fprintd.enable false;
+
       gdm-fingerprint.text = mkIf config.services.fprintd.enable ''
         auth       required                    pam_shells.so
         auth       requisite                   pam_nologin.so
         auth       requisite                   pam_faillock.so      preauth
         auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
-        auth       optional                    pam_permit.so
         auth       required                    pam_env.so
-        auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+        ${lib.optionalString pamCfg.login.enableGnomeKeyring ''
+          auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+        ''}
 
         account    include                     login