RFC: Unified PAM settings for different display managers #17044
Open
Labels: 0.kind: enhancement; 2.status: stale; 6.topic: nixos; 9.needs: reporter feedback
Problem
The current state of PAM configuration in NixOS requires a lot of duplication. Each display manager module contains its own <name of display manager> pam service for controlling login, which is a lot of duplication. For example, pam.services.lightdm is the same as pam.services.sddm.

Because of that, if you want to change the PAM configuration for login, you have to do so depending on which display manager is enabled, which is inconvenient for our users. Setting the rules for how to log in should not depend on which particular display manager is used.
Ideas for solution
I propose that we try to factor out the common PAM configuration options, and provide a "default" common-auth (name up to debate) pam service or similar that can then be include'd by other PAM services, such as graphical or nongraphical display managers. This is also the solution that other distributions, such as Debian, have adopted.
Comments?
I have posted this as an issue instead of a PR because I have not put much thought into how to separate the PAM services yet. For example, should we have a common-auth-autologin service as well? What are your thoughts for which common PAM services we need? I volunteer to implement this after the details are fleshed out.
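
The duplication described in this issue can be audited by flattening each service's auth stack through its includes and comparing the results. The following is an added example, not code from the issue or from nixpkgs; the service file contents and the function names `effective_stack` and `drift` are constructed for illustration.

```python
import re

# Constructed sample PAM service files (not taken from NixOS).
SERVICES = {
    "common-auth": (
        "auth required pam_faildelay.so delay=2000000\n"
        "auth sufficient pam_unix.so try_first_pass\n"
        "auth required pam_deny.so\n"
    ),
    # Shares the login rules by including the common service.
    "lightdm": "auth include common-auth\naccount required pam_unix.so\n",
    # Hand-duplicated copy that has drifted: no fail delay, empty passwords allowed.
    "sddm": (
        "auth sufficient pam_unix.so nullok try_first_pass  # copied by hand\n"
        "auth required pam_deny.so\n"
        "account required pam_unix.so\n"
    ),
}

# type, control (simple word or [bracketed] form), module, optional arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def effective_stack(name, services, kind="auth", seen=()):
    """Flatten one service's rules of a given type, following include directives."""
    if name in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (name,)))
    rules = []
    for raw in services[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):  # Debian-style directive
            rules += effective_stack(line.split()[1], services, kind, seen + (name,))
            continue
        m = RULE.fullmatch(line)
        if not m or m.group(1).lstrip("-") != kind:
            continue
        control, module, args = m.group(2), m.group(3), tuple(m.group(4).split())
        if control in ("include", "substack"):  # Linux-PAM control values
            rules += effective_stack(module, services, kind, seen + (name,))
        else:
            rules.append((control, module, args))
    return rules

def drift(a, b, services, kind="auth"):
    """Return the rules found only in a's stack and only in b's stack."""
    sa, sb = effective_stack(a, services, kind), effective_stack(b, services, kind)
    return [r for r in sa if r not in sb], [r for r in sb if r not in sa]

if __name__ == "__main__":
    print(drift("lightdm", "sddm", SERVICES))
```

A non-empty result from `drift` means two display managers enforce different login rules, which is the situation a single shared service avoids.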