[neon/kde/kscreenlocker/Neon/unstable] debian/pam.d: sync pam files to ubuntu
Carlos De Maine
null at kde.org
Wed Jan 14 22:15:54 GMT 2026
Git commit a92dba9c0b3f25ed6c50db7a36b56d2ac7a25719 by Carlos De Maine.
Committed on 14/01/2026 at 22:15.
Pushed by carlosdem into branch 'Neon/unstable'.
sync pam files to ubuntu
M +10 -11 debian/pam.d/kde
M +11 -10 debian/pam.d/kde-fingerprint
M +7 -3 debian/pam.d/kde-smartcard
https://invent.kde.org/neon/kde/kscreenlocker/-/commit/a92dba9c0b3f25ed6c50db7a36b56d2ac7a25719
diff --git a/debian/pam.d/kde b/debian/pam.d/kde
index 4ac40ed..224920f 100644
--- a/debian/pam.d/kde
+++ b/debian/pam.d/kde
@@ -1,13 +1,14 @@
#%PAM-1.0
+# Taken from gdm3’s gdm-password
auth requisite pam_nologin.so
-auth required pam_succeed_if.so user != root quiet_success
+auth required pam_succeed_if.so user != root quiet_success
@include common-auth
-auth optional pam_kwallet5.so
+auth optional pam_kwallet5.so
@include common-account
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without this it is possible that a
-# module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
@@ -15,13 +16,11 @@ session required pam_loginuid.so
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
-session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-session
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context. Only sessions which are intended
-# to run in the user's context should be run after this.
+session optional pam_kwallet5.so auto_start
@include common-password
diff --git a/debian/pam.d/kde-fingerprint b/debian/pam.d/kde-fingerprint
index 07e73c5..178c157 100644
--- a/debian/pam.d/kde-fingerprint
+++ b/debian/pam.d/kde-fingerprint
@@ -1,25 +1,26 @@
#%PAM-1.0
+# Taken from gdm3’s gdm-fingerprint
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth required pam_fprintd.so
-auth optional pam_kwallet5.so
+auth optional pam_kwallet5.so
@include common-account
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without this it is possible that a
-# module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context. Only sessions which are intended
-# to run in the user's context should be run after this.
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
-session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_kwallet5.so auto_start
password required pam_fprintd.so
diff --git a/debian/pam.d/kde-smartcard b/debian/pam.d/kde-smartcard
index 3b0de68..62d8cd8 100644
--- a/debian/pam.d/kde-smartcard
+++ b/debian/pam.d/kde-smartcard
@@ -1,9 +1,12 @@
#%PAM-1.0
+# Adapted from gdm3’s gdm-smartcard-sssd-or-password
auth [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
-auth required pam_sss.so allow_missing_name try_cert_auth
-#auth sufficient pam_pkcs11.so nullok debug try_first_pass
+#auth [success=2 default=ignore] pam_sss.so allow_missing_name try_cert_auth
+auth required pam_sss.so allow_missing_name try_cert_auth
+#auth substack common-auth
auth requisite pam_nologin.so
auth optional pam_kwallet5.so
+
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
@@ -20,6 +23,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
-session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_kwallet5.so auto_start
+ at include common-password
More information about the Neon-commits
mailing list