[neon/kde/kscreenlocker/Neon/release] debian/pam.d: sync pam files to ubuntu

Carlos De Maine null at kde.org
Wed Jan 14 22:16:32 GMT 2026 

Git commit 8292029b2ded6e8e147e2500a6eb20fd41a1d5a5 by Carlos De Maine.
Committed on 14/01/2026 at 22:16.
Pushed by carlosdem into branch 'Neon/release'.

sync pam files to ubuntu

(cherry picked from commit a92dba9c0b3f25ed6c50db7a36b56d2ac7a25719)

Co-authored-by: Carlos De Maine <carlosd.kde at gmail.com>

M  +10   -11   debian/pam.d/kde
M  +11   -10   debian/pam.d/kde-fingerprint
M  +7    -3    debian/pam.d/kde-smartcard

https://invent.kde.org/neon/kde/kscreenlocker/-/commit/8292029b2ded6e8e147e2500a6eb20fd41a1d5a5

diff --git a/debian/pam.d/kde b/debian/pam.d/kde
index 4ac40ed..224920f 100644
--- a/debian/pam.d/kde
+++ b/debian/pam.d/kde
@@ -1,13 +1,14 @@
 #%PAM-1.0
+# Taken from gdm3’s gdm-password
 auth    requisite       pam_nologin.so
-auth    required        pam_succeed_if.so user != root quiet_success
+auth	required	pam_succeed_if.so user != root quiet_success
 @include common-auth
-auth   optional        pam_kwallet5.so
+auth    optional        pam_kwallet5.so
 @include common-account
-# SELinux needs to be the first session rule.  This ensures that any
-# lingering context has been cleared.  Without this it is possible that a
-# module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without this it is possible 
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 session required        pam_loginuid.so
 # SELinux needs to intervene at login time to ensure that the process
 # starts in the proper default security context. Only sessions which are
@@ -15,13 +16,11 @@ session required        pam_loginuid.so
 # pam_selinux.so changes the SELinux context of the used TTY and configures
 # SELinux in order to transition to the user context with the next execve()
 # call.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] 		pam_selinux.so open
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 session optional        pam_keyinit.so force revoke
 session required        pam_limits.so
 session required        pam_env.so readenv=1
-session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+session required        pam_env.so readenv=1 envfile=/etc/default/locale
 @include common-session
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context.  Only sessions which are intended
-# to run in the user's context should be run after this.
+session optional        pam_kwallet5.so auto_start
 @include common-password
diff --git a/debian/pam.d/kde-fingerprint b/debian/pam.d/kde-fingerprint
index 07e73c5..178c157 100644
--- a/debian/pam.d/kde-fingerprint
+++ b/debian/pam.d/kde-fingerprint
@@ -1,25 +1,26 @@
 #%PAM-1.0
+# Taken from gdm3’s gdm-fingerprint
 auth    requisite       pam_nologin.so
 auth	required	pam_succeed_if.so user != root quiet_success
 auth	required	pam_fprintd.so
-auth   optional        pam_kwallet5.so
+auth    optional        pam_kwallet5.so
 @include common-account
-# SELinux needs to be the first session rule.  This ensures that any
-# lingering context has been cleared.  Without this it is possible that a
-# module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] 		pam_selinux.so close
+# SELinux needs to be the first session rule. This ensures that any 
+# lingering context has been cleared. Without this it is possible 
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
 session required        pam_loginuid.so
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context.  Only sessions which are intended
-# to run in the user's context should be run after this.
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
 # pam_selinux.so changes the SELinux context of the used TTY and configures
 # SELinux in order to transition to the user context with the next execve()
 # call.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] 		pam_selinux.so open
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
 session optional        pam_keyinit.so force revoke
 session required        pam_limits.so
 session required        pam_env.so readenv=1
-session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+session required        pam_env.so readenv=1 envfile=/etc/default/locale
 @include common-session
 session optional        pam_kwallet5.so auto_start
 password required       pam_fprintd.so
diff --git a/debian/pam.d/kde-smartcard b/debian/pam.d/kde-smartcard
index 3b0de68..62d8cd8 100644
--- a/debian/pam.d/kde-smartcard
+++ b/debian/pam.d/kde-smartcard
@@ -1,9 +1,12 @@
 #%PAM-1.0
+# Adapted from gdm3’s gdm-smartcard-sssd-or-password
 auth    [success=ok user_unknown=ignore default=bad] pam_succeed_if.so user != root quiet_success
-auth    required      pam_sss.so allow_missing_name try_cert_auth
-#auth    sufficient      pam_pkcs11.so nullok debug try_first_pass
+#auth    [success=2 default=ignore] pam_sss.so allow_missing_name try_cert_auth
+auth    required        pam_sss.so allow_missing_name try_cert_auth
+#auth    substack        common-auth
 auth    requisite       pam_nologin.so
 auth    optional        pam_kwallet5.so
+
 @include common-account
 # SELinux needs to be the first session rule. This ensures that any
 # lingering context has been cleared. Without this it is possible
@@ -20,6 +23,7 @@ session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_
 session optional        pam_keyinit.so force revoke
 session required        pam_limits.so
 session required        pam_env.so readenv=1
-session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+session required        pam_env.so readenv=1 envfile=/etc/default/locale
 @include common-session
 session optional        pam_kwallet5.so auto_start
+ at include common-password

More information about the Neon-commits mailing list