rpms/gdm/devel gdm-2.15.5-security-tokens.patch, NONE, 1.1 gdm.spec, 1.167, 1.168
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jul 12 05:04:00 UTC 2006
Author: rstrode
Update of /cvs/dist/rpms/gdm/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv24344
Modified Files:
gdm.spec
Added Files:
gdm-2.15.5-security-tokens.patch
Log Message:
- add initial support for smart card security tokens
gdm-2.15.5-security-tokens.patch:
config/Makefile.am | 4
config/gdm | 16
config/gdm-securitytokens | 10
config/gdm.conf.in | 7
configure.ac | 3
daemon/Makefile.am | 7
daemon/gdm.c | 99 ++++
daemon/gdm.h | 5
daemon/gdmconfig.c | 35 +
daemon/gdmconfig.h | 3
daemon/securitytoken.c | 579 ++++++++++++++++++++++++++++
daemon/securitytoken.h | 98 ++++
daemon/securitytokenmonitor.c | 817 +++++++++++++++++++++++++++++++++++++++
daemon/securitytokenmonitor.h | 81 +++
daemon/verify-pam.c | 5
utils/gdmsecuritytokenmonitor.c | 197 +++++++++
utils/securitytoken.c | 573 +++++++++++++++++++++++++++
utils/securitytoken.h | 97 ++++
utils/securitytokenmonitor.c | 819 ++++++++++++++++++++++++++++++++++++++++
utils/securitytokenmonitor.h | 82 ++++
20 files changed, 3526 insertions(+), 11 deletions(-)
--- NEW FILE gdm-2.15.5-security-tokens.patch ---
--- /dev/null 2006-07-12 00:29:29.434343750 +0200
+++ gdm-2.15.5/config/gdm-securitytokens 2006-07-12 01:01:58.000000000 +0200
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_pkcs11.so
+auth required pam_deny.so
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_loginuid.so
+session optional pam_console.so
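Review bot: This service file has no comment saying that it is the stack gdm switches a display to while a smart card is present (SecurityTokensPamStack in gdm.conf.in), and that `auth sufficient pam_pkcs11.so` followed by `auth required pam_deny.so` makes the card the only accepted authenticator in that state, with deliberately no password fallback. Suggest a header comment right after `#%PAM-1.0`, e.g. `# Selected by gdm while a security token is inserted: pam_pkcs11 succeeds or the login is denied; no password fallback.` The certificate-to-user mapping and any revocation checking live in pam_pkcs11's own configuration, which this commit neither ships nor references, so the comment should also point administrators there.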
--- gdm-2.15.5/config/gdm.security-tokens 2003-08-04 18:24:21.000000000 +0200
+++ gdm-2.15.5/config/gdm 2006-07-12 01:01:58.000000000 +0200
@@ -1,8 +1,10 @@
#%PAM-1.0
-auth required pam_env.so
-auth required pam_stack.so service=system-auth
-auth required pam_nologin.so
-account required pam_stack.so service=system-auth
-password required pam_stack.so service=system-auth
-session required pam_stack.so service=system-auth
-session optional pam_console.so
+auth required pam_env.so
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_loginuid.so
+session optional pam_console.so
+
--- gdm-2.15.5/config/Makefile.am.security-tokens 2006-05-18 20:39:13.000000000 +0200
+++ gdm-2.15.5/config/Makefile.am 2006-07-12 01:01:58.000000000 +0200
@@ -26,6 +26,7 @@
Xsession.in \
gdm \
gdm-autologin \
+ gdm-securitytokens \
locale.alias \
Init.in \
PreSession.in \
@@ -237,6 +238,9 @@
if test $$system = Linux && test '!' -f $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm-autologin; then \
$(INSTALL_DATA) gdm-autologin $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm-autologin; \
fi; \
+ if test $$system = Linux && test '!' -f $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm-securitytokens; then \
+ $(INSTALL_DATA) gdm-securitytokens $(DESTDIR)$(PAM_PREFIX)/pam.d/gdm-securitytokens; \
+ fi; \
if test $$system = SunOS; then \
echo "Please add PAM authentication for gdm and gdm-autologin in $(PAM_PREFIX)/pam.conf!"; \
fi; \
--- gdm-2.15.5/config/gdm.conf.in.security-tokens 2006-07-12 01:01:57.000000000 +0200
+++ gdm-2.15.5/config/gdm.conf.in 2006-07-12 01:01:58.000000000 +0200
@@ -193,6 +193,10 @@
# kills it. 10 seconds should be long enough for X, but Xgl may need 20 or 25.
GdmXserverTimeout=10
+# Whether or not to listen for smart card insertion/removal events
+SecurityTokensEnable=true
+SecurityTokensDriver=
+
[security]
# Allow root to login. It makes sense to turn this off for kiosk use, when
# you want to minimize the possibility of break in.
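Review bot: `SecurityTokensDriver=` is added without any comment, and `SecurityTokensEnable=true` turns the monitor on by default for every installation. The value is handed to sc_security_token_monitor_new() in gdm.c as the module path, and securitytokenmonitor.c defaults it to LIBDIR/pkcs11/libcoolkeypk11.so, so it names a PKCS#11 shared object that the root-running daemon loads through NSS and deserves the same kind of caveat the neighbouring keys get. Suggest `# Path of the PKCS#11 module used to detect tokens (empty = built-in default). It is loaded into the gdm daemon, so it must be root-owned and trusted.` Whether an empty value really selects the built-in default is decided in the suppressed part of the patch and should be confirmed before wording the comment that way.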
@@ -239,6 +243,9 @@
# Specifies the PAM Stack to use, "gdm" by default.
PamStack=gdm
+# Specifies the PAM Stack to use when smart cards are inserted
+SecurityTokensPamStack=gdm-securitytokens
+
# XDMCP is the protocol that allows remote login. If you want to log into GDM
# remotely (I'd never turn this on on open network, use ssh for such remote
# usage that). You can then run X with -query <thishost> to log in, or
--- /dev/null 2006-07-12 00:29:29.434343750 +0200
+++ gdm-2.15.5/utils/securitytokenmonitor.c 2006-07-12 01:01:58.000000000 +0200
@@ -0,0 +1,819 @@
+/* securitytokenmonitor.c - monitor for security token insertion and
+ * removal events
+ *
+ * Copyright (C) 2006 Ray Strode <rstrode at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * TODO: - doing this per project is a bad idea i think.
+ * We should probably make this a system service
+ * and use dbus.
+ *
+ * - We hardcode a driver right now. We should probably
+ * look up the default list and go from there.
+ */
+#include "securitytokenmonitor.h"
+
+#define SC_SECURITY_TOKEN_ENABLE_INTERNAL_API
+#include "securitytoken.h"
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <glib.h>
+#include <glib/gi18n.h>
+
+#include <prerror.h>
+#include <nss.h>
+#include <pk11func.h>
+#include <secmod.h>
+#include <secerr.h>
+
+#include "marshal.h"
+
+#ifndef SC_SECURITY_TOKEN_MONITOR_ENABLE_TEST
+#include "misc.h"
+#endif
+
+#ifndef SC_SECURITY_TOKEN_MONITOR_DRIVER
+#define SC_SECURITY_TOKEN_MONITOR_DRIVER LIBDIR"/pkcs11/libcoolkeypk11.so"
+#endif
+
+#ifndef SC_SECURITY_TOKEN_MONITOR_NSS_DB
+#define SC_SECURITY_TOKEN_MONITOR_NSS_DB SYSCONFDIR"/pki/nssdb"
+#endif
+
+#ifndef SC_SECURITY_TOKEN_MONITOR_POLL_INTERVAL
+#define SC_SECURITY_TOKEN_MONITOR_POLL_INTERVAL 100 /* ms */
+#endif
+
+#ifndef sc_debug
+#ifdef gdm_debug
+#define sc_debug(fmt, args...) gdm_debug(fmt, ##args)
+#elif defined (SC_SECURITY_TOKEN_MONITOR_ENABLE_TEST)
+#define sc_debug(fmt, args...) g_printerr(fmt "\n", ##args)
+#else
+#define sc_debug(fmt, args...)
+#endif
+#endif
+
+typedef enum _ScSecurityTokenMonitorState ScSecurityTokenMonitorState;
+
+enum _ScSecurityTokenMonitorState {
+ SC_SECURITY_TOKEN_MONITOR_STATE_STOPPED = 0,
+ SC_SECURITY_TOKEN_MONITOR_STATE_STARTING,
+ SC_SECURITY_TOKEN_MONITOR_STATE_STARTED,
+ SC_SECURITY_TOKEN_MONITOR_STATE_STOPPING,
+};
+
+struct _ScSecurityTokenMonitorPrivate {
+ ScSecurityTokenMonitorState state;
+
+ gchar *module_path;
+ SECMODModule *module;
+ GHashTable *security_tokens;
+
+ guint32 nss_is_loaded : 1;
+ guint32 is_unstoppable : 1;
+
+ guint poll_timeout_id;
+};
+
+static void sc_security_token_monitor_finalize (GObject *object);
+static void sc_security_token_monitor_class_install_signals (ScSecurityTokenMonitorClass *service_class);
+static void sc_security_token_monitor_class_install_properties (ScSecurityTokenMonitorClass *service_class);
+static void sc_security_token_monitor_set_property (GObject *object,
+ guint prop_id,
+ const GValue *value,
+ GParamSpec *pspec);
+static void sc_security_token_monitor_get_property (GObject *object,
+ guint prop_id,
+ GValue *value,
+ GParamSpec *pspec);
+
+static void
+sc_security_token_monitor_set_module_path (ScSecurityTokenMonitor *monitor,
+ const gchar *module_path);
+
+
+static void sc_security_token_monitor_token_removed_handler (ScSecurityTokenMonitor *monitor,
+ ScSecurityToken *token);
+static void sc_security_token_monitor_token_inserted_handler (ScSecurityTokenMonitor *monitor_class,
+ ScSecurityToken *token);
+static gboolean sc_security_token_monitor_stop_now (ScSecurityTokenMonitor *monitor);
+
+static void sc_security_token_monitor_queue_stop (ScSecurityTokenMonitor *monitor);
+
[...3377 lines suppressed...]
+ GdmDisplay *d = li->data;
+
+ if (SERVER_IS_LOCAL (d)) {
+ gdm_debug ("notifying display '%s'", d->name);
+ gchar *pam_stack;
+ pam_stack = gdm_get_value_string (GDM_KEY_SECURITY_TOKENS_PAM_STACK);
+
+ if (ve_string_empty (pam_stack))
+ pam_stack = gdm_get_value_string (GDM_KEY_PAM_STACK);
+ gdm_set_value_string_per_display (d->name,
+ GDM_KEY_PAM_STACK,
+ pam_stack);
+ send_slave_command (d, GDM_NOTIFY_RESET);
+ } else {
+ gdm_debug ("display '%s' is not local", d->name);
+ }
+ }
+}
+
+static void
+gdm_handle_security_token_removal (ScSecurityTokenMonitor *monitor,
+ ScSecurityToken *token)
+{
+ GSList *li;
+
+ gdm_debug ("notifying local displays about token removal");
+ for (li = displays; li != NULL; li = li->next) {
+ GdmDisplay *d = li->data;
+
+ if (SERVER_IS_LOCAL (d)) {
+ gdm_debug ("notifying display '%s'", d->name);
+ gchar *pam_stack;
+ pam_stack = gdm_get_value_string (GDM_KEY_SECURITY_TOKENS_PAM_STACK);
+
+ if (ve_string_empty (pam_stack))
+ pam_stack = gdm_get_value_string (GDM_KEY_PAM_STACK);
+ gdm_set_value_string_per_display (d->name,
+ GDM_KEY_PAM_STACK,
+ pam_stack);
+ send_slave_command (d, GDM_NOTIFY_RESET);
+
+ } else {
+ gdm_debug ("display '%s' is not local", d->name);
+ }
+ }
+}
+
+static void
+gdm_watch_for_security_tokens (void)
+{
+ GError *error;
+ ScSecurityTokenMonitor *monitor;
+
+ gdm_debug ("watching for security token insertion and removal events");
+
+ monitor = sc_security_token_monitor_new (gdm_get_value_string (GDM_KEY_SECURITY_TOKENS_DRIVER));
+ g_signal_connect (monitor,
+ "security-token-inserted",
+ G_CALLBACK (gdm_handle_security_token_insertion), NULL);
+
+ g_signal_connect (monitor,
+ "security-token-removed",
+ G_CALLBACK (gdm_handle_security_token_removal), NULL);
+ error = NULL;
+ if (!sc_security_token_monitor_start (monitor,
+ &error)) {
+ if (error != NULL) {
+ syslog (LOG_ERR, "%s", error->message);
+ g_error_free (error);
+ } else {
+ syslog (LOG_ERR, "could not start security token monitor");
+
+ }
+ }
+}
/* EOF */
--- gdm-2.15.5/daemon/verify-pam.c.security-tokens 2006-07-12 01:01:58.000000000 +0200
+++ gdm-2.15.5/daemon/verify-pam.c 2006-07-12 01:01:58.000000000 +0200
@@ -55,6 +55,8 @@
#define log_to_audit_system(l,h,d,s) do { ; } while (0)
#endif
+gboolean gdm_should_use_security_tokens_pam_stack (void);
+
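Review bot: `gdm_should_use_security_tokens_pam_stack` is declared as a bare extern prototype inside verify-pam.c rather than in a header, and nothing in the visible part of the patch calls it. The diffstat shows daemon/gdm.h is touched by this patch, which is where a cross-file declaration like this belongs; if the function ended up unused it should be dropped instead. Either way a one-line comment on what the predicate decides would help, e.g. `/* TRUE when the display's token-selected PAM stack should be used (see gdm.c) */`.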
/* Evil, but this way these things are passed to the child session */
static pam_handle_t *pamh = NULL;
@@ -78,7 +80,6 @@
static adt_session_data_t *adt_ah = NULL; /* audit session handle */
-
/*
* audit_success_login - audit successful login
*
@@ -902,6 +903,8 @@
*/
pam_stack = gdm_get_value_string_per_display (display, GDM_KEY_PAM_STACK);
+ gdm_debug ("using pam stack '%s'", pam_stack);
+
if ( ! create_pamh (d, pam_stack, login, &pamc, display, &pamerr)) {
if (started_timer)
gdm_slave_greeter_ctl_no_ret (GDM_STOPTIMER, "");
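Review bot: The stack name logged here is the per-display value written by the token handlers in gdm.c, and in the visible part of that file both gdm_handle_security_token_insertion and gdm_handle_security_token_removal select GDM_KEY_SECURITY_TOKENS_PAM_STACK, falling back to GDM_KEY_PAM_STACK only when that key is empty. If that is not a display artifact, a display keeps logging and using 'gdm-securitytokens' after the card is pulled, and that stack's auth phase is pam_pkcs11-or-deny, so password login stays disabled until the display is reset some other way; the removal path presumably should write back the plain GDM_KEY_PAM_STACK value. Separately, `pam_stack` is passed to `%s` here without a NULL guard; if the project's helper is available, `gdm_debug ("using pam stack '%s'", ve_sure_string (pam_stack));` avoids that. The enclosing function starts and ends outside the hunk.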
--- gdm-2.15.5/daemon/gdmconfig.h.security-tokens 2006-05-20 00:07:17.000000000 +0200
+++ gdm-2.15.5/daemon/gdmconfig.h 2006-07-12 01:01:58.000000000 +0200
@@ -41,6 +41,9 @@
gboolean value);
void gdm_set_value_int (gchar *key,
gint value);
+void gdm_set_value_string_per_display (gchar *display,
+ gchar *key,
+ gchar *value);
void gdm_config_key_to_string_per_display
(gchar *file,
gchar *key,
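Review bot: The new `gdm_set_value_string_per_display` prototype carries no ownership note for `value`; its callers in gdm.c hand it the pointer returned by gdm_get_value_string() and never free it, so whether this function copies the string or keeps the pointer decides whether that call is a leak or a later use-after-free when the configuration is re-read. Suggest a comment above the declaration in the header's style, e.g. `/* Override KEY for DISPLAY only; VALUE is copied and stays owned by the caller. */`, checked against the implementation in gdmconfig.c (suppressed in this view) before committing to that wording.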
--- /dev/null 2006-07-12 00:29:29.434343750 +0200
+++ gdm-2.15.5/daemon/securitytokenmonitor.h 2006-07-12 01:01:58.000000000 +0200
@@ -0,0 +1,81 @@
+/* securitytokenmonitor.h - monitor for security token insertion and
+ * removal events
+ *
+ * Copyright (C) 2006 Ray Strode
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ */
+#ifndef SC_SECURITY_TOKEN_MONITOR_H
+#define SC_SECURITY_TOKEN_MONITOR_H
+
+#define SC_SECURITY_TOKEN_ENABLE_INTERNAL_API
+#include "securitytoken.h"
+
+#include <glib.h>
+#include <glib-object.h>
+
+G_BEGIN_DECLS
+#define SC_TYPE_SECURITY_TOKEN_MONITOR (sc_security_token_monitor_get_type ())
+#define SC_SECURITY_TOKEN_MONITOR(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), SC_TYPE_SECURITY_TOKEN_MONITOR, ScSecurityTokenMonitor))
+#define SC_SECURITY_TOKEN_MONITOR_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), SC_TYPE_SECURITY_TOKEN_MONITOR, ScSecurityTokenMonitorClass))
+#define SC_IS_SECURITY_TOKEN_MONITOR(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), SC_TYPE_SECURITY_TOKEN_MONITOR))
+#define SC_IS_SECURITY_TOKEN_MONITOR_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), SC_TYPE_SECURITY_TOKEN_MONITOR))
+#define SC_SECURITY_TOKEN_MONITOR_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS((obj), SC_TYPE_SECURITY_TOKEN_MONITOR, ScSecurityTokenMonitorClass))
+#define SC_SECURITY_TOKEN_MONITOR_ERROR (sc_security_token_monitor_error_quark ())
+typedef struct _ScSecurityTokenMonitor ScSecurityTokenMonitor;
+typedef struct _ScSecurityTokenMonitorClass ScSecurityTokenMonitorClass;
+typedef struct _ScSecurityTokenMonitorPrivate ScSecurityTokenMonitorPrivate;
+typedef enum _ScSecurityTokenMonitorError ScSecurityTokenMonitorError;
+
+struct _ScSecurityTokenMonitor {
+ GObject parent;
+
+ /*< private > */
+ ScSecurityTokenMonitorPrivate *priv;
+};
+
+struct _ScSecurityTokenMonitorClass {
+ GObjectClass parent_class;
+
+ /* Signals */
+ void (*security_token_inserted) (ScSecurityTokenMonitor *monitor,
+ ScSecurityToken *token);
+ void (*security_token_removed) (ScSecurityTokenMonitor *monitor,
+ ScSecurityToken *token);
+ void (*error) (ScSecurityTokenMonitor *monitor,
+ GError *error);
+};
+
+enum _ScSecurityTokenMonitorError {
+ SC_SECURITY_TOKEN_MONITOR_ERROR_GENERIC = 0,
+ SC_SECURITY_TOKEN_MONITOR_ERROR_WITH_NSS,
+ SC_SECURITY_TOKEN_MONITOR_ERROR_LOADING_DRIVER,
+};
+
+GType sc_security_token_monitor_get_type (void) G_GNUC_CONST;
+GQuark sc_security_token_monitor_error_quark (void) G_GNUC_CONST;
+
+ScSecurityTokenMonitor *sc_security_token_monitor_new (const gchar *module);
+
+gboolean sc_security_token_monitor_start (ScSecurityTokenMonitor *monitor,
+ GError **error);
+
+void sc_security_token_monitor_stop (ScSecurityTokenMonitor *monitor);
+
+gchar *sc_security_token_monitor_get_module_path (ScSecurityTokenMonitor *monitor);
+
+G_END_DECLS
+#endif /* SC_SECURITY_TOKEN_MONITOR_H */
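Review bot: The header defines `SC_SECURITY_TOKEN_ENABLE_INTERNAL_API` before including securitytoken.h, so every file that includes the monitor's public header also gets the token object's internal API exposed; securitytokenmonitor.c already defines the same macro for itself, and nothing declared here beyond `ScSecurityToken *` appears to need the internal API, so the `#define` looks like it can move out of the header unless the opaque type is only declared under it. `sc_security_token_monitor_get_module_path` also returns a non-const `gchar *` with no note on whether the caller must g_free() it, and `sc_security_token_monitor_new` does not say what a NULL `module` means. Suggest documenting both once confirmed against the implementation, e.g. `/* Returns a newly allocated copy; free with g_free(). */` and `/* MODULE may be NULL to use the built-in default driver. */`.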
Index: gdm.spec
===================================================================
RCS file: /cvs/dist/rpms/gdm/devel/gdm.spec,v
retrieving revision 1.167
retrieving revision 1.168
diff -u -r1.167 -r1.168
--- gdm.spec 7 Jul 2006 21:28:35 -0000 1.167
+++ gdm.spec 12 Jul 2006 05:03:57 -0000 1.168
@@ -15,7 +15,7 @@
Summary: The GNOME Display Manager.
Name: gdm
Version: 2.15.5
-Release: 2
+Release: 3
Epoch: 1
License: LGPL/GPL
Group: User Interface/X
@@ -45,6 +45,7 @@
Patch18: gdm-2.15.5-process-all-ops.patch
Patch19: gdm-2.15.5-move-default-message.patch
Patch20: gdm-2.15.5-reset-pam.patch
+Patch21: gdm-2.15.5-security-tokens.patch
BuildRoot: %{_tmppath}/gdm-%{PACKAGE_VERSION}-root
@@ -119,10 +120,11 @@
%patch14 -p1 -b .call-dbus-launch
%patch15 -p1 -b .dont-call-xsm
%patch16 -p1 -b .add-gnome-cflags
-%patch17 -p1 -b .pam_stack
+#%patch17 -p1 -b .pam_stack
%patch18 -p1 -b .process-all-ops
%patch19 -p1 -b .move-default-message
%patch20 -p1 -b .reset-pam
+%patch21 -p1 -b .security-tokens
# fix the time format for ja
perl -pi -e "s|^msgstr \"%a %b %d, %H:%M\"|msgstr \"%m/%d \(%a\) %H:%M\"|; s|^msgstr \"%a %b %d, %I:%M %p\"|msgstr \"%m/%d \(%a\) %p %I:%M\"|" po/ja.po
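Review bot: `#%patch17 -p1 -b .pam_stack` relies on a leading `#` to disable the patch, but rpmbuild expands macros on comment lines in %prep; depending on the rpm version `%patch17` is either a built-in or a multi-line macro, and in the macro case only the first expanded line stays commented, so the patch can silently still be applied. Writing `#%%patch17 -p1 -b .pam_stack`, or deleting the line together with Patch17, is the safe form. The changelog entry should also say that the pam_stack patch is being retired because the new pam.d files use `include` instead of pam_stack.so.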
@@ -294,6 +296,7 @@
%config %{_sysconfdir}/pam.d/gdm
%config %{_sysconfdir}/pam.d/gdmsetup
%config %{_sysconfdir}/pam.d/gdm-autologin
+%config %{_sysconfdir}/pam.d/gdm-securitytokens
%config %{_sysconfdir}/security/console.apps/gdmsetup
#%config %{_sysconfdir}/rc.d/init.d/*
%dir %{_sysconfdir}/gdm/Init
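Review bot: The package now ships /etc/pam.d/gdm-securitytokens, whose auth phase is `pam_pkcs11.so` or deny, and the daemon defaults to loading libcoolkeypk11.so, yet none of the visible hunks add a `Requires:` on the packages that provide those (pam_pkcs11, coolkey). If the spec's Requires block, which is outside this diff, does not already cover them, a system without pam_pkcs11 gets a security-tokens stack whose only sufficient module is missing, so every card-triggered login fails closed on pam_deny; safe, but hard to diagnose, so `Requires: pam_pkcs11` is worth adding. Like its neighbours the new file is `%config` rather than `%config(noreplace)`, so an administrator's hardening of this stack is overwritten on upgrade and saved as .rpmsave; worth considering for the new entry even if the existing lines are left alone.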
@@ -317,6 +320,9 @@
%attr(1770, root, gdm) %dir %{_localstatedir}/gdm
%changelog
+* Tue Jul 11 2006 Ray Strode <rstrode at redhat.com> 1:2.15.5-3
+- add initial support for smart card security tokens
+
* Fri Jul 7 2006 Ray Strode <rstrode at redhat.com> 1:2.15.5-2
- add patch to process all operations when more than one comes
in really quickly