Custom PAM rule for desktop login #939

Open
wants to merge 1 commit into
base: main

mbssrc
Collaborator

@mbssrc mbssrc commented Dec 19, 2024

Description of changes

This PR includes the following changes and fixes:

  • remove fingerprint authentication from greetd as user home needs decryption
  • re-ordering PAM modules on gtklock to unlock with either password or fingerprint, not requiring both
  • add custom rule to require users to be in group video, preventing
    admin login on GUI. Still works for AGX/NX with createHome option.
  • remove older 'desktop' group in favor of 'video'
  • fix user creation script to disallow creating user duplicates
  • fix user creation script to allow '-' characters in name
  • move ollama persistent directory to service, removing failing ollama
    user/group setting, adding guard for launcher
  • move XDG parameters from gui-vm to labc config

This should also fix SRCSP-5891. The user is now not asked for fingerprint
during login, which won't work as the home folder must be decrypted with a key derived from the user's password.

Does not address multiple error messages when entering wrong password on lock-screen.

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch

Tested on x1 and agx.

Instructions for Testing

  • List all targets that this applies to: x1, agx, nx?
  • List the test steps to verify:
    • Remove existing user, reboot and try to create ghaf as user
    • Create user, login with wrong password, observe only 1 error message
    • Login, create fingerprint for user, and lock screen.
      • Enter + fprint unlocks
      • wrong password + fprint unlocks
      • correct password unlocks
    • Reboot (gui-vm) and observe user is not asked for fingerprint
    • Verify ollama app works and no errors in journal anymore
    • (optional) test login/lock on agx as ghaf user
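
The control-flag logic behind the lock-screen and login changes described above, as an added example that is not taken from this PR's diff. The file paths, module order and the placement of the group check are assumptions; only the service names `greetd` and `gtklock` and the group `video` come from the description.

```conf
# --- /etc/pam.d/gtklock (assumed path): lock screen, home already decrypted ---
#
# Constructed contrast: with both modules marked "required", PAM keeps going
# after the first success and the user must pass password AND fingerprint.
#   auth  required    pam_unix.so
#   auth  required    pam_fprintd.so
#
# "sufficient" ends the auth stack on the first success and ignores a failure,
# so either factor unlocks. Password is listed first: an empty or wrong
# password fails pam_unix, the failure is ignored, and the fingerprint reader
# is tried next. This matches the test steps "Enter + fprint unlocks" and
# "wrong password + fprint unlocks".
auth     sufficient  pam_unix.so
auth     sufficient  pam_fprintd.so
# Nothing succeeded: fail closed instead of falling off the end of the stack.
auth     required    pam_deny.so
account  required    pam_unix.so

# --- /etc/pam.d/greetd (assumed path): graphical login, home still encrypted ---
#
# No pam_fprintd.so here. The home directory is unlocked with a key derived
# from the password, so a fingerprint-only login would reach a session whose
# home cannot be decrypted.
auth     required    pam_unix.so
# Group gate: accounts outside "video" (for example an admin account) are
# refused at the account stage even with a correct password. "requisite"
# stops the stack immediately on failure.
account  requisite   pam_succeed_if.so user ingroup video
account  required    pam_unix.so
```

To check the gate on a running system, `id -nG <user>` should list `video` for every account that is expected to reach the desktop, and a refused login should show a `pam_succeed_if` requirement failure in the journal.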

@mbssrc mbssrc temporarily deployed to internal-build-workflow December 19, 2024 13:27 — with GitHub Actions Inactive
@mbssrc mbssrc marked this pull request as draft December 19, 2024 13:44
@mbssrc mbssrc temporarily deployed to internal-build-workflow December 21, 2024 14:01 — with GitHub Actions Inactive
@mbssrc mbssrc temporarily deployed to internal-build-workflow December 21, 2024 14:18 — with GitHub Actions Inactive
@mbssrc mbssrc marked this pull request as ready for review December 21, 2024 15:19
@mbssrc mbssrc added the Needs Testing CI Team to pre-verify label Jan 6, 2025
@milva-unikie

Tested on Lenovo-X1 (nixos-rebuild switch)

Issues:

  • Cameras do not work. Integrated camera should work in business-vm and usb camera in chrome-vm.

Working:

  • Verified all steps in Testing instructions, no issues
  • Test-automation passes

Tested on Orin-AGX and Orin-NX

  • Login and lock work for both
  • Test-automation passes for both

@milva-unikie milva-unikie added Tested on Orin AGX This PR has been tested on NVIDIA Jetson AGX Orin Tested on Orin NX This PR has been tested on NVIDIA Jetson NX Orin bug on Lenovo X1 Carbon Issues found on Lenovo X1 Carbon while checking this PR and removed Needs Testing CI Team to pre-verify labels Jan 7, 2025
  - remove fprint auth from greetd as user home needs decryption
  - add custom rule to require users to be in group 'video', preventing
    admin login on GUI
  - remove older 'desktop' group in favor of 'video'
  - fix user creation script to disallow creating user duplicates
  - fix user creation script to allow '-' characters in name
  - move ollama persistent directory to service, removing failing ollama
    user/group setting
  - move XDG parameters from gui-vm to labc config

Signed-off-by: Manuel Bluhm <[email protected]>
@mbssrc mbssrc temporarily deployed to internal-build-workflow January 7, 2025 14:29 — with GitHub Actions Inactive
@mbssrc
Collaborator Author

mbssrc commented Jan 7, 2025

> Tested on Lenovo-X1 (nixos-rebuild switch)
>
> Issues:
>
> • Cameras do not work. Integrated camera should work in business-vm and usb camera in chrome-vm.

Fixed with b3b1363.

@mbssrc mbssrc added Needs Testing CI Team to pre-verify and removed bug on Lenovo X1 Carbon Issues found on Lenovo X1 Carbon while checking this PR labels Jan 7, 2025
@milva-unikie

Cameras work!

Camera tests in test-automation will need a small change; a PR for that is open: tiiuae/ci-test-automation#205

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed Needs Testing CI Team to pre-verify labels Jan 8, 2025