[systemd-devel] openvpn + auth-user-pass + password agents
Hi,

Has anyone got patches to add password agent support to openvpn? I don't see any patches in Fedora at least.

I've got a user who's reporting that they cannot enable this option in their openvpn setup.

From what I can tell from a brief inspection it's just a matter of hacking the get_console_input() method, although this is used to get both username and password on occasions which the password agent stuff doesn't really support.

It would seem like a relatively trivial thing to support (optionally asking for username) so it seems odd to me that it's left out of the spec when it could so simply have been included even if it wouldn't have been used for the current use cases.

Can someone explain:

a) If username should be added and support added to openvpn to use this mechanism for password auth and certificate password input.
b) If username should not be added and this is just totally insane generally - and if so, why.

FWIW, it seems that stdin is used for a few things in openvpn:

1. OK confirmation (it seems that any input from the user would do)
2. A response from a challenge.
3. A username+password combo.
4. A pkcs11 pin (or the word 'cancel' which is lame but could probably be done more gracefully with agents).

These do all seem to fall within what could be argued as valid uses for the password agent system, albeit they are extending it somewhat.

Thoughts on how best to solve this problem greatly appreciated.

Col

--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] openvpn + auth-user-pass + password agents
On Tuesday 27 November 2012 at 09:50 +, Colin Guthrie wrote:
> Hi,
>
> Has anyone got patches to add password agent support to openvpn? I don't see any patches in Fedora at least.

I did them and they are upstream nowadays :)

--
Frederic Crozat fcro...@suse.com
SUSE
Re: [systemd-devel] openvpn + auth-user-pass + password agents
'Twas brillig, and Frederic Crozat at 27/11/12 10:00 did gyre and gimble:
> On Tuesday 27 November 2012 at 09:50 +, Colin Guthrie wrote:
>> Hi,
>>
>> Has anyone got patches to add password agent support to openvpn? I don't see any patches in Fedora at least.
>
> I did them and they are upstream nowadays :)

You are a hero!

Here is the commit if anyone is following:
http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commit;h=9449e6a9eba30c9ed054f57d630a88c9f087080f

Not tested it personally, but have added it to packages for users to test :)

Thanks

Col

--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
[systemd-devel] [RFC][PATCH 1/2] fstab-generator: generate new_root.mount in initrd
The configuration is taken from /proc/cmdline, aiming at emulating the behavior of the kernel when no initramfs is used. The supported options are: root=, rootfstype=, rootwait=, rootflags=, ro, and rw. rootdelay= was dropped, as it is not really useful in a systemd world, but could easily be added. Cc: Harald Hoyer har...@redhat.com Cc: Dave Reisner dreis...@archlinux.org --- Hi guys, Together with the next patch this aims to add enough kernel commandline parsing support to systemd so that it can be used in an initramfs without any extra glue to parse the command line and pass on the correct parameters to systemd. A patch exists using this work to add (shell-free) systemd support to Arch's mkinitcpio [0]. This is based on similar work in dracut. Comments welcome, Tom [0]: https://mailman.archlinux.org/pipermail/arch-projects/2012-November/003446.html src/fstab-generator/fstab-generator.c | 159 +- 1 file changed, 135 insertions(+), 24 deletions(-) diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c index ba55f2c..8b0b548 100644 --- a/src/fstab-generator/fstab-generator.c +++ b/src/fstab-generator/fstab-generator.c @@ -202,18 +202,21 @@ static bool mount_is_network(struct mntent *me) { fstype_is_network(me-mnt_type); } -static int add_mount(const char *what, const char *where, struct mntent *me) { +static int add_mount(const char *what, const char *where, const char *type, const char *opts, + int passno, bool wait, bool noauto, bool nofail, bool automount, bool isbind, bool isnetwork, + const char *source) { char *name = NULL, *unit = NULL, *lnk = NULL, *device = NULL, *automount_name = NULL, *automount_unit = NULL; FILE *f = NULL; -bool noauto, nofail, automount, isbind, isnetwork; int r; const char *post, *pre; assert(what); assert(where); -assert(me); +assert(type); +assert(opts); +assert(source); -if (streq(me-mnt_type, autofs)) +if (streq(type, autofs)) return 0; if (!is_path(where)) { 
@@ -225,15 +228,6 @@ static int add_mount(const char *what, const char *where, struct mntent *me) { mount_point_ignore(where)) return 0; -isnetwork = mount_is_network(me); -isbind = !!hasmntopt(me, bind); - -noauto = !!hasmntopt(me, noauto); -nofail = !!hasmntopt(me, nofail); -automount = -hasmntopt(me, comment=systemd.automount) || -hasmntopt(me, x-systemd.automount); - if (isnetwork) { post = SPECIAL_REMOTE_FS_TARGET; pre = SPECIAL_REMOTE_FS_PRE_TARGET; @@ -264,10 +258,12 @@ static int add_mount(const char *what, const char *where, struct mntent *me) { goto finish; } -fputs(# Automatically generated by systemd-fstab-generator\n\n +fprintf(f, + # Automatically generated by systemd-fstab-generator\n\n [Unit]\n - SourcePath=/etc/fstab\n - DefaultDependencies=no\n, f); + SourcePath=%s\n + DefaultDependencies=no\n, + source); if (!path_equal(where, /)) fprintf(f, @@ -293,14 +289,18 @@ static int add_mount(const char *what, const char *where, struct mntent *me) { FsckPassNo=%i\n, what, where, -me-mnt_type, -me-mnt_passno); +type, +passno); -if (!isempty(me-mnt_opts) -!streq(me-mnt_opts, defaults)) +if (!isempty(opts) +!streq(opts, defaults)) fprintf(f, Options=%s\n, -me-mnt_opts); +opts); + +if (wait) +fprintf(f, +TimeoutSec=0\n); fflush(f); if (ferror(f)) { @@ -459,7 +459,13 @@ static int parse_fstab(void) { if (streq(me-mnt_type, swap)) k = add_swap(what, me); else -k = add_mount(what, where, me); +k = add_mount(what, where, me-mnt_type, me-mnt_opts, + me-mnt_passno, false, !!hasmntopt(me, noauto), + !!hasmntopt(me, nofail), + hasmntopt(me, comment=systemd.automount) || + hasmntopt(me, x-systemd.automount), + !!hasmntopt(me, bind), mount_is_network(me), + /etc/fstab); free(what); free(where); @@ -473,6 +479,108 @@ finish: return r; } +static int
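Review bot: the new add_mount() signature in the first hunk takes six bool parameters in a row (wait, noauto, nofail, automount, isbind, isnetwork) after passno, and the parse_fstab() call in the @@ -459 hunk passes them as a bare positional run starting with false, so two of them can be swapped without the compiler noticing. Consider a flags enum or a small struct describing the mount, or at least a comment naming each argument at the call site. The automount argument is also the only boolean passed without !!, which is harmless because || already yields 0 or 1, but it reads inconsistently next to its neighbours.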
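Review bot: the `if (wait) fprintf(f, TimeoutSec=0\n)` addition in the @@ -293 hunk needs a comment and a clearer parameter name. A value of 0 switches the timeout off, and TimeoutSec= in a mount unit bounds how long the mount command itself may run. If wait is meant to carry the rootwait option named in the commit message, please confirm that this is the timeout that option should affect, and state that the result is an unbounded wait with no failure path.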
[systemd-devel] [RFC][PATCH 2/2] systemctl: switch-root - read init= from /proc/cmdline
If the path to init is not specified as an argument to systemctl, but init= is given on the kernel commandline, use that. This means the initrd does not need glue code to parse the kernel commandline before passing on init= to systemctl. Cc: Harald Hoyer har...@redhat.com Cc: Dave Reisner dreis...@archlinux.org --- src/systemctl/systemctl.c | 25 ++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c index 7a19d06..fc1db1a 100644 --- a/src/systemctl/systemctl.c +++ b/src/systemctl/systemctl.c @@ -3323,7 +3323,9 @@ finish: static int switch_root(DBusConnection *bus, char **args) { unsigned l; -const char *root, *init; +int r; +const char *root; +char *init = NULL; l = strv_length(args); if (l 2 || l 3) { @@ -3332,9 +3334,22 @@ static int switch_root(DBusConnection *bus, char **args) { } root = args[1]; -init = l = 3 ? args[2] : ; -return bus_method_call_with_reply ( +if (l = 3) { +init = strdup(args[2]); +} else { +parse_env_file(/proc/cmdline, WHITESPACE, + init, init, + NULL); + +if (!init) +init = strdup(); + +} + +log_debug(switching root - root: %s; init: %s, root, init); + +r = bus_method_call_with_reply ( bus, org.freedesktop.systemd1, /org/freedesktop/systemd1, @@ -3345,6 +3360,10 @@ static int switch_root(DBusConnection *bus, char **args) { DBUS_TYPE_STRING, root, DBUS_TYPE_STRING, init, DBUS_TYPE_INVALID); + +free(init); + +return r; } static int set_environment(DBusConnection *bus, char **args) { -- 1.8.0.1
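Review bot: neither `init = strdup(args[2]);` nor the fallback `init = strdup();` in the @@ -3332 hunk is checked, so on allocation failure a NULL init reaches the %s in log_debug() and is then passed as a DBUS_TYPE_STRING argument. Return -ENOMEM when strdup() fails. The return value of parse_env_file() is dropped as well, so a failure to read /proc/cmdline is indistinguishable from no init= being present; log it at least at debug level. Since switch-root now takes the init path from the kernel command line when the caller gives none, the diffstat should also include a man page update describing that fallback.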
[systemd-devel] [PATCH] pam_systemd: new option for the session class
From: Matthew Monaco matthew.mon...@0x01b.net --- I don't see any reason why every DM (LightDM for me) needs code to support this. It looks to me like it's safe to just point to the data in argv, let me know if it isn't. man/pam_systemd.xml| 9 + src/login/pam-module.c | 14 +++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index 2d2f191..07f0da9 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -194,6 +194,15 @@ /varlistentry varlistentry +termoptionclass=/option/term + +listitemparaTakes a string +argument which sets the session class. +This takes precedent over the XDG_SESSION_CLASS +environmental variable./para/listitem +/varlistentry + +varlistentry termoptiondebug=/option/term listitemparaTakes a boolean diff --git a/src/login/pam-module.c b/src/login/pam-module.c index 08a9328..9294d47 100644 --- a/src/login/pam-module.c +++ b/src/login/pam-module.c @@ -49,6 +49,7 @@ static int parse_argv(pam_handle_t *handle, bool *kill_processes, char ***kill_only_users, char ***kill_exclude_users, + char **class, bool *debug) { unsigned i; @@ -135,6 +136,12 @@ static int parse_argv(pam_handle_t *handle, *kill_exclude_users = l; } +} else if (startswith(argv[i], class=)) { + +if (class) { + *class = argv[i] + 6; +} + } else if (startswith(argv[i], debug=)) { if ((k = parse_boolean(argv[i] + 6)) 0) { pam_syslog(handle, LOG_ERR, Failed to parse debug= argument.); 
@@ -322,7 +329,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( struct passwd *pw; bool kill_processes = false, debug = false; -const char *username, *id, *object_path, *runtime_path, *service = NULL, *tty = NULL, *display = NULL, *remote_user = NULL, *remote_host = NULL, *seat = NULL, *type, *class, *cvtnr = NULL; +const char *username, *id, *object_path, *runtime_path, *service = NULL, *tty = NULL, *display = NULL, *remote_user = NULL, *remote_host = NULL, *seat = NULL, *type, *class = NULL, *cvtnr = NULL; char **controllers = NULL, **reset_controllers = NULL, **kill_only_users = NULL, **kill_exclude_users = NULL; DBusError error; uint32_t uid, pid; @@ -349,7 +356,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( argc, argv, controllers, reset_controllers, kill_processes, kill_only_users, kill_exclude_users, - debug) 0) { + class, debug) 0) { r = PAM_SESSION_ERR; goto finish; } @@ -472,7 +479,8 @@ _public_ PAM_EXTERN int pam_sm_open_session( type = !isempty(display) ? x11 : !isempty(tty) ? tty : unspecified; -class = pam_getenv(handle, XDG_SESSION_CLASS); +if (isempty(class)) +class = pam_getenv(handle, XDG_SESSION_CLASS); if (isempty(class)) class = getenv(XDG_SESSION_CLASS); if (isempty(class)) -- 1.8.0.1
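Review bot: parse_argv() gains a `char **class` parameter in the @@ -49 hunk, but the variable it fills in pam_sm_open_session() is declared `const char *... *class = NULL`, and `*class = argv[i] + 6` stores a pointer into the PAM argument vector. Declare the parameter as `const char **class` so that no const qualifier is dropped. Pointing into argv is acceptable as long as the value is not kept beyond pam_sm_open_session(); a one-line comment saying the string is borrowed and must not be freed would prevent a later cleanup path from calling free() on it.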
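Review bot: the man page text added in the pam_systemd.xml hunk does not match the behaviour in the last pam-module.c hunk when the option is given with an empty value: `class=` leaves an empty string, `if (isempty(class))` is then true, and XDG_SESSION_CLASS is consulted after all. Either document that an empty class= is ignored or reject it in parse_argv() with a pam_syslog() message as the debug= branch does. In the same paragraph, "precedent" should read "precedence" and "environmental variable" should read "environment variable".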