@xJayMorex xJayMorex commented Nov 17, 2025

Without calling pam_setcred, unlocking the machine doesn't also unlock GPG based secrets. Reworked CPam::auth to make it less repetitive.

@xJayMorex xJayMorex force-pushed the add-pam_setcred branch 4 times, most recently from 948a45e to 282be8e Compare November 25, 2025 14:41
@PaideiaDilemma
Collaborator

In this new revision I don't like the refactor. Why not spend the extra lines to do the error handling?

About pam_setcred TBH I just can't find any proper documentation why this is required.
Hyprlock doesn't log you out or anything. Why do we need to extend the lifetime of some CREDs? I searched GitHub and saw that a bunch of lockscreen-related applications do indeed call it. But I still don't know why.

@xJayMorex
Author

xJayMorex commented Nov 27, 2025

> In this new revision I don't like the refactor. Why not spend the extra lines to do the error handling?

You mean dropping the for loop and handling the steps individually, right?

> About pam_setcred TBH I just can't find any proper documentation why this is required. Hyprlock doesn't log you out or anything. Why do we need to extend the lifetime of some CREDs? I searched GitHub and saw that a bunch of lockscreen-related applications do indeed call it. But I still don't know why.

If you aren't comfortable with secrets staying in memory while your screen is locked, you need to reset GPG before locking the screen (I have my keyboard shortcut set to `gpg-connect-agent --no-autostart reloadagent /bye && hyprlock`). You can unlock GPG in a separate step; it's just a matter of convenience. Display managers always unlock GPG during login, so I don't see why all lockscreens shouldn't do it too.

@xJayMorex xJayMorex force-pushed the add-pam_setcred branch 2 times, most recently from 73d8416 to 1c45ba5 Compare November 27, 2025 22:33