vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

weston-vnc: fix PAM service name (weston-remote-access, not weston)

Browse source 
weston calls pam_start("weston-remote-access", ...) in libweston/auth.c.
The previous security.pam.services.weston entry created /etc/pam.d/weston
which was never consulted, so PAM fell back to the system default and
rejected all credentials. Renaming to weston-remote-access makes
pam_permit.so actually take effect.

Fixes #92
This commit is contained in:
iris 2026-05-20 20:28:32 +02:00
parent f9d1e69a50
commit e50173f3e1
1 changed files with 7 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
nix/templates/weston-vnc.nix
View file

@ -59,9 +59,13 @@
config = lib.mkIf config.hyperhive.gui.enable { config = lib.mkIf config.hyperhive.gui.enable {
# neatvnc 0.9 always calls the PAM auth callback (weston_authenticate_user) # neatvnc 0.9 always calls the PAM auth callback (weston_authenticate_user)
# for Apple-DH (type 30), regardless of weston.ini auth-method=none. # for Apple-DH (type 30), regardless of weston.ini auth-method=none.
# pam_permit.so makes the "weston" PAM service accept any credentials, # pam_permit.so makes the PAM service accept any credentials so the
# so the browser's empty Apple-DH credentials always pass. # browser's empty Apple-DH credentials always pass.
security.pam.services.weston.text = '' #
# The service name is "weston-remote-access" — that is the literal string
# passed to pam_start() inside libweston (libweston/auth.c). Using "weston"
# instead silently falls back to the system default and rejects auth.
security.pam.services."weston-remote-access".text = ''
auth sufficient pam_permit.so auth sufficient pam_permit.so
account sufficient pam_permit.so account sufficient pam_permit.so
session sufficient pam_permit.so session sufficient pam_permit.so