systemd: Add overlay for systemd to change token prompts type

vunnyso · vunnyso · commit 9325ff4875e8 · 2026-01-28T13:09:09.000+02:00
Use PAM_TEXT_INFO for security token prompts in systemd-homed.

The prompts for security token interaction were previously sent as
error messages. This commit changes them to informational messages.

Additionally, the unused patch for a soft-lock in cosmic-greeter
has been removed.

Signed-off-by: Vunny Sodhi &lt;vunny.sodhi@unikie.com&gt;
diff --git a/REUSE.toml b/REUSE.toml
@@ -34,10 +34,10 @@ path = [
   "overlays/custom-packages/cosmic/cosmic-greeter/0001-Replace-fallback-background-with-Ghaf-default.patch",
   "overlays/custom-packages/cosmic/cosmic-applets/*.patch",
   "overlays/custom-packages/system76-scheduler/0001-fix-add-missing-loop-in-process-scheduler-refresh-ta.patch",
-  "overlays/custom-packages/cosmic/cosmic-greeter/0001-Fix-softlock.patch",
   "overlays/custom-packages/cosmic/cosmic-greeter/0002-fix-username-handle-empty-usernames.patch",
   "modules/secureboot/keys/*",
-  "modules/hardware/passthrough/pci-acs-override/0001-pci-add-pcie_acs_override-for-pci-passthrough.patch"
+  "modules/hardware/passthrough/pci-acs-override/0001-pci-add-pcie_acs_override-for-pci-passthrough.patch",
+  "overlays/custom-packages/systemd/0001-pam_systemd_home-Use-PAM_TEXT_INFO-for-token-prompts.patch"
 ]
 
 [[annotations]]
diff --git a/overlays/custom-packages/cosmic/cosmic-greeter/0001-Fix-softlock.patch b/overlays/custom-packages/cosmic/cosmic-greeter/0001-Fix-softlock.patch
diff --git a/overlays/custom-packages/default.nix b/overlays/custom-packages/default.nix
@@ -20,6 +20,7 @@
   osquery-with-hostname = import ./osquery-with-hostname { inherit prev; };
   papirus-icon-theme = import ./papirus-icon-theme { inherit prev; };
   qemu_kvm = import ./qemu { inherit final prev; };
+  systemd = import ./systemd { inherit prev; };
   tpm2-pkcs11 = import ./tpm2-pkcs11 { inherit prev; };
   tpm2-tools = import ./tpm2-tools { inherit prev; };
   xdg-desktop-portal-cosmic = import ./cosmic/xdg-desktop-portal-cosmic { inherit prev; };
diff --git a/overlays/custom-packages/systemd/0001-pam_systemd_home-Use-PAM_TEXT_INFO-for-token-prompts.patch b/overlays/custom-packages/systemd/0001-pam_systemd_home-Use-PAM_TEXT_INFO-for-token-prompts.patch
@@ -0,0 +1,52 @@
+From cb64146ec7de1bec4079c53895e8e38a59b131b3 Mon Sep 17 00:00:00 2001
+From: Vunny Sodhi <vunny.sodhi@unikie.com>
+Date: Wed, 21 Jan 2026 13:21:25 +0200
+Subject: [PATCH] pam_systemd_home: Use PAM_TEXT_INFO for token prompts
+
+The prompts asking the user to physically authenticate
+or confirm presence on a security token are informational
+requests for action, not error conditions.
+
+This commit changes the message type to PAM_TEXT_INFO,
+which is more appropriate for guiding the user through
+the authentication process.
+
+Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
+---
+ src/home/pam_systemd_home.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
+index 78cd06b8e8..a56af7838f 100644
+--- a/src/home/pam_systemd_home.c
++++ b/src/home/pam_systemd_home.c
+@@ -438,7 +438,7 @@ static int handle_generic_user_record_error(
+ 
+                 assert(secret);
+ 
+-                (void) pam_prompt_graceful(handle, PAM_ERROR_MSG, NULL, _("Please authenticate physically on security token of user %s."), user_name);
++                (void) pam_prompt_graceful(handle, PAM_TEXT_INFO, NULL, _("Please authenticate physically on security token of user %s."), user_name);
+ 
+                 r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true);
+                 if (r < 0)
+@@ -449,7 +449,7 @@ static int handle_generic_user_record_error(
+ 
+                 assert(secret);
+ 
+-                (void) pam_prompt_graceful(handle, PAM_ERROR_MSG, NULL, _("Please confirm presence on security token of user %s."), user_name);
++                (void) pam_prompt_graceful(handle, PAM_TEXT_INFO, NULL, _("Please confirm presence on security token of user %s."), user_name);
+ 
+                 r = user_record_set_fido2_user_presence_permitted(secret, true);
+                 if (r < 0)
+@@ -460,7 +460,7 @@ static int handle_generic_user_record_error(
+ 
+                 assert(secret);
+ 
+-                (void) pam_prompt_graceful(handle, PAM_ERROR_MSG, NULL, _("Please verify user on security token of user %s."), user_name);
++                (void) pam_prompt_graceful(handle, PAM_TEXT_INFO, NULL, _("Please verify user on security token of user %s."), user_name);
+ 
+                 r = user_record_set_fido2_user_verification_permitted(secret, true);
+                 if (r < 0)
+-- 
+2.52.0
+
diff --git a/overlays/custom-packages/systemd/default.nix b/overlays/custom-packages/systemd/default.nix
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{ prev }:
+prev.systemd.overrideAttrs (oldAttrs: {
+  patches = oldAttrs.patches ++ [
+    ./0001-pam_systemd_home-Use-PAM_TEXT_INFO-for-token-prompts.patch
+  ];
+})
