pam-gnupg fails with SDDM (but works for term login)
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
pam-gnupg fails with SDDM (but works for term login)
I am trying to get pam-gnupg working with SDDM. This is for use with
password-store. I've followed the instructions on the pam-gnupg page.
The setup works fine for logging in on runlevel 3/login, but fails on runlevel 4/sddm.
I've added the following two lines to both /etc/pam.d/login and /etc/pam.d/sddm:
With a disclaimer like that, I'm not about to build and test this pam module. A couple pointers after reading over the README.md though:
Quote:
configure takes an option --with-moduledir to set the installation path of the PAM module. It defaults to /lib/security, but your distribution might use a different path.
Slackware 64 uses /lib64/security for all the pam modules, I dont know how you built but just making sure its noticed.
Quote:
sddm-helper: gkr-pam: couldn't unlock the login keyring.
This is just the gnome-keyring module. It shouldn't have anything to do with this new module.
Quote:
Debug output
Both the auth and the session module take a debug option to enable some basic debug logging to syslog / journal.
Lots of pam modules do this. Turning on 'debug' will probably get the module to report in the log what is going on. Then you will at least know where to look next. Try something like:
With a disclaimer like that, I'm not about to build and test this pam module. A couple pointers after reading over the README.md though:
Right now this is all being done in a clean install QEMU VM. Production use will be limited and offline, but the warning is noted.
Quote:
Originally Posted by 0XBF
Slackware 64 uses /lib64/security for all the pam modules, I dont know how you built but just making sure its noticed.
Built from SBo. The script passes the correct module directory.
Quote:
Originally Posted by 0XBF
Lots of pam modules do this. Turning on 'debug' will probably get the module to report in the log what is going on. Then you will at least know where to look next.
Well...that's interesting. Turning on debug resulted in this output in /var/log/secure (nothing relevant in syslog):
Code:
Jun 3 11:27:43 darkstar sddm-helper: pam_gnupg(sddm:auth): stored passphrase
Jun 3 11:27:43 darkstar sddm-helper: pam_gnupg(sddm:setcred): store-only set, skipping
Jun 3 11:27:43 darkstar sddm-helper: pam_gnupg(sddm:session): presetting passphrase succeeded, cleaning up
Jun 3 11:27:43 darkstar sddm-helper: pam_gnupg(sddm:setcred): store-only set, skipping
This seems to indicate it's working (with my weak pam-fu), although I still need to use my passphrase to unlock 'pass'. Logging in on run level three does not require that. Also, logging in using runlevel three results in NO entries in /var/log/secure for pam-gnupg...it just works. Something's off here.
This seems to indicate it's working (with my weak pam-fu), although I still need to use my passphrase to unlock 'pass'. Logging in on run level three does not require that. Also, logging in using runlevel three results in NO entries in /var/log/secure for pam-gnupg...it just works. Something's off here.
Did you also add 'debug' to the same pam_gnupg.so lines in /etc/pam.d/login ?
They should provide similar debug output if they are both set up with debug, and that might give a useful comparison.
Also, did you make sure that the session line comes after pam_elogind.so in the pam configs? They mention it must come after pam_systemd, which would equate to the elogind module.
One other thing, you are not trying this with sddm-autologin, correct? The readme states that it will not work that way, and needs a typed password to utilize.
Did you also add 'debug' to the same pam_gnupg.so lines in /etc/pam.d/login ?
They should provide similar debug output if they are both set up with debug, and that might give a useful comparison.
Yes - I have now. If I login on runlevel 3 I get almost the exact same log entries (but 'pass' works without a passphrase):
Code:
Jun 3 12:52:36 darkstar login: pam_gnupg(login:auth): stored passphrase
Jun 3 12:52:36 darkstar login: pam_gnupg(login:setcred): store-only set, skipping
Jun 3 12:52:36 darkstar login: pam_gnupg(login:session): presetting passphrase succeeded, cleaning up
Jun 3 12:52:36 darkstar login: pam_gnupg(login:setcred): store-only set, skipping
Quote:
Originally Posted by 0XBF
Also, did you make sure that the session line comes after pam_elogind.so in the pam configs? They mention it must come after pam_systemd, which would equate to the elogind module.
The lines for pam-gnupg are added at the very end of each file. But that's good to know...I ignored that part of the readme, not making the connection between systemd and elogind.
Quote:
Originally Posted by 0XBF
One other thing, you are not trying this with sddm-autologin, correct? The readme states that it will not work that way, and needs a typed password to utilize.
No. The modules are loaded in /etc/pam.d/sddm (not -autologin or -greeter).
Contents of /etc/pam.d/sddm:
Code:
#%PAM-1.0
auth substack system-auth
# Uncomment this line to restrict login to users with a UID greater
# than 999 (in other words, don't allow login for root):
#auth required pam_succeed_if.so uid >= 1000 quiet
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
auth include postlogin
account include system-auth
password substack system-auth
-password optional pam_gnome_keyring.so use_authtok
-password optional pam_kwallet5.so use_authtok
session optional pam_keyinit.so force revoke
session substack system-auth
session required pam_loginuid.so
-session optional pam_ck_connector.so nox11
-session optional pam_elogind.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
session include postlogin
auth optional pam_gnupg.so store-only debug
session optional pam_gnupg.so debug
And thanks again.
Last edited by SpacePlod; 06-03-2022 at 12:05 PM.
Reason: clarify debug added to pam login after it was suggested.
I had a VM I was setting up over the last few days, so I tried that pam-gnupg package on it with password-store. I can confirm that it doesnt work in 'sddm' or 'xdm', just the 'login' method of authentication. With the suggested config, the messages are exactly the same. The only difference is that with sddm or xdm, I see polkit starting an authentication agent right after in /var/log/secure, where that doesnt happen for a tty login. I dont know if its related or not.
I also tried without the 'store-only' option set in the xdm or sddm configuration for pam, which does report the errors:
Code:
pam_gnupg_helper: child terminated with exit code 1
pam_gnupg(xdm:setcred): helper terminated with exit code 1
pam_gnupg(xdm:setcred): presetting failed, retaining passphrase
I couldn't get it to work otherwise so I dont think I'll be much more help here. Heading out of town in a couple hours anyway, so I wont be able to keep troubleshooting on this. Good luck.
...
I couldn't get it to work otherwise so I dont think I'll be much more help here. Heading out of town in a couple hours anyway, so I wont be able to keep troubleshooting on this. Good luck.
Thanks. At least I know it's not just me. I'll keep at it for awhile. You've been an immense help and I appreciate your time. Safe travels.
Any chance you were using xfce to test pam-gnupg in runlevel 4?
I was running xfce from sddm when I was testing pam-gnupg last time. When I start xfce from sddm, the gpg-agent is not started. I'm guessing that in this case then the password doesnt get handed off from pam to anything, so invoking 'pass' the first time in an xfce session brings up the dialog box to unlock it.
I tested the same /etc/pam.d/sddm config for Plasma (X11) today. When starting plasma, the gpg-agent starts properly, the password is handed off, and invoking pass has it properly unlocked. You can see that gpg-agent is one of the first processes started at login:
This is the same behaviour as when logging in at a tty in runlevel 3 via the /etc/pam.d/login config.
So it would seem that pam-gnupg works when started from /etc/pam.d/sddm when using plasma, but not when xfce is selected. Not really sure why that would be the case however.
Any chance you were using xfce to test pam-gnupg in runlevel 4?
Yes. That is exactly correct. For kicks, I just switched to blackbox. It worked there as well. And WindowMaker.
Quote:
Originally Posted by 0XBF
So it would seem that pam-gnupg works when started from /etc/pam.d/sddm when using plasma, but not when xfce is selected. Not really sure why that would be the case however.
The issue thus far seems to be with XFCE. I'm going to install i3 tomorrow and give that a shot (it's what will be running on the production box).
I appreciate the testing. This gives me a lead to follow at least. Thanks.
I managed to find out what is going on with xfce4; it starts its own gpg-agent, which seems to replace the one started by pam-gnupg as soon as xfce4 starts. See this link for reference: https://docs.xfce.org/xfce/xfce4-ses...and_gpg_agents
What I did to fix it was start an xfce4 session. Then in a terminal run the following to disable xfce4 from starting its own gpg-agent:
I managed to find out what is going on with xfce4; it starts its own gpg-agent, which seems to replace the one started by pam-gnupg as soon as xfce4 starts. See this link for reference: https://docs.xfce.org/xfce/xfce4-ses...and_gpg_agents
That is interesting (and it worked on my VM with XFCE - i3 is still a no go). I wonder why runlevel 3 works correctly with pam-gnupg/XFCE but not runlevel 4.
I'm going to try something like keychain on i3 to see if that works.
I wonder why runlevel 3 works correctly with pam-gnupg/XFCE but not runlevel 4.
It doesnt work in xfce4 started from runlevel 3 in my VM. Its only unlocked after login, up to the point where you start xfce4.
What I see is immediately after login on a tty, the gpg-agent is started and all is good. However, as soon as you run 'startx' to start the xfce4 session, xfce4's gpg-agent is started, and the original one started from pam-gnupg is stopped. Using 'pass' immediately after the xfce4 session starts will popup with the gpg2 dialog box to unlock it, since its not the same agent that was unlocked from pam. This is what made me suspect xfce4 starts its own agent in the first place and got me looking into that documentation about it.
Just to summarize, login at a tty in runlevel 3, then immediately run 'pgrep -au <your user name>', you should see gpg-agent in the first few processes with a line like:
This is the gpg-agent started and unlocked with pam.
Then after starting xfce4, run 'pgrep -au <your user name>' again. There will be a lot more processes now, but that initial gpg-agent will be gone, and another one with a higher pid is in the processes started when xfce4 starts up, shortly after xfce4-session. This one is not unlocked, so it will popup with a dialog box. After making that fix, the original gpg-agent remains the xfce4 started agent no longer replaces it.
You might be able to check i3 with a similar method, starting it from runlevel3
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.