When updating today I got new pam and pambase installed. These versions seem to break kwallet-pam's ability to autounlock the user's kdewallet during login.

`journalctl | grep -i wallet` seems to be mentioning "open_session called without kwallet5_key":

    juni 17 10:48:37 latentcall sddm[736]: kwalletd5: Checking for pam module
    juni 17 10:48:37 latentcall sddm[736]: kwalletd5: Got pam-login param
    juni 17 10:48:37 latentcall sddm[736]: kwalletd5: Waiting for hash on 7-
    juni 17 10:48:37 latentcall sddm[736]: kwalletd5: waitingForEnvironment on: 3
    juni 17 10:48:37 latentcall sddm[736]: kwalletd5: client connected
    juni 17 10:48:37 latentcall sddm[736]: kwalletd5: client disconnected
    juni 17 10:48:37 latentcall sddm-helper[717]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_close_session
    juni 17 10:48:37 latentcall sddm-helper[717]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
    juni 17 10:48:46 latentcall sddm-helper[385199]: pam_kwallet5(sddm:session): (null): pam_sm_open_session
    juni 17 10:48:46 latentcall sddm-helper[385199]: pam_kwallet5(sddm:session): pam_kwallet5: open_session called without kwallet5_key
    juni 17 10:48:46 latentcall plasma_session[385244]: org.kde.plasma.session: Starting autostart service "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/lib64/libexec/pam_kwallet_init")

If I downgrade pam and pambase to these versions:

    sys-libs/pam-1.3.1_p20200128-r1::gentoo [1.4.0-r1::gentoo]
    sys-auth/pambase-20200304::gentoo [20200616::gentoo]

then I get no such messages in journalctl, and autounlocking of kdewallet works again.

Reproducible: Always

Steps to Reproduce:
1. Update to sys-libs/1.4.0-r1 and sys-auth/pambase-2020616
2. Try logging into a Plasma session with kwallet-pam installed

Actual Results:
You have to type your login password twice.

Expected Results:
Automatic unlocking of kdewallet.
confirmed. hit same as well. pam is PITA to debug so I can't see where it's going wrong.

    char *password;
    result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);
    if (result != PAM_SUCCESS) {
        pam_syslog(pamh, LOG_INFO, "%s: open_session called without %s", logPrefix, kwalletPamDataKey);
        return PAM_SUCCESS;//We will wait for pam_sm_authenticate
    }

this is the last thing that fires according to syslog, and nothing happens further.
pambase does not seem relevant at all.
my .05:

I've patched locally kwallet-pam to also output error code, and it fails with:
PAM_NO_MODULE_DATA 18

That can only happen if in pam_get_data

    data = _pam_locate_data(pamh, module_data_name);
    if (data) {
        *datap = data->data;
        return PAM_SUCCESS;
    }

doesn't return data. (module_data_name is the second parameter)

I've also compiled pam and kwallet-pam with USE=debug and here are the relevant calls logged and compare what's the difference when it runs with pam-1.4 and 1.3

And what I found, that with pam-1.4 pam_sm_authenticate never got called, while with 1.3 it does. And it is important, as authenticate must set kwallet5_key.
I've opened an issue with linux-pam as at least at this moment it seems that something changed within a pam in how it parses the config: https://github.com/linux-pam/linux-pam/issues/243
As t8m says in his comment[1] at the github report, it seems like this stems from a misconfigured /etc/pam.d/sddm. Changing "auth include system-login" to "auth substack system-login" in /etc/pam.d/sddm seems to fix the issue.

[1] https://github.com/linux-pam/linux-pam/issues/243#issuecomment-645830380
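The include-to-substack change described in the comment above can be checked for mechanically. This is an added example, not code from sddm, kwallet-pam or Linux-PAM: it flags rules placed after an `include` of the same type, because pam.conf(5) documents that done and die actions inside an included file skip the rest of the complete module stack, while inside a `substack` they end only the substack. The sample file contents and the function names are assumptions.

```python
import re

# Constructed sample shaped like the /etc/pam.d/sddm case in this bug; the
# exact file contents are an assumption, not copied from the sddm package.
SAMPLE_SDDM = """\
#%PAM-1.0
auth      include   system-login
-auth     optional  pam_kwallet5.so
account   include   system-login
password  include   system-login
session   include   system-login
-session  optional  pam_kwallet5.so
"""

TYPES = {"auth", "account", "password", "session"}
# type (optional leading "-"), control (word or [value=action ...]), module/file
RULE = re.compile(r"^(-?(\w+)[ \t]+)(\[[^\]]*\]|\S+)([ \t]+(\S+))", re.M)

def modules_after_include(text):
    """Return (lineno, type, module, included_file) for every rule that sits
    after an `include` of the same type and so depends on how that file ends."""
    included, findings = {}, []
    for m in RULE.finditer(text):
        typ, control, target = m.group(2), m.group(3), m.group(5)
        if typ not in TYPES:
            continue  # not a PAM rule line
        lineno = text.count("\n", 0, m.start()) + 1
        if control == "include":
            included.setdefault(typ, target)
        elif typ in included:
            findings.append((lineno, typ, target, included[typ]))
    return findings

def use_substack(text):
    """Rewrite `include` to `substack` only for types that have trailing rules."""
    risky = {typ for _, typ, _, _ in modules_after_include(text)}

    def repl(m):
        if m.group(3) == "include" and m.group(2) in risky:
            return m.group(1) + "substack" + m.group(4)
        return m.group(0)

    return RULE.sub(repl, text)

if __name__ == "__main__":
    for lineno, typ, module, inc in modules_after_include(SAMPLE_SDDM):
        print(f"line {lineno}: {typ} {module} follows 'include {inc}'")
```

Run against a real /etc/pam.d file by passing its text to `modules_after_include`; a finding means the trailing module only runs if the included file never ends the stack early.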
Redirected sddm's upstream. Their pam stack has too many flaws to co-exist with modern pam.
*** Bug 728648 has been marked as a duplicate of this bug. ***
can confirm as well that using
> auth substack system-login
in /etc/pam.d/sddm fixes kwallet unlocking.

and it seems to be working fine with older pam/pambase as well.
Created attachment 645194
0001-x11-misc-sddm-revbump-fix-kwallet-with-pam-1.4.patch

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e94bdab2ff16b741bb215ebc0c522bb0b8a84742 is unfortunate
attached revbump patch, with sed fix to pam file, as the fix is trivial.
If this bug is going to be about sddm instead of kwallet specifically, it would be nice if the title changed to reflect that. I was wondering why sddm was blocking the latest pam, and had to take a winding path to find this bug.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc12cf7f28f79caafd79b95919f3c1aa6f1cdf11

commit fc12cf7f28f79caafd79b95919f3c1aa6f1cdf11
Author: Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2020-06-20 15:41:55 +0000
Commit: Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2020-06-20 15:42:15 +0000

    x11-misc/sddm: fix pam-1.4 compat

    Closes: https://bugs.gentoo.org/728550
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

 x11-misc/sddm/files/pam-1.4-substack.patch | 49 +++++++++++++
 x11-misc/sddm/sddm-0.18.1-r2.ebuild | 109 +++++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)
Just wanted to leave a note that this was not limited to sddm or kwallet. I use xdm, gnome-keyring-daemon, and pam_ssh and had the same problem with both pam addons. The same change to substack fixed me too.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/qt.git/commit/?id=874d04dd36d01a9bb6f07d2bad6427c7b6883cbb

commit 874d04dd36d01a9bb6f07d2bad6427c7b6883cbb
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-02-04 11:22:59 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-02-04 12:56:46 +0000

    x11-misc/sddm: Adapt to upstream changes for 0.20.0 release prep

    - Set QTMIN to 5.15.2
    - Switch SDDM configuration to /etc/sddm.conf.d/
    - New Gentoo defaults file: 01gentoo.conf
    - For IUSE="elogind", fix path to /bin/loginctl
    - Don't look for pam_systemd.so by default
    - Respin pam-1.4 substack patch, dropping upstreamed changes
    - Respin *-respect-user-flags.patch for minimal context

    See also: https://github.com/gentoo/gentoo/pull/18935
    See also: https://github.com/gentoo/gentoo/pull/25853
    Bug: https://bugs.gentoo.org/669980
    Bug: https://bugs.gentoo.org/728550
    Bug: https://bugs.gentoo.org/790713
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 x11-misc/sddm/files/pam-1.4-substack.patch | 31 ---------
 .../files/sddm-0.18.1-respect-user-flags.patch | 25 --------
 .../sddm-0.20.0-disable-etc-debian-check.patch | 26 ++++++++
 ...sddm-0.20.0-no-default-pam_systemd-module.patch | 43 +++++++++++++
 .../files/sddm-0.20.0-respect-user-flags.patch | 11 ++++
 .../files/sddm-0.20.0-sddm.pam-use-substack.patch | 37 +++++++++++
 x11-misc/sddm/sddm-9999.ebuild | 74 ++++++++++++++--------
 7 files changed, 166 insertions(+), 81 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6005bae9a3c36693a31521851a53fcd0aa2b443f

commit 6005bae9a3c36693a31521851a53fcd0aa2b443f
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-06-18 18:30:04 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-06-18 18:51:40 +0000

    x11-misc/sddm: Add 0.19.0_p20230608 snapshot w/o KEYWORDS

    Short summary of changes:
    - Drop IUSE pam, require elogind or systemd
    - Drop obsolete default settings (now upstream defaults)
    - Change RUNTIME_DIR path to "/run/sddm"
    - Use upstream sddm-tmpfiles.conf
    - Update dependencies
    - Drop x11-base/xorg-server RDEPEND (only ensured xdm init script in past)
    - Switch SDDM configuration to /etc/sddm.conf.d/
    - Don't look for pam_systemd.so by default

    Bug: https://bugs.gentoo.org/669980
    Bug: https://bugs.gentoo.org/728550
    Bug: https://bugs.gentoo.org/790713
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 x11-misc/sddm/Manifest | 1 +
 .../sddm-0.20.0-disable-etc-debian-check.patch | 26 ++++
 ...sddm-0.20.0-no-default-pam_systemd-module.patch | 43 +++++++
 .../files/sddm-0.20.0-respect-user-flags.patch | 11 ++
 .../files/sddm-0.20.0-sddm.pam-use-substack.patch | 37 ++++++
 x11-misc/sddm/sddm-0.19.0_p20230608.ebuild | 137 +++++++++++++++++++++
 6 files changed, 255 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94c6fa3154bbae2d4a906d9ee4f105fc62320702

commit 94c6fa3154bbae2d4a906d9ee4f105fc62320702
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-06-26 15:51:27 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-06-27 11:25:40 +0000

    x11-misc/sddm: add 0.20.0

    See also: https://github.com/sddm/sddm/releases/tag/v0.20.0

    This is adding back RDEPEND=x11-base/xorg-server for two reasons:
    - X11 is the default DisplayServer, with all other options EXPERIMENTAL
    - every other distro still depends on it, probably for that reason

    Closes: https://bugs.gentoo.org/669980
    Bug: https://bugs.gentoo.org/728550
    Closes: https://bugs.gentoo.org/790713
    Closes: https://bugs.gentoo.org/907069
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 x11-misc/sddm/Manifest | 1 +
 .../sddm-0.20.0-fix-use-development-sessions.patch | 83 +++++++++++++
 x11-misc/sddm/sddm-0.20.0.ebuild | 132 +++++++++++++++++++++
 3 files changed, 216 insertions(+)