Created attachment 919594 [details] emerge --info sys-libs/pam sys-auth/pambase mate-extra/mate-screensaver MATE screensaver fails to unlock my session when providing my correct password. From syslog "facility" lever `auth`, the following message appear: ``` [date & host REDACTED] unix_chkpwd[1565]: check pass; user unknown [date & host REDACTED] unix_chkpwd[1571]: check pass; user unknown [date & host REDACTED] unix_chkpwd[1571]: password check failed for user (thican) [date & host REDACTED] mate-screensaver-dialog[1545]: pam_unix(mate-screensaver:auth): authentication failure; logname=thican uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=thican [date & host REDACTED] unix_chkpwd[1575]: check pass; user unknown [date & host REDACTED] mate-screensaver-dialog[1545]: pam_unix(mate-screensaver:auth): conversation failed [date & host REDACTED] mate-screensaver-dialog[1545]: pam_unix(mate-screensaver:auth): auth could not identify password for [thican] ``` I didn’t change nor update recently my PAM configuration. Here the content of /etc/pam.d/mate-screensaver, unchanged. ``` #%PAM-1.0 # Fedora Core auth include system-auth auth optional pam_gnome_keyring.so account include system-auth password include system-auth session include system-auth # SuSE/Novell #auth include common-auth #auth optional pam_gnome_keyring.so #account include common-account #password include common-password #session include common-session ``` I tried with and without pam_gnome_keyring.so line. Also file /etc/pam.d/system-auth, unchanged too. ``` auth required pam_env.so auth requisite pam_faillock.so preauth auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail auth optional pam_cap.so account required pam_unix.so account required pam_faillock.so password required pam_passwdqc.so config=/etc/security/passwdqc.conf password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow session required pam_limits.so session required pam_env.so session required pam_unix.so ``` I don’t have issue when connecting through TTY, as my main way to authenticate, no idea then if MATE screensaver is only concerned in this issue.
I changed the title, I noticed this issue also with KDE screensaver.
Just for records, thanks to KDE, a better solution if using elogind is to unlock the session instead of relying on a "unforeseen" maneuver such as killing the screen locker process. KDE actually still protects user’s session with a black screen and a message how to recover. ``` loginctl unlock-session <SESSION> ``` Get your list of sessions with `loginctl list-sessions` as your user.
After sys-libs/pam update with version 1.7.0_p20241230-r3, I can’t reproduce this issue. Still curious why it happened in previous version 1.6.1, mostly if this issue has been genuinely fixed so it won’t reproduce later.
Created attachment 919801 [details] emerge --info sys-libs/pam, with version 1.7.0_p20241230-r3 New `emerge --info sys-libs/pam` Maybe the new elogind USE flag support has fixed it?
I'll have to assume local config issue that was overwritten by pam version bump, or broken running session happening during update of toolkit (fixed by reboot), since there was no other reported issue of that kind (at least speaking as KDE proj). Otherwise, there's bug 681334, not sure how far that ever got.
(In reply to Andreas Sturmlechner from comment #5) > I'll have to assume local config issue that was overwritten by pam version > bump, or broken running session happening during update of toolkit (fixed by > reboot)[…]. Which local config files are you referencing to? Under /etc/pam.d/? Those are not concerned by sys-libs/pam: ``` # same package list than `qfile /etc/pam.d/* | cut -d ':' -f 1 - | sort -u` % qfile /etc/pam.d/ kde-plasma/kscreenlocker: /etc/pam.d mate-extra/mate-screensaver: /etc/pam.d net-misc/dropbear: /etc/pam.d net-misc/openssh: /etc/pam.d net-print/cups: /etc/pam.d sys-apps/kbd: /etc/pam.d sys-apps/openrc: /etc/pam.d sys-apps/shadow: /etc/pam.d sys-apps/util-linux: /etc/pam.d sys-auth/pambase: /etc/pam.d sys-auth/polkit: /etc/pam.d sys-process/fcron: /etc/pam.d ``` And obviously, no it was not an issue "fix by reboot" because this happened for a few days. Based on auth.log, the first entry about `unix_chkpwd[<PID>]: check pass; user unknown` was this February 15th, and few hours later, I see the error concerning MATE’s screensaver: ``` unix_chkpwd[31915]: check pass; user unknown unix_chkpwd[31915]: password check failed for user (thican) mate-screensaver-dialog[31892]: pam_unix(mate-screensaver:auth): authentication failure; logname=thican uid=1000 euid=1000 tty=:0 ruser= rhost= user=thican unix_chkpwd[31917]: check pass; user unknown ``` And when I also tested with KDE’s: ``` unix_chkpwd[2817]: check pass; user unknown unix_chkpwd[2817]: password check failed for user (thican) kscreenlocker_greet[2786]: pam_unix(kde:auth): authentication failure; logname=thican uid=1000 euid=1000 tty= ruser= rhost= user=thican ``` Here the related emerge logs about those packages, and for pam below. As you might notice, I retried yesterday with previous sys-apps/util-linux and sys-libs/pam to see if I can reproduce. ``` % qlop --verbose --date '3 month ago' $(qfile /etc/pam.d/ | cut -d ':' -f 1 -) 2024-12-04T21:39:00 >>> kde-plasma/kscreenlocker-6.2.4: 2′02″ 2024-12-05T20:17:01 >>> sys-apps/openrc-0.55.1: 30s 2024-12-24T10:31:16 >>> sys-auth/polkit-123-r1: 14s 2024-12-24T10:35:05 >>> sys-auth/polkit-123-r1: 14s 2024-12-27T18:37:05 >>> kde-plasma/kscreenlocker-6.2.4: 18′17″ 2025-01-22T18:24:03 >>> sys-apps/kbd-2.7.1: 20s 2025-01-26T17:02:04 >>> kde-plasma/kscreenlocker-6.2.5: 8′09″ 2025-01-30T18:56:12 >>> net-misc/openssh-9.9_p1: 1′00″ 2025-02-01T20:34:40 >>> net-misc/dropbear-2024.86-r1: 42s 2025-02-19T04:36:48 >>> net-misc/openssh-9.9_p2: 55s 2025-02-21T18:33:49 >>> kde-plasma/kscreenlocker-6.2.5: 18′28″ 2025-02-23T20:58:06 >>> sys-apps/util-linux-2.40.4: 1′25″ 2025-02-26T00:14:37 >>> sys-apps/util-linux-2.40.2: 1′25″ % qlop --verbose sys-libs/pam | tail -n 3 - 2024-07-17T12:51:50 >>> sys-libs/pam-1.6.1: 1′18″ 2025-02-23T20:57:36 >>> sys-libs/pam-1.7.0_p20241230-r3: 30s 2025-02-25T23:21:00 >>> sys-libs/pam-1.6.1: 1′25″ ``` I am unable to reproduce, unfortunately for me, and I don’t see which file might have been fixed recently. The last entry about unix_chkpwd and its error was February 22nd, I don’t see any update fixing this issue except sys-libs/pam-1.7.0_p20241230-r3 February 23rd.
