Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728550 - sys-libs/pam-1.4.0-r1 breaks kde-plasma/kwallet-pam-5.19.1 auto unlock of wallet during login
Summary: sys-libs/pam-1.4.0-r1 breaks kde-plasma/kwallet-pam-5.19.1 auto unlock of wal...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo KDE team
: 728648 (view as bug list)
Depends on:
Reported: 2020-06-17 09:53 UTC by Mads
Modified: 2020-10-15 20:05 UTC (History)
16 users (show)

See Also:
Package list:
Runtime testing required: ---

0001-x11-misc-sddm-revbump-fix-kwallet-with-pam-1.4.patch (0001-x11-misc-sddm-revbump-fix-kwallet-with-pam-1.4.patch,4.02 KB, patch)
2020-06-19 02:47 UTC, Georgy Yakovlev
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mads 2020-06-17 09:53:17 UTC
When updating today I got new pam and pambase installed. These versions seems to break kwallet-pam's ability to autounlock the users kdewallet during login.

`journalctl | grep -i wallet´ seems to be mentioning "open_session called without kwallet5_key"

juni 17 10:48:37 latentcall sddm[736]: kwalletd5: Checking for pam module
juni 17 10:48:37 latentcall sddm[736]: kwalletd5: Got pam-login param
juni 17 10:48:37 latentcall sddm[736]: kwalletd5: Waiting for hash on 7-
juni 17 10:48:37 latentcall sddm[736]: kwalletd5: waitingForEnvironment on: 3
juni 17 10:48:37 latentcall sddm[736]: kwalletd5: client connected
juni 17 10:48:37 latentcall sddm[736]: kwalletd5: client disconnected
juni 17 10:48:37 latentcall sddm-helper[717]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_close_session
juni 17 10:48:37 latentcall sddm-helper[717]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
juni 17 10:48:46 latentcall sddm-helper[385199]: pam_kwallet5(sddm:session): (null): pam_sm_open_session
juni 17 10:48:46 latentcall sddm-helper[385199]: pam_kwallet5(sddm:session): pam_kwallet5: open_session called without kwallet5_key
juni 17 10:48:46 latentcall plasma_session[385244]: org.kde.plasma.session: Starting autostart service  "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/lib64/libexec/pam_kwallet_init")

If I downgrade pam and pambase to these versions:

sys-libs/pam-1.3.1_p20200128-r1::gentoo [1.4.0-r1::gentoo] 
sys-auth/pambase-20200304::gentoo [20200616::gentoo]

then I get no such messages in journalctl, and autounlocking of kdewallet works again.

Reproducible: Always

Steps to Reproduce:
1. Update to sys-libs/1.4.0-r1 and sys-auth/pambase-2020616
2. Try logging into a Plasma session with kwallet-pam installed
Actual Results:  
You have to type your login password twice.

Expected Results:  
Automatic unlocking of kdewallet.

$ emerge --info
Portage 2.3.101 (python 3.7.7-final-0, default/linux/amd64/17.1/systemd, gcc-10.1.0, glibc-2.31-r5, 5.7.2-gentoo x86_64)
System uname: Linux-5.7.2-gentoo-x86_64-Intel-R-_Core-TM-_i9-8950HK_CPU_@_2.90GHz-with-gentoo-2.7
KiB Mem:    32687448 total,  29103204 free
KiB Swap:    1048572 total,   1048572 free
Timestamp of repository gentoo: Wed, 17 Jun 2020 07:05:24 +0000
Head commit of repository gentoo: fec04efb06d26abd4aa7c4c8a3df445606f0341e

sh bash 5.0_p17
ld GNU ld (Gentoo 2.34 p4) 2.34.0
app-shells/bash:          5.0_p17::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.30.3-r1::gentoo
dev-lang/python:          2.7.18::gentoo, 3.7.7-r2::gentoo, 3.9.0_beta3::gentoo
dev-util/cmake:           3.17.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/sandbox:         2.20::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.15.1-r2::gentoo, 1.16.2::gentoo
sys-devel/binutils:       2.34-r1::gentoo
sys-devel/gcc:            7.5.0-r1::gentoo, 10.1.0-r1::gentoo
sys-devel/gcc-config:     2.3::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.7::gentoo (virtual/os-headers)
sys-libs/glibc:           2.31-r5::gentoo

    location: /var/db/repos/gentoo
    sync-type: git
    priority: -1000

    location: /var/db/repos/local
    masters: gentoo
    priority: 10

    location: /var/lib/layman/fol4
    sync-type: laymansync
    masters: gentoo
    priority: 50

    location: /var/lib/layman/raiagent
    sync-type: laymansync
    masters: gentoo
    priority: 50

    location: /var/lib/layman/steam-overlay
    sync-type: laymansync
    masters: gentoo
    priority: 50

    location: /var/lib/layman/vampire
    sync-type: laymansync
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE Oracle-BCLA-JavaSE AdobeFlash-11.x google-chrome PUEL grass-ipafonts pmd TeamViewer teamspeak3 FraunhoferFDK ValveSteamLicense android kyocera-mita-ppds bh-luxi Skype-TOS NVIDIA-r2 linux-fw-redistributable no-source-code unRAR BitstreamCyberbit intel-ucode FortiClientSSLVPN MSttfEULA GPL free-noncomm MS-PL Apache2.0 mpeg2enc MPEG-4 Spotify all-rights-reserved"
CFLAGS="-O2 -march=native -fno-stack-protector"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.6/conf"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -fno-stack-protector"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
INSTALL_MASK="     /usr/share/bash-completion     /etc/runlevels     /etc/conf.d     /etc/init.d     "
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
USE="X aac acl aes alsa amd64 apng avx avx2 bluetooth branding bzip2 cairo caps cli crypt cups dbus declarative designer dolphin dri dri3 exif f16c ffmpeg flac fma3 fortran gif gold hidpi hvm iconv icu idn introspection ipv6 jpeg kde libglvnd libinput libnotify libtirpc lto lzma mmx mmxext mp3 multilib ncurses net35 net40 net45 networkmanager nls nptl ogg opengl openmp pam pclmul pcre png policykit popcnt pulseaudio qt5 readline samba sdl seccomp split-usr sse sse2 sse3 sse4 sse4_1 sse4_2 ssl ssse3 svg systemd threads tiff touchpad truetype udev unicode usb user-session vaapi vdpau vorbis vulkan wayland xattr xcb xcomposite xinerama xkb xml xv xvmc zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en en_US" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="BPF X86" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python3_7" RUBY_TARGETS="ruby27" USERLAND="GNU" VIDEO_CARDS="intel i965 nvidia modesetting iris" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Comment 1 Georgy Yakovlev gentoo-dev 2020-06-17 11:03:55 UTC
confirmed. hit same as well.
pam is PITA to debug so I can't see where it's going wrong.

    char *password;
    result = pam_get_data(pamh, kwalletPamDataKey, (const void **)&password);

    if (result != PAM_SUCCESS) {
        pam_syslog(pamh, LOG_INFO, "%s: open_session called without %s", logPrefix, kwalletPamDataKey);
        return PAM_SUCCESS;//We will wait for pam_sm_authenticate

this is the last thing fires according to syslog, and nothing happens further.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 19:17:00 UTC
pambase does not seem relecant at all.
Comment 3 Vladimir Smirnov 2020-06-17 22:08:35 UTC
my .05:

I've patched locally kwallet-pam to also output error code, and it fails with:

That can only happen if in pam_get_data

    data = _pam_locate_data(pamh, module_data_name);
    if (data) {
        *datap = data->data;
        return PAM_SUCCESS;

doesn't return data. (module_data_name is the second parameter

I've also compiled pam and kwallet-pam with USE=debug and here are the relevant calls logged and compare what's the difference when it runs with pam-1.4 and 1.3

And what I found, that with pam-1.4 pam_sm_authenticate never got called, while with 1.3 it does.

And it is important, as authenticate must set kwallet5_key.
Comment 4 Vladimir Smirnov 2020-06-17 22:27:57 UTC
I've opened an issue with linux-pam as at least at this moment it seems that something changed within a pam in how it parses the config:
Comment 5 Mads 2020-06-18 07:30:45 UTC
As t8m says in his comment[1] at the github report, it seems like this stems from a misconfigured /etc/pam.d/sddm. Changing "auth include system-login" to "auth substack system-login" in /etc/pam.d/sddm seems to fix the issue.

Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 16:25:27 UTC
Redirected sddm's upstream.
Their pam stack has too many flaws to co-exist with modern pam.
Comment 7 Sam James archtester gentoo-dev Security 2020-06-18 19:40:56 UTC
*** Bug 728648 has been marked as a duplicate of this bug. ***
Comment 8 Georgy Yakovlev gentoo-dev 2020-06-18 22:52:26 UTC
can confirm as well that using

> auth            substack        system-login

in /etc/pam.d/sddm

fixes kwallet unlocking.
and it seems to be working fine with older pam/pambase as well.
Comment 9 Georgy Yakovlev gentoo-dev 2020-06-19 02:47:04 UTC
Created attachment 645194 [details, diff]

is unfortunate

attached revbump patch, with sed fix to pam file, as the fix is trivial.
Comment 10 rnddim 2020-06-20 14:27:02 UTC
If this bug is going to be about sddm instead of kwallet specifically, it would be nice if the title changed to reflect that. I was wondering why sddm was blocking the latest pam, and had to take a winding path to find this bug.
Comment 11 Larry the Git Cow gentoo-dev 2020-06-20 15:42:20 UTC
The bug has been closed via the following commit(s):

commit fc12cf7f28f79caafd79b95919f3c1aa6f1cdf11
Author:     Mikle Kolyada <>
AuthorDate: 2020-06-20 15:41:55 +0000
Commit:     Mikle Kolyada <>
CommitDate: 2020-06-20 15:42:15 +0000

    x11-misc/sddm: fix pam-1.4 compat
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Mikle Kolyada <>

 x11-misc/sddm/files/pam-1.4-substack.patch |  49 +++++++++++++
 x11-misc/sddm/sddm-0.18.1-r2.ebuild        | 109 +++++++++++++++++++++++++++++
 2 files changed, 158 insertions(+)
Comment 12 Kevin Korb 2020-10-15 20:05:14 UTC
Just wanted to leave a note that this was not limited to sddm or kwallet.  I use xdm, gnome-keyring-daemon, and pam_ssh and had the same problem with both pam addons.  The same change to substack fixed me too.