pam is configured so that if pam_unix succeeds, pam_systemd_home will be skipped:

auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_systemd_home.so

Since Gentoo configures nsswitch.conf to use systemd's shadow and user services, pam_unix can authenticate successfully for homed users, skipping pam_systemd_home and leaving their home directory unactivated.

When the account management portion of pam_systemd_home activates, it requests the password again to activate the home directory, as the authentication management portion was skipped earlier. If the user did not specify a password, the home directory will not be activated and the user will be logged in with HOME=/.

I flipped the order of pam_unix and pam_systemd_home, which solves the issue for me, but I'm not sure if this is correct.

Reproducible: Always

Steps to Reproduce:
1. Create a homed user
2. Login with username and password

Actual Results:
After entering password, another password prompt appears

Expected Results:
Logs in immediately

Please use the initial configuration, then perform exec login from your user's terminal emulator and run `journalctl -f` in the next terminal so we see what's going on when you try to log in.

(In reply to Mikle Kolyada from comment #1)
> Please use the initial configuration, then perform exec login from your
> user's terminal emulator and run `journalctl -f` in the next
> terminal so we see what's going on when you try to log in.

Here is the system-auth I used for this log:

auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass debug
auth [success=1 default=ignore] pam_systemd_home.so debug
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
account [success=1 default=ignore] pam_systemd_home.so debug
account required pam_unix.so debug
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password [success=1 default=ignore] pam_systemd_home.so debug
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow debug
session required pam_limits.so
session required pam_env.so
session [success=1 default=ignore] pam_systemd_home.so debug
session required pam_unix.so

It's the one shipped with pambase but with `debug` added to pam_unix and pam_systemd_home.

Here is the log where I have to enter the password twice:

-- Journal begins at Thu 2021-01-28 06:07:30 UTC, ends at Sat 2021-08-28 05:55:01 UTC. --
Aug 28 05:42:03 leorize-lnx-workstation systemd[1]: Stopped User Runtime Directory /run/user/60252.
Aug 28 05:42:03 leorize-lnx-workstation systemd[1]: Removed slice User Slice of UID 60252.
Aug 28 05:43:20 leorize-lnx-workstation login[3378680]: pam_unix(login:auth): username [leorize] obtained
Aug 28 05:43:23 leorize-lnx-workstation login[3378680]: pam_systemd_home(login:account): pam-systemd-homed account management
Aug 28 05:43:23 leorize-lnx-workstation systemd-homed[1161]: leorize: changing state inactive → activating-for-acquire
Aug 28 05:43:23 leorize-lnx-workstation systemd-homework[3378691]: None of the supplied plaintext passwords unlock the user record's hashed passwords.
Aug 28 05:43:23 leorize-lnx-workstation systemd-homed[1161]: Activation failed: Required key not available
Aug 28 05:43:23 leorize-lnx-workstation systemd-homed[1161]: leorize: changing state activating-for-acquire → inactive
Aug 28 05:43:23 leorize-lnx-workstation systemd-homed[1161]: Got notification that all sessions of user leorize ended, deactivating automatically.
Aug 28 05:43:23 leorize-lnx-workstation systemd-homed[1161]: Home leorize already deactivated, no automatic deactivation needed.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homed[1161]: leorize: changing state inactive → activating-for-acquire
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Provided password unlocks user record.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Read embedded .identity file.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Provided password unlocks user record.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Reconciling embedded user identity completed (host and embedded version were identical).
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Recursive changing of ownership not necessary, skipped.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Synchronized disk.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homework[3378692]: Everything completed.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homed[1161]: Home leorize is signed exclusively by our key, accepting.
Aug 28 05:43:27 leorize-lnx-workstation systemd-homed[1161]: leorize: changing state activating-for-acquire → active
Aug 28 05:43:27 leorize-lnx-workstation login[3378680]: pam_systemd_home(login:account): Home for user leorize successfully acquired.
Aug 28 05:43:27 leorize-lnx-workstation login[3378680]: pam_systemd_home(login:session): pam-systemd-homed session start
Aug 28 05:43:27 leorize-lnx-workstation systemd[1]: Created slice User Slice of UID 60252.
Aug 28 05:43:27 leorize-lnx-workstation systemd[1]: Starting User Runtime Directory /run/user/60252...
Aug 28 05:43:27 leorize-lnx-workstation systemd-logind[1163]: New session 12 of user leorize.
Aug 28 05:43:27 leorize-lnx-workstation systemd[1]: Finished User Runtime Directory /run/user/60252.
Aug 28 05:43:27 leorize-lnx-workstation systemd[1]: Starting User Manager for UID 60252...
Aug 28 05:43:27 leorize-lnx-workstation systemd[3378696]: pam_systemd_home(systemd-user:account): pam-systemd-homed account management
Aug 28 05:43:27 leorize-lnx-workstation systemd[3378696]: pam_systemd_home(systemd-user:account): Home for user leorize successfully acquired.
Aug 28 05:43:27 leorize-lnx-workstation systemd[3378696]: pam_systemd_home(systemd-user:session): pam-systemd-homed session start
Aug 28 05:43:27 leorize-lnx-workstation systemd[3378696]: Queued start job for default target Main User Target.

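An added example, not part of the original thread or of pambase: a short Python walk of the auth stack quoted in the comment above, listing which modules PAM calls for a given set of module return values. The `FLIPPED` stack and the result names passed in are constructed for illustration; the template actually merged upstream is not shown on this page.

```python
import re

# Auth stack quoted in the comment above (debug flags dropped).
SHIPPED = """\
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
"""
# Constructed for this example: the same stack with the two modules swapped.
FLIPPED = """\
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_cap.so
"""
# Keyword controls in the bracket form documented in pam.conf(5).
KEYWORDS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "optional": {"success": "ok", "default": "ignore"},
}
RULE = re.compile(r"^auth[ \t]+(\[[^\]]+\]|\w+)[ \t]+(\S+)", re.M)

def modules_called(stack, results):
    """Return the modules the auth phase calls, in order.

    results maps a module name to its assumed return value; modules not
    listed return "success". Only flow control (jump, die) is modelled.
    """
    rules = []
    for control, module in RULE.findall(stack):
        if control.startswith("["):
            actions = dict(p.split("=") for p in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((module, actions))
    called, i = [], 0
    while i < len(rules):
        module, actions = rules[i]
        called.append(module)
        result = results.get(module, "success")
        action = actions.get(result, actions["default"])
        if action == "die":  # stop the stack immediately
            break
        i += 1 + (int(action) if action.isdigit() else 0)  # N skips N modules
    return called
```

With the shipped order, a homed user whose password pam_unix accepts never reaches pam_systemd_home in the auth phase, which matches the log: the first `pam_systemd_home` entry is in `login:account`.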
Double password is required for me as well. I'm using GDM. I will attempt to test the suggested pam modifications listed in #c2 tonight or tomorrow in order to help debug and be a part of the solution.
switching the order got rid of the double password prompt for me too. i can try submitting a patch if i can understand the ebuild >_>
(In reply to Alexandra Parker from comment #4)
> switching the order got rid of the double password prompt for me too. i can
> try submitting a patch if i can understand the ebuild >_>

Do it against https://github.com/gentoo/pambase

(In reply to Sam James from comment #5)
> (In reply to Alexandra Parker from comment #4)
> > switching the order got rid of the double password prompt for me too. i can
> > try submitting a patch if i can understand the ebuild >_>
>
> Do it against https://github.com/gentoo/pambase

https://github.com/gentoo/pambase/pull/9

hopefully i didn't screw it up

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dacde6da43a9c87f896b842946b514cd49db5dd3

commit dacde6da43a9c87f896b842946b514cd49db5dd3
Author:     Alexandra Parker <alex.iris.parker@gmail.com>
AuthorDate: 2022-02-12 21:30:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-14 16:51:51 +0000

    homed: add before pam_unix

    - --homed inserts pam_systemd_home before pam_unix
    - --homed --krb5 does that and adjusts krb5's jump to 4 modules

    Signed-off-by: Alexandra Parker <alex.iris.parker@gmail.com>
    Closes: https://bugs.gentoo.org/808993
    Closes: https://github.com/gentoo/pambase/pull/9
    Signed-off-by: Sam James <sam@gentoo.org>

 templates/system-auth.tpl | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5d8fed027b5ecf1d8b0dcc7ba863cec734bac24

commit c5d8fed027b5ecf1d8b0dcc7ba863cec734bac24
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-14 17:11:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-14 17:14:03 +0000

    sys-auth/pambase: add 20220214

    Closes: https://bugs.gentoo.org/808993
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-auth/pambase/Manifest                 |   1 +
 sys-auth/pambase/pambase-20220214.ebuild  | 112 ++++++++++++++++++++++++++++++
 sys-auth/pambase/pambase-999999999.ebuild |   4 +-
 3 files changed, 115 insertions(+), 2 deletions(-)