Bug 1155873
| Summary: | pam-kwallet fails to send hash to kwalletd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | pam-kwallet | Assignee: | Rex Dieter <rdieter> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 21 | CC: | bugzilla-redhat, jgrulich, kevin, laurent.rineau__fedora, rdieter, sudhir |
| Hardware: | All | ||
| OS: | Linux | ||
| Fixed In Version: | pam-kwallet-0-0.7.20140508git49a5bc0.fc20 | Doc Type: | Bug Fix |
| Last Closed: | 2014-12-15 04:38:25 UTC | Type: | Bug |

Found this reference googling, https://www.redhat.com/archives/pam-list/2014-October/msg00000.html which may be relevant

Sheesh, I think I found the problem, from startkde:

    # At this point all the environment is ready, let's send it to kwalletd if running
    if test -n "$PAM_KWALLET_LOGIN" ; then
        env | socat STDIN UNIX-CONNECT:$PAM_KWALLET_LOGIN
    fi

We don't have any dependency pulling in socat :(

I'll test to see if that being present magically fixes everything.

Did help on my f20/kdm setup @work, as a matter of fact:

    $ echo $PAM_KWALLET_LOGIN
    <empty>

Sorry "Did help" => "Did *not* help"

In my case, it looks like NFS $HOME is getting in the way (in journal):

    Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: Couldn't create directory: /Net/mathstat/Users/Staff/rdieter/.kde because: 13-Permission denied
    Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: Couldn't open file: /Net/mathstat/Users/Staff/rdieter/.kde/share/apps/kwallet/kdewallet.salt because: 13-Permission denied
    Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: kwalletd: Couldn't create or read the salt file
    Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: pam_kwallet(kdm:auth): pam_kwallet: Fail into creating the hash

FWIW - I have a local, unencrypted home directory.

pam-kwallet-0-0.7.20140508git49a5bc0.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/pam-kwallet-0-0.7.20140508git49a5bc0.fc21

pam-kwallet-0-0.7.20140508git49a5bc0.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam-kwallet-0-0.7.20140508git49a5bc0.fc20

Actually, I think we've just papered things over a bit here. So now we no longer hang on waitForEnvironment() as it is sent, but I think we're still supposed to pass the hash directly via a pipe. Also, doesn't: /tmp/<user>.socket seem a bit lousy/insecure for PAM_KWALLET_LOGIN?

Well, I'm an idiot apparently and can't parse the logic - we always run waitForEnvironment(), and the hash is being passed fine. But more to the point - if the hash is passed in via pam_kwalletd, why do we need the environment passed in?

Package pam-kwallet-0-0.7.20140508git49a5bc0.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing pam-kwallet-0-0.7.20140508git49a5bc0.fc20'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16364/pam-kwallet-0-0.7.20140508git49a5bc0.fc20
then log in and leave karma (feedback).

pam-kwallet-0-0.7.20140508git49a5bc0.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

pam-kwallet-0-0.7.20140508git49a5bc0.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

I am still being asked to enter gpg password after I have already entered my password at the login screen. I am using sddm on F21. My username and gpg key passwords are the same. I have set a gpg wallet as default in system settings.

My understanding is pam_kwallet does not work with gpg-encrypted wallets.

It looks like both gpg and Blowfish encrypted wallets are asking for password after the login.
pam-kwallet-0-0.7.20140508git49a5bc0.fc21.x86_64

Description of problem:

pam-kwallet is starting kwalletd but is failing to pass the hash to it. From kwalletd main.cpp:

    hash = waitForHash();
    if (hash == NULL || waitForEnvironment() == -1) {

I see kwalletd stuck in waitForEnvironment(), presumably because hash == NULL.

    (gdb) bt
    #0 0x00007f5f48f38400 in __accept_nocancel () at /lib64/libpthread.so.0
    #1 0x00007f5f4a667dd0 in waitForEnvironment() () at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:77
    #2 0x00007f5f4a668067 in checkPamModule(int, char**) (argc=argc@entry=4, argv=argv@entry=0x7fff94baf978) at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:135
    #3 0x00007f5f4a66813d in kdemain(int, char**) (argc=4, argv=0x7fff94baf978) at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:147
    #2 0x00007f5f4a668067 in checkPamModule (argc=argc@entry=4, argv=argv@entry=0x7fff94baf978) at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:135
    135 if (hash == NULL || waitForEnvironment() == -1) {
    (gdb) print hash
    $2 = <optimized out>

I don't know if any compiler optimization could conceivably cause waitForEnvironment() to be called without hash == NULL. I'm also not sure why waitForEnvironment() is called by kwalletd if it is called with --pam-login, but I suppose that's not a big issue. I think we need some more debugging from pam-kwallet and/or kwalletd as to what is going wrong.

Version-Release number of selected component (if applicable):
pam-kwallet-0-0.6.20140508git49a5bc0.fc21.x86_64