Bug 446350

Summary: pam_ssh and pam_keyring stop working after F9 install
Product: [Fedora] Fedora Reporter: Giuseppe Castagna <gc>
Component: pam_sshAssignee: Patrice Dumas <pertusus>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 9CC: dmitry, gc, james, manuel.wolfshant
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-16 06:11:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/etc/pam.d/gdm file
none
the gdm config to try... none

Description Giuseppe Castagna 2008-05-14 08:41:49 UTC 
Description of problem:

I have just upgraded from F8 to F9 (full install, no upgrade). I installed
pam_ssh and pam_keyring and restored my /etc/pam.d/gdm (attached) file that
worked in F8 but now it no longer works since keyring_manager and ssh ask
passwd again.
Comment 1 Giuseppe Castagna 2008-05-14 08:41:49 UTC 
Created attachment 305339 [details]
/etc/pam.d/gdm file
Comment 2 Dmitry Butskoy 2008-05-14 13:42:50 UTC 
Try to change:

auth  substack  system-auth

to the line with pam_unix.so only from /etc/pam.d/system-auth:

auth  required  pam_unix.so  try_first_pass  nullok


At least for F5-F7, the similar issue was because of "sufficient pam_unix.so"
instead of "required pam_unix.so", which leads that all the stuff after the
"sufficient" is not in effect.

I'm not seen "substack" keyword before, perhaps it should fix such an issues in
general, but it does not for this case...
Comment 3 Giuseppe Castagna 2008-05-14 22:07:20 UTC 
Sorry, I am not sure I understand what you meant. Are you suggesting
to remplace in /etc/pam.d/gdm the line 

auth  required  pam_unix.so  try_first_pass  nullok

for the line 

auth  substack  system-auth

?

The line 
auth  substack  system-auth
comes directly from the installation of F9 (the only modification I did to 
/etc/pam.d/gdm are the addition of the 4 lines ending by "#aggiunta" ---i.e.,
"addition" in Italian--- modification that worked in F6, F7, and F8.) 
I apologize but I do not understand why you are
referring to /etc/pam.d/system-auth where the line corresponding to auth 
pam_unix.s, at least as it is shipped in F9, is

auth        sufficient    pam_unix.so nullok try_first_pass

Sorry, the problem probably is that I am not a English native speaker.

TIA
Comment 4 Giuseppe Castagna 2008-05-16 06:11:24 UTC 
I just discovered that pam_ssh and pam_keyring are both deprecated. The bug
still exists but the same behaviour can be obtained by gnome-keyring-pam which
is installed by default in F9. It simply suffice to erase the login keyring and
recreate it by using the same passwd as the login account. Then the first time
the system asks for a passwd for a keyring give the password and select the
radio box "Automatically unlock this on login".

See http://live.gnome.org/GnomeKeyring/Pam for details

So I decided to close it as WONTFIX
Comment 5 Dmitry Butskoy 2008-05-19 13:15:34 UTC 
Created attachment 305938 [details]
the gdm config to try...

for comment #3:

try this /etc/pam.d/gdm exactly...
Comment 6 Dmitry Butskoy 2008-05-19 13:17:27 UTC 
for comment #4:

> I just discovered that pam_ssh and pam_keyring are both deprecated.

for pam_keyring, perhaps yes; but what about pam_ssh? Espesially under kde or
even non-GUI environment?