Bug 446350 - pam_ssh and pam_keyring stop working after F9 install
pam_ssh and pam_keyring stop working after F9 install
Product: Fedora
Classification: Fedora
Component: pam_ssh (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Patrice Dumas
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-05-14 04:41 EDT by Giuseppe Castagna
Modified: 2008-05-19 09:17 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-16 02:11:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/etc/pam.d/gdm file (900 bytes, application/octet-stream)
2008-05-14 04:41 EDT, Giuseppe Castagna
no flags Details
the gdm config to try... (924 bytes, text/plain)
2008-05-19 09:15 EDT, Dmitry Butskoy
no flags Details

  None (edit)
Description Giuseppe Castagna 2008-05-14 04:41:49 EDT
Description of problem:

I have just upgraded from F8 to F9 (full install, no upgrade). I installed
pam_ssh and pam_keyring and restored my /etc/pam.d/gdm (attached) file that
worked in F8 but now it no longer works since keyring_manager and ssh ask
passwd again.
Comment 1 Giuseppe Castagna 2008-05-14 04:41:49 EDT
Created attachment 305339 [details]
/etc/pam.d/gdm file
Comment 2 Dmitry Butskoy 2008-05-14 09:42:50 EDT
Try to change:

auth  substack  system-auth

to the line with pam_unix.so only from /etc/pam.d/system-auth:

auth  required  pam_unix.so  try_first_pass  nullok

At least for F5-F7, the similar issue was because of "sufficient pam_unix.so"
instead of "required pam_unix.so", which leads that all the stuff after the
"sufficient" is not in effect.

I'm not seen "substack" keyword before, perhaps it should fix such an issues in
general, but it does not for this case...
Comment 3 Giuseppe Castagna 2008-05-14 18:07:20 EDT
Sorry, I am not sure I understand what you meant. Are you suggesting
to remplace in /etc/pam.d/gdm the line 

auth  required  pam_unix.so  try_first_pass  nullok

for the line 

auth  substack  system-auth


The line 
auth  substack  system-auth
comes directly from the installation of F9 (the only modification I did to 
/etc/pam.d/gdm are the addition of the 4 lines ending by "#aggiunta" ---i.e.,
"addition" in Italian--- modification that worked in F6, F7, and F8.) 
I apologize but I do not understand why you are
referring to /etc/pam.d/system-auth where the line corresponding to auth 
pam_unix.s, at least as it is shipped in F9, is

auth        sufficient    pam_unix.so nullok try_first_pass

Sorry, the problem probably is that I am not a English native speaker.

Comment 4 Giuseppe Castagna 2008-05-16 02:11:24 EDT
I just discovered that pam_ssh and pam_keyring are both deprecated. The bug
still exists but the same behaviour can be obtained by gnome-keyring-pam which
is installed by default in F9. It simply suffice to erase the login keyring and
recreate it by using the same passwd as the login account. Then the first time
the system asks for a passwd for a keyring give the password and select the
radio box "Automatically unlock this on login".

See http://live.gnome.org/GnomeKeyring/Pam for details

So I decided to close it as WONTFIX
Comment 5 Dmitry Butskoy 2008-05-19 09:15:34 EDT
Created attachment 305938 [details]
the gdm config to try...

for comment #3:

try this /etc/pam.d/gdm exactly...
Comment 6 Dmitry Butskoy 2008-05-19 09:17:27 EDT
for comment #4:

> I just discovered that pam_ssh and pam_keyring are both deprecated.

for pam_keyring, perhaps yes; but what about pam_ssh? Espesially under kde or
even non-GUI environment?

Note You need to log in before you can comment on or make changes to this bug.