446350 – pam_ssh and pam_keyring stop working after F9 install

Bug 446350 - pam_ssh and pam_keyring stop working after F9 install

Summary: pam_ssh and pam_keyring stop working after F9 install

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pam_ssh
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Patrice Dumas
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-14 08:41 UTC by Giuseppe Castagna
Modified:	2008-05-19 13:17 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-05-16 06:11:40 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
/etc/pam.d/gdm file (900 bytes, application/octet-stream) 2008-05-14 08:41 UTC, Giuseppe Castagna	no flags	Details
the gdm config to try... (924 bytes, text/plain) 2008-05-19 13:15 UTC, Dmitry Butskoy	no flags	Details
View All

Description Giuseppe Castagna 2008-05-14 08:41:49 UTC

Description of problem:

I have just upgraded from F8 to F9 (full install, no upgrade). I installed
pam_ssh and pam_keyring and restored my /etc/pam.d/gdm (attached) file that
worked in F8 but now it no longer works since keyring_manager and ssh ask
passwd again.

Comment 1 Giuseppe Castagna 2008-05-14 08:41:49 UTC

Created attachment 305339 [details]
/etc/pam.d/gdm file

Comment 2 Dmitry Butskoy 2008-05-14 13:42:50 UTC

Try to change:

auth  substack  system-auth

to the line with pam_unix.so only from /etc/pam.d/system-auth:

auth  required  pam_unix.so  try_first_pass  nullok


At least for F5-F7, the similar issue was because of "sufficient pam_unix.so"
instead of "required pam_unix.so", which leads that all the stuff after the
"sufficient" is not in effect.

I'm not seen "substack" keyword before, perhaps it should fix such an issues in
general, but it does not for this case...

Comment 3 Giuseppe Castagna 2008-05-14 22:07:20 UTC

Sorry, I am not sure I understand what you meant. Are you suggesting
to remplace in /etc/pam.d/gdm the line 

auth  required  pam_unix.so  try_first_pass  nullok

for the line 

auth  substack  system-auth

?

The line 
auth  substack  system-auth
comes directly from the installation of F9 (the only modification I did to 
/etc/pam.d/gdm are the addition of the 4 lines ending by "#aggiunta" ---i.e.,
"addition" in Italian--- modification that worked in F6, F7, and F8.) 
I apologize but I do not understand why you are
referring to /etc/pam.d/system-auth where the line corresponding to auth 
pam_unix.s, at least as it is shipped in F9, is

auth        sufficient    pam_unix.so nullok try_first_pass

Sorry, the problem probably is that I am not a English native speaker.

TIA

Comment 4 Giuseppe Castagna 2008-05-16 06:11:24 UTC

I just discovered that pam_ssh and pam_keyring are both deprecated. The bug
still exists but the same behaviour can be obtained by gnome-keyring-pam which
is installed by default in F9. It simply suffice to erase the login keyring and
recreate it by using the same passwd as the login account. Then the first time
the system asks for a passwd for a keyring give the password and select the
radio box "Automatically unlock this on login".

See http://live.gnome.org/GnomeKeyring/Pam for details

So I decided to close it as WONTFIX

Comment 5 Dmitry Butskoy 2008-05-19 13:15:34 UTC

Created attachment 305938 [details]
the gdm config to try...

for comment #3:

try this /etc/pam.d/gdm exactly...

Comment 6 Dmitry Butskoy 2008-05-19 13:17:27 UTC

for comment #4:

> I just discovered that pam_ssh and pam_keyring are both deprecated.

for pam_keyring, perhaps yes; but what about pam_ssh? Espesially under kde or
even non-GUI environment?

Note You need to log in before you can comment on or make changes to this bug.