PolicyKit fails with systemsettings5,NetworkManager,ssh (and more?)

Hi,
it looks like authentication though PolicyKit that is used by many apps to authenticate is thoroughly broken. It manifests in rejection of valid root passwords when in need to make changes. Examples:

  1. NetworkManager. Changing connections impossible as root password rejected.
  2. systemsettings5. Changing SDDM login screen impossible as root password rejected.
  3. SSH. When you ssh in Tumbleweed box and then try to do “su -” root password rejected.

All relevant packages are updated as of 20190616:
polkit version: 0.115-5.3
gnome-keyring: 3.31.91-1.3

gnome-keyring-pam: 3.31.91-1.3

pam-ssh: 2.3-1.4
pam: 1.3.1-3.4

Does anybody know if that is a royal screw-up somewhere upstream, packagers problem or that more looks like updates messed up some config files? Any known fixes for that?

Essentially as it is now my Tumbleweed box can be managed only grabbing keybord connected to the box and logging in as root.

I am also running a separate Leap 15.1 box and it is doing fine so far after smooth upgrade from Leap 15.0.

The culprit seems to be this message “gkr-pam: unable to locate daemon control file”

Here are systemd journal snippets for NetworkManager:
Jun 16 12:37:30 somehost polkitd[1719]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.NetworkManager.settings.modify.system for unix-process:11562:4768409 [/usr/bin/kcmshell5 kcm_networkmanagement.desktop] (own>
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication_finish callback for 0x559c593ca4a0
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Dialog cancelled
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Trying again
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser=root rhost= user=root
Jun 16 12:37:21 somehost unix_chkpwd[11575]: password check failed for user (root)
Jun 16 12:37:21 somehost unix_chkpwd[11575]: check pass; user unknown
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_kwallet5(polkit-1:auth): (null): pam_sm_authenticate
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: gkr-pam: unable to locate daemon control file
Jun 16 12:37:21 somehost polkit-kde-authentication-agent-1[4302]: Dialog accepted
Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Trying again
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the shown dialog is 39845921 39845921
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the dialog is 39845921 39845921
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Action description has been found
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Message of action: “System policy prevents modification of network settings for all users”
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Initiating authentication
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication callback for 0x559c593ca4a0
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: GSimpleAsyncResult: 0x559c59afd4b0
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication

Here are systemd journal snippets forsystemsettings5:
Jun 16 12:37:30 somehost polkitd[1719]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.NetworkManager.settings.modify.system for unix-process:11562:4768409 [/usr/bin/kcmshell5 kcm_networkmanagement.desktop] (own>
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finish obtain authorization: false
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication_finish callback for 0x559c593ca4a0
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication_finish
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
Jun 16 12:37:30 somehost polkit-kde-authentication-agent-1[4302]: Dialog cancelled
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Trying again
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Finishing obtaining privileges
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: Completed: false
Jun 16 12:37:23 somehost polkit-kde-authentication-agent-1[4302]: COMPLETED
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser=root rhost= user=root
Jun 16 12:37:21 somehost unix_chkpwd[11575]: password check failed for user (root)
Jun 16 12:37:21 somehost unix_chkpwd[11575]: check pass; user unknown
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: pam_kwallet5(polkit-1:auth): (null): pam_sm_authenticate
Jun 16 12:37:21 somehost polkit-agent-helper-1[11570]: gkr-pam: unable to locate daemon control file
Jun 16 12:37:21 somehost polkit-kde-authentication-agent-1[4302]: Dialog accepted
Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: "Password: "
Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: Request: "Password: "
Jun 16 12:37:07 somehost polkit-kde-authentication-agent-1[4302]: REQUEST
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Trying again
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the shown dialog is 39845921 39845921
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: WinId of the dialog is 39845921 39845921
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Action description has been found
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Message of action: “System policy prevents modification of network settings for all users”
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Initiating authentication
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: polkit_qt_listener_initiate_authentication callback for 0x559c593ca4a0
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: GSimpleAsyncResult: 0x559c59afd4b0
Jun 16 12:37:06 somehost polkit-kde-authentication-agent-1[4302]: Listener adapter polkit_qt_listener_initiate_authentication

Here are systemd journal snippets for ssh session:
Jun 16 12:50:45 somehost systemd-logind[1605]: Removed session 4.
Jun 16 12:50:45 somehost systemd-logind[1605]: Session 4 logged out. Waiting for processes to exit.
Jun 16 12:50:45 somehost systemd[1]: session-4.scope: Succeeded.
Jun 16 12:50:45 somehost sshd[11875]: pam_kwallet5(sshd:setcred): pam_kwallet5: pam_sm_setcred
Jun 16 12:50:45 somehost sshd[11875]: pam_kwallet5(sshd:session): pam_kwallet5: pam_sm_close_session
Jun 16 12:50:45 somehost sshd[11875]: pam_unix(sshd:session): session closed for user someuser
Jun 16 12:50:45 somehost sshd[11877]: Disconnected from user someuser 192.168.1.2 port 39492
Jun 16 12:50:45 somehost sshd[11877]: Received disconnect from 192.168.1.2 port 39492:11: disconnected by user
Jun 16 12:50:39 somehost su[11924]: FAILED SU (to root) someuser on pts/8
Jun 16 12:50:37 somehost su[11924]: pam_unix(su-l:auth): authentication failure; logname=someuser uid=1000 euid=1000 tty=pts/8 ruser=someuser rhost= user=root
Jun 16 12:50:37 somehost unix_chkpwd[11927]: password check failed for user (root)
Jun 16 12:50:37 somehost unix_chkpwd[11927]: check pass; user unknown
Jun 16 12:50:37 somehost su[11924]: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
Jun 16 12:50:24 somehost su[11919]: FAILED SU (to root) someuser on pts/8
Jun 16 12:50:23 somehost su[11919]: pam_unix(su-l:auth): authentication failure; logname=someuser uid=1000 euid=1000 tty=pts/8 ruser=someuser rhost= user=root
Jun 16 12:50:23 somehost unix_chkpwd[11922]: password check failed for user (root)
Jun 16 12:50:23 somehost unix_chkpwd[11922]: check pass; user unknown
Jun 16 12:50:22 somehost su[11919]: pam_kwallet5(su-l:auth): (null): pam_sm_authenticate
Jun 16 12:50:10 somehost sshd[11877]: pam_kwallet5(sshd:setcred): pam_kwallet5: pam_sm_setcred
Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:session): (null): pam_sm_open_session
Jun 16 12:50:10 somehost sshd[11875]: pam_unix(sshd:session): session opened for user someuser by (uid=0)
Jun 16 12:50:10 somehost systemd[1]: Started Session 4 of user someuser.
Jun 16 12:50:10 somehost systemd-logind[1605]: New session 4 of user someuser.
Jun 16 12:50:10 somehost sshd[11875]: pam_kwallet5(sshd:setcred): (null): pam_sm_setcred
Jun 16 12:50:10 somehost sshd[11875]: Accepted publickey for someuser from 192.168.1.2 port 39492 ssh2: ED25519 SHA256:T2FG2zLytE26AIK8ozRcWUjIBasOGwd6v74LwtlDVMU

I don’t know the answer. However, there are other bugs showing up, such that uninstalling pam_kwallet fixes them. It might be a bug in libgcrypt.

I suggest unistalling pam_kwallet to see if that helps. And, by the way, if prompted to open “kwallet”, then your login password should work (that’s what pam_kwallet uses).

Hi,

I un-uninstalled pam_kwallet and in all cases I mentioned in my post authentication now goes through. Case solved. Thanks a LOT!