Pam_pkcs11.so and pam_fprintd.so: cannot open shared object file: No such file or directory

I’m trying to solve a few snags I’ve been having related to sleep and lock screen, getting to all warnings and errors to better isolate the actual issues.

The warnings below have been present since I first installed the OS a few days ago. They happen upon successful logins.

Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so
Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM unable to dlopen(/usr/lib64/security/pam_pkcs11.so): /usr/lib64/security/pam_pkcs11.so: cannot open shared object file: No such file or directory
Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM adding faulty module: /usr/lib64/security/pam_pkcs11.so
Jun 25 13:59:25 localhost.localdomain unix_chkpwd[3514]: password check failed for user (USERNAME)
Jun 25 13:59:25 localhost.localdomain kscreenlocker_greet[3052]: pam_unix(kde-fingerprint:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty= ruser= rhost=  user=USERNAME
Jun 25 13:59:25 localhost.localdomain unix_chkpwd[3515]: password check failed for user (USERNAME)
Jun 25 13:59:25 localhost.localdomain kscreenlocker_greet[3052]: pam_unix(kde-smartcard:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty= ruser= rhost=  user=USERNAME

Well, no wonder it can’t find fingerprint and smartcard reader files because I have neither device on my desktop PC. How can I make pam stop looking?

Google shows authconfig --disablefingerprint --update for fingerprint, but that’s very old and for a different distro.

Show

grep -Er 'fprintd|pkcs11'  /etc/pam.d

It returns nothing.

Fine. Then look at /usr/lib/pam.d. The PAM modules do not appear out of nowhere.

Okay just to make sure I got it right, do you want me to locate pam_pkcs11.so and pam_fprintd.so? They don’t exist anywhere in the system, /usr/lib/pam.d included.

I agree it’s weird. I wonder if it’s the theme. Everything I’m using comes with Tumbleweed, just with the usual tweaks like color and wallpaper.

When I briefly jumped into the root profile today I noticed it doesn’t seem to try to access these modules, so I’ll try to create a third one and redo my configuration step-by-step to narrow down what’s prompting these requests.

Sorry about the double post, I can’t edit the previous one anymore to add the results of the tests.

Basically openSUSE is convinced I got a smartcard and fingerprint reader. Everything else seems to be just symptoms of it, like the lock screen theme adding these two lines below the password field:

(or scan your fingerprint on the reader)
(or scan your smartcard)

Something I didn’t realize but is relevant is that the references to these devices only appear in the journal when doing a login back to a previously logged user, coming either from a sleep, Lock, or Switch User. They don’t on a Log Out or fresh boot.

And it turns out the pam errors and auth failed messages don’t happen at the same stages.

The pam_fprintd.so and pam_pkcs11.so errors from kscreenlocker_greet actually happen in the process of locking the screen:

Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM unable to dlopen(/usr/lib64/security/pam_fprintd.so): /usr/lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM adding faulty module: /usr/lib64/security/pam_fprintd.so
Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM unable to dlopen(/usr/lib64/security/pam_pkcs11.so): /usr/lib64/security/pam_pkcs11.so: cannot open shared object file: No such file or directory
Jun 25 13:58:30 localhost.localdomain kscreenlocker_greet[3052]: PAM adding faulty module: /usr/lib64/security/pam_pkcs11.so

The (not) failed checks happen when unlocking it:

Jun 25 13:59:25 localhost.localdomain unix_chkpwd[3514]: password check failed for user (USERNAME)
Jun 25 13:59:25 localhost.localdomain kscreenlocker_greet[3052]: pam_unix(kde-fingerprint:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty= ruser= rhost=  user=USERNAME
Jun 25 13:59:25 localhost.localdomain unix_chkpwd[3515]: password check failed for user (USERNAME)
Jun 25 13:59:25 localhost.localdomain kscreenlocker_greet[3052]: pam_unix(kde-smartcard:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty= ruser= rhost=  user=USERNAME

I didn’t see them for the root because I was logging into it from the “Other…” menu, manually inputting the username besides the password. When you do that the unlocking warnings never happen. (because I was also logged out of any user the pam errors didn’t show up either)

It turns out this quirk of a manual username preventing the auth failed messages also happens for other users, be it my regular profile or the ones I created to test this issue.

Finally, the test users also experience these issues from the start, even with vanilla config.

No. All that I want you to do is to search for them in PAM configuration.

grep -Er 'fprintd|pkcs11'  /usr/lib/pam.d

It has nothing to do with openSUSE. kscreenlocker6 wants to use them. It is an upstream issue that should be reported upstream.

You may try to work around it by finding which PAM files are responsible for these errors, copying them into /etc/pam.d and deleting offending lines.
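The workaround above starts with finding which PAM service files name a module that is not installed. As an added example (not part of the thread), this shell function runs that check for one configuration directory and one module directory; the function names are hypothetical and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report PAM service files whose active
# lines name a module that does not exist on disk.
# Usage: pam_missing_modules CONF_DIR MODULE_DIR
pam_missing_modules() {
    conf_dir=$1
    mod_dir=$2
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        awk '
            { sub(/#.*/, "") }              # strip comments, incl. #%PAM-1.0
            NF < 3 { next }                 # need: type control module
            $2 == "include" || $2 == "substack" { next }   # names a service
            {   # first field ending in .so; also skips "[k=v ...]" controls
                for (i = 2; i <= NF; i++)
                    if ($i ~ /\.so$/) { print $i; break }
            }
        ' "$f" | sort -u | while IFS= read -r mod; do
            case $mod in
                /*) path=$mod ;;            # absolute module path
                *)  path=$mod_dir/$mod ;;   # relative to the module directory
            esac
            [ -e "$path" ] || printf '%s: %s\n' "$(basename "$f")" "$mod"
        done
    done
}

# Constructed sample tree mirroring the thread: kde-fingerprint still active,
# kde-smartcard already commented out, only pam_unix.so installed.
pam_missing_demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/pam.d" "$t/security"
    : > "$t/security/pam_unix.so"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_fprintd.so' \
        'auth include common-auth' > "$t/pam.d/kde-fingerprint"
    printf '%s\n' '#%PAM-1.0' \
        '#auth required pam_pkcs11.so wait_for_card card_only' \
        'auth include common-auth' > "$t/pam.d/kde-smartcard"
    printf '%s\n' 'auth required pam_unix.so try_first_pass' \
        > "$t/pam.d/common-auth"
    pam_missing_modules "$t/pam.d" "$t/security"
    rm -rf "$t"
}

pam_missing_demo
```

With the paths that appear in this thread it would be run as `pam_missing_modules /usr/lib/pam.d /usr/lib64/security`, and again with `/etc/pam.d` as the first argument.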

Oh, if that’s the case it’s the /usr/lib/pam.d/kde-fingerprint and /usr/lib/pam.d/kde-smartcard files. In the meantime I already went ahead and commented the references to the .so files. For reference of whoever stumbles on this thread:

#%PAM-1.0
# for smartcard
#auth     required       pam_pkcs11.so        wait_for_card card_only
auth     include        common-auth
account  include        common-account
password include        common-password

#%PAM-1.0
# for fingerprint
#auth     required       pam_fprintd.so
auth     include        common-auth
account  include        common-account
password include        common-password

The missing file errors are gone but the unlock warnings (unix_chkpwd, kscreenlocker_greet) remain.

There’s no pam_unix file, but there’s a pam_unix.so which is included in a number of basic files such as common-auth as follows:

auth	required	pam_unix.so	try_first_pass 

And such common- files containing pam_unix references are included everywhere. To my inexperienced ears it sounds like a bad idea to comment out the unix references, so that’s the end of the trail for the workaround at least. I’ll look up how to file a report in the appropriate channels.

kscreenlocker assumes the services kde-fingerprint and kde-smartcard are non-interactive, so pam_unix gets no chance to ask you for the password and fails. At the end it is invoked as part of an interactive service and finally succeeds.

Both kde-fingerprint and kde-smartcard PAM definitions are provided by openSUSE so you should open a bug on https://bugzilla.opensuse.org/ (same user/password as here).

I did open a bug report earlier today.

It was closed, they said that’s intended behavior and to report further upstream.

It’s surprising that seeking nonexistent services without giving the user the chance to configure it and disable unsupported devices is intended behavior, and I don’t hold high hopes that anything will be changed if that’s by design.

In any case, thanks for your help!
