lader1
July 10, 2021, 8:34pm
1
Hi there and thx if you read this post.
I have been using a luks crypted user partition for years, which was automounted on login by kdm via pam modules. However kdm is obsolete in 15.3 and is replaced by sddm.
But the present config doesn’t work with sddm.
So, is there a standard way on 15.3 for using luks crypted partitions with sddm?
Thx again
@lader1 :
This is a known issue with SDDM – <https://github.com/sddm/sddm/issues/694>.
You have to add “session optional pam_cryptpass.so” to the file ‘/etc/pam.d/sddm’. - And then, restart the systemd Display Manager service.
pam_cryptpass was provided by cryptconfig which was removed from openSUSE years ago.
So what happens if you add the same PAM modules to SDDM configuration?
Correct, but, “pam_mount” may well do the job –
auth optional pam_mount.so
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session optional pam_mount.so
Complete SDDM version –
#%PAM-1.0
auth include common-auth
auth optional pam_mount.so
auth optional pam_kwallet5.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session optional pam_mount.so
session optional pam_kwallet5.so auto_start
Further pam_mount options in – ‘/usr/share/doc/packages/pam_mount/options.txt’.
lader1
July 12, 2021, 5:35pm
5
problem: pam_cryptpass.so doesn’t exist in /lib64/security
lader1
July 12, 2021, 7:08pm
6
dcurtisfra:
Correct, but, “pam_mount” may well do the job –
auth optional pam_mount.so
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session optional pam_mount.so
Complete SDDM version –
#%PAM-1.0
auth include common-auth
auth optional pam_mount.so
auth optional pam_kwallet5.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session optional pam_mount.so
session optional pam_kwallet5.so auto_start
Further pam_mount options in – ‘/usr/share/doc/packages/pam_mount/options.txt’.
interesting solution, unfortunately, it doesn’t work. Here is what journalctl returns:
juil. 12 18:39:42 beta.uhara.net sddm-greeter[3115]: Hunspell dictionary is missing for "en_GB" . Search paths ("/usr/share/qt5/qtvirtualkeyboard/hunspell", "/usr/share/hunspell", "/usr/share/myspell/dicts")
juil. 12 18:39:42 beta.uhara.net sddm-greeter[3115]: Message received from daemon: Capabilities
juil. 12 18:39:42 beta.uhara.net sddm-greeter[3115]: Message received from daemon: HostName
juil. 12 18:39:53 beta.uhara.net sddm-greeter[3115]: Reading from "/usr/share/xsessions/plasma5.desktop"
juil. 12 18:39:53 beta.uhara.net sddm-helper[3132]: PAM unable to dlopen(/lib64/security/pam_kwallet5.so): /lib64/security/pam_kwallet5.so: Ne peut ouvrir le fichier d'objet partagé: Aucun fichier ou dossier de ce type
juil. 12 18:39:53 beta.uhara.net sddm-helper[3132]: PAM adding faulty module: /lib64/security/pam_kwallet5.so
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Starting...
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Authenticating...
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Preparing to converse...
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Conversation with 1 messages
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] returning.
juil. 12 18:39:54 beta.uhara.net sddm-greeter[3115]: Message received from daemon: LoginSucceeded
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: pam_unix(sddm:session): session opened for user cg by (uid=0)
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: pam_succeed_if(sddm:session): requirement "service = system-user" not met by user "cg"
juil. 12 18:39:54 beta.uhara.net sddm-helper[3114]: [PAM] Closing session
juil. 12 18:39:54 beta.uhara.net sddm-helper[3114]: pam_unix(sddm-greeter:session): session closed for user sddm
juil. 12 18:39:54 beta.uhara.net sddm-helper[3114]: [PAM] Ended.
juil. 12 18:39:54 beta.uhara.net kernel: loop: module loaded
juil. 12 18:39:57 beta.uhara.net kernel: alg: No test for essiv(cbc(aes),sha256) (essiv(cbc-aes-aesni,sha256-generic))
juil. 12 18:39:58 beta.uhara.net kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
juil. 12 18:39:58 beta.uhara.net sddm-helper[3132]: Starting: "/etc/X11/xdm/Xsession \"/usr/bin/startplasma-x11\""
juil. 12 18:39:58 beta.uhara.net sddm-helper[3167]: Adding cookie to "/home/cg/.Xauthority"
juil. 12 18:39:59 beta.uhara.net sddm-helper[3132]: [PAM] Closing session
juil. 12 18:39:59 beta.uhara.net sddm-helper[3132]: pam_unix(sddm:session): session closed for user cg
juil. 12 18:39:59 beta.uhara.net sddm-helper[3132]: pam_succeed_if(sddm:session): requirement "service = system-user" not met by user "cg"
juil. 12 18:39:59 beta.uhara.net systemd[1]: home-cg.mount: Succeeded.
juil. 12 18:39:59 beta.uhara.net systemd[1851]: home-cg.mount: Succeeded.
juil. 12 18:40:00 beta.uhara.net sddm-helper[3132]: [PAM] Ended.
juil. 12 18:40:00 beta.uhara.net kernel: broken atomic modeset userspace detected, disabling atomic
juil. 12 18:40:01 beta.uhara.net sddm-helper[3266]: [PAM] Starting...
juil. 12 18:40:01 beta.uhara.net sddm-helper[3266]: [PAM] Authenticating...
juil. 12 18:40:01 beta.uhara.net sddm-helper[3266]: [PAM] returning.
I am not sure what you are trying to say here.
You have KDM PAM configuration that works. Show this configuration. And show SDDM PAM configuration that does not work. Full configuration in both cases.
So far you never even explained how you mounted encrypted container using KDM.
lader1
July 12, 2021, 9:43pm
8
arvidjaar:
I am not sure what you are trying to say here.
You have KDM PAM configuration that works. Show this configuration. And show SDDM PAM configuration that does not work. Full configuration in both cases.
So far you never even explained how you mounted encrypted container using KDM.
Because right here or on the net, solutions are provided with cryptpass whereas it doesn’t exist anymore.
As to the working kdm config, just add “auth required pam_mount.so” to /etc/pam.d/common-auth-pc and /etc/pam.d/common-session-pc
lader1:
juil. 12 18:39:53 sddm-greeter[3115]: Reading from "/usr/share/xsessions/plasma5.desktop"
juil. 12 18:39:53 sddm-helper[3132]: **PAM unable to dlopen(/lib64/security/pam_kwallet5.so)**: /lib64/security/pam_kwallet5.so: Ne peut ouvrir le fichier d'objet partagé: Aucun fichier ou dossier de ce type
juil. 12 18:39:53 sddm-helper[3132]: **PAM adding faulty module: /lib64/security/pam_kwallet5.so**
.
.
juil. 12 18:39:54 sddm-greeter[3115]: Message received from daemon: LoginSucceeded
juil. 12 18:39:54 sddm-helper[3132]: pam_unix(sddm:session): session opened for user cg by (uid=0)
juil. 12 18:39:54 sddm-helper[3132]: pam_succeed_if(sddm:session): requirement "service = system-user" not met by user "cg"
juil. 12 18:39:54 sddm-helper[3114]: [PAM] Closing session
juil. 12 18:39:54 sddm-helper[3114]: pam_unix(sddm-greeter:session): session closed for user sddm
juil. 12 18:39:54 sddm-helper[3114]: [PAM] Ended.
juil. 12 18:39:54 kernel: loop: module loaded
juil. 12 18:39:57 kernel: alg: No test for essiv(cbc(aes),sha256) (essiv(cbc-aes-aesni,sha256-generic))
juil. 12 18:39:58 kernel: **EXT4-fs (dm-0): mounted filesystem with ordered data mode.** Opts: (null)
juil. 12 18:39:58 sddm-helper[3132]: Starting: "/etc/X11/xdm/Xsession \"/usr/bin/startplasma-x11\""
juil. 12 18:39:58 sddm-helper[3167]: Adding cookie to "/home/cg/.Xauthority"
juil. 12 18:39:59 sddm-helper[3132]: [PAM] Closing session
juil. 12 18:39:59 sddm-helper[3132]: pam_unix(sddm:session): session closed for user cg
juil. 12 18:39:59 sddm-helper[3132]: pam_succeed_if(sddm:session): requirement "service = system-user" not met by user "cg"
juil. 12 18:39:59 systemd[1]: home-cg.mount: Succeeded.
juil. 12 18:39:59 systemd[1851]: home-cg.mount: Succeeded.
juil. 12 18:40:00 sddm-helper[3132]: [PAM] Ended.
First up, please, please, use the systemd Journal option “--no-hostname” when posting Journal entries …
The time-stamp option “--output=short-monotonic” is also helpful …
Second, the PAM KWallet shared object file seems to be corrupt – please try a forced reinstall of the “pam_kwallet” and “pam_kwallet-common” packages – assuming of course that, you’re using KWallet …
On the other hand, does the user mount of a LUKS partition need KWallet for the key?
Third, it seems that, a partition was mounted – please show us the output of “findmnt --mountpoint «directory»” for the (presumably LUKS) partition.
One more thing, if KDM needs “auth required pam_mount.so” then, maybe SDDM also needs the “required” in place of the “optional” …
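An added example, not part of the thread: a small checker for the two things the journal output above turns on, namely modules that PAM cannot dlopen and which rule a `[success=N ...]` control jumps over when its module succeeds. The sample stack is constructed from the configuration posted earlier, and the function names are hypothetical; each `include` line is counted as a single rule, which is a simplification.

```python
import os
import re
import tempfile

# Constructed sample: auth/session lines of the SDDM stack posted in the thread.
SAMPLE_STACK = """\
#%PAM-1.0
auth     include   common-auth
auth     optional  pam_mount.so
auth     optional  pam_kwallet5.so
session  [success=1 default=ignore] pam_succeed_if.so service = system-user
session  optional  pam_mount.so
session  optional  pam_kwallet5.so auto_start
"""
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return (type, control, module) for every rule line, skipping comments."""
    lines = (l.strip() for l in text.splitlines())
    return [m.groups() for m in map(RULE.match, lines) if m]

def missing_modules(rules, module_dir):
    """Modules PAM could not dlopen; include/substack name other files, not .so."""
    missing = []
    for _type, control, module in rules:
        if control in ("include", "substack"):
            continue
        path = os.path.join(module_dir, module)  # absolute module paths pass through
        if not os.path.isfile(path) and module not in missing:
            missing.append(module)
    return missing

def skipped_on_success(rules):
    """For each [success=N] rule, the N following same-type rules it jumps over."""
    skipped = {}
    for i, (typ, control, module) in enumerate(rules):
        jump = re.search(r"\bsuccess=(\d+)", control)
        if jump:
            later = [r[2] for r in rules[i + 1:] if r[0] == typ]
            skipped[(typ, module)] = later[:int(jump.group(1))]
    return skipped

def demo():
    """Run both checks against a throwaway module directory lacking pam_kwallet5.so."""
    rules = parse_stack(SAMPLE_STACK)
    with tempfile.TemporaryDirectory() as module_dir:
        for name in ("pam_mount.so", "pam_succeed_if.so"):
            open(os.path.join(module_dir, name), "w").close()
        return missing_modules(rules, module_dir), skipped_on_success(rules)

if __name__ == "__main__":
    print(demo())
```

On a real system, pass the contents of ‘/etc/pam.d/sddm’ and the module directory shown in the journal (/lib64/security) instead of the constructed sample. When pam_succeed_if logs “requirement … not met”, the jump is not taken and the following pam_mount.so rule still runs.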