sddm and luks crypted partition

Hi there and thx if you read this post.

I have been using a luks crypted user partition for years, which was automounted on login by kdm via pam modules. However kdm is obsolete in 15.3 and is replaced by sddm.
But the present config doesn’t work with sddm.
So, is there a standard way on 15.3 for using luks crypted partitions with sddm?

Thx again

@lader1:

This is a known issue with SDDM – <https://github.com/sddm/sddm/issues/694>.

  • You have to add “session optional pam_cryptpass.so” to the file ‘/etc/pam.d/sddm’.
  • And then, restart the systemd Display Manager service.

pam_cryptpass was provided by cryptconfig which was removed from openSUSE years ago.

So what happens if you add the same PAM modules to SDDM configuration?

Correct, but, “pam_mount” may well do the job –


auth     optional       pam_mount.so
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session  optional       pam_mount.so

Complete SDDM version –


#%PAM-1.0
auth     include        common-auth
auth     optional       pam_mount.so
auth     optional       pam_kwallet5.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  optional       pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session  optional       pam_mount.so
session  optional       pam_kwallet5.so auto_start

Further pam_mount options in – ‘/usr/share/doc/packages/pam_mount/options.txt’.

problem: pam_cryptpass.so doesn’t exist in /lib64/security

interesting solution, unfortunately, it doesn’t work. Here is what journalctl returns:

juil. 12 18:39:42 beta.uhara.net sddm-greeter[3115]: Hunspell dictionary is missing for "en_GB" . Search paths ("/usr/share/qt5/qtvirtualkeyboard/hunspell", "/usr/share/hunspell", "/usr/share/myspell/dicts")
juil. 12 18:39:42 beta.uhara.net sddm-greeter[3115]: Message received from daemon: Capabilities
juil. 12 18:39:42 beta.uhara.net sddm-greeter[3115]: Message received from daemon: HostName
juil. 12 18:39:53 beta.uhara.net sddm-greeter[3115]: Reading from "/usr/share/xsessions/plasma5.desktop"
juil. 12 18:39:53 beta.uhara.net sddm-helper[3132]: PAM unable to dlopen(/lib64/security/pam_kwallet5.so): /lib64/security/pam_kwallet5.so: Ne peut ouvrir le fichier d'objet partagé: Aucun fichier ou dossier de ce type
juil. 12 18:39:53 beta.uhara.net sddm-helper[3132]: PAM adding faulty module: /lib64/security/pam_kwallet5.so
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Starting...
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Authenticating...
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Preparing to converse...
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] Conversation with 1 messages
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: [PAM] returning.
juil. 12 18:39:54 beta.uhara.net sddm-greeter[3115]: Message received from daemon: LoginSucceeded
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: pam_unix(sddm:session): session opened for user cg by (uid=0)
juil. 12 18:39:54 beta.uhara.net sddm-helper[3132]: pam_succeed_if(sddm:session): requirement "service = system-user" not met by user "cg"
juil. 12 18:39:54 beta.uhara.net sddm-helper[3114]: [PAM] Closing session
juil. 12 18:39:54 beta.uhara.net sddm-helper[3114]: pam_unix(sddm-greeter:session): session closed for user sddm
juil. 12 18:39:54 beta.uhara.net sddm-helper[3114]: [PAM] Ended.
juil. 12 18:39:54 beta.uhara.net kernel: loop: module loaded
juil. 12 18:39:57 beta.uhara.net kernel: alg: No test for essiv(cbc(aes),sha256) (essiv(cbc-aes-aesni,sha256-generic))
juil. 12 18:39:58 beta.uhara.net kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
juil. 12 18:39:58 beta.uhara.net sddm-helper[3132]: Starting: "/etc/X11/xdm/Xsession \"/usr/bin/startplasma-x11\""
juil. 12 18:39:58 beta.uhara.net sddm-helper[3167]: Adding cookie to "/home/cg/.Xauthority"
juil. 12 18:39:59 beta.uhara.net sddm-helper[3132]: [PAM] Closing session
juil. 12 18:39:59 beta.uhara.net sddm-helper[3132]: pam_unix(sddm:session): session closed for user cg
juil. 12 18:39:59 beta.uhara.net sddm-helper[3132]: pam_succeed_if(sddm:session): requirement "service = system-user" not met by user "cg"
juil. 12 18:39:59 beta.uhara.net systemd[1]: home-cg.mount: Succeeded.
juil. 12 18:39:59 beta.uhara.net systemd[1851]: home-cg.mount: Succeeded.
juil. 12 18:40:00 beta.uhara.net sddm-helper[3132]: [PAM] Ended.
juil. 12 18:40:00 beta.uhara.net kernel: broken atomic modeset userspace detected, disabling atomic
juil. 12 18:40:01 beta.uhara.net sddm-helper[3266]: [PAM] Starting...
juil. 12 18:40:01 beta.uhara.net sddm-helper[3266]: [PAM] Authenticating...
juil. 12 18:40:01 beta.uhara.net sddm-helper[3266]: [PAM] returning.


I am not sure what you are trying to say here.

You have KDM PAM configuration that works. Show this configuration. And show SDDM PAM configuration that does not work. Full configuration in both cases.

So far you never even explained how you mounted encrypted container using KDM.

Because right here or on the net, solutions are provided with cryptpass whereas it doesn’t exist anymore.

As to the working kdm config, just add “auth required pam_mount.so” to /etc/pam.d/common-auth-pc and /etc/pam.d/common-session-pc

First up, please, please, use the systemd Journal option “--no-hostname” when posting Journal entries …

  • The time-stamp option “--output=short-monotonic” is also helpful …

Second, the PAM KWallet shared object file seems to be corrupt – please try a forced reinstall of the “pam_kwallet” and “pam_kwallet-common” packages – assuming of course that, you’re using KWallet …

  • On the other hand, does the user mount of a LUKS partition need KWallet for the key?

Third, it seems that, a partition was mounted – please show us the output of “findmnt --mountpoint «directory»” for the (presumably LUKS) partition.

One more thing, if KDM needs “auth required pam_mount.so” then, maybe SDDM also needs the “required” in place of the “optional” …
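
Two of the problems in this thread are PAM modules that a service file names but that are not installed: pam_cryptpass.so, and pam_kwallet5.so in the journal's "unable to dlopen" line. The following is an added example, not code from any poster in the thread: a shell check that lists such modules before the display manager is restarted. The function names and the demo directory layout are assumptions made for illustration; the service file in the demo is the complete SDDM version posted above.

```shell
#!/bin/sh
# List PAM modules named in a service file that are absent from the module dir.
# Usage: pam_missing_modules SERVICE_FILE [MODULE_DIR]
pam_missing_modules() {
    svc_file=$1
    mod_dir=${2:-/lib64/security}   # path taken from the journal in the thread
    # Drop comments, collapse a bracketed control such as
    # [success=1 default=ignore] into one word, then print the module field.
    # include/substack lines name other service files, not modules.
    sed -e 's/#.*//' -e 's/\[[^]]*]/BRACKET/' "$svc_file" |
    awk '$1 ~ /^-?(auth|account|password|session)$/ &&
         $2 !~ /^(include|substack)$/ && NF >= 3 { print $3 }' |
    sort -u |
    while read -r mod; do
        case $mod in
            /*) path=$mod ;;              # absolute module path
            *)  path=$mod_dir/$mod ;;     # relative to the module dir
        esac
        [ -e "$path" ] || printf '%s\n' "$mod"
    done
}

# Constructed demo: the SDDM file from the thread, checked against a
# temporary module directory that lacks pam_kwallet5.so.
pam_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/security"
    for m in pam_mount pam_loginuid pam_keyinit pam_succeed_if; do
        : > "$tmp/security/$m.so"
    done
    cat > "$tmp/sddm" <<'EOF'
#%PAM-1.0
auth     include        common-auth
auth     optional       pam_mount.so
auth     optional       pam_kwallet5.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  optional       pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = system-user
session  optional       pam_mount.so
session  optional       pam_kwallet5.so auto_start
EOF
    pam_missing_modules "$tmp/sddm" "$tmp/security"
    rm -rf "$tmp"
}
```

On a real system the call would be `pam_missing_modules /etc/pam.d/sddm`; files pulled in through `include` lines (common-auth, common-session and so on) have to be checked separately.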