I upgraded two openSUSE machines to Leap 15.2 the other day and one of them is getting the error sshd: gkr-pam: unable to locate daemon control file every so often in /var/log/warn. It doesn’t seem to be causing anything to fail but I would still like to find out what is wrong. I’ve found a number of references to this online but none of them have given anything that helps me directly and I couldn’t find any that made reference to sshd.
I have a machine that has been upgraded multiple times from Leap 42.1 to 15.2 that showed this gkr-pam error for sshd and sudo too. The package gnome-keyring-pam, which contains the library pam_gnome_keyring.so, is installed on this machine because I used GNOME sometimes in the past. The gkr-pam errors are related to pam_gnome_keyring.so. Since I do not use GNOME anymore I do not need a GNOME keyring, so it is OK for me that there are no keyring-related files. I have disabled pam_gnome_keyring.so in the file /etc/pam.d/common-auth

```
..
auth required pam_env.so
#auth optional pam_gnome_keyring.so
auth required pam_unix.so try_first_pass
```

to suppress the annoying gkr-pam errors for ssh, sudo and some other tools I cannot remember anymore.
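To see which services pick up a module through a shared file such as common-auth, as described in the post above, here is an added example (not code from any poster or from gnome-keyring) that walks a PAM directory and follows `include`/`substack` rules. The function name and the demo files are constructed for illustration, and it assumes openSUSE-style `include` rules rather than Debian's `@include`.

```shell
#!/bin/sh
# Added example, not from the thread: list the PAM service files in DIR whose
# stack loads MODULE, directly or through include/substack of another file.
# Usage: pam_services_loading DIR [MODULE]   (prints "service via file:line")
pam_services_loading() (
    cd "$1" || exit 2
    awk -v mod="${2:-pam_gnome_keyring.so}" '
    # Return "file:line" of the first active rule in file "name" that loads
    # mod, following include/substack; return "" when there is none.
    function scan(name,   line, f, n, i, ctl, hit, ln) {
        if (name in busy) return ""               # include-cycle guard
        busy[name] = 1; hit = ""; ln = 0
        while (hit == "" && (getline line < name) > 0) {
            ln++
            if (line ~ /^[ \t]*#/) continue        # commented out: inactive
            n = split(line, f, " ")                # type control module [args]
            if (n < 3) continue
            ctl = f[2]; i = 3
            # A bracketed control such as [success=1 default=ignore] spans fields.
            if (ctl ~ /^\[/) while (ctl !~ /\]$/ && i <= n) ctl = ctl " " f[i++]
            if (i > n) continue
            if (ctl == "include" || ctl == "substack") hit = scan(f[i])
            else { sub(/.*\//, "", f[i]); if (f[i] == mod) hit = name ":" ln }
        }
        close(name); delete busy[name]
        return hit
    }
    BEGIN {
        for (k = 1; k < ARGC; k++)
            if ((r = scan(ARGV[k])) != "") print ARGV[k] " via " r
    }' *
)

# Demo on constructed files mirroring the thread (not a real /etc/pam.d).
demo=$(mktemp -d)
printf 'auth required pam_env.so\nauth optional pam_gnome_keyring.so\n' > "$demo/common-auth"
printf 'auth include common-auth\n' > "$demo/sshd"
printf 'auth include common-auth\n' > "$demo/sudo"
pam_services_loading "$demo"
rm -rf "$demo"
```

On a real system the call would be `pam_services_loading /etc/pam.d`; an empty result after commenting out the rule confirms no stack still loads the module.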
Hi
AFAIK it’s related to Kerberos. I see an old thread here: https://forums.opensuse.org/showthread.php/470858-SSH-connection-using-Kerberos
Well, at least not in my case, because I have not installed the Kerberos PAM module.
And if we look at the code of the GNOME keyring PAM module, e.g. https://gitlab.gnome.org/GNOME/gnome-keyring/-/blob/master/pam/gkr-pam-module.c
```c
static int
stop_daemon (pam_handle_t *ph,
             struct passwd *pwd)
{
    char control[MAX_CONTROL_SIZE];
    int res;

    assert (pwd);

    res = get_control_file(ph, control);
    if (res != GKD_CONTROL_RESULT_OK) {
        syslog (GKR_LOG_ERR, "gkr-pam: unable to locate daemon control file");
        return PAM_SERVICE_ERR;
    }
    ...
```
we see the error messages. The get_control_file function checks the environment variable ENV_CONTROL or, if this is null, XDG_RUNTIME_DIR, and if the affected processes (sshd and so on) do not have these in their environment (and this is the case at least on my machine), then pam_gnome_keyring.so complains. As I have said, the installation on my machine is old and has been updated to new Leap versions many times; maybe the missing environment variables are related to this fact. But if the variables are set in the environment, e.g. for sshd, I am rather sure the error messages would not occur. But since I do not use the GNOME keyring, tweaking the environment is too much effort for me.
```c
/* control must be at least MAX_CONTROL_SIZE */
static int
get_control_file (pam_handle_t *ph, char *control)
{
    const char *control_root;
    const char *suffix;

    control_root = get_any_env (ph, ENV_CONTROL);
    if (control_root == NULL) {
        control_root = get_any_env (ph, "XDG_RUNTIME_DIR");
        if (control_root == NULL)
            return GKD_CONTROL_RESULT_NO_DAEMON;
        suffix = "/keyring/control";
    } else {
        suffix = "/control";
    }

    if (strlen (control_root) + strlen (suffix) + 1 > MAX_CONTROL_SIZE) {
        syslog (GKR_LOG_ERR, "gkr-pam: address is too long for unix socket path: %s/%s",
                control, suffix);
        return GKD_CONTROL_RESULT_FAILED;
    }

    strcpy (control, control_root);
    strcat (control, suffix);
    return GKD_CONTROL_RESULT_OK;
}
```
Hi
Have you run rpmconfigcheck lately?
Thanks for the responses. I think this may be because I had gnome installed at some point in the distant past. I have removed gnome-keyring-pam and that seems to have stopped the messages.
I just updated a machine to Leap 15.3 from 15.2 and this error came back and I had to remove gnome-keyring-pam again!
Same thing happened on one of my machines when I upgraded to Leap 15.4 from 15.3