
Modules pam_gnupg and pam_kwallet5 seem to be mutually exclusive

Open arkadesOrg opened this issue 3 years ago • 5 comments

I have activated both modules, but since then pam_kwallet5 does not unlock the blowfish wallet anymore. Is it a known issue? Which log shall I look into?

arkadesOrg, Feb 17 '22 10:02

That's not a known issue. Can you post your relevant pam config files? Also, kwallet's pam module logs to syslog – does it show any error messages? Maybe you need to set the syslog daemon's log level to debug. If you use journald, that should be the default, unless overridden in /etc/systemd/journald.conf.

cruegge, Feb 19 '22 01:02

thx for quick response!

here is my pam.d/sddm:

    #%PAM-1.0

    auth        include     system-login
    auth        optional    pam_gnome_keyring.so
    auth        optional    pam_kwallet5.so
    auth        optional    pam_gnupg.so store-only

    account     include     system-login

    password    include     system-login
    password    optional    pam_gnome_keyring.so use_authtok

    session     optional    pam_keyinit.so force revoke
    session     include     system-login
    session     optional    pam_gnome_keyring.so auto_start
    session     optional    pam_kwallet5.so auto_start
    session     optional    pam_gnupg.so

I already tried journalctl --grep pam_gnupg which shows nothing.

I did override the default systemd/journald.conf, it contains:

    [Journal]
    SystemMaxFileSize=50M
    SystemMaxFiles=100
    RuntimeMaxFileSize=50M
    RuntimeMaxFiles=100
    MaxFileSec=1week
    MaxLevelSyslog=debug

arkadesOrg, Feb 19 '22 16:02

Are there any pam_kwallet5-related lines in the journal? Your config runs pam_gnupg after pam_kwallet5, so it's strange that the latter is affected at all. I don't use kwallet myself; does it interact in any way with the gnupg agent?

cruegge, Feb 20 '22 15:02

@cruegge thank you for the tips! I will watch the issue a bit. After an archlinux update and another reboot it seems to work. But I will monitor it. Meanwhile, kind regards!

arkadesOrg, Mar 01 '22 19:03

Which desktop environment do you use? If you are not using KDE, you need to make sure pam_kwallet_init from kwallet-pam is executed during GUI login.

pam_kwallet_init actually unlocks kwallet with login password.

https://wiki.archlinux.org/title/KDE_Wallet#Unlocking_KWallet_automatically_in_a_window_manager

amano-kenji, Aug 02 '22 03:08

thanks for your help! Has been quite a long time, but I think, back then, I changed the pam configuration so that the pam_gnupg.so was included BEFORE pam_kwallet5.so

kind regards

arkadesOrg, Nov 29 '23 19:11
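To compare module order before and after a reordering like the one mentioned in the last comment, the following added example (not code from this thread or from the pam-gnupg project) parses a pam.d service file and reports, per stack type, which of two modules is evaluated first. The function names `parse_pam` and `order_of` are assumptions, the sample is re-typed from the sddm config posted above, and `include`/`substack` targets are not resolved.

```python
import re
from collections import defaultdict

# Re-typed from the sddm config posted in this thread, so the example runs offline.
SAMPLE = """\
#%PAM-1.0
auth     include   system-login
auth     optional  pam_gnome_keyring.so
auth     optional  pam_kwallet5.so
auth     optional  pam_gnupg.so store-only
account  include   system-login
password include   system-login
password optional  pam_gnome_keyring.so use_authtok
session  optional  pam_keyinit.so force revoke
session  include   system-login
session  optional  pam_gnome_keyring.so auto_start
session  optional  pam_kwallet5.so auto_start
session  optional  pam_gnupg.so
"""

# type, control (one word or a [bracketed] list), module or included file, args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return {type: [(control, module, args), ...]} in evaluation order."""
    stacks = defaultdict(list)
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            stacks[mtype.lower()].append((control, module, args.split()))
    return dict(stacks)

def order_of(stacks, first, second):
    """Per type holding both modules: is `first` evaluated before `second`?"""
    result = {}
    for mtype, rules in stacks.items():
        mods = [module for _, module, _ in rules]
        if first in mods and second in mods:
            result[mtype] = mods.index(first) < mods.index(second)
    return result

if __name__ == "__main__":
    print(order_of(parse_pam(SAMPLE), "pam_kwallet5.so", "pam_gnupg.so"))
```

Pass the contents of the real service file (for example `open("/etc/pam.d/sddm").read()`) instead of `SAMPLE` to check a live system.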