Infinite loop on Debian (installed with nix package manager)
I've not created a /etc/pam.d/hyprlock file. I thought that the default su would work.
Here's the log:
[LOG] | got iface: wl_shm v1
[LOG] | got iface: wl_drm v2
[LOG] | got iface: zwp_linux_dmabuf_v1 v4
[LOG] > Bound to zwp_linux_dmabuf_v1 v4
[LOG] | got iface: wl_compositor v6
[LOG] > Bound to wl_compositor v6
[LOG] | got iface: wl_subcompositor v1
[LOG] | got iface: wl_data_device_manager v3
[LOG] | got iface: zwlr_export_dmabuf_manager_v1 v1
[LOG] | got iface: zwlr_data_control_manager_v1 v2
[LOG] | got iface: zwp_primary_selection_device_manager_v1 v1
[LOG] | got iface: wp_viewporter v1
[LOG] > Bound to wp_viewporter v1
[LOG] | got iface: zwlr_gamma_control_manager_v1 v1
[LOG] | got iface: zwlr_output_power_manager_v1 v1
[LOG] | got iface: xdg_wm_base v6
[LOG] | got iface: wl_seat v9
[LOG] > Bound to wl_seat v9
[LOG] | got iface: wp_presentation v1
[LOG] | got iface: ext_idle_notifier_v1 v1
[LOG] | got iface: zwlr_layer_shell_v1 v4
[LOG] | got iface: org_kde_kwin_server_decoration_manager v1
[LOG] | got iface: zxdg_decoration_manager_v1 v1
[LOG] | got iface: zwlr_output_manager_v1 v4
[LOG] | got iface: zwp_keyboard_shortcuts_inhibit_manager_v1 v1
[LOG] | got iface: zwp_pointer_constraints_v1 v1
[LOG] | got iface: zwp_relative_pointer_manager_v1 v1
[LOG] | got iface: zwp_virtual_keyboard_manager_v1 v1
[LOG] | got iface: zwlr_virtual_pointer_manager_v1 v2
[LOG] | got iface: zwlr_foreign_toplevel_manager_v1 v3
[LOG] | got iface: wp_drm_lease_device_v1 v1
[LOG] | got iface: zwp_tablet_manager_v2 v1
[LOG] | got iface: zwp_idle_inhibit_manager_v1 v1
[LOG] | got iface: zxdg_exporter_v1 v1
[LOG] | got iface: zxdg_importer_v1 v1
[LOG] | got iface: zxdg_exporter_v2 v1
[LOG] | got iface: zxdg_importer_v2 v1
[LOG] | got iface: zwp_pointer_gestures_v1 v3
[LOG] | got iface: zwp_text_input_manager_v3 v1
[LOG] | got iface: zwp_input_method_manager_v2 v1
[LOG] | got iface: xdg_activation_v1 v1
[LOG] | got iface: ext_session_lock_manager_v1 v1
[LOG] > Bound to ext_session_lock_manager_v1 v1
[LOG] | got iface: wp_cursor_shape_manager_v1 v1
[LOG] > Bound to wp_cursor_shape_manager_v1 v1
[LOG] | got iface: wp_tearing_control_manager_v1 v1
[LOG] | got iface: wp_single_pixel_buffer_manager_v1 v1
[LOG] | got iface: xwayland_shell_v1 v1
[LOG] | got iface: hyprland_toplevel_export_manager_v1 v2
[LOG] | got iface: wp_fractional_scale_manager_v1 v1
[LOG] > Bound to wp_fractional_scale_manager_v1 v1
[LOG] | got iface: zwp_text_input_manager_v1 v1
[LOG] | got iface: hyprland_global_shortcuts_manager_v1 v1
[LOG] | got iface: zwlr_screencopy_manager_v1 v3
[LOG] > Bound to zwlr_screencopy_manager_v1 v3
[LOG] | got iface: zxdg_output_manager_v1 v3
[LOG] | got iface: wl_output v4
[LOG] > Bound to wl_output v4
[LOG] [core] dmabufFeedbackMainDevice
[LOG] output 49 make LG Display model 0x05F2
[LOG] output 49 name eDP-1
[LOG] output 49 description LG Display 0x05F2 (eDP-1)
[LOG] output 49 done
[LOG] Running on Hyprland
[LOG] Locking session
[ERR] Pam module "/etc/pam.d/hyprlock" not found! Falling back to "su"
[ERR] auth: pam_authenticate failed for su
[LOG] onLockLocked called
[LOG] Failed attempts: 0
[LOG] got fractional 1
[LOG] got fractional 1
[LOG] configure with serial 4235
[LOG] Configuring surface for logical [Vector2D: x: 1920, y: 1080] and pixel [Vector2D: x: 1920, y: 1080]
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 1
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 2
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 3
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 4
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 5
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 6
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 7
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 8
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 9
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 10
[ERR] auth: pam_authenticate failed for su
[ERR] Invalid key down event (stray release event?)
[LOG] Failed attempts: 11
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 12
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 13
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 14
[ERR] auth: pam_authenticate failed for su
# I've omitted the repeated output
[LOG] Failed attempts: 2492
[ERR] auth: pam_authenticate failed for su
[LOG] Failed attempts: 2493
[ERR] auth: pam_authenticate failed for su
[LOG] Unlocking with a SIGUSR1
[LOG] Unlocking session
[LOG] Unlocked, exiting!
[LOG] Reached the end, exiting
Here's the /etc/pam.d/su:
#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group wheel
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "wheel" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
I don't know if it's the same issue, but using this as the /etc/pam.d/hyprlock:
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so timeout=10
auth include login # For Debian
(which works on swaylock)
It doesn't recognize the password
Try with just the 3rd line, without the fingerprint stuff.
Sorry for the delay, with just the third line it doesn't let me write anything and fails after some seconds.
Here's the /etc/pam.d/login if it helps
#
# The PAM configuration file for the Shadow `login' service
#
# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Sets the loginuid process attribute
session required pam_loginuid.so
# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables can also be set in /etc/default/locale
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
I'm having the same issue on Ubuntu, and /var/log/auth.log contains the following after a failed unlock attempt:
Jun 30 13:41:22 ipn052 pamtester: PAM unable to dlopen(/nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_selinux.so): /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_selinux.so: cannot open shared object file: No such file or directory
Jun 30 13:41:22 ipn052 pamtester: PAM adding faulty module: /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_selinux.so
Jun 30 13:41:22 ipn052 pamtester: PAM unable to dlopen(/nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_fprintd.so): /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Jun 30 13:41:22 ipn052 pamtester: PAM adding faulty module: /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_fprintd.so
Jun 30 13:41:22 ipn052 pamtester: PAM unable to dlopen(/nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_sss.so): /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Jun 30 13:41:22 ipn052 pamtester: PAM adding faulty module: /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_sss.so
Jun 30 13:41:22 ipn052 pamtester: PAM unable to dlopen(/nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_cap.so): /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_cap.so: cannot open shared object file: No such file or directory
Jun 30 13:41:22 ipn052 pamtester: PAM adding faulty module: /nix/store/74i9zjvp9x1kfcrfiwic8lwsqrx99a3n-linux-pam-1.6.1/lib/security/pam_cap.so
Jun 30 13:41:22 ipn052 pamtester: PAM (other) illegal module type: @include
Jun 30 13:41:22 ipn052 pamtester: PAM pam_parse: expecting return value; [...common-auth]
Jun 30 13:41:22 ipn052 pamtester: PAM (other) no module name supplied
Jun 30 13:41:22 ipn052 pamtester: PAM (other) illegal module type: @include
Jun 30 13:41:22 ipn052 pamtester: PAM pam_parse: expecting return value; [...common-account]
Jun 30 13:41:22 ipn052 pamtester: PAM (other) no module name supplied
Jun 30 13:41:22 ipn052 pamtester: PAM (other) illegal module type: @include
Jun 30 13:41:22 ipn052 pamtester: PAM pam_parse: expecting return value; [...common-password]
Jun 30 13:41:22 ipn052 pamtester: PAM (other) no module name supplied
Jun 30 13:41:22 ipn052 pamtester: PAM (other) illegal module type: @include
Jun 30 13:41:22 ipn052 pamtester: PAM pam_parse: expecting return value; [...common-session]
Jun 30 13:41:22 ipn052 pamtester: PAM (other) no module name supplied
Jun 30 13:41:25 ipn052 pamtester: pam_unix(login2:auth): authentication failure; logname=hweissi uid=1001 euid=1001 tty= ruser= rhost= user=hweissi
The illegal module type: @include errors come from the fact that Ubuntu and Debian use a custom patched PAM version that supports the non-standard @include keyword. This can be fixed by replacing @include with auth include everywhere.
The failure to load PAM modules is the bigger issue. Packages from nixpkgs want to use the nix store for their shared objects, where some more specific modules used in Ubuntu (like pam_selinux.so) don't exist in nixpkgs. Things like fprintd could maybe be added, but that would be a lot of configuration work and definitely not the responsibility of Hyprlock.
TLDR: Unless there's some way to make packages from nixpkgs use a non-nixpkgs libpam.so, I think PAM authentication of Nix packages with non-nix systems will not work without a lot of customization effort.
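Added example, not code from the thread or from Hyprlock: a small checker for the two failure classes seen in the auth.log above. It rewrites the Debian-only `@include` lines into the upstream Linux-PAM `<type> include <file>` form and lists modules the libpam in use could not load. Taking the type from the `common-<type>` file name, the sample file and the `AVAILABLE` set are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed Debian-style service file, not a file from the thread.
SAMPLE = """\
auth optional pam_faildelay.so delay=3000000
session [success=ok module_unknown=ignore default=bad] pam_selinux.so close
@include common-auth
@include common-account
session optional pam_keyinit.so force revoke
"""

# Assumption: module files present in the module directory of the libpam in use
# (for a nixpkgs build, the lib/security directory of its store path). Constructed.
AVAILABLE = {"pam_faildelay.so", "pam_unix.so", "pam_keyinit.so"}

TYPES = ("auth", "account", "password", "session")


def portable_line(line):
    """Rewrite '@include common-<type>' as upstream '<type> include common-<type>'."""
    m = re.match(r"\s*@include\s+(\S+)\s*$", line)
    if not m:
        return line
    target = m.group(1)
    mtype = target.rsplit("-", 1)[-1]
    if mtype not in TYPES:
        # Type cannot be inferred from the file name: flag it instead of guessing.
        return "# REVIEW (unknown type): " + line.strip()
    return f"{mtype} include {target}"


def convert(text):
    """Return the service file with every @include line rewritten."""
    return "\n".join(portable_line(l) for l in text.splitlines()) + "\n"


def missing_modules(text, available):
    """List modules named in rule lines that are absent from `available`."""
    missing = []
    for line in text.splitlines():
        body = line.split("#", 1)[0]          # drop trailing comments
        m = re.search(r"(\S+\.so)(?:\s|$)", body)
        if m:
            name = m.group(1).rsplit("/", 1)[-1]  # accept absolute module paths
            if name not in available and name not in missing:
                missing.append(name)
    return missing


if __name__ == "__main__":
    print(convert(SAMPLE), end="")
    print("not loadable:", missing_modules(SAMPLE, AVAILABLE))
```

The files pulled in by the rewritten `include` lines need the same check, since they can name further modules.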