physlock icon indicating copy to clipboard operation
physlock copied to clipboard

Published 20 hours ago verified publisher icon muennich

res=failed in journal

Open x70b1 opened this issue 5 years ago • 2 comments

I have the following line in my journal:

Jan 24 15:33:22 foo kernel: audit: type=1100 audit(1579876402.043:98): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_unix acct="x70b1" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=success'
Jan 24 15:33:22 foo kernel: audit: type=1110 audit(1579876402.043:99): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_unix acct="x70b1" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=success'
Jan 24 15:33:22 foo kernel: audit: type=1109 audit(1579876402.043:100): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=failed'

My PAM config /etc/pam.d/physlock:

#%PAM-1.0
auth		required	pam_unix.so
account		required	pam_unix.so
password	required	pam_unix.so
session		required	pam_unix.so

I am just asking myself what the third line is about. It seems like an error. But I couldn't find a solution.

i3lock only prints one line, while physlock writes 3 lines log.

Is there anything known about this? Regardless of this, everything works.

x70b1 avatar Jan 24 '20 14:01 x70b1

I do not know what's causing the bad_ident message. If you're running the current HEAD then the second log message seems to be right, because physlock now calls pam_setcred. Can you please post i3lock's PAM config?

xyb3rt avatar Mar 14 '20 13:03 xyb3rt

It's the default config:

#
# PAM configuration file for the i3lock screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/login)
#

auth include system-auth

My system-auth:

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

I changed my config to:

#%PAM-1.0
auth		required	pam_unix.so	try_first_pass nullok
account		required	pam_unix.so
password	required	pam_unix.so	try_first_pass nullok sha512 shadow
session		required	pam_unix.so

But the error log is still the same. If I put auth include system-auth in my config the error is in the log too.

x70b1 avatar Mar 16 '20 10:03 x70b1