[Bug 1219767] New: nullok option of pam_unix doesn't work as expected when logging in via a tty with an empty password
https://bugzilla.suse.com/show_bug.cgi?id=1219767 Bug ID: 1219767 Summary: nullok option of pam_unix doesn't work as expected when logging in via a tty with an empty password Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: screening-team-bugs@suse.de Reporter: fbui@suse.com QA Contact: qa-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- To allow a user to log in with an empty password, the option "nullok" of pam_unix is added in /etc/pam.d/common-auth: auth required pam_env.so auth optional pam_gnome_keyring.so auth required pam_unix.so try_first_pass nullok auth required pam_ecryptfs.so unwrap But when trying to log in via tty1 with user "foo" who has an empty password, login still prompts for a password. It appears that pam_gnome_keyring is interfering in the process of authentication cancelling the effect of nullok. Indeed after commenting the line with pam_gnome_keyring.so, the login process works as expect and there's no more password prompt. Please note that in this scenario gnome/gdm is not involved at all (the system was booted with multi-user.target target)so I don't really see why pam_gnome_keyring interferes here. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c1 Franck Bui <fbui@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|screening-team-bugs@suse.de |valentin.lefebvre@suse.com --- Comment #1 from Franck Bui <fbui@suse.com> --- Valentin (added in Cc) found that the option "--gnome_keyring-only_if" of pam_gnome_keyring might be missing in common-auth. This option is actually used to instruct the gnome PAM module to interact only when the gnome stack is involved. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c2 Valentin Lefebvre <valentin.lefebvre@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kukuk@suse.com Flags| |needinfo?(kukuk@suse.com) --- Comment #2 from Valentin Lefebvre <valentin.lefebvre@suse.com> --- (In reply to Franck Bui from comment #1)
Valentin (added in Cc) found that the option "--gnome_keyring-only_if" of pam_gnome_keyring might be missing in common-auth. This option is actually used to instruct the gnome PAM module to interact only when the gnome stack is involved.
Indeed, the gnome-keyring pam module is added by `pam-config` from the packaging of gnome-keyring. And the module is set into AUTH and SESSION. As it was discussed at bsc #443189, pam-gnome-keyring's option "only_if=service" has been removed from AUTH, to be only in one place at SESSION. As shown by Franck, it now, causes a problem. pam_gnome_keyring is invovlved by all services during the AUTH stack. I would suggest to add gnome keyring pam module option "only_if", not only for SESSION or PASSWORD, but also for AUTH (common-auth) when using pam-config. Thorsten(added in NeedInfo) do you have some infos or inputs according that ? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c3 Thorsten Kukuk <kukuk@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(kukuk@suse.com) | --- Comment #3 from Thorsten Kukuk <kukuk@suse.com> --- (In reply to Valentin Lefebvre from comment #2)
As it was discussed at bsc #443189, pam-gnome-keyring's option "only_if=service" has been removed from AUTH, to be only in one place at SESSION.
No, the auto_start_if option has been removed, not the only_if. Could it be that pam_gnome_keyring changed and the old "auto_start_if=" option got split into "auto_start" and "only_if"?
I would suggest to add gnome keyring pam module option "only_if", not only for SESSION or PASSWORD, but also for AUTH (common-auth) when using pam-config.
This makes sense.
Thorsten(added in NeedInfo) do you have some infos or inputs according that ?
Not really, I don't use GNOME. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c4 Valentin Lefebvre <valentin.lefebvre@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #4 from Valentin Lefebvre <valentin.lefebvre@suse.com> --- (In reply to Thorsten Kukuk from comment #3)
(In reply to Valentin Lefebvre from comment #2)
As it was discussed at bsc #443189, pam-gnome-keyring's option "only_if=service" has been removed from AUTH, to be only in one place at SESSION.
No, the auto_start_if option has been removed, not the only_if.
Could it be that pam_gnome_keyring changed and the old "auto_start_if=" option got split into "auto_start" and "only_if"?
I would suggest to add gnome keyring pam module option "only_if", not only for SESSION or PASSWORD, but also for AUTH (common-auth) when using pam-config.
This makes sense.
Thorsten(added in NeedInfo) do you have some infos or inputs according that ?
Not really, I don't use GNOME.
Thanks for the input. Upstream request has been push for the pam-config project to add the "only_if" option to the AUTH stask: https://github.com/SUSE/pam-config/pull/25 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c8 Valentin Lefebvre <valentin.lefebvre@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|IN_PROGRESS |RESOLVED --- Comment #8 from Valentin Lefebvre <valentin.lefebvre@suse.com> --- Everything should be good. Don't hesitate to reopen if the issue appears again. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c9 --- Comment #9 from Maintenance Automation <maint-coord+maintenance-robot@suse.de> --- SUSE-RU-2024:0980-1: An update that has one fix can now be installed. Category: recommended (moderate) Bug References: 1219767 Maintenance Incident: [SUSE:Maintenance:32672](https://smelt.suse.de/incident/32672/) Sources used: openSUSE Leap Micro 5.3 (src): pam-config-1.1-150200.3.6.1 openSUSE Leap Micro 5.4 (src): pam-config-1.1-150200.3.6.1 openSUSE Leap 15.5 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro 5.3 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro 5.4 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro 5.5 (src): pam-config-1.1-150200.3.6.1 Basesystem Module 15-SP5 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro 5.1 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro 5.2 (src): pam-config-1.1-150200.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): pam-config-1.1-150200.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1219767 https://bugzilla.suse.com/show_bug.cgi?id=1219767#c10 --- Comment #10 from Maintenance Automation <maint-coord+maintenance-robot@suse.de> --- SUSE-RU-2024:0980-2: An update that has one fix can now be installed. URL: https://www.suse.com/support/update/announcement/2024/suse-ru-20240980-2 Category: recommended (moderate) Bug References: 1219767 Maintenance Incident: [SUSE:Maintenance:32672](https://smelt.suse.de/incident/32672/) Sources used: SUSE Linux Enterprise Micro 5.5 (src): pam-config-1.1-150200.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com