Hi, resend, asthis never showed up on the list. The same happened on a second system. It was not the SuSE update, but the KDE 3.0.2 images. This time I checked when it happened :-) Martin ---------- Forwarded Message ---------- Subject: screensaver fails password check Date: Mon, 29 Jul 2002 15:42:03 +0200 From: Martin Knoblauch <martin.knoblauch@mscsoftware.com> To: suse-kde@suse.com Hi, today I installed the latest online update for SuSE-8.0 and additionaly upgraded to KDE-3.0.2. Since then the scrensaver locks me out. Logging in to the console or via KDE login works OK. Just the screensaver. Calling "kcheckpass" manually yields: mknoblau@knobi:~> kcheckpass Password: authentication failure for user mknoblau [uid 15833] mknoblau@knobi:~> This is found in /var/log/messages: Jul 29 15:40:27 knobi kcheckpass[1237]: pam_unix2: pam_sm_authenticate() called Jul 29 15:40:27 knobi kcheckpass[1237]: pam_unix2: username=[mknoblau] Jul 29 15:40:27 knobi kcheckpass[1237]: pam_unix2: wrong password, return PAM_AUTH_ERR Any idea what has gone wrong? Thanks Martin -- Martin Knoblauch MSC.software GmbH Am Moosfeld 13 D-81829 Muenchen, Germany e-mail: martin.knoblauch@mscsoftware.com http://www.mscsoftware.com Phone/Fax: +49-89-431987-189 / -7189 Mobile: +49-174-3069245
Hi, your are not alone. I've got the same problem here with suse 8.0 upgrading kde 3.0.1 to 3.0.2. -- Christian Benitz Tel. : +(49) 2165 - 91 13 53 Kölnerstraße 51 Fax : +(49) 2165 - 91 31 66 41363 Jüchen Mobil: +(49) 177 - 8 91 13 53 Germany Email: christian@benitz.de http://www.benitz.de ICQ : 5832138 =============================================================== Einfach mal reinschauen, auch für Dich ist was dabei http://www.hobby-total.de Am Mit, 2002-07-31 um 15.53 schrieb Martin Knoblauch:
Hi,
resend, asthis never showed up on the list. The same happened on a second system. It was not the SuSE update, but the KDE 3.0.2 images. This time I checked when it happened :-)
Martin
---------- Forwarded Message ----------
Subject: screensaver fails password check Date: Mon, 29 Jul 2002 15:42:03 +0200 From: Martin Knoblauch <martin.knoblauch@mscsoftware.com> To: suse-kde@suse.com
Hi,
today I installed the latest online update for SuSE-8.0 and additionaly upgraded to KDE-3.0.2. Since then the scrensaver locks me out. Logging in to the console or via KDE login works OK. Just the screensaver. Calling "kcheckpass" manually yields:
mknoblau@knobi:~> kcheckpass Password: authentication failure for user mknoblau [uid 15833] mknoblau@knobi:~>
This is found in /var/log/messages:
Jul 29 15:40:27 knobi kcheckpass[1237]: pam_unix2: pam_sm_authenticate() called Jul 29 15:40:27 knobi kcheckpass[1237]: pam_unix2: username=[mknoblau] Jul 29 15:40:27 knobi kcheckpass[1237]: pam_unix2: wrong password, return PAM_AUTH_ERR
Any idea what has gone wrong?
Thanks Martin -- Martin Knoblauch MSC.software GmbH Am Moosfeld 13 D-81829 Muenchen, Germany
e-mail: martin.knoblauch@mscsoftware.com http://www.mscsoftware.com Phone/Fax: +49-89-431987-189 / -7189 Mobile: +49-174-3069245
-- To unsubscribe, email: suse-kde-unsubscribe@suse.com For additional commands, email: suse-kde-help@suse.com Please do not cross-post to suse-linux-e
Am Mittwoch, 31. Juli 2002 15:53 schrieb Martin Knoblauch:
today I installed the latest online update for SuSE-8.0 and additionaly upgraded to KDE-3.0.2. Since then the scrensaver locks me out.
had the same problem but ONLY with NIS accounts. copied /etc/pam.d/xscreensaver to /etc/pam.d/kscreensaver and now it works just fine. bye, MH
fine that solves the problem. bye chris Am Mit, 2002-07-31 um 19.31 schrieb Mathias Homann:
Am Mittwoch, 31. Juli 2002 15:53 schrieb Martin Knoblauch:
today I installed the latest online update for SuSE-8.0 and additionaly upgraded to KDE-3.0.2. Since then the scrensaver locks me out.
had the same problem but ONLY with NIS accounts. copied /etc/pam.d/xscreensaver to /etc/pam.d/kscreensaver and now it works just fine.
bye, MH
-- To unsubscribe, email: suse-kde-unsubscribe@suse.com For additional commands, email: suse-kde-help@suse.com Please do not cross-post to suse-linux-e
-- Christian Benitz Tel. : +(49) 2165 - 91 13 53 Kölnerstraße 51 Fax : +(49) 2165 - 91 31 66 41363 Jüchen Mobil: +(49) 177 - 8 91 13 53 Germany Email: christian@benitz.de http://www.benitz.de ICQ : 5832138 =============================================================== Einfach mal reinschauen, auch für Dich ist was dabei http://www.hobby-total.de
did not help in my case :-( Actually I had no xscreensaver file at all, so I copied the xdm one. But as I said, no help. Could you please post your kscreensaver file? Btw. no NIS involved in my case(s). Martin On Thursday 01 August 2002 04:21, Christian Benitz wrote:
fine that solves the problem.
bye chris
Am Mit, 2002-07-31 um 19.31 schrieb Mathias Homann:
Am Mittwoch, 31. Juli 2002 15:53 schrieb Martin Knoblauch:
today I installed the latest online update for SuSE-8.0 and additionaly upgraded to KDE-3.0.2. Since then the scrensaver locks me out.
had the same problem but ONLY with NIS accounts. copied /etc/pam.d/xscreensaver to /etc/pam.d/kscreensaver and now it works just fine.
bye, MH
-- To unsubscribe, email: suse-kde-unsubscribe@suse.com For additional commands, email: suse-kde-help@suse.com Please do not cross-post to suse-linux-e
On Wednesday 31 July 2002 19:31, Mathias Homann wrote:
Am Mittwoch, 31. Juli 2002 15:53 schrieb Martin Knoblauch:
today I installed the latest online update for SuSE-8.0 and additionaly upgraded to KDE-3.0.2. Since then the scrensaver locks me out.
had the same problem but ONLY with NIS accounts. copied /etc/pam.d/xscreensaver to /etc/pam.d/kscreensaver and now it works just fine.
bye, MH
OK, after getting serious on this (strace is your friend), it turned out that my logins failed because "kcheckpass" couldn't open /etc/shadow from non-root accounts. The question is now: should the shadow file be world readable, or chould kcheckpass be made setuid-root. Martin -- Martin Knoblauch Senior System Architect MSC.software GmbH Am Moosfeld 13 D-81829 Muenchen, Germany e-mail: martin.knoblauch@mscsoftware.com http://www.mscsoftware.com Phone/Fax: +49-89-431987-189 / -7189 Mobile: +49-174-3069245
On Friday 02 August 2002 11:22, Martin Knoblauch wrote:
The question is now: should the shadow file be world readable,
No, no, no, the whole point of having a shadow file is that it should be root-only.
or chould kcheckpass be made setuid-root.
kcheckpass should be owned by root, group shadow and be setgid shadow. chmod g+s /opt/kde3/bin/kcheckpass Also, check your security settings in /etc/sysconfig/security, variable PERMISSIONS_SECURITY. Edit permissions.{easy|secure|paranoid}, depending on your settings, and make sure that the line for kcheckpass has 2755 as the mode. //Anders
On Friday 02 August 2002 11:29, Anders Johansson wrote:
On Friday 02 August 2002 11:22, Martin Knoblauch wrote:
The question is now: should the shadow file be world readable,
No, no, no, the whole point of having a shadow file is that it should be root-only.
completely agreed.
or chould kcheckpass be made setuid-root.
kcheckpass should be owned by root, group shadow and be setgid shadow.
chmod g+s /opt/kde3/bin/kcheckpass
yeah, problem turned out to be that kcheckpass was root.root. The mode was correct.
Also, check your security settings in /etc/sysconfig/security, variable PERMISSIONS_SECURITY. Edit permissions.{easy|secure|paranoid}, depending on your settings, and make sure that the line for kcheckpass has 2755 as the mode.
//Anders
OK, the setting was "easy, local". Interestingly CHECK_PERMISSIONS was "set", so the ownership should have been corrected automagically... which apparently did not work. Anyway, I am no longer locked out. Martin -- Martin Knoblauch Senior System Architect MSC.software GmbH Am Moosfeld 13 D-81829 Muenchen, Germany e-mail: martin.knoblauch@mscsoftware.com http://www.mscsoftware.com Phone/Fax: +49-89-431987-189 / -7189 Mobile: +49-174-3069245
participants (4)
-
Anders Johansson -
Christian Benitz -
Martin Knoblauch -
Mathias Homann