Login fails silently on system restart, after adding new module to /etc/pam.d/common-auth
I am attempting to add an auth-only PAM module (poldi, to support login via GPG SmartCards).
The way I have it configured works perfectly well for most authentication use-cases:
- sudo
- unlocking a locked screen
- logging in after logging out
However, it fails when logging in after a system restart. It acts as though the challenge is successful, the screen changes, but then it returns to the login page with no error message.
I've tried adding pam_poldi.so to the various session files, I've tried putting it before every occurrence of pam_unix.so with arguments like [success=1 default=ignore] to try skipping Unix auth if poldi can handle it. No luck so far, I always end up with the looping login behavior.
Again, this configuration works perfectly well for every auth case after the initial login.
I'm on a default install of Ubuntu 18.04.
Here is the relevant portion of /etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_poldi.so
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
It's possible that this is a bug/limitation with the PAM package (libpam-poldi) itself, but I'd like to get a stronger understanding of how PAM works on Ubuntu so that I can verify where the issue lies.
How should I proceed?
Update 1
I confirmed it is a PAM configuration issue and not a limitation with the specific PAM module. I replaced the line
auth [success=2 default=ignore] pam_poldi.so
with
auth [success=2 default=ignore] pam_permit.so
and observed the same looping login behavior, where it appears that I am about to log in, the screen goes dark for a second or two, then I'm back at the login screen.
Update 2
The issue appears to be in GDM's PAM configuration specifically, as I am able to successfully log in after restart from the Ctrl+Alt+F1-F6 virtual terminals, but not from the GDM greeter.
My guess is that something in the rest of the GDM PAM configuration is screwing this up, but I am out of my depth when it comes to understanding how GDM interacts with PAM, as configured by default on Ubuntu 18.04. Any help would be greatly appreciated.
18.04 login authentication pam
edited Dec 15 at 7:40
mature
asked Nov 30 at 16:13
Cameron Jeffers
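
The jump controls in the quoted common-auth are easier to follow when traced. The following is an added example, not part of the original post and not Linux-PAM's own code: a simplified model of its control handling that parses those lines and reports which modules run for a given set of module results. The names `parse`, `trace`, `FIXED` and the result labels are assumptions made for illustration.

```python
import re

# common-auth auth lines as quoted in the question (comment lines omitted).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_poldi.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

# Keyword controls in bracket form per pam.conf(5); new_authtok_reqd omitted.
KEYWORDS = {
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}
FIXED = {"pam_deny.so": "auth_err", "pam_permit.so": "success"}

def parse(text):
    """Return [(module, {return_value: action})] for the auth lines."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.strip())
        if m:  # comments and blank lines do not match
            ctl, module = m.groups()
            actions = (dict(kv.split("=") for kv in ctl[1:-1].split())
                       if ctl.startswith("[") else KEYWORDS[ctl])
            stack.append((module, actions))
    return stack

def trace(stack, results):
    """Simplified model: results maps module -> 'success' or an error label (assumed)."""
    ran, status, i = [], None, 0
    while i < len(stack):
        module, actions = stack[i]
        ret = FIXED.get(module) or results.get(module, "success")
        ran.append(module)
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)  # jump: skip N modules, stack result untouched
        elif action != "ignore" and status in (None, "success"):
            status = ret  # ok/done record success; bad/die record the first failure
        if action == "die" or (action == "done" and status == "success"):
            break
    return ran, status or "no_result"
```

With pam_poldi.so returning success, `trace(parse(COMMON_AUTH), {"pam_poldi.so": "success"})` shows that pam_unix.so is never called while the "Additional" block still runs.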