[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#35674: GDM auto-login doesn't work
|
From: |
Alex Griffin |
|
Subject: |
bug#35674: GDM auto-login doesn't work |
|
Date: |
Fri, 01 Nov 2019 16:02:41 +0000 |
|
User-agent: |
Cyrus-JMAP/3.1.7-509-ge3ec61c-fmstable-20191030v1 |
On Mon, May 13, 2019, at 2:24 PM, Timothy Sample wrote:
> If I turn on debugging output, I can see that the issue has to do with
> the way PAM is configured. Digging a little deeper, I found that our
> auto-login PAM service is
>
> auth [success=ok default=1] pam_gdm.so
> auth sufficient pam_permit.so
>
> What this means is that if “pam_gdm.so” is not successful, the
> “pam_permit.so” line will be skipped, and auto-login will not work. The
> “pam_gdm.so” module does some sort of cached password lookup using the
> “keyutils” library (presumably for an encrypted home directory). Our
> build of GDM does not support this (we don’t include “keyutils” in its
> inputs), so the module never succeeds. As a result, auto-login fails.
I tried adding keyutils to the GDM package and it made no difference. I
confirmed that it linked correctly, but didn't look into it further.
> It looks like this particular way of doing things was cribbed from Red
> Hat, where the module that gets skipped by “default=1” is
> “pam_gnome_keyring.so” (and not “pam_permit.so”). Other distros simply
> mark it as optional. I suggest we either omit the first rule, since it
> will never do anything anyway, or follow other distros and change its
> control field to “optional”.
I can confirm that changing the control value to "optional" satisfies PAM, but
I ran into another problem. GDM continually crashes and restarts about 40 times
once autologin is enabled. If I switch to another tty and run `herd restart
xorg-server`, then GDM starts fine and automatically logs me in.
I've attached a file with a bunch of log messages. Not full log files, but
snippets from a bunch of logs that I thought looked relevant.
> My experience with PAM is limited, so I would appreciate a second
> opinion before committing anything.
This bug was my introduction to PAM, so perhaps my opinion isn't very
reassuring, but changing pam_gdm.so to optional seems harmless in this case.
Even if it somehow screws something up, it will only affect people who went out
of their way to make their system less secure by enabling auto-login.
--
Alex Griffin
gdm_errors.txt
Description: Text document
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#35674: GDM auto-login doesn't work,
Alex Griffin <=