Bug#723050: can't log in
Hello Maximiliano, Thanks for still being around my bug report :-) > I don't know if the problem is still reproduceable for you, it was > never reproduceable for me. I am still using the same machine, and though up-to-date, this bug is still here. :( > But if you do, could you check the permissions of the > /sbin/unix_chkpwd command? Permissions on unix_chkpwd seems to be correct with setgid shadow: -rwxr-sr-x 1 root shadow 35K 02-14 00:27 /sbin/unix_chkpwd* > it uses the "/etc/pam.d/other" pam service. And here is my /etc/pam.d/other: # # # /etc/pam.d/other - specify the PAM fallback behaviour # # Note that this file is used for any unspecified service; for example #if /etc/pam.d/cron specifies no session modules but cron calls #pam_open_session, the session module out of /etc/pam.d/other is #used. If you really want nothing to happen then use pam_permit.so or #pam_deny.so as appropriate. # We fall back to the system default in /etc/pam.d/common-* # @include common-auth @include common-account @include common-password @include common-session # Thank you. -- Mathieu -- To UNSUBSCRIBE, email to debian-qt-kde-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/5335bb95.6010...@gmail.com
Bug#723050: can't log in
Muchas gracias Maximiliano! It was the permissions on /etc/shadow which were root:root 600. Fixing them to root:shadow 640 made both xscreensaver and kscreensaver able to log me back in! I have no idea what may have changed permissions on shadow file, though. Anyway, thank you very much for your help! :-) -- Mathieu Le 28/03/2014 20:25, Maximiliano Curia a écrit : > ¡Hola Mathieu! > > El 2014-03-28 a las 19:12 +0100, Mathieu MD escribió: >>> But if you do, could you check the permissions of the >>> /sbin/unix_chkpwd command? > >> Permissions on unix_chkpwd seems to be correct with setgid shadow: >> -rwxr-sr-x 1 root shadow 35K 02-14 00:27 /sbin/unix_chkpwd* > > And the password of your user is in /etc/shadow which is readable by the > shadow group? > > It might be interesting to know if /sbin/unix_chkpwd is being called at all, > using second session and strace you can check this, so you lock your screen > and from another session, you'll need to find the pid of your screensaver, > it can be kscreensaver, xscreensaver, or in my case plasma_overlay, > then: > $ strace -vfp $pid_of_screensaver -e execve > > Try to unlock the screensaver and check the logged output. > > The output shouldn't be more than 30 lines, if it's more, redirect it into a > file and attach the file here. > -- To UNSUBSCRIBE, email to debian-qt-kde-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/5335fdcd.3040...@gmail.com
Bug#723050: kscreensaver does not validate correct user password anymore
Package: kscreensaver Version: 4:4.10.5-2 Severity: critical Justification: breaks the whole system Dear Maintainer, After an upgrade this morning of packages xscreensaver (amd64 5.15-3) and kscreensaver (amd64 4:4.10.5-2) I cannot unlock the screensaver (both kscreensaver and xscreensaver) when I input the correct password. However 'sudo' through SSH from another host does still accept the same password. It did worked before upgrade. In /var/log/auth.log I get these messages: # xscreensaver #-8<--8<-- Sep 15 15:10:28 inspiron unix_chkpwd[29077]: check pass; user unknown Sep 15 15:10:31 inspiron unix_chkpwd[29079]: check pass; user unknown Sep 15 15:10:31 inspiron unix_chkpwd[29079]: password check failed for user (mathieu) Sep 15 15:10:31 inspiron xscreensaver: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=mathieu Sep 15 15:10:33 inspiron xscreensaver[23380]: FAILED LOGIN 1 ON DISPLAY ":0.0", FOR "mathieu" #-8<--8<-- and # kscreensaver #-8<--8<-- Sep 15 19:44:02 inspiron unix_chkpwd[17310]: check pass; user unknown Sep 15 19:44:02 inspiron unix_chkpwd[17311]: check pass; user unknown Sep 15 19:44:02 inspiron unix_chkpwd[17311]: password check failed for user (mathieu) Sep 15 19:44:02 inspiron kcheckpass[17309]: pam_unix(kdm:auth): authentication failure; logname=mathieu uid=1000 euid=1000 tty=:1 ruser= rhost= user=mathieu Sep 15 19:44:02 inspiron kcheckpass[17309]: Authentication failure for mathieu (invoked by uid 1000) #-8<--8<-- -- System Information: Debian Release: jessie/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.10-2-amd64 (SMP w/3 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages kscreensaver depends on: ii kde-runtime 4:4.10.5-1 ii kde-workspace-bin 4:4.10.5-3 ii libc6 2.17-92+b1 ii libgl1-mesa-glx [libgl1] 9.1.6-2 ii libglu1-mesa [libglu1]9.0.0-1 ii libkdecore5 4:4.10.5-1 ii libkdeui5 4:4.10.5-1 ii libkexiv2-11 4:4.10.5-1 ii libkio5 4:4.10.5-1 ii libkparts44:4.10.5-1 ii libkscreensaver5 4:4.10.5-3 ii libqt4-opengl 4:4.8.5+dfsg-4 ii libqtcore44:4.8.5+dfsg-4 ii libqtgui4 4:4.8.5+dfsg-4 ii libstdc++64.8.1-2 ii libx11-6 2:1.6.1-1 Versions of packages kscreensaver recommends: ii kde-window-manager 4:4.10.5-3 Versions of packages kscreensaver suggests: ii kscreensaver-xsavers 4:4.10.5-2 Versions of packages xscreensaver depends on: ii libatk1.0-0 2.8.0-2 ii libc6 2.17-92+b1 ii libcairo2 1.12.14-4 ii libfontconfig1 2.10.2-2 ii libfreetype62.4.9-1.1 ii libgdk-pixbuf2.0-0 2.28.2-1 ii libglade2-0 1:2.6.4-1 ii libglib2.0-02.36.4-1 ii libgtk2.0-0 2.24.20-1 ii libice6 2:1.0.8-2 ii libpam0g1.1.3-9 ii libpango1.0-0 1.32.5-5+b1 ii libsm6 2:1.2.1-2 ii libx11-62:1.6.1-1 ii libxext62:1.3.2-1 ii libxi6 2:1.7.2-1 ii libxinerama12:1.1.3-1 ii libxml2 2.9.1+dfsg1-3 ii libxmu6 2:1.1.1-1 ii libxpm4 1:3.5.10-1 ii libxrandr2 2:1.4.1-1 ii libxrender1 1:0.9.8-1 ii libxt6 1:1.1.4-1 ii libxxf86vm1 1:1.1.3-1 ii xscreensaver-data 5.15-3 Versions of packages xscreensaver recommends: ii libjpeg-progs 8d-1 ii perl [perl5] 5.18.1-3 ii wamerican [wordlist] 7.1-1 ii wfrench [wordlist]1.2.3-10 Versions of packages xscreensaver suggests: ii chromium [www-browser] 29.0.1547.57-3 pn fortune pn gdm3 | kdm-gdmcompat ii iceweasel [www-browser] 23.0-1~bpo70+1 ii konqueror [www-browser] 4:4.10.5-1 pn qcam | streamer ii w3m [www-browser]0.5.3-11 pn xdaliclock pn xfishtank ii xscreensaver-gl 5.15-3 -- no debconf information -- To UNSUBSCRIBE, email to debian-qt-kde-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130915210245.32744.74878.report...@inspiron.lan
Bug#723050: can't log in
Thanks for your feedback. It may have been the case the very first day, but now that I had reboot many times, and still the problem is the same, what could it be? (sorry for replying late: I did not received your message) -- Mathieu > I see you also pulled in the libc and pam updates. During the libc > upgrade there should have been a dialog requesting service restarts > for ssh and cupsd as the upgrade breaks authentication. The wall of > text explaining the upgrade should have stated that X (and therefore > kdm) needs to be restarted manually after the upgrade, as restarting > X logs out any active sessions and would therefore kill the upgrade. > ssh works because it can be restarted safely. > This happens every time libc and pam are updated and is due to a > limitation in pam. > TLDR; Any time you upgrade libc or pam, you /must/ log out and > restart kdm. > /not maintainer -- To UNSUBSCRIBE, email to debian-qt-kde-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/52433f8a.3040...@gmail.com
Bug#723050: can't log in
Hi Maximiliano, I do use kdm to login. I tried to run xscreensaver as you told, but it did not change anything: I still cannot login back. Here is my pam files: # # /etc/pam.d/kdm - specify the PAM behaviour of kdm # auth required pam_nologin.so auth required pam_env.so readenv=1 auth required pam_env.so readenv=1 envfile=/etc/default/locale @include common-auth sessionrequired pam_limits.so @include common-account @include common-password @include common-session Where it's missing SELinux (which is not installed) and pam_loginuid.so lines, comparing to yours, and you don't have common-session. I tried adding the pam_loginuid.so, but it didn't helped. # # /etc/pam.d/xscreensaver - PAM behavior for xscreensaver # @include common-auth @include common-account Thanks for trying! -- Mathieu Le 15/11/2013 15:02, Maximiliano Curia a écrit : > Hi, > > In article <52433f8a.3040...@gmail.com> you wrote: >> Thanks for your feedback. > >> It may have been the case the very first day, but now that I had reboot >> many times, and still the problem is the same, what could it be? > >> (sorry for replying late: I did not received your message) > > I was trying to follow the code, and it looks like > /usr/lib/kde4/libexec/kcheckpass uses the kdm pam service, which > imports the common services and adds some normal pam stuff. :: > > auth required pam_nologin.so > auth required pam_env.so readenv=1 > auth required pam_env.so readenv=1 envfile=/etc/default/locale > @include common-auth > # SELinux needs to be the first session rule. This ensures that any > # lingering context has been cleared. Without out this it is possible > # that a module could execute code in the wrong domain. > session[success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so close > sessionrequired pam_limits.so > sessionrequired pam_loginuid.so > @include common-session > # SELinux needs to intervene at login time to ensure that the process > # starts in the proper default security context. Only sessions which are > # intended to run in the user's context should be run after this. > session[success=ok ignore=ignore module_unknown=ignore default=bad] > pam_selinux.so open > @include common-account > @include common-password > > Which is fine for a starting session. > > But, this is different from what xscreensaver uses, which is only the > common-auth and common-account. :: > > @include common-auth > @include common-account > > Also, you could be using KDE without having kdm installed, which would load > the "other" pam service file. :: > > @include common-auth > @include common-account > @include common-password > @include common-session > > So, I'm still not sure if this could be the cause of this issue, but I'll need > to know what pam modules you have enabled. > And if you replace kscreensaver with xscreensaver (run xscreensaver, settings, > restart daemon, lock screen) if you can unlock you session or not. > > Thanks, > -- To UNSUBSCRIBE, email to debian-qt-kde-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/528e7545.7050...@gmail.com
