PAM not working under ArchLinux (using LightDM) #37
Can you check if you have the same stuff as in this issue in your log? See #36. Sorry, I don't mean to be an inactive maintainer. I'm struggling with moving houses at the moment and don't have my development machine or internet worked out yet. |
Any more details on this bug? |
Sorry for the long delay, I was really busy these days... Well, to tell the truth... there's no error on the logs, nothing related to the PAM module. Just to be sure... is the Also, my
Does the order matter in any way? I really don't know much about how PAM config works. Just to give more details, my .zshrc config looks like this now:
|
I think you have to put the pam options in the file defined as |
@Dan-Silva yeah, it matters where you're logging in from. |
Well, to keep things simple I'm logging through a TTY now (just to get it working). It looks like the SSH doesn't work (it still asks me for the passphrase through a pinentry) and the GPG key is always invalid, e.g. when I try the following command:
It returns the following (without asking me the passphrase):
Again, I see no logs on the journal. |
And an interesting fact is that when putting the config in
... and GPG just pops up a pinentry! Just as if the behaviours were switched. Bizarre. |
Is the ssh keyring from gpg encrypted (has a password)? |
Yes, with the same password I use on login. |
I think @ramonmaruko may have solved this mystery. See #40. I'll tackle this as soon as I get a chance. |
I updated it but I'm still having the same issues. And didn't find anything new on syslog :/ |
I had encountered that error before while trying to use an SSH key, and I "fixed" it by issuing |
Right, story time!
Is an error that comes up whenever your ssh keyring is locked, gpg-agent tries to unlock it, but fails to prompt you. It prompts you by launching the appropriate pinentry program (curses, gtk-2 or qt4). In order to do this, gpg-agent needs to know either which X session to pop up on or which tty (seed it with However I don't have this information when starting gpg-agent. It can't read it from the environment systemd launches So you actually must do a This is actually why I devised the
So I recommend either
So the This explanation probably helps you guys understand why I get caught with my pants down with a broken pam module - I don't use it. The pam module, imho, is only useful for two cases which I don't do:
The second you need to rely on the pinentry showing up, the pam module is going to be nothing but headaches and weird behaviour unless you understand how the pinentry system works. If it wasn't for |
Any updates or can I chalk this one up to configuration problems (or was envoy abandoned in the end?). I understand navigating the ins and outs of gpg-agent is annoying... (I was actually surprised I was able to support it at all). |
Well, actually my desired behaviour is to unlock the keyring on login by using my password, so I guess it's reasonable for me to still try using the PAM module. In the end I just ended up aliasing my I'm really sorry that I'm not able to provide so much information. The log doesn't contain any useful information other than what I already provided here, and my configs didn't change so much... I'm thinking about touching the source code, but I probably won't be able to do anything for the next weeks. Anyway, my problem persists with the latest version. |
If the pam module isn't unlocking the session at all, that's a bug and something I'll investigate into. That said, unlocking like this, I think, might need some gpg-agent configuration to keep it from expiring your password. I should get myself more familiar with this code. You're not the first to have problems and my ability to support them is limited since I don't use it: I don't reuse my password and I want it to timeout. Time to create some test keys when I get home. |
I get the exact same behavior, the PAM module is not working at all (I have to provide the passphrase on first use), though I put the instructions into the same file where pam_ssh works ( |
@untitaker sorry for the delay.
|
No worries, remember I'm not entitled to anything.
Yes.
GPG has that problem. SSH unlocks fine. |
Wait, are we talking about ssh keys or gpg keys? And is
envoy's pam can't handle ssh, is this in comparison to pam_ssh? |
We're talking about the unlocking of GPG keys. I'll try out envoy sometime again, I didn't know that envoy doesn't unlock SSH keys (probably my reading comprehension failed me) and now I'm just as confused as you are. On 22 May 2015 17:28:50 CEST, Simon Gomizelj notifications@github.com wrote:
|
This issue has just gotten a little overloaded and I indeed confused myself.
This is something I don't support right now. The presetting support in envoy for gpg-agent is specifically only for the ssh keys it manages. Envoy started off as an ssh helper and has grown, but to support unlocking gpg keys I first have to tackle #30. I don't know how to enumerate them.
That's what it's built for. I confused myself by thinking about ssh-agent instead of gpg-agent (pam_ssh is for ssh-agent). If you're using ssh-agent, pam_envoy for unlocking doesn't work. |
Alright, because there are a few different people jumping on here with different issues, I'm going to close and lock this issue. If:
|
I enabled the envoy service with:
... added these to my /etc/pam.d/login:
... and added
envoy id_rsa
to my .zshrc, but it still doesn't work... there's something else I should configure to make it work? or is it a bug?