Bug 1219767 - nullok option of pam_unix doesn't work as expected when logging in via a tty with an empty password
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Valentin Lefebvre
QA Contact: E-mail List
Reported: 2024-02-09 10:59 UTC by Franck Bui
Modified: 2024-03-25 08:30 UTC

Description Franck Bui 2024-02-09 10:59:32 UTC
To allow a user to log in with an empty password, the option "nullok" of pam_unix is added in /etc/pam.d/common-auth:

auth	required	pam_env.so	
auth	optional	pam_gnome_keyring.so
auth	required	pam_unix.so	try_first_pass nullok
auth	required	pam_ecryptfs.so	unwrap

But when trying to log in via tty1 with user "foo" who has an empty password, login still prompts for a password.

It appears that pam_gnome_keyring is interfering in the process of authentication, cancelling the effect of nullok. Indeed, after commenting out the line with pam_gnome_keyring.so, the login process works as expected and there's no more password prompt.

Please note that in this scenario gnome/gdm is not involved at all (the system was booted with multi-user.target target), so I don't really see why pam_gnome_keyring interferes here.
Comment 1 Franck Bui 2024-02-09 11:02:42 UTC
Valentin (added in Cc) found that the option "--gnome_keyring-only_if" of pam_gnome_keyring might be missing in common-auth. This option is actually used to instruct the gnome PAM module to interact only when the gnome stack is involved.
Comment 2 Valentin Lefebvre 2024-02-09 11:29:04 UTC
(In reply to Franck Bui from comment #1)
> Valentin (added in Cc) found that the option "--gnome_keyring-only_if" of
> pam_gnome_keyring might be missing in common-auth. This option is actually
> used to instruct the gnome PAM module to interact only when the gnome stack
> is involved.

Indeed, the gnome-keyring pam module is added by `pam-config` from the packaging of gnome-keyring. And the module is set into AUTH and SESSION.

As it was discussed at bsc #443189, pam-gnome-keyring's option "only_if=service" has been removed from AUTH, to be only in one place at SESSION.

As shown by Franck, it now causes a problem. pam_gnome_keyring is involved by all services during the AUTH stack.

I would suggest to add gnome keyring pam module option "only_if", not only for SESSION or PASSWORD, but also for AUTH (common-auth) when using pam-config.

Thorsten (added in NeedInfo), do you have any info or input regarding that?
Comment 3 Thorsten Kukuk 2024-02-09 13:22:14 UTC
(In reply to Valentin Lefebvre from comment #2)

> As it was discussed at bsc #443189, pam-gnome-keyring's option
> "only_if=service" has been removed from AUTH, to be only in one place at
> SESSION.

No, the auto_start_if option has been removed, not the only_if.

Could it be that pam_gnome_keyring changed and the old "auto_start_if=" option got split into "auto_start" and "only_if"? 


> I would suggest to add gnome keyring pam module option "only_if", not only
> for SESSION or PASSWORD, but also for AUTH (common-auth) when using
> pam-config.

This makes sense.
 
> Thorsten(added in NeedInfo) do you have some infos or inputs according that ?

Not really, I don't use GNOME.
Comment 4 Valentin Lefebvre 2024-02-09 22:45:02 UTC
(In reply to Thorsten Kukuk from comment #3)
> (In reply to Valentin Lefebvre from comment #2)
> 
> > As it was discussed at bsc #443189, pam-gnome-keyring's option
> > "only_if=service" has been removed from AUTH, to be only in one place at
> > SESSION.
> 
> No, the auto_start_if option has been removed, not the only_if.
> 
> Could it be that pam_gnome_keyring changed and the old "auto_start_if="
> option got split into "auto_start" and "only_if"? 
> 
> 
> > I would suggest to add gnome keyring pam module option "only_if", not only
> > for SESSION or PASSWORD, but also for AUTH (common-auth) when using
> > pam-config.
> 
> This makes sense.
>  
> > Thorsten(added in NeedInfo) do you have some infos or inputs according that ?
> 
> Not really, I don't use GNOME.

Thanks for the input. An upstream request has been pushed to the pam-config project to add the "only_if" option to the AUTH stack: https://github.com/SUSE/pam-config/pull/25
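
A check for the condition discussed in comments 2 to 4, added here as an example; it is not part of the original thread or of pam-config. It parses an /etc/pam.d-style file and reports auth rules where pam_gnome_keyring.so has no only_if= argument and where pam_unix.so carries nullok. The function names, the finding tags and the only_if service list are assumptions for illustration, and the sample input is constructed from the common-auth in the description.

```python
import re

# One rule per line in /etc/pam.d/* syntax: [-]type control module [args...]
RULE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed input: the common-auth quoted in the bug description.
REPORTED = (
    "auth\trequired\tpam_env.so\n"
    "auth\toptional\tpam_gnome_keyring.so\n"
    "auth\trequired\tpam_unix.so\ttry_first_pass nullok\n"
    "auth\trequired\tpam_ecryptfs.so\tunwrap\n"
)
# Same file with the keyring module scoped. The service list is an
# illustrative assumption; the thread does not state the value pam-config writes.
SCOPED = REPORTED.replace(
    "pam_gnome_keyring.so", "pam_gnome_keyring.so only_if=gdm,gdm-password")


def parse_pam(text):
    """Return (lineno, type, control, module, args) for every rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = RULE.match(raw.split("#", 1)[0].strip())
        if match:
            kind, control, module, args = match.groups()
            # Modules may be given by absolute path; compare on the file name.
            rules.append((lineno, kind, control,
                          module.rsplit("/", 1)[-1], args.split()))
    return rules


def audit_auth(text):
    """Flag auth rules relevant to this bug as (lineno, tag) pairs."""
    findings = []
    for lineno, kind, _control, module, args in parse_pam(text):
        if kind != "auth":
            continue
        scoped = any(arg.startswith("only_if=") for arg in args)
        if module == "pam_gnome_keyring.so" and not scoped:
            findings.append((lineno, "keyring-unscoped"))  # runs for every service
        if module == "pam_unix.so" and "nullok" in args:
            findings.append((lineno, "nullok"))  # empty passwords accepted
    return findings


if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("scoped", SCOPED)):
        print(name, audit_auth(text))
```

To audit a live system, pass the contents of /etc/pam.d/common-auth (or any other file under /etc/pam.d) to audit_auth().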
Comment 6 OBSbugzilla Bot 2024-02-13 11:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1219767) was mentioned in
https://build.opensuse.org/request/show/1146373 Factory / pam-config
Comment 8 Valentin Lefebvre 2024-02-21 09:17:22 UTC
Everything should be good.
Don't hesitate to reopen if the issue appears again.
Comment 9 Maintenance Automation 2024-03-25 08:30:00 UTC
SUSE-RU-2024:0980-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1219767
Maintenance Incident: [SUSE:Maintenance:32672](https://smelt.suse.de/incident/32672/)
Sources used:
openSUSE Leap Micro 5.3 (src):
 pam-config-1.1-150200.3.6.1
openSUSE Leap Micro 5.4 (src):
 pam-config-1.1-150200.3.6.1
openSUSE Leap 15.5 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro 5.3 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro 5.4 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro 5.5 (src):
 pam-config-1.1-150200.3.6.1
Basesystem Module 15-SP5 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro 5.1 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro 5.2 (src):
 pam-config-1.1-150200.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 pam-config-1.1-150200.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.