I am attempting to add an auth-only PAM module (poldi, to support login via GPG SmartCards).
The way I have it configured works perfectly well for most authentication use-cases:
- unlocking a locked screen
- logging in after logging out
However, it fails when logging in after a system restart. It acts as though the challenge is successful, the screen changes, but then it returns to the login page with no error message.
I’ve tried adding `pam_poldi.so` to the various session files, I’ve tried putting it before every occurrence of `pam_unix.so` with arguments like `[success=1 default=ignore]` to try skipping Unix auth if `poldi` can handle it. No luck so far, I always end up with the looping login behavior.
Again, this configuration works perfectly well for every auth case after the initial login.
I’m on a default install of Ubuntu 18.04.
Here is the relevant portion of

```
auth [success=2 default=ignore] pam_poldi.so
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
```
It’s possible that this is a bug/limitation with the PAM package (libpam-poldi) itself, but I’d like to get a stronger understanding of how PAM works on Ubuntu so that I can verify where the issue lies.
How should I proceed?
I confirmed it is a PAM configuration issue and not a limitation with the specific PAM module. I replaced the line

`auth [success=2 default=ignore] pam_poldi.so`

with

`auth [success=2 default=ignore] pam_permit.so`

and observed the same looping login behavior, where it appears that I am about to log in, the screen goes dark for a second or two, then I’m back at the login screen.
The issue appears to be in GDM’s PAM configuration specifically, as I am able to successfully login after restart from the Ctrl+Alt+F1–F6 virtual terminals, but not from the GDM greeter.
My guess is that something in the rest of the GDM PAM configuration is screwing this up, but I am out of my depth when it comes to understanding how GDM interacts with PAM, as configured by default on Ubuntu 18.04. Any help would be greatly appreciated.
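For anyone wanting to reason about what the stack in the question actually does before touching GDM's configuration, the following is an added example (not code from the question, and not Linux-PAM's own dispatcher): a small simulator of the `[value=action]` control semantics from pam.conf(5), run over the exact `auth` lines posted above. The module results it feeds in (card accepted by `pam_poldi`, password accepted by `pam_unix`, both failing) are constructed for the demonstration, `pam_permit.so` is assumed to always succeed and `pam_deny.so` to always fail, and the impression/status bookkeeping is a simplification of libpam's `pam_dispatch.c`, not a port of it.

```python
"""Walk a PAM 'auth' stack the way libpam's dispatcher does, to see which
modules actually run for a given set of module results.

Added example for illustration; it is not code from the question or from
Linux-PAM. It models the control-field logic from pam.conf(5) (ignore, ok,
bad, die, done, and the numeric 'skip N' action, plus the required /
requisite / sufficient / optional shorthands) with each module's return
reduced to 'success' or 'fail'. The impression/status bookkeeping is a
simplification of libpam/pam_dispatch.c, not a line-for-line port.
"""

import re
from dataclasses import dataclass

# The stack from the question (Ubuntu's common-auth layout with pam_poldi
# placed ahead of pam_unix); comments are stripped by the parser.
STACK = """
auth [success=2 default=ignore] pam_poldi.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

# Shorthand controls expressed as the [value=action] table they expand to.
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    actions: dict
    module: str
    args: str = ""


def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("cannot parse line: " + raw)
        ctrl, module, args = m.groups()
        if ctrl.startswith("["):
            actions = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            actions = SHORTHAND[ctrl]
        entries.append(Entry(actions, module, args))
    return entries


def run_stack(entries, outcomes):
    """Return (final_result, trace).

    outcomes maps module name -> 'success' | 'fail' (constructed input).
    Assumption: pam_permit.so always succeeds, pam_deny.so always fails,
    and any module not listed fails.
    """
    results = {"pam_permit.so": "success", "pam_deny.so": "fail", **outcomes}
    impression = None     # None (undecided), 'positive' or 'negative'
    status = None         # result that will be reported to the application
    trace = []
    i = 0
    while i < len(entries):
        e = entries[i]
        retval = results.get(e.module, "fail")
        action = e.actions.get(retval, e.actions.get("default", "bad"))
        trace.append((e.module, retval, action))
        skip = 0
        if action == "ignore":
            pass                                   # result does not count
        elif action in ("ok", "done") or action.isdigit():
            # 'ok' only overrides the status while no failure is recorded
            if impression is None or (impression == "positive" and retval == "success"):
                impression = "positive" if retval == "success" else "negative"
                status = retval
            if action == "done" and impression == "positive":
                break                              # sufficient-style early exit
            if action.isdigit():
                skip = int(action)                 # jump over the next N modules
        elif action in ("bad", "die"):
            if impression != "negative":
                impression = "negative"
                status = retval
            if action == "die":
                break                              # requisite-style early exit
        else:
            raise ValueError("unsupported action: " + action)
        i += 1 + skip
    return (status or "fail"), trace


def modules_run(trace):
    """Names of the modules that were actually invoked, in order."""
    return [module for module, _, _ in trace]


if __name__ == "__main__":
    entries = parse_stack(STACK)
    for label, outcomes in [
        ("smartcard accepted by pam_poldi", {"pam_poldi.so": "success"}),
        ("no card, password accepted by pam_unix", {"pam_unix.so": "success"}),
        ("both fail", {}),
    ]:
        result, trace = run_stack(entries, outcomes)
        print(f"{label}: {result}")
        for module, retval, action in trace:
            print(f"    {module:<18} {retval:<8} -> {action}")
```

Running it shows the three paths through the posted stack: when `pam_poldi.so` succeeds, `success=2` jumps straight to `pam_permit.so`, so `pam_unix.so` and `pam_deny.so` never execute; when only `pam_unix.so` succeeds, `success=1` skips just `pam_deny.so`; when both fail, the `requisite pam_deny.so` ends the stack with a failure. Comparing the list of modules that ran on each path against the rest of the GDM stack (the other `auth` lines and the `account`/`session` phases that `common-auth` is included from) is a concrete way to narrow down which module behaves differently after a reboot.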