Login fails silently on system restart, after adding new module to /etc/pam.d/common-auth

I am attempting to add an auth-only PAM module (poldi, to support login via GPG SmartCards).

The way I have it configured works perfectly well for most authentication use-cases:

  • sudo
  • unlocking a locked screen
  • logging in after logging out

However, it fails when logging in after a system restart. It acts as though the challenge is successful, the screen changes, but then it returns to the login page with no error message.

I’ve tried adding pam_poldi.so to the various session files, and I’ve tried putting it before every occurrence of pam_unix.so with arguments like [success=1 default=ignore] to try skipping Unix auth if poldi can handle it. No luck so far; I always end up with the looping login behavior.

Again, this configuration works perfectly well for every auth case after the initial login.

I’m on a default install of Ubuntu 18.04.

Here is the relevant portion of /etc/pam.d/common-auth:

auth    [success=2 default=ignore]      pam_poldi.so
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_ecryptfs.so unwrap
auth    optional                        pam_cap.so

It’s possible that this is a bug/limitation with the PAM package (libpam-poldi) itself, but I’d like to get a stronger understanding of how PAM works on Ubuntu so that I can verify where the issue lies.

How should I proceed?

Update 1

I confirmed it is a PAM configuration issue and not a limitation with the specific PAM module. I replaced the line

auth    [success=2 default=ignore]    pam_poldi.so

with

auth    [success=2 default=ignore]    pam_permit.so

and observed the same looping login behavior, where it appears that I am about to log in, the screen goes dark for a second or two, then I’m back at the login screen.

Update 2

The issue appears to be in GDM’s PAM configuration specifically, as I am able to successfully log in after restart from the Ctrl+Alt+F1-F6 virtual terminals, but not from the GDM greeter.

My guess is that something in the rest of the GDM PAM configuration is screwing this up, but I am out of my depth when it comes to understanding how GDM interacts with PAM, as configured by default on Ubuntu 18.04. Any help would be greatly appreciated.

Answer

Attribution
Source: Link, Question Author: Cameron Jeffers, Answer Author: Community
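
As an added illustration (not part of the original question or of any answer), here is a simplified Python model of how the `[success=N default=ignore]` jumps in the common-auth excerpt from the question decide which modules run. The per-module outcomes passed in are constructed, and only the control tokens that appear in that excerpt are modelled.

```python
# Added example: simplified model of libpam walking the auth stack quoted above.
COMMON_AUTH = """\
auth    [success=2 default=ignore]      pam_poldi.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional        pam_ecryptfs.so unwrap
auth    optional                        pam_cap.so
"""

# Keyword controls as (action on success, action on any other result).
KEYWORDS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
            "optional": ("ok", "ignore")}

def parse(text):
    """Return [(module, (on_success, on_other)), ...] for each stack line."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rest = line.split(None, 1)[1]              # drop the "auth" type field
        if rest.startswith("["):                   # [value=action ...] form
            ctrl, rest = rest[1:].split("]", 1)
            pairs = dict(p.split("=", 1) for p in ctrl.split())
            actions = (pairs.get("success", pairs["default"]), pairs["default"])
        else:
            ctrl, rest = rest.split(None, 1)
            actions = KEYWORDS[ctrl]
        stack.append((rest.split()[0], actions))
    return stack

def run(stack, results):
    """results maps module -> True on PAM_SUCCESS. Returns (modules_run, granted)."""
    ran, status, i = [], None, 0                   # None: no verdict recorded yet
    while i < len(stack):
        name, (on_success, on_other) = stack[i]
        action = on_success if results.get(name, False) else on_other
        ran.append(name)
        i += 1
        if action.isdigit():
            i += int(action)                       # jump: skip N lines, record nothing
        elif action == "ok" and status is None:
            status = True
        elif action in ("bad", "die"):
            status = False
            if action == "die":
                break                              # requisite failure ends the stack
    return ran, status is True

BASE = {"pam_permit.so": True, "pam_deny.so": False}   # fixed by definition
CARD = run(parse(COMMON_AUTH), {**BASE, "pam_poldi.so": True})
PASSWORD = run(parse(COMMON_AUTH), {**BASE, "pam_unix.so": True})
NEITHER = run(parse(COMMON_AUTH), BASE)
```

In the `CARD` trace `pam_unix.so` is never called, while `pam_ecryptfs.so unwrap` and `pam_cap.so` still run after `pam_permit.so`.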
