
Opened 2 months ago

Closed 5 weeks ago

#2858 closed defect (needinfo)

pam_fprintd.so and pam_ssh.so

Reported by: Niki Waibel
Owned by: Niki Waibel
Priority: major
Milestone: 4.1
Component: server
Version: trunk
Keywords:
Cc:

Description (last modified by Antoine Martin)

hi, i am trying to get PAM auth going. i realized (after quite a while) that things are not working because i have

auth        sufficient    pam_fprintd.so
auth        sufficient    pam_ssh.so
session     sufficient    pam_fprintd.so
session     sufficient    pam_ssh.so

in /etc/pam.d/system-auth (Fedora32)

is it possible to keep system-auth as it is and disable/ignore pam_fprintd.so somehow from /etc/pam.d/xpra?

i've tried

session [default=ignore success=ignore new_authtok_reqd=ignore]   pam_fprintd.so
auth required pam_ssh.so

as well as

session [default=bad success=bad new_authtok_reqd=bad]   pam_fprintd.so
auth required pam_ssh.so

but xpra always waits until the fingerprint is used on the xpra server, or it times out; which is nonsense.

the fingerprint allows the login (independent of the ssh passphrase or unix password), as well as ssh passphrase or unix login.

even if i remove all "include" lines from /etc/pam.d/xpra, the fingerprint can successfully authenticate the xpra session.

also, in /var/log/secure, i can see

Aug  9 14:34:29 lnx-1 python3.8[46183]: PAM unable to resolve symbol: pam_sm_open_session
Aug  9 14:34:29 lnx-1 python3.8[46183]: PAM unable to resolve symbol: pam_sm_close_session

not sure if that's related.

$ xpra version
4.1-r27063
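
An added example, not part of the original ticket and not xpra's code: a small Python audit that expands the `include`/`substack` lines of a PAM service file and lists which modules are marked `sufficient`, to show what a service such as /etc/pam.d/xpra inherits from system-auth. The file contents, the `pam_unix.so` and `pam_deny.so` lines, and all function names are assumptions made for illustration; the script only reads configuration text and says nothing about which service name a program actually passes to PAM.

```python
FILES = {  # constructed contents, modelled on the lines quoted in the ticket
    "xpra": "#%PAM-1.0\nauth    include system-auth\nsession include system-auth\n",
    "system-auth": (
        "auth     sufficient  pam_fprintd.so\n"
        "auth     sufficient  pam_ssh.so\n"
        "auth     sufficient  pam_unix.so try_first_pass  # constructed line\n"
        "auth     required    pam_deny.so                 # constructed line\n"
        "session  sufficient  pam_fprintd.so\n"
        "session  sufficient  pam_ssh.so\n"
    ),
}

def parse_line(line):
    """Split one pam.d line into (type, control, module, args); None if blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):  # bracketed control values contain spaces
        end = rest.index("]") + 1
        control, rest = rest[:end], rest[end:]
    else:
        control, *tail = rest.split(None, 1)
        rest = tail[0] if tail else ""
    module, *args = rest.split()
    return mtype.lstrip("-"), control, module, args

def effective_stack(service, mtype, files, seen=()):
    """Return the ordered (file, control, module, args) entries for one module type."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    out = []
    for raw in files[service].splitlines():
        entry = parse_line(raw)
        if entry is None or entry[0] != mtype:
            continue
        _, control, module, args = entry
        if control in ("include", "substack"):  # module field names another file
            out += effective_stack(module, mtype, files, seen + (service,))
        else:
            out.append((service, control, module, args))
    return out

def sole_authenticators(stack):
    # 'sufficient': success ends the stack at once unless a prior 'required' failed
    return [module for _, control, module, _ in stack if control == "sufficient"]

if __name__ == "__main__":
    print(sole_authenticators(effective_stack("xpra", "auth", FILES)))
```

To audit a real host, fill `FILES` from the files under /etc/pam.d instead of the constructed strings.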

Change History (3)

comment:1 Changed 2 months ago by Antoine Martin

Description: modified (diff)
Owner: changed from Antoine Martin to Niki Waibel

Looks like you know more about pam than I do... so maybe you should direct your question to the pam folks?
Are you running the proxy or just a seamless server with system authentication?

The symbol problems (PAM unable to resolve symbol: ...) won't help for sure, try a newer beta (ie: new one today) or build from source.

comment:2 Changed 2 months ago by Niki Waibel

i've tried the fedora systemd xpra proxy first (winswitch-beta repo), but then turned it off to make things simpler:

xpra start --bind-tcp=127.0.0.1:14500 --tcp-auth=pam
xpra attach tcp://user@127.0.0.1:14500

is what i am using.

i just read man pam.conf to guess what might be done. so i am far from "knowing" pam ;-) thought i'd ask here first, as xpra should work smoothly, even in case the system uses fingerprint authentication.

comment:3 Changed 5 weeks ago by Antoine Martin

Resolution: needinfo
Status: changed from new to closed

I really don't know what to do from the xpra side.
Feel free to post here, or elsewhere on the wiki, if you find a satisfactory solution.
