GDM auto-login doesn't work

  • Done
Details
5 participants
  • Alex Griffin
  • Pierre Neidhardt
  • Marius Bakke
  • Ricardo Wurmus
  • Timothy Sample
Owner
unassigned
Submitted by
Alex Griffin
Severity
normal
Merged with
Alex Griffin wrote on 10 May 2019 22:31
(address . bug-guix@gnu.org)
f3aa62e2-3b0e-4f2b-985d-240d8b57d8fe@www.fastmail.com
After configuring Guix to enable GDM auto-login, I am still presented with a password prompt upon booting my machine. I'm not sure whether it's a bug in Guix or something I'm doing wrong, so I've attached the configuration I'm using just in case.
--
Alex Griffin
(use-modules (gnu))
(use-service-modules desktop networking ssh xorg)
(load "simple-firewall.scm")

(operating-system
  (locale "en_US.utf8")
  (timezone "America/Chicago")
  (keyboard-layout (keyboard-layout "us" "workman"))
  (bootloader
    (bootloader-configuration
      (bootloader grub-bootloader)
      (target "/dev/sda")
      (timeout 2)
      (keyboard-layout keyboard-layout)
      (menu-entries
        (list (menu-entry
                (label "Debian 10 (buster)")
                (device "debboot")
                (linux "(hd0,gpt3)/vmlinuz-4.19.0-4-amd64")
                (linux-arguments
                  '("root=UUID=227c5e05-6dff-4802-9537-688e20892cf6"
                    "ro" "quiet" "splash"))
                (initrd "(hd0,gpt3)/initrd.img-4.19.0-4-amd64"))
              (menu-entry
                (label "PureOS")
                (device "pureosboot")
                (linux "(hd0,gpt5)/vmlinuz-4.19.0-4-amd64")
                (linux-arguments
                  '("root=UUID=b315dea0-efc1-48ea-9bb4-f1c3aa7e2ce5"
                    "ro" "quiet" "splash"))
                (initrd "(hd0,gpt5)/initrd.img-4.19.0-4-amd64"))))))
  (mapped-devices
    (list (mapped-device
            (source (uuid "5abba48a-e3e2-4114-8dfc-d97f2a5ba9ac"))
            (target "home")
            (type luks-device-mapping))))
  (file-systems
    (cons* (file-system
             (mount-point "/")
             (device (uuid "1f1bdd00-3aa2-476f-8b5d-4a8200737eb9" 'ext4))
             (type "ext4"))
           (file-system
             (mount-point "/home")
             (device "/dev/mapper/home")
             (type "ext4"))
           %base-file-systems))
  (host-name "tenzin")
  (users
    (cons* (user-account
             (name "ajgrf")
             (comment "Alex Griffin")
             (group "ajgrf")
             (home-directory "/home/ajgrf")
             (supplementary-groups '("wheel" "netdev" "audio" "video")))
           %base-user-accounts))
  (groups
    (cons* (user-group (name "ajgrf") (id 1000))
           %base-groups))
  (packages
    (cons* (specification->package "nss-certs")
           %base-packages))
  (services
    (cons* (service gnome-desktop-service-type)
           (service iptables-service-type
                    (simple-firewall #:open-tcp-ports '(6600 8376 29254)
                                     #:open-udp-ports '(1900)))
           (modify-services %desktop-services
             (gdm-service-type config =>
               (gdm-configuration
                 (inherit config)
                 (xorg-configuration
                   (xorg-configuration
                     (keyboard-layout keyboard-layout)))
                 (auto-login? #t)
                 (default-user "ajgrf")))))))
Ricardo Wurmus wrote on 10 May 2019 23:18
(name . Alex Griffin)(address . a@ajgrf.com)(address . 35674@debbugs.gnu.org)
87bm0arosc.fsf@elephly.net
Hi Alex,

> After configuring Guix to enable GDM auto-login, I am still presented
> with a password prompt upon booting my machine. I'm not sure whether
> it's a bug in Guix or something I'm doing wrong, so I've attached the
> configuration I'm using just in case.

I have observed the same problem. It’s not something you’re doing wrong.

--
Ricardo
Timothy Sample wrote on 13 May 2019 16:24
(address . 35674@debbugs.gnu.org)
87ftpiv3d1.fsf@ngyro.com
Hello,

Ricardo Wurmus <rekado@elephly.net> writes:

> Hi Alex,
>
>> After configuring Guix to enable GDM auto-login, I am still presented
>> with a password prompt upon booting my machine. I'm not sure whether
>> it's a bug in Guix or something I'm doing wrong, so I've attached the
>> configuration I'm using just in case.
>
> I have observed the same problem. It’s not something you’re doing wrong.

I noticed recently that GDM stopped reading its configuration file. I
pushed a430a3501a6d3a565cb78e04a8dbb3ab846ec5fc, which fixes that
problem, but unfortunately does not fix auto-login.

If I turn on debugging output, I can see that the issue has to do with
the way PAM is configured. Digging a little deeper, I found that our
auto-login PAM service is

auth [success=ok default=1] pam_gdm.so
auth sufficient pam_permit.so

What this means is that if “pam_gdm.so” is not successful, the
“pam_permit.so” line will be skipped, and auto-login will not work. The
“pam_gdm.so” module does some sort of cached password lookup using the
“keyutils” library (presumably for an encrypted home directory). Our
build of GDM does not support this (we don’t include “keyutils” in its
inputs), so the module never succeeds. As a result, auto-login fails.

It looks like this particular way of doing things was cribbed from Red
Hat, where the module that gets skipped by “default=1” is
“pam_gnome_keyring.so” (and not “pam_permit.so”). Other distros simply
mark it as optional. I suggest we either omit the first rule, since it
will never do anything anyway, or follow other distros and change its
control field to “optional”.

My experience with PAM is limited, so I would appreciate a second
opinion before committing anything.


-- Tim
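
The control-field behaviour described in the message above, as an added example that is not part of the original thread or of Guix: a simplified Python model of how Linux-PAM walks an auth stack, run over the two-line gdm-autologin stack with its original and its "optional" control value. The failure code assigned to pam_gdm.so is a constructed input, and the "reset" action and substacks are not modelled.

```python
# Simplified model of Linux-PAM's auth stack walk (control syntax per pam.conf(5)).
# No real PAM modules are loaded; module return codes are constructed inputs.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    """Turn 'optional' or '[success=ok default=1]' into {return code: action}."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    pairs = (item.split("=", 1) for item in control.strip("[]").split())
    return {code: action for code, action in pairs}

def authenticate(stack, results):
    """stack: list of (control, module); results: module -> return code name.
    Returns (granted, names of the modules that were actually called)."""
    impression, status, called, i = None, "must_fail", [], 0
    while i < len(stack):
        control, module = stack[i]
        retval = results[module]
        called.append(module)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        i += 1
        if action.isdigit():                  # jump: skip the next N entries
            skip = int(action)
            if i + skip > len(stack):         # jumping past the end is an error
                impression, status = "negative", "must_fail"
            i += skip
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        # "ignore": the module's result does not influence the outcome
    return impression == "positive" and status == "success", called

ORIGINAL = [("[success=ok default=1]", "pam_gdm.so"), ("sufficient", "pam_permit.so")]
PATCHED = [("optional", "pam_gdm.so"), ("sufficient", "pam_permit.so")]
GDM_FAILS = {"pam_gdm.so": "auth_err", "pam_permit.so": "success"}  # constructed
```

With GDM_FAILS, authenticate(ORIGINAL, ...) never calls pam_permit.so and the stack ends with no positive result, while authenticate(PATCHED, ...) ignores the pam_gdm.so failure and lets pam_permit.so grant the login.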
Alex Griffin wrote on 1 Nov 2019 17:02
(name . Ricardo Wurmus)(address . rekado@elephly.net)
49a78343-9a08-434e-ade4-743c9d871452@www.fastmail.com
On Mon, May 13, 2019, at 2:24 PM, Timothy Sample wrote:
> If I turn on debugging output, I can see that the issue has to do with
> the way PAM is configured. Digging a little deeper, I found that our
> auto-login PAM service is
>
> auth [success=ok default=1] pam_gdm.so
> auth sufficient pam_permit.so
>
> What this means is that if “pam_gdm.so” is not successful, the
> “pam_permit.so” line will be skipped, and auto-login will not work. The
> “pam_gdm.so” module does some sort of cached password lookup using the
> “keyutils” library (presumably for an encrypted home directory). Our
> build of GDM does not support this (we don’t include “keyutils” in its
> inputs), so the module never succeeds. As a result, auto-login fails.

I tried adding keyutils to the GDM package and it made no difference. I confirmed that it linked correctly, but didn't look into it further.

> It looks like this particular way of doing things was cribbed from Red
> Hat, where the module that gets skipped by “default=1” is
> “pam_gnome_keyring.so” (and not “pam_permit.so”). Other distros simply
> mark it as optional. I suggest we either omit the first rule, since it
> will never do anything anyway, or follow other distros and change its
> control field to “optional”.

I can confirm that changing the control value to "optional" satisfies PAM, but I ran into another problem. GDM continually crashes and restarts about 40 times once autologin is enabled. If I switch to another tty and run `herd restart xorg-server`, then GDM starts fine and automatically logs me in.

I've attached a file with a bunch of log messages. Not full log files, but snippets from a bunch of logs that I thought looked relevant.

> My experience with PAM is limited, so I would appreciate a second
> opinion before committing anything.

This bug was my introduction to PAM, so perhaps my opinion isn't very reassuring, but changing pam_gdm.so to optional seems harmless in this case. Even if it somehow screws something up, it will only affect people who went out of their way to make their system less secure by enabling auto-login.

--
Alex Griffin
Attachment: gdm_errors.txt
Pierre Neidhardt wrote on 3 Apr 2020 20:26
control message for bug #40411
(address . control@debbugs.gnu.org)
87369ks9xc.fsf@ambrevar.xyz
merge 40411 35674
quit
Alex Griffin wrote on 15 Jun 2020 01:24
[PATCH] services: Fix gdm-autologin pam service.
(name . guix-patches@gnu.org)(address . guix-patches@gnu.org)
-CkK6xCmE4SCUTOS1nupxqCONmgZkMEUjRUNRiBXxpuT9bRhVj74k6fTGlkQg4xu8r6BAWNhSpod7a0vH4ufBiNT1GR_fxHbc0U5Vqr-xMw=@ajgrf.com
This patch fixes GDM's auto-login feature.

See the discussions in #35674 and #40411. It works for me, but I don't want to just commit it because I don't really understand PAM. (Then again, who does?)

--
Alex Griffin
From 2d07fab70a4051189e013a20a95cfbb08c904803 Mon Sep 17 00:00:00 2001
From: Alex Griffin <a@ajgrf.com>
Date: Sun, 14 Jun 2020 17:58:47 -0500
Subject: [PATCH] services: Fix gdm-autologin pam service.

* gnu/services/xorg.scm (gdm-pam-service): Mark pam_gdm.so optional.
---
gnu/services/xorg.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/services/xorg.scm b/gnu/services/xorg.scm
index ca39994516..4590709187 100644
--- a/gnu/services/xorg.scm
+++ b/gnu/services/xorg.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2019 Tim Gesthuizen <tim.gesthuizen@yahoo.de>
;;; Copyright © 2020 shtwzrd <shtwzrd@protonmail.com>
;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
+;;; Copyright © 2020 Alex Griffin <a@ajgrf.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -925,7 +926,7 @@ the GNOME desktop environment.")
(inherit (unix-pam-service "gdm-autologin"
#:login-uid? #t))
(auth (list (pam-entry
- (control "[success=ok default=1]")
+ (control "optional")
(module (file-append (gdm-configuration-gdm config)
"/lib/security/pam_gdm.so")))
(pam-entry
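Review bot: The new (control "optional") on the pam_gdm.so entry needs a source comment saying why the module's result is deliberately ignored. With "[success=ok default=1]" a failure of pam_gdm.so jumped over the next pam-entry; with "optional" that next entry (cut off at the end of this hunk) is always evaluated, so whether the "gdm-autologin" service authenticates now rests entirely on it. A short comment above the entry recording that, with a pointer to #35674, would keep a later reader from restoring the old control value.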
--
2.26.2
Marius Bakke wrote on 2 Oct 2020 19:54
875z7sh5t7.fsf@gnu.org
Alex Griffin via Guix-patches via <guix-patches@gnu.org> writes:

> This patch fixes GDM's auto-login feature.
>
> See the discussions in #35674 and #40411. It works for me, but I don't want to just commit it because I don't really understand PAM. (Then again, who does?)

[...]

> @@ -925,7 +926,7 @@ the GNOME desktop environment.")
> (inherit (unix-pam-service "gdm-autologin"
> #:login-uid? #t))
> (auth (list (pam-entry
> - (control "[success=ok default=1]")
> + (control "optional")
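Review bot: The control change sits inside the service built by (unix-pam-service "gdm-autologin" ...), and the patch touches one file with no test beside it. Since this stack's outcome no longer depends on pam_gdm.so, it is worth confirming on a built system that the stack is consulted only when auto-login? is #t, and that the ordinary password prompt behaves as before with it unset, then recording that check in the commit message.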

This is one of the alternatives Timothy proposed in #35674 back in May
last year(!). As long as GDM still rejects wrong or blank passwords, I
think it is good to go.

It would be good to get it in 1.2.0. :-)

Alex Griffin wrote on 18 Feb 2022 17:27
control message for bug #35674
(address . control@debbugs.gnu.org)
87o834w35j.fsf@ajgrf.com
close 35674
close 40411
quit