Arch Linux

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Authentication issue in KDE - su, sudo, screen unlocking

Dear all

I have the following issue with a fresh arch installation: inside KDE/plasma with SDDM neither su or sudo work. I tried to use them in both konsole and xterm. What does also not work is authentication after the screen locker starts (this means I cannot unlock the screen). Initial login with SDDM works. (So to "unlock" the session I have to restart the SDDM service).

If I switch to another session (using CTRL-F2, etc.) I can use su and sudo as expected there.

What I have tried so far is reinstalling 'pambase' and 'pam' and check the configuration for /etc/pam.d/system-auth:

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

And of course also /etc/pam.d/sddm:

#%PAM-1.0

auth        include		system-login
account     include		system-login
password    include		system-login
session     include		system-login

What might be interessting is the output of journalctl after calling su:

Apr 28 14:42:30 zenbook su[7401]: pam_unix(su:auth): authentication failure; logname=myuser uid=1000 euid=0 tty=pts/2 ruser=myuser rhost=  user=
Apr 28 14:42:32 zenbook su[7401]: FAILED SU (to root) myuser on pts/2

Or after calling 'sudo nano':

Apr 28 15:06:29 zenbook sudo[7542]: pam_unix(sudo:auth): authentication failure; logname=alexander uid=1000 euid=0 tty=/dev/pts/2 ruser=myuser rhos
Apr 28 15:06:43 zenbook sudo[7542]: myuser : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/myuser ; USER=root ; COMMAND=/usr/bin/nano

I don't know what further information would be helpful to resolve this issue. I would be happy to provide more information if required.

Last edited by sjoerd222888 (2017-06-15 21:31:07)

sjoerd222

Member

Registered: 2015-09-22

Posts: 7

Re: Authentication issue in KDE - su, sudo, screen unlocking

So far I think it is related to SDDM because I have the same issue for example in Enlitenment when run with SDDM. If I start however an X11 session without SDDM su and sudo work without problems.

loqs

Member

Registered: 2014-03-06

Posts: 17,369

Re: Authentication issue in KDE - su, sudo, screen unlocking

What version of the linux kernel is the affected system using?

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

uname -r

yields

4.11.6-1-ARCH

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

pacman -Qkk sddm
cat /etc/pam.d/sddm*

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

backup file: sddm: /etc/sddm.conf (Modification time mismatch)
backup file: sddm: /etc/sddm.conf (Size mismatch)
backup file: sddm: /etc/pam.d/sddm (Modification time mismatch)
sddm: 194 total files, 0 altered files

#%PAM-1.0

auth		include		system-login
account		include		system-login
password	include		system-login
session		include		system-login
#%PAM-1.0
auth        required    pam_env.so
auth        required    pam_tally.so file=/var/log/faillog onerr=succeed
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        required    pam_permit.so
-auth       optional    pam_gnome_keyring.so
account     include     system-local-login
password    include     system-local-login
session     include     system-local-login
-session    optional    pam_gnome_keyring.so auto_start
#%PAM-1.0

# Load environment from /etc/environment and ~/.pam_environment
auth		required pam_env.so

# Always let the greeter start without authentication
auth		required pam_permit.so

# No action required for account management
account		required pam_permit.so

# Can't change password
password	required pam_deny.so

# Setup session
session		required pam_unix.so
session		optional pam_systemd.so

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

loginctl show-session $XDG_SESSION_ID

Is this considered a remote session?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

loginctl show-session $XDG_SESSION_ID

yields

loginctl show-session $XDG_SESSION_ID
Id=c2
User=1000
Name=myuser
Timestamp=Thu 2017-06-29 23:21:33 CEST
TimestampMonotonic=12092200
VTNr=1
Seat=seat0
Display=:0
Remote=no
Service=sddm
Desktop=KDE
Scope=session-c2.scope
Leader=375
Audit=0
Type=x11
Class=user
Active=yes
State=active
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0
LockedHint=no

It is a local session. No remote connection like ssh if this is what you are asking.

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

Wild guess: can you create a dummy user and su into that?

Get root access for this avoiding sddm:

useradd dummy
passwd dummy # enter "dummy" as password twice

Then login via sddm and try

su dummy # password is dummy

Ultimately as root again you can

userdel dummy

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

Yes I can su into a new dummy user.

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

I bet you can log into any user but root.
Either sddm gets you nto a tty that's not listed in /etc/securetty or its measures to prevent root login spill into the session.
Compare the output of "who" or "finger" with /etc/securetty

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

'who' gives me this:

myuser pts/0        Jul  9 19:07 (:0)
myuser pts/1        Jul  9 19:07 (:0)
myuser pts/2        Jul  9 19:07 (:0)
myuser pts/3        Jul  9 19:07 (:0)
root     tty2         Jul  9 21:48

While 'cat /etc/securetty' yields

#
# /etc/securetty
#

console
tty1
tty2
tty3
tty4
tty5
tty6
ttyS0
hvc0

# End of file

My several logins that appear I presume are because of open sessions in 'konsole'. So this are there virtual logins as I just learned and there is one root login on tty2.

Can I draw any conclusions from this?

Last edited by sjoerd222888 (2017-07-11 21:35:57)

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

Adding pts/0, pts/1, pts/2 to /etc/securetty does not have any effect.

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

Sorry, I missed your edit.
who/securetty is sane, please remove the added pts/* entries again.

Broadsword:

ls /etc/pam*
pacman -Qo /etc/pam.d/*
for PKG in $(pacman -Qoq /etc/pam.d/*); do sudo pacman -Qkk "$PKG"; done

(some packages will require root access for verification, thus the sudo - you'll have to do this avoiding sddm, I'm afraid)

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

ls /etc/pam* yields

chage
chfn
chgpasswd
chpasswd
chsh
cups
groupadd
groupdel
groupmems
groupmod
kde
lightdm
lightdm-autologin
lightdm-greeter
login
lxdm
newusers
other
passwd
polkit-1
rlogin
rsh
sddm
sddm-autologin
sddm-greeter
shadow
sshd
su
su-l
sudo
system-auth
system-local-login
system-login
system-remote-login
system-services
systemd-user
useradd
userdel
usermod
xdm

pacman -Qo /etc/pam.d/* yields

/etc/pam.d/chage is owned by shadow 4.4-3
/etc/pam.d/chfn is owned by util-linux 2.29.2-2
/etc/pam.d/chgpasswd is owned by shadow 4.4-3
/etc/pam.d/chpasswd is owned by shadow 4.4-3
/etc/pam.d/chsh is owned by util-linux 2.29.2-2
/etc/pam.d/cups is owned by cups 2.2.4-2
/etc/pam.d/groupadd is owned by shadow 4.4-3
/etc/pam.d/groupdel is owned by shadow 4.4-3
/etc/pam.d/groupmems is owned by shadow 4.4-3
/etc/pam.d/groupmod is owned by shadow 4.4-3
/etc/pam.d/kde is owned by plasma-workspace 5.10.4-1
/etc/pam.d/lightdm is owned by lightdm 1:1.22.0-1
/etc/pam.d/lightdm-autologin is owned by lightdm 1:1.22.0-1
/etc/pam.d/lightdm-greeter is owned by lightdm 1:1.22.0-1
/etc/pam.d/login is owned by util-linux 2.29.2-2
/etc/pam.d/lxdm is owned by lxdm 0.5.3-4
/etc/pam.d/newusers is owned by shadow 4.4-3
/etc/pam.d/other is owned by pambase 20130928-1
/etc/pam.d/passwd is owned by shadow 4.4-3
/etc/pam.d/polkit-1 is owned by polkit 0.113+29+g3272a98-1
/etc/pam.d/rlogin is owned by inetutils 1.9.4-5
/etc/pam.d/rsh is owned by inetutils 1.9.4-5
/etc/pam.d/sddm is owned by sddm 0.14.0-2
/etc/pam.d/sddm-autologin is owned by sddm 0.14.0-2
/etc/pam.d/sddm-greeter is owned by sddm 0.14.0-2
/etc/pam.d/shadow is owned by shadow 4.4-3
/etc/pam.d/sshd is owned by openssh 7.5p1-2
/etc/pam.d/su is owned by util-linux 2.29.2-2
/etc/pam.d/su-l is owned by util-linux 2.29.2-2
/etc/pam.d/sudo is owned by sudo 1.8.20.p2-1
/etc/pam.d/system-auth is owned by pambase 20130928-1
/etc/pam.d/system-local-login is owned by pambase 20130928-1
/etc/pam.d/system-login is owned by pambase 20130928-1
/etc/pam.d/system-remote-login is owned by pambase 20130928-1
/etc/pam.d/system-services is owned by pambase 20130928-1
/etc/pam.d/systemd-user is owned by systemd 233.75-3
/etc/pam.d/useradd is owned by shadow 4.4-3
/etc/pam.d/userdel is owned by shadow 4.4-3
/etc/pam.d/usermod is owned by shadow 4.4-3
/etc/pam.d/xdm is owned by xorg-xdm 1.1.11-6

for PKG in $(pacman -Qoq /etc/pam.d/*); do sudo pacman -Qkk "$PKG"; done yields

shadow: 560 total files, 0 altered files
util-linux: 462 total files, 0 altered files
shadow: 560 total files, 0 altered files
shadow: 560 total files, 0 altered files
util-linux: 462 total files, 0 altered files
backup file: cups: /etc/cups/subscriptions.conf (Modification time mismatch)
backup file: cups: /etc/cups/subscriptions.conf (Size mismatch)
cups: 799 total files, 3 altered files
shadow: 560 total files, 0 altered files
shadow: 560 total files, 0 altered files
shadow: 560 total files, 0 altered files
shadow: 560 total files, 0 altered files
plasma-workspace: 5199 total files, 0 altered files
lightdm: 389 total files, 0 altered files
lightdm: 389 total files, 0 altered files
lightdm: 389 total files, 0 altered files
util-linux: 462 total files, 0 altered files
lxdm: 180 total files, 0 altered files
shadow: 560 total files, 0 altered files
pambase: 8 total files, 0 altered files
shadow: 560 total files, 0 altered files
polkit: 186 total files, 0 altered files
inetutils: 56 total files, 0 altered files
inetutils: 56 total files, 0 altered files
sddm: 194 total files, 0 altered files
sddm: 194 total files, 0 altered files
sddm: 194 total files, 0 altered files
shadow: 560 total files, 0 altered files
openssh: 58 total files, 0 altered files
util-linux: 462 total files, 0 altered files
util-linux: 462 total files, 0 altered files
backup file: sudo: /etc/sudoers (Modification time mismatch)
backup file: sudo: /etc/sudoers (Size mismatch)
sudo: 184 total files, 0 altered files
pambase: 8 total files, 0 altered files
pambase: 8 total files, 0 altered files
pambase: 8 total files, 0 altered files
pambase: 8 total files, 0 altered files
pambase: 8 total files, 0 altered files
systemd: 1402 total files, 0 altered files
shadow: 560 total files, 0 altered files
shadow: 560 total files, 0 altered files
shadow: 560 total files, 0 altered files
xorg-xdm: 44 total files, 0 altered files

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

No junk in /etc/pam.d - not even potentially.

Since you've lightdm, lxdm and xdm installed: did you try those?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

Yes, su and sudo work with XDM which has no KDE Plasma behind. lxdm with KDE plasma has the same issue. KDE plasma started with XDM from .xinitrc has the same issue.

Pure X does not have the problem. So seems rather a KDE Plasma issue than SDDM.

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

Grasping at straws:

printenv

You may redact anything you consider private there (though there should not be such), but please do so explicitly (ie. replace it with "<censored>" or so, do not just delete the entire line or value)

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

printenv

yields

KDE_MULTIHEAD=false
GS_LIB=/home/<censored>/.fonts
KDE_FULL_SESSION=true
LANG=C
PROFILEHOME=
DISPLAY=:0
SHELL_SESSION_ID=cc86c2aa843642da8aa989855ad9b64c
COLORTERM=truecolor
MOZ_PLUGIN_PATH=/usr/lib/mozilla/plugins
XDG_VTNR=1
QT_QUICK_CONTROLS_STYLE=org.kde.desktop
XDG_SESSION_ID=c2
USER=<censored>
DESKTOP_SESSION=/usr/share/xsessions/plasma
GTK2_RC_FILES=/etc/gtk-2.0/gtkrc:/home/<censored>/.gtkrc-2.0:/home/<censored>/.config/gtkrc-2.0
PWD=/home/<censored>
HOME=/home/<censored>
XDG_SESSION_TYPE=x11
XDG_DATA_DIRS=/usr/share:/usr/share:/usr/local/share
KONSOLE_DBUS_SESSION=/Sessions/1
XDG_SESSION_DESKTOP=KDE
KONSOLE_DBUS_WINDOW=/Windows/1
GTK_MODULES=canberra-gtk-module
MAIL=/var/spool/mail/<censored>
TERM=xterm-256color
SHELL=/bin/bash
KONSOLE_DBUS_SERVICE=:1.59
XDG_SESSION_CLASS=user
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
XCURSOR_THEME=breeze_cursors
XDG_CURRENT_DESKTOP=KDE
KONSOLE_PROFILE_NAME=Default
XDG_SEAT=seat0
SHLVL=2
COLORFGBG=15;0
LANGUAGE=
GTK_RC_FILES=/etc/gtk/gtkrc:/home/<censored>/.gtkrc:/home/<censored>/.config/gtkrc
WINDOWID=79691782
LOGNAME=<censored>
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
XDG_RUNTIME_DIR=/run/user/1000
XAUTHORITY=/tmp/xauth-1000-_0
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session1

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

LANG=C

Really?

I doubt, compare the outputs of

locale
locale -a
localectl status

among working sessions and KDE.

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

locale

LANG=C
LC_CTYPE="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_COLLATE="C"
LC_MONETARY="C"
LC_MESSAGES="C"
LC_PAPER="C"
LC_NAME="C"
LC_ADDRESS="C"
LC_TELEPHONE="C"
LC_MEASUREMENT="C"
LC_IDENTIFICATION="C"
LC_ALL=

locale -a

C
POSIX
de_CH
de_CH.iso88591
de_CH.utf8
de_DE
de_DE.iso88591
de_DE.iso885915@euro
de_DE.utf8
de_DE@euro
deutsch
dutch
en_US
en_US.iso88591
en_US.utf8
german
nl_NL
nl_NL.iso88591
nl_NL.iso885915@euro
nl_NL.utf8
nl_NL@euro

localectl status

   System Locale: n/a
       VC Keymap: n/a
      X11 Layout: n/a

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

The interesting question is whether it's the same in KDE and working sessions (and whether that's actually intended - you seem to have a nl or german background and in any case systems are usually setup in some UTF-8 variant)

Not saying that this is necessarily the cause, but it's the only thing that immediately stands out in that environment.

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

Output is the same in both tty (where su/sudo work) and KDE.

Having not specified a local or specific key-layout should not be related to this issue, or would it? I actually like having non-localized terminal, it's easier to search for issues. Try to Google for a Dutch error message, you will not get far.

KDE then has a key-map. I did not put a key map to have terminal with default (=en-US) layout. I could also set this explicitly, I know.

Is there something wrong or I misunderstand something?

seth

Member

Registered: 2012-09-03

Posts: 51,165

Re: Authentication issue in KDE - su, sudo, screen unlocking

Output is the same in both tty (where su/sudo work) and KDE.

Dead end then - the idea was more about ".UTF-8" than "dutch" ;-)

Out-of-the-box: kwallet-pam?

---

How to upload text · How to boot w/o GUI · Disable Windows Fast-Start! · Fix your xinitrc

sjoerd222888

Member

Registered: 2017-04-26

Posts: 15

Re: Authentication issue in KDE - su, sudo, screen unlocking

I took some time to do a complete fresh installation. Now everything works. I don't understand, probably I have messed up something in the previous installation. I could not identify the source of the problem.

@seth: Thank you very much for your support and the time you have invested! I really appreciate it :-).