X session logon fails with pamusb: "Could not get properties: Unknown object '/org/freedesktop/login1/user/self'." #262
Comments
Could you please set the debug option in your config, so it's active
globally without giving --debug? After that please try the "login before X
start" again. I'm curious where exactly this error appears, but I guess
it's from loginctl.
But considering the access is granted at the end, I don't think it's the
cause of your issue and just a coincidence.
Can you provide some more details? Do you boot to the console by default
and start X manually? Or do you use some login manager?
On Mon, 6 Jan 2025 at 10:23, Boris ***@***.***> wrote:
… Which version of pam_usb are you running?
0.8.5
Which distribution are you using?
Arch
Which login manager and desktop environment are you using?
Xfce 4.18
What happened?
I initially made this one change in the pam.d dir to activate pamusb as
the first way to authenticate, as instructed on the Arch Wiki
<https://wiki.archlinux.org/title/Pam_usb>: added auth sufficient
pam_usb.so into /etc/pam.d/system-auth:
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth sufficient pam_usb.so
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
It was working fine until a system update a couple months ago, since then,
all my logon attempts *before* X is started fail consistently for all
the users enabled within the *pamusb* config. The following error pops up
for a second or so and gets me back to the login prompt:
Arch Linux 6.6.51-1-1ts (tty2)
boris-st login: boris
* Authentication request for user "boris" (login)
Could not get properties: Unknown object '/org/freedesktop/login1/user/self'.
Could not get properties: Unknown object '/org/freedesktop/login1/user/self'.
* Searching for "BKey" in the hardware database...
* Authentication device "BKey" is connected.
* Performing one time pad verification...
* Access granted.
The error is specifically Could not get properties: Unknown object
'/org/freedesktop/login1/user/self'. but journalctl does not show
anything out of the ordinary.
That being said, if I revert my /etc/pam.d/system-auth file to its
original contents, X logon is possible again. Then once in X, if I
re-enable the pamusb changes, all the pamusb authentication works fine with
the USB key (screensaver dialogs, sudo/auth CLI prompts, etc.), until the
next logout/logon when I get the issue shown above again.
Output of "pamusb-check --debug whoami"
* Authentication request for user "boris" (pamusb-check)
[src/local.c:281] Checking whether the caller (pamusb-check) is local or not...
[src/local.c:298] Checking pid 338161 (pamusb-check)...
[src/local.c:298] Checking pid 336163 (/usr/bin/zsh)...
[src/local.c:298] Checking pid 336155 (kitty)...
[src/local.c:298] Checking pid 1 (/sbin/init)...
[src/local.c:339] Using DISPLAY :0.0 for utmp search
[src/local.c:344] DISPLAY contains screen, truncating...
[src/local.c:053] No utmp entry found for tty ":0"
[src/local.c:353] Trying to get tty from display server
[src/local.c:358] Retrying with tty /dev/tty1, obtained from display server, for utmp search
[src/local.c:056] utmp entry for tty "tty1" found
[src/local.c:057] utmp->ut_pid: 1002
[src/local.c:058] utmp->ut_user: boris
[src/local.c:073] utmp check successful, request originates from a local source!
[src/local.c:441] No remote access detected, seems to be local request - allowing.
* Searching for "BKey" in the hardware database...
* Authentication device "BKey" is connected.
* Performing one time pad verification...
[src/volume.c:105] Searching for volume with uuid 47D8-DA1A.
[src/volume.c:130] Found mount points: (null)
[src/volume.c:145] Found volume 47D8-DA1A.
[src/volume.c:044] Attempting to mount device /dev/sdb1.
[src/volume.c:058] Mounted device /dev/sdb1 to /run/media/boris/47D8-DA1A.
[src/pad.c:317] Loading device pad...
[src/pad.c:327] Loading system pad...
[src/pad.c:343] Pad match.
[src/pad.c:176] Checking whether pads are expired or not...
[src/pad.c:204] Pads were generated 6 seconds ago, not updating.
[src/volume.c:196] Attempting to unmount /dev/sdb1 from /run/media/boris/47D8-DA1A.
[src/volume.c:209] Unmount succeeded.
* Access granted.
Output of "w"
17:07:46 up 1 day, 8:23, 2 users, load average: 2.05, 2.20, 2.51
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
boris Thu08 13:28 0.00s 0.37s /usr/lib/systemd/systemd --user
boris tty1 Thu08 32:23m 2:05m 0.03s xinit /etc/xdg/xfce4/xinitrc -- /etc/X11/xinit/xserverrc vt1
Output of "loginctl"
SESSION UID USER SEAT LEADER CLASS TTY IDLE SINCE
1 1000 boris seat0 1002 user tty1 yes -
2 1000 boris - 1198 manager - no -
2 sessions listed.
|
Thanks for your prompt reply, I've added debug to all the .so modules, it gives:
It looks like the pamusb module somehow doesn't "give" the pam_systemd_home.so one what it needs to mount the home dir, so I tried to keep pam_systemd_home.so first:
But the error stays the exact same :/ |
Sorry, my description was not clear enough. I meant to enable it in your
pam_usb.conf file. If that is done you will always get the output like when
using --debug
On Wed, 8 Jan 2025 at 10:46, Boris ***@***.***> wrote:
… Thanks for your prompt reply, I've added debug to all the .so module, it
gives:
# Added "auth sufficient pam_usb.so" in system-auth, user boris is configured in pamusb
Jan 08 08:43:16 boris-st pam_usb[789934]: Authentication request for user "boris" (login)
Jan 08 08:43:16 boris-st pam_usb[789934]: Searching for "BKey" in the hardware database...
Jan 08 08:43:16 boris-st pam_usb[789934]: None of the configured authentication devices is connected.
Jan 08 08:43:16 boris-st pam_usb[789934]: Access denied.
Jan 08 08:43:16 boris-st login[789934]: pam_systemd_home(login:auth): pam-systemd-homed authenticating
Jan 08 08:43:16 boris-st login[789934]: pam_systemd_home(login:auth): New sd-bus connection (system-bus-pam-systemd-home-789934) opened.
Jan 08 08:43:16 boris-st login[789934]: pam_systemd_home(login:auth): systemd-homed is not available: Could not activate remote peer 'org.freedesktop.home1': activation request failed: unknown unit
Jan 08 08:43:16 boris-st login[789934]: pam_unix(login:auth): username [boris] obtained
Jan 08 08:43:26 boris-st login[789934]: pam_unix(login:session): session opened for user boris(uid=1000) by boris(uid=0)
Jan 08 08:43:26 boris-st login[789934]: pam_unix(login:session): session closed for user boris
# Using a dummy user, foo, to login, this one is not configured to go through pamusb auth
Jan 08 08:43:28 boris-st pam_usb[789977]: No authentication device(s) configured for user "foo".
Jan 08 08:43:28 boris-st login[789977]: pam_systemd_home(login:auth): pam-systemd-homed authenticating
Jan 08 08:43:28 boris-st login[789977]: pam_systemd_home(login:auth): New sd-bus connection (system-bus-pam-systemd-home-789977) opened.
Jan 08 08:43:28 boris-st login[789977]: pam_systemd_home(login:auth): systemd-homed is not available: Could not activate remote peer 'org.freedesktop.home1': activation request failed: unknown unit
Jan 08 08:43:28 boris-st login[789977]: pam_unix(login:auth): username [foo] obtained
Jan 08 08:43:30 boris-st login[789977]: pam_unix(login:session): session opened for user foo(uid=1003) by foo(uid=0)
Jan 08 08:43:30 boris-st (systemd)[789987]: pam_warn(systemd-user:setcred): function=[pam_sm_setcred] flags=0x8002 service=[systemd-user] terminal=[] user=[foo] ruser=[<unknown>] rhost=[<unknown>]
Jan 08 08:43:30 boris-st (systemd)[789987]: pam_unix(systemd-user:session): session opened for user foo(uid=1003) by foo(uid=0)
# Using this dummy user to remove "auth sufficient pam_usb.so" from system-auth, I can logon again with user "Boris"
Jan 08 08:52:20 boris-st login[789977]: pam_unix(login:session): session closed for user foo
Jan 08 08:52:26 boris-st login[790291]: pam_unix(login:session): session opened for user boris(uid=1000) by boris(uid=0)
Jan 08 08:52:30 boris-st (sd-pam)[789989]: pam_unix(systemd-user:session): session closed for user foo
It looks like the pamusb module somehow doesn't "give" the
pam_systemd_home.so one what it needs to mount the home dir, so I tried to
keep pam_systemd_home.so first:
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=3 default=ignore] pam_systemd_home.so #incremented the lines skipping as I added one underneath
auth sufficient pam_usb.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
But the error stays the exact same :/
|
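How the two `auth` stacks posted above are walked, as an added model (not pam_usb's or Linux-PAM's own code): it shows which modules run when pam_usb.so succeeds as `sufficient`, and where the `success=3` jump in the reordered stack lands. Labels such as `faillock_preauth` and the function `run_auth` are names made up for this example; only success/failure return codes are modelled.

```python
import re

# Auth stacks as posted in this thread: (control, label). Module arguments are dropped.
ORIGINAL = [
    ("required", "faillock_preauth"),
    ("sufficient", "pam_usb"),
    ("[success=2 default=ignore]", "pam_systemd_home"),
    ("[success=1 default=bad]", "pam_unix"),
    ("[default=die]", "faillock_authfail"),
    ("optional", "pam_permit"),
    ("required", "pam_env"),
    ("required", "faillock_authsucc"),
]
# Second attempt: pam_systemd_home moved above pam_usb, its jump raised to 3.
REORDERED = [ORIGINAL[0], ("[success=3 default=ignore]", "pam_systemd_home"),
             ORIGINAL[1], *ORIGINAL[3:]]

# Keyword controls written in bracket form (pam.conf(5)); return codes other
# than success (e.g. new_authtok_reqd) are folded into "default" in this model.
KEYWORDS = {
    "required": "[success=ok default=bad]",
    "requisite": "[success=ok default=die]",
    "sufficient": "[success=done default=ignore]",
    "optional": "[success=ok default=ignore]",
}

def run_auth(stack, failing=()):
    """Walk the stack; labels in `failing` return an error, the rest PAM_SUCCESS.
    Returns (granted, labels_of_modules_that_ran)."""
    ran, skip, saw_ok, saw_bad = [], 0, False, False
    for control, name in stack:
        if skip:                      # still inside a jump: module is not called
            skip -= 1
            continue
        ran.append(name)
        rules = dict(re.findall(r"(\w+)=(\w+)", KEYWORDS.get(control, control)))
        outcome = "default" if name in failing else "success"
        # Every control on this page sets default=, so the fallback always exists.
        action = rules.get(outcome) or rules["default"]
        if action.isdigit():
            skip = int(action)        # jump N: counts as "ignore" for authentication
        elif action in ("ok", "done"):
            saw_ok = True
            if action == "done" and not saw_bad:
                break                 # sufficient success: nothing below runs
        elif action in ("bad", "die"):
            saw_bad = True
            if action == "die":
                break
    return saw_ok and not saw_bad, ran
```

With the key accepted, `run_auth(ORIGINAL)` stops after `pam_usb`, so `pam_env` and the `authsucc` call to pam_faillock are not reached on that path; a password login reaches both.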
Just noticed, this time you got another error on boris though
Jan 08 08:43:16 boris-st pam_usb[789934]: None of the configured
authentication devices is connected.
On Wed, 8 Jan 2025 at 17:58, Tobias Bäumer <***@***.***> wrote:
… Sorry, my description was not clear enough. I meant to enable it in your
pam_usb.conf file. If that is done you will always get the output like when
using --debug
|
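A triage sketch for the journal excerpt quoted above (added example, not part of the thread or of pam_usb): it joins `pam_usb[PID]` and `login[PID]` lines by PID and flags login sessions that close within a couple of seconds of opening. The function name, the 2-second threshold, the line regex and the default year are assumptions; the sample lines are copied from the log in this thread, trimmed to the relevant ones.

```python
import re
from datetime import datetime

# Lines copied from the journal excerpt quoted in this thread.
SAMPLE = """\
Jan 08 08:43:16 boris-st pam_usb[789934]: Authentication request for user "boris" (login)
Jan 08 08:43:16 boris-st pam_usb[789934]: None of the configured authentication devices is connected.
Jan 08 08:43:16 boris-st pam_usb[789934]: Access denied.
Jan 08 08:43:26 boris-st login[789934]: pam_unix(login:session): session opened for user boris(uid=1000) by boris(uid=0)
Jan 08 08:43:26 boris-st login[789934]: pam_unix(login:session): session closed for user boris
Jan 08 08:43:28 boris-st pam_usb[789977]: No authentication device(s) configured for user "foo".
Jan 08 08:43:30 boris-st login[789977]: pam_unix(login:session): session opened for user foo(uid=1003) by foo(uid=0)
Jan 08 08:52:20 boris-st login[789977]: pam_unix(login:session): session closed for user foo
"""

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
SESSION = re.compile(r"pam_unix\(login:session\): session (opened|closed) for user (\w+)")

def find_login_loops(text, max_seconds=2, year=2025):
    """Return one record per login session that closed within max_seconds of opening.
    `year` is supplied because the short journal format does not carry one."""
    opened, verdict, hits = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, ident, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if ident == "pam_usb" and msg.startswith("Access "):
            # In this log pam_usb reports under the PID of the calling login process.
            verdict[pid] = msg.rstrip(".")
        elif ident == "login":
            s = SESSION.search(msg)
            if not s:
                continue
            event, user = s.groups()
            if event == "opened":
                opened[pid] = ts
            elif pid in opened:
                lifetime = (ts - opened.pop(pid)).total_seconds()
                if lifetime <= max_seconds:
                    hits.append({"pid": pid, "user": user, "lifetime_s": lifetime,
                                 "pam_usb": verdict.get(pid, "no verdict logged")})
    return hits
```

On the sample, only the `boris` session (PID 789934) is flagged; the `foo` session stays open for several minutes and is left alone.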
Thanks for the debug precision, here goes the journalctl with my comments. Note that I have removed the root user from the pamusb config (it was a mistake to add it in the first place anyway):
Additionally, here is the text I see on-screen when failing to logon before X is started:
About your latest comment |
Thanks, so we actually have two issues - even if likely related. Let's focus on your last log for now. For your last log: So the messages really come from loginctl. Seems it's not ready on your system before X is started. Never seen behaviour like this but it can be ignored anyway since the fallback to "ttyname" worked and access was granted. What exactly happens afterwards, does it prompt for password (read: falls back to pam_unix) or does it "log you out" and throw you back to the login? If it throws you back to login: this was an issue earlier, but assumed to be fixed. Maybe you find some hints or rubberducking in that issue: #199 |
Right after showing this (shortening the logs using the non-debug ones):
it goes back to the login prompt, in a loop:
Thanks for the reference to the other issue, I had a quick look but will need more time to start diving into the code (my C is so rusty it won't be the easiest task but hey). |
Damn, so it is basically #199. To be honest, I don't even know where to look for reasons - all things I've expected to be the cause are fixed. I almost expected that one to be not truly solved, but I never was able to reproduce it again. Most likely this is SOME memory thingy in SOME place... This is most likely asking way too much, but would you be willing to create a DD image of your system so I can throw it into a VM for reproducing and testing? Obv. remove all your personal data before (or after) if you want, or create a test user and delete your whole user for that or like that. But I'm well aware how much hassle that would be so I don't expect you to do it 😆 But if you wanna do, I could provide the necessary upload storage. |
back then it could be avoided by either: a) disabling deny_remote globally (bad idea) or b) disabling deny_remote for login (better idea, but still a bad idea in VERY exotic setups) You could try that and see if it helps. |