cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

Failed to obtain auth token #20

Closed petrmanek closed 4 years ago

petrmanek commented 4 years ago

Hi there!

I'm having some trouble getting pam-gnupg to work with LightDM on my arch laptop. I followed all instructions in the README, yet I'm experiencing symptoms similar to #5: after unlocking, gpg-agent does not seem to have the passphrase preset, and has to ask me to enter it explicitly.

I tried running the syslog branch. The only message I seem to find in my system journal is:

lightdm[969955]: pam_gnupg(lightdm:auth): failed to obtain auth token

What am I doing wrong?

Cheers, Petr

cruegge commented 4 years ago

The error message is produced right at the start of the auth module and indicates that – well – we couldn't get the auth token from PAM. There's not much else that can go wrong on our side, so I assume PAM actually did not pass us the token. Do you use some password-less login mechanism? Or do you maybe have some other PAM module before pam_gnupg.so that removes the token for some reason? Can you post your /etc/pam.d/lightdm and the included files (only the auth lines are relevant)?

petrmanek commented 4 years ago

@cruegge Thanks for your prompt response. I haven't really played with my PAM stacks until now, so there shouldn't be anything funky going on. Still, I'm at a loss as to what could be the reason why the PAM token is not obtained. Here are the auth lines from my /etc/pam.d/ files.

/etc/pam.d/lightdm:

auth        include     system-login

/etc/pam.d/system-login:

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       optional   pam_gnupg.so
auth       include    system-auth

/etc/pam.d/system-auth:

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

Note that, in a departure from the README instructions, I inserted the pam_gnupg-related lines into system-login, as it is included from system-local-login, system-remote-login and lightdm. Curiously, in its default installed state lightdm includes system-login rather than system-local-login. Don't know what to make of that (still a bit of a newbie to all things PAM); however, I'm not confident whether it should make any difference.

cruegge commented 4 years ago

I only partially understand PAM myself, to be honest ;) I think what happens here is the following: PAM clients, in this case lightdm, don't immediately send the auth token, but supply a callback for modules to ask in case they need it. Lightdm obtains the passphrase ahead of time from the user, because it is most likely needed anyway, but only sends it on demand. Now the module that actually requests the token in your case is pam_unix, and that's further down in the config. After that, the token gets stored in the PAM handle, and other modules can obtain it from there. So if you move your pam_gnupg line after pam_unix, things should work.

pam_gnupg does not request the token itself. I could probably add that as an option, but I don't think it's worth it: if someone configured passwordless access, they certainly don't want to be asked anyway by some module that's not actually relevant for authentication. I should, however, remark in the README that the auth line needs to be sufficiently far down.

petrmanek commented 4 years ago

@cruegge Moving the pam_gnupg line past pam_unix seems to have solved the issue. Thank you, and nicely done!

For the record, here is what my journal looks like now:

lightdm[8068]: pam_gnupg(lightdm:setcred): attempting to unlock
lightdm[8068]: pam_gnupg(lightdm:setcred): running gpg-preset-passphrase, autostart=0
lightdm[8068]: pam_gnupg(lightdm:setcred): presetting keygrip XXXXXXXXXXXXXX-REDACTED-XXXXXXXXXXXXXXXX
lightdm[8068]: pam_gnupg(lightdm:setcred): waiting for subprocess
lightdm[8068]: pam_gnupg(lightdm:setcred): subprocess finished with exit status 0
lightdm[8068]: pam_gnupg(lightdm:setcred): clearing token

To elaborate on my solution, you may have observed that pam_unix and pam_gnupg did not live in the same /etc/pam.d/ file. While the former was located in system-auth, the latter was in system-login. I did not really want to move pam_gnupg to system-auth, reasoning that GnuPG keys should only be unlocked during (local or remote) login, not every single time users are authenticated, which is what I imagine system-auth controls. Long story short, I left the pam_gnupg line in system-login but moved it past the include system-auth line that pulls in pam_unix and others.

I have verified that my GnuPG key is indeed unlocked following a successful login, even if I reloadagent prior to locking my screen. Thanks again for writing this neat little piece of software, and for helping me better understand how PAM works.

Closing the issue.

EDIT: added missing bits of the log
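The ordering requirement discussed in this thread (pam_gnupg.so must run after the module that actually asks for the password, pam_unix.so, because that is when the token lands in the PAM handle) is easy to get wrong once `include` directives are involved. The following is an added example, not code from pam-gnupg or from either participant: a small linter that flattens the `auth` stack of a service by following `include`/`substack` lines and reports whether pam_gnupg.so is reached before or after pam_unix.so. The in-memory files reproduce the auth lines posted above; the "after" version of system-login is an assumption of what the reordered file looks like, and the flattening is an approximation of how Linux-PAM walks the stack (module order is what matters here; the control-flag semantics of `substack` versus `include` are deliberately ignored).

```python
"""Lint a PAM 'auth' stack: does pam_gnupg.so run after pam_unix.so?

Added example, not part of pam-gnupg. PAMD_BEFORE copies the auth lines
from the thread; PAMD_AFTER is an assumed reordering of system-login.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed in-memory /etc/pam.d/ directory (auth lines from the thread).
PAMD_BEFORE: Dict[str, str] = {
    "lightdm": "auth        include     system-login\n",
    "system-login": (
        "auth       required   pam_shells.so\n"
        "auth       requisite  pam_nologin.so\n"
        "auth       optional   pam_gnupg.so\n"
        "auth       include    system-auth\n"
    ),
    "system-auth": (
        "auth       required                    pam_faillock.so      preauth\n"
        "# Optionally use requisite above if you do not want to prompt for the password\n"
        "# on locked accounts.\n"
        "auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok\n"
        "-auth      [success=1 default=ignore]  pam_systemd_home.so\n"
        "auth       [default=die]               pam_faillock.so      authfail\n"
        "auth       optional                    pam_permit.so\n"
        "auth       required                    pam_env.so\n"
        "auth       required                    pam_faillock.so      authsucc\n"
    ),
}

# Assumed fixed state: pam_gnupg.so moved below the include of system-auth.
PAMD_AFTER: Dict[str, str] = dict(PAMD_BEFORE)
PAMD_AFTER["system-login"] = (
    "auth       required   pam_shells.so\n"
    "auth       requisite  pam_nologin.so\n"
    "auth       include    system-auth\n"
    "auth       optional   pam_gnupg.so\n"
)

# One pam.d line: optional '-' prefix, type, control (plain word or
# [bracketed] form), module or included file, remaining arguments.
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def flatten(pamd: Dict[str, str], service: str, mtype: str = "auth",
            depth: int = 0) -> List[Tuple[str, str, str]]:
    """Return (source file, control, module) for one management group in
    execution order, splicing in include/substack targets where they appear."""
    if depth > 8:
        raise ValueError(f"include loop reached from {service}")
    out: List[Tuple[str, str, str]] = []
    for raw in pamd[service].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{service}: unparsable line: {raw!r}")
        _dash, typ, control, module, _args = m.groups()
        if typ != mtype:
            continue
        if control in ("include", "substack"):
            out.extend(flatten(pamd, module, mtype, depth + 1))
        else:
            out.append((service, control, module))
    return out


def token_order(pamd: Dict[str, str], service: str,
                consumer: str = "pam_gnupg.so",
                producer: str = "pam_unix.so") -> Tuple[bool, Optional[int], Optional[int]]:
    """Return (ok, producer index, consumer index) in the flattened stack.
    ok is True only when both modules are present and the consumer runs
    after the producer, i.e. after the auth token has been requested."""
    stack = [mod for _src, _ctl, mod in flatten(pamd, service)]
    p = stack.index(producer) if producer in stack else None
    c = stack.index(consumer) if consumer in stack else None
    return (p is not None and c is not None and c > p, p, c)


def report(pamd: Dict[str, str], service: str) -> str:
    """Human-readable summary for one service."""
    ok, p, c = token_order(pamd, service)
    lines = [f"{service}: {'OK' if ok else 'PROBLEM'} (pam_unix at {p}, pam_gnupg at {c})"]
    for i, (src, ctl, mod) in enumerate(flatten(pamd, service)):
        lines.append(f"  {i:2d} {src:13s} {ctl:28s} {mod}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PAMD_BEFORE, "lightdm"))
    print(report(PAMD_AFTER, "lightdm"))
```

On a real system the same check can be run by reading `/etc/pam.d/*` into the dictionary; a `PROBLEM` result for a login service means pam_gnupg.so will log "failed to obtain auth token" exactly as in this issue, since it is reached before any module has asked the client for the password.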