cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

Doesn't work with autologin on nixos #26

Closed rasmus-kirk closed 3 years ago

rasmus-kirk commented 3 years ago

I use muttwizard, and I would like to avoid typing my password every time I update my mail. But I can't seem to get pam-gnupg to work. When I type in the command mbsync -a it requests the gnupg password. Relevant lines in my configuration.nix:

programs.gnupg.agent.pinentryFlavor = "curses";
programs.gnupg.agent.enable = true;
security.pam.services.user.gnupg.enable = true;

Where user is my username. Of course my user password is the same as the gnupg password in question.

My gpg-agent.conf:

default-cache-ttl 34560000
max-cache-ttl 34560000
allow-preset-passphrase

And my ~/.pam-gnupg file:

40-CHARACTER-KEYGRIP-HERE

I don't know what I am doing wrong, any help would be appreciated.

cruegge commented 3 years ago

The user part in security.pam.services.user.gnupg.enable is probably not correct. This should be the name of the PAM service for which you want to enable pam-gnupg. I haven't used it on NixOS myself, but I think it should be login for console logins, gdm and lightdm, and sddm for sddm. In all cases, you should probably also set security.pam.services.<name>.gnupg.storeOnly = true. Finally, if you use i3lock or similar, also add a corresponding line for that, but without storeOnly.

rasmus-kirk commented 3 years ago

I changed the relevant lines in my configuration file:

    programs.gnupg.agent.pinentryFlavor = "curses";
    programs.gnupg.agent.enable = true;

    security.pam.services.login.gnupg.enable = true;
    security.pam.services.login.gnupg.storeOnly = true;

    security.pam.services.i3lock.gnupg.enable = true;
    security.pam.services.i3lock.gnupg.storeOnly = true;

    security.pam.services.i3lock-color.gnupg.enable = true;
    security.pam.services.i3lock-color.gnupg.storeOnly = true;

Unfortunately this doesn't seem to work either. When I run mbsync -a it still prompts me for a password. I added the i3lock lines since I'm using swaywm but they shouldn't be necessary since I don't actually use the lock mechanism.

cruegge commented 3 years ago

The released version unfortunately does not contain any logging yet. I should probably tag a new release, but in the meantime, can you add

nixpkgs.overlays = [ (self: super: {
  pam_gnupg = super.pam_gnupg.overrideAttrs (attrs: {
    src = super.fetchFromGitHub {
      owner = "cruegge";
      repo = "pam-gnupg";
      rev = "99f1c2a3f903276c03a13692f50c292aa4b7bd37";
      sha256 = "sha256-XYEPbjuL4lUvtoIHSAtXHUdUQl63+QFj3d6cgKBf/4A=";
    };
  });
}) ];

to your configuration.nix and check if any error messages appear in journalctl when you log in? There's also a new debug option to increase logging verbosity, but NixOS does not allow you to set that via the module system. A workaround is to replace the /etc/pam.d/login symlink by a regular file with the same content after nixos-rebuild and add the debug switch to the pam_gnupg.so lines manually.

Also, do you use a non-standard GNUPGHOME or the default ~/.gnupg?

Finally, for the sake of completeness, if you ever want to use i3lock or some other locking mechanism, omit the storeOnly option, it's only useful for PAM services that open new sessions.

rasmus-kirk commented 3 years ago

All right, I did as you asked and got an error message:

Jan 10 09:55:01 nixos systemd[978]: Started GnuPG cryptographic agent and passphrase cache.
Jan 10 09:55:01 nixos gpg-agent[5755]: gpg-agent (GnuPG) 2.2.24 starting in supervised mode.
Jan 10 09:55:01 nixos gpg-agent[5755]: using fd 3 for std socket (/run/user/1000/gnupg/S.gpg-agent)
Jan 10 09:55:01 nixos gpg-agent[5755]: listening on: std=3 extra=-1 browser=-1 ssh=-1
Jan 10 09:55:01 nixos gpg-agent[5757]: Failed to lookup password for key n/KEYGRIP-HERE with secret service: The name org.freedesktop.secrets was not provided by any .service files
Jan 10 09:55:01 nixos gpg-agent[5755]: failed to unprotect the secret key: No such file or directory
Jan 10 09:55:01 nixos gpg-agent[5755]: failed to read the secret key
Jan 10 09:55:01 nixos gpg-agent[5755]: command 'PKDECRYPT' failed: No such file or directory <Pinentry>
Jan 10 09:55:01 nixos gpg-agent[5787]: Failed to lookup password for key n/KEYGRIP-HERE with secret service: The name org.freedesktop.secrets was not provided by any .service files
Jan 10 09:55:02 nixos gpg-agent[5755]: failed to unprotect the secret key: No such file or directory
Jan 10 09:55:02 nixos gpg-agent[5755]: failed to read the secret key
Jan 10 09:55:02 nixos gpg-agent[5755]: command 'PKDECRYPT' failed: No such file or directory <Pinentry>

It seems that it can't interact with pinentry, which is weird. It should be noted that this is not a problem when I have logged in and do things manually; then it is able to decrypt just fine.

cruegge commented 3 years ago

I think the org.freedesktop.secrets error message is produced by the pinentry, so the interaction is probably ok. You're using the curses pinentry, so can it be that it only can't ask for a passphrase because the command triggering it is running without a terminal?

In any case, the more confusing part is that there are no pam-gnupg-related log messages at all, but with debug enabled, it should log something, even if it is just a "stored passphrase" success message. What display manager are you using? Can you try logging in on a virtual console, since that should definitely trigger pam.services.login?

rasmus-kirk commented 3 years ago

I solved the problem. The issue turned out to be that I had auto-login enabled. After I turned auto-login off it works fine. I don't know if this is an issue elsewhere than nixos, but it might be. Thank you, I certainly wouldn't have been able to figure it out without your help.

I'll rename the issue for clarity, go ahead and close it if you feel that auto-login should not be supported at all, although you should probably add that to the readme in that case (assuming this is a problem on other distros). I think I made a mistake with the journalctl thing, I'll try again and post it in this thread shortly.

EDIT: The line on nixos that enables auto-login btw: services.getty.autologinUser = "user";

rasmus-kirk commented 3 years ago

Okay the journalctl doesn't record it because nixos overwrites the login file in /etc/pam.d. I don't know how to circumvent that : /

cruegge commented 3 years ago

It actually can't work with autologin, all the module does is to pass the entered user password to gpg-agent; if you never type it, there's nothing that can be done. I'll clarify that in the README.

Concerning changing /etc/pam.d/login: NixOS overwrites that in the activation script after nixos-rebuild switch and after reboot, but it should be possible to log in once, change it, then log out again, and the next login attempt should use the debug flag.

But it doesn't really matter now that the cause is clear.
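A diagnostic that would have shortened this thread: instead of waiting for mbsync to prompt, ask the running gpg-agent directly whether the keygrips listed in ~/.pam-gnupg already have a cached passphrase. If pam-gnupg ran at a login where the password was actually typed, they show as cached; under autologin they never will. This is an added example, not part of pam-gnupg; it assumes gpg-connect-agent from GnuPG 2.x, the documented KEYINFO line layout, and that blank and `#` lines in the keygrip file are ignored.

```shell
#!/bin/sh
# Added diagnostic, not part of pam-gnupg: for each keygrip in ~/.pam-gnupg,
# ask the running gpg-agent whether that key's passphrase is already cached.
# Assumes gpg-connect-agent (GnuPG 2.x); KEYINFO lines look like
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# with <cached> equal to "1" when the passphrase is in the agent's cache.

# Exit 0 if KEYGRIP is listed as cached in the KEYINFO output on stdin,
# 1 if listed but not cached, 2 if the agent does not know the key at all.
keygrip_cached() {
    awk -v grip="$1" '
        $1 == "S" && $2 == "KEYINFO" && $3 == grip { found = 1; cached = ($7 == "1") }
        END { if (!found) exit 2; exit (cached ? 0 : 1) }'
}

# A keygrip is exactly 40 hexadecimal digits; anything else in the file is a
# configuration error (e.g. a fingerprint pasted by mistake).
is_keygrip() {
    case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Walk the keygrip file (default ~/.pam-gnupg), skipping blank and '#' lines
# (assumed to be ignored by the module), and print one status line per key.
# Returns non-zero if any key is malformed, unknown to the agent, or not cached.
check_pam_gnupg() {
    file=${1:-$HOME/.pam-gnupg}
    info=$(gpg-connect-agent 'keyinfo --list' /bye) || return 2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        grip=${line%%#*}; grip=$(printf '%s' "$grip" | tr -d '[:space:]')
        [ -n "$grip" ] || continue
        if ! is_keygrip "$grip"; then
            echo "malformed:  $line"; rc=1; continue
        fi
        printf '%s\n' "$info" | keygrip_cached "$grip" && state=0 || state=$?
        case $state in
            0) echo "cached:     $grip" ;;
            2) echo "unknown:    $grip (wrong GNUPGHOME?)"; rc=1 ;;
            *) echo "not cached: $grip"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Usage: sh pam-gnupg-check.sh --run [keygrip-file]
if [ "${1:-}" = "--run" ]; then check_pam_gnupg "${2:-}"; fi
```

Run it right after a fresh login (console or display manager): "not cached" for every key means the module never received a password, which is exactly the autologin symptom above, while "unknown" points at a GNUPGHOME mismatch rather than at PAM.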