cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

Key not being unlocked with slock #45

Closed JBlocklove closed 1 year ago

JBlocklove commented 1 year ago

I just switched from i3lock to slock and I can't seem to get slock to unlock my keys. So far, I've set my drop user and group to my primary group as mentioned in the README, I added the pam-auth patch, and I've added the pam_setcred line from #34 to my slock.c file, but when I unlock I still have to separately unlock my gpg key.

Here is what my system-local-login pam file looks like:

#%PAM-1.0

auth      include   system-login
account   include   system-login
password  include   system-login
session   include   system-login
auth      optional  pam_gnupg.so store-only debug
session   optional  pam_gnupg.so debug

I believe that should be the only file I needed to modify with the pam-gnupg files, since the pam-auth patch sets the pam service to login. Is it possible I need to have that point to a different service?

Here are the slock lines from my journalctl:

Nov 28 12:22:59 shire slock[24337]: pam_systemd_home(login:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Nov 28 12:22:59 shire slock[24337]: pam_gnupg(login:auth): stored passphrase
Nov 28 12:22:59 shire slock[24337]: pam_gnupg(login:setcred): store-only set, skipping

I'm not using systemd-homed and have it disabled, so I believe that warning should be ignorable. It looks to me like the issue might be with setcred since it says store-only set, skipping but I believe that store-only should be there since it's worked fine with my other lockers and my display manager (I use ly).

My slock configuration is all up-to-date on the pam branch of my slock repo: https://github.com/JBlocklove/slock/tree/pam, but the only changes made in this branch were adding the patch, adding the pam_setcred line, and setting up my config.h to have my user and group.

I imagine I just have something configured incorrectly with pam-gnupg, especially since in #34 there were more debug messages that I'm not seeing, but I'm not sure what else to check. Any help would be greatly appreciated!

cruegge commented 1 year ago

Sorry for the late reply. I think the problem is that slock does not open a session, so it only ever calls the auth module, which is configured as store-only and therefore doesn't actually do any unlocking. I wasn't aware that the slock patch uses the login service, and I find that a rather unfortunate choice. Try creating a file /etc/pam.d/slock with contents

auth include system-auth
auth optional pam_gnupg.so debug

and patch slock to use that.
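
The diagnosis in the reply above can be checked against any PAM service file. This is an added example, not part of the original thread or of pam-gnupg: it assumes, as the reply states, that a pam_gnupg auth line with store-only never unlocks and that a session line only runs when the application opens a PAM session. The function names and the two sample files are constructed, and include lines are not followed.

```python
import os

# Constructed samples mirroring the two service files quoted in the thread.
LOGIN_STYLE = """\
#%PAM-1.0
auth      include   system-login
session   include   system-login
auth      optional  pam_gnupg.so store-only debug
session   optional  pam_gnupg.so debug
"""
SLOCK_STYLE = """\
auth include system-auth
auth optional pam_gnupg.so debug
"""


def gnupg_entries(service_text):
    """Return [(type, options)] for every pam_gnupg.so line (includes not followed)."""
    entries = []
    for raw in service_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 3:
            continue
        mod_type = fields[0].lstrip("-")        # "-auth" means "ignore if module missing"
        i = 1
        if fields[1].startswith("["):           # bracketed control may contain spaces
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        module, options = fields[i + 1:i + 2], fields[i + 2:]
        if module and os.path.basename(module[0]) == "pam_gnupg.so":
            entries.append((mod_type, set(options)))
    return entries


def unlock_phases(service_text):
    """Phases in which pam_gnupg would hand the passphrase on, per the thread."""
    return {t for t, opts in gnupg_entries(service_text)
            if t == "session" or (t == "auth" and "store-only" not in opts)}


def will_unlock(service_text, opens_session):
    """True if an application using this service would get its keys unlocked."""
    phases = unlock_phases(service_text)
    return "auth" in phases or (opens_session and "session" in phases)


if __name__ == "__main__":
    # A locker that only authenticates and never opens a session, as described for slock.
    for name, text in (("login-style", LOGIN_STYLE), ("slock-style", SLOCK_STYLE)):
        print(name, "unlocks for auth-only app:", will_unlock(text, opens_session=False))
```
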

JBlocklove commented 1 year ago

Sorry for my own delayed response. That seems to have fixed it perfectly, thanks!