pam-gnupg not working with SDDM display manager

[robtekky]

I cannot get pam-gnupg to work successfully using the SDDM display manager.

I have tried both on my Gentoo box and my Artix box, with no success in any of them.

I have put the .so entries in both the sddm file and the sddm-greeter file, under /etc/pam.d/ dir.

For instance, my /etc/pam.d/sddm file looks like the following:

❯ cat /etc/pam.d/sddm-greeter
#%PAM-1.0

# Load environment from /etc/environment and ~/.pam_environment
auth        required pam_env.so

# Always let the greeter start without authentication
auth        required pam_permit.so

auth     optional  pam_gnupg.so store-only

# No action required for account management
account     required pam_permit.so

# Can't change password
password    required pam_deny.so

# Setup session
session     required pam_unix.so
session     optional pam_elogind.so

session         optional pam_gnupg.so

The gpg agent configuration file contains:

❯ cat ~/.local/share/gnupg/gpg-agent.conf
allow-preset-passphrase
max-cache-ttl 86400 

And the pam gnupg config file contains:

❯ cat ~/.config/pam-gnupg

GNUPGHOME=~/.local/share/gnupg

2D1AXXXX.....

I have tried also the following:

• setting the GNUPGHOME env variable under ~/.pam_environment
• running pam_env.so with user_readenv=1

The output of the following command does not have a 1 in the 7th column for the preset keygrip:

❯ gpg-connect-agent 'keyinfo --list' /bye
...
S KEYINFO 2D1AXXXX.... D - - - P - - -
...

Not sure what I am doing wrong. Any help would be highly appreciated.

Basically, I would expect that, after entering the password in the SDDM greeter, the pam module passes it to the gnupg agent so that I do not have to enter the passphrase everytime I access the encrypted credentials .... But that is not happening.

[cruegge]

First of all, setting GNUPGHOME=~/.local/... is not correct, you should simply put the path on a separate line, ~/.local/.... But I don't think that's the issue here, the line should simply be ignored, and since you set the variable in pam_env, it should work nevertheless.

I don't think that /etc/pam.d/sddm-greeter ist the relevant file, it's used for the greeter itself afaict. Can you post the contents of /etc/pam.d/sddm?

[robtekky]

First of all, setting GNUPGHOME=~/.local/... is not correct, you should simply put the path on a separate line, ~/.local/....

When you say "put the path on a separate line" ... do you mean putting just the path on a separate line in the same file? Or ... is there any other file that has to include that line?

I have tried something like the following, with no success:

❯ more .config/pam-gnupg
~/.local/share/gnupg

2D1AXXXX.....

However, I have finally got it working putting the env variable in ~/.pam_environment and running pam_env.so with user_readenv=1 :

❯ cat .pam_environment
GNUPGHOME=~/.local/share/gnupg 

It seems I had not tried that combination before.

Is there any way of getting rid of .pam_environment file?

If possible, I would prefer to keep my home dir as clean as possible.

Note. It also works fine if I set the GNUPGHOME env variable in /etc/environment, but I am looking for something under user config dir ....

Thanks a lot.

[cruegge]

~/.local/share/gnupg

2D1AXXXX.....

The config file looks okay. I don't quite understand why using the (incorrect) GNUPGHOME= and pam_env didn't work. That way, the setting in the pam-gnupg file should have been ignored, but pam_env alone should have been sufficient.

Anyway, using pam_env should not be needed if you start the agent properly. There are basically two and a half options:

• Use the session optional pam_gnupg.so line without no-autostart and let pam-gnupg start the agent. It should start with the home dir as configured in the pam-gnupg file. You still need to export GNUPGHOME in your .profile, .bash_profile, .xprofile, or whatever init file is relevant for your session (or use your desktop to configure it).

• Add no-autostart, and start the agent in some other way before the pam-gnupg module runs. You will have to make sure to start it with the correct GNHPGHOME, and probably also export that from your init file.

• The half option (a special case of the former): systemd socket activation is a bit tricky, since the socket location for non-standard GNUPGHOME contains a hash of the home dir (listed under gpgconf -L --homedir ~/.local/share/gnupg). The various systemd socket units (gpg-agent.socket, gpg-agent-ssh.socket, gpg-agent-browser.socket and gpg-agent-extra.socket) need to be adjusted accordingly. You also need to add the --homedir ... option to gpg-agent.service, and again export GNUPGHOME from your init file.

But my assumption is that currently, your systemd listens on the standard socket paths (if at all), therefore doesn't play a role for your setup, and you effectively start the agent from pam-gnupg. If that's okay for you, you probably only need to export GNUPGHOME from your init file, and can get rid of pam_env.

[robtekky]

@cruegge. Option 1 worked OK

Actually, it only worked on my Artix box, not on my Gentoo box. Not sure why .... It seems both are configured exactly the same way.

In Gentoo, I can see in the /var/log/auth.log file, that it still tries to get the environment from /etc/environment file:

Mar 30 09:36:13 gentoo-openrc sudo: pam_env(sudo:setcred): Unable to open env file: /etc/environment: No such file or directory

So, it only works well there when I have that file containing the content: GNUPGHOME=~/.local/share/gnupg

I do not use systemd on my machines. I run runit in Artix and openrc in Gentoo.

Anyway, it is ok.

Thanks a lot for your help.

Feel free to close this issue.

P.S. I am still surprised about the format of pam-gnupg file..... Never saw before something like that, but ....

[cruegge]

Does your Gentoo use version 0.4? That version added configurable GNUPGHOME.

Concerning the file format: the reason is basically that I'm too lazy to write a proper parser, and want to keep the code as simple as possible. Also, supporting GNUPGHOME was kind of an afterthought, after pam_env devs announced to remove support for user_readenv. I don't intend to add any other config options, and using only the path on a line by itself makes the file a lot easier to parse: if the line starts with / or ~, it sets GNUPGHOME, otherwise it's a keygrip.

Anyway, I'll close this issue.

[robtekky]

Does your Gentoo use version 0.4? That version added configurable GNUPGHOME.

That explains things:

❯ eix -I pam-gnupg [I] sys-auth/pam-gnupg [1] Available versions: (~)0.3{xpak} Installed versions: 0.3{xpak}(01:37:36 PM 03/27/2023) Homepage: https://github.com/cruegge/pam-gnupg Description: Unlock GnuPG keys on login

I presume I can clone and compile the latest source code manually .....

Concerning the file format: the reason is basically that I'm too lazy to write a proper parser, and want to keep the code as simple as possible. Also, supporting GNUPGHOME was kind of an afterthought, after pam_env devs announced to remove support for user_readenv. I don't intend to add any other config options, and using only the path on a line by itself makes the file a lot easier to parse: if the line starts with / or ~, it sets GNUPGHOME, otherwise it's a keygrip.

Fair enough .... :-)

Thanks a lot for all the help.