xyb3rt / physlock

Lightweight linux console locking tool
GNU General Public License v2.0

res=failed in journal #91

Open x70b1 opened 4 years ago

x70b1 commented 4 years ago

I have the following line in my journal:

Jan 24 15:33:22 foo kernel: audit: type=1100 audit(1579876402.043:98): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_unix acct="x70b1" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=success'
Jan 24 15:33:22 foo kernel: audit: type=1110 audit(1579876402.043:99): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_unix acct="x70b1" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=success'
Jan 24 15:33:22 foo kernel: audit: type=1109 audit(1579876402.043:100): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=failed'

My PAM config /etc/pam.d/physlock:

#%PAM-1.0
auth        required    pam_unix.so
account     required    pam_unix.so
password    required    pam_unix.so
session     required    pam_unix.so

I am just asking myself what the third line is about. It seems like an error. But I couldn't find a solution.

i3lock only prints one line, while physlock writes 3 log lines.

Is there anything known about this? Regardless of this, everything works.

xyb3rt commented 4 years ago

I do not know what's causing the bad_ident message. If you're running the current HEAD then the second log message seems to be right, because physlock now calls pam_setcred. Can you please post i3lock's PAM config?

x70b1 commented 4 years ago

It's the default config:

#
# PAM configuration file for the i3lock screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/login)
#

auth include system-auth

My system-auth:

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

I changed my config to:

#%PAM-1.0
auth        required    pam_unix.so try_first_pass nullok
account     required    pam_unix.so
password    required    pam_unix.so try_first_pass nullok sha512 shadow
session     required    pam_unix.so

But the error log is still the same. If I put auth include system-auth in my config the error is in the log too.
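Added example, not part of the issue thread or of physlock's code: a small parser for kernel-forwarded audit lines like the three quoted in the first comment, which reports every PAM operation that ended with res=failed, grouped by executable and PID. The function names are hypothetical; the sample lines are the ones from the issue, and the type names come from linux/audit.h.

```python
import re
import shlex
from collections import defaultdict

# The three journal lines quoted in the issue above.
SAMPLE_LINES = """
Jan 24 15:33:22 foo kernel: audit: type=1100 audit(1579876402.043:98): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_unix acct="x70b1" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=success'
Jan 24 15:33:22 foo kernel: audit: type=1110 audit(1579876402.043:99): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_unix acct="x70b1" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=success'
Jan 24 15:33:22 foo kernel: audit: type=1109 audit(1579876402.043:100): pid=40521 uid=1000 auid=1000 ses=1 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/bin/physlock" hostname=foo addr=? terminal=tty2 res=failed'
""".strip().splitlines()

# Audit record type names from linux/audit.h for the types seen above.
TYPE_NAMES = {1100: "USER_AUTH", 1109: "USER_ERR", 1110: "CRED_REFR"}

RECORD = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"(?P<outer>.*?) msg='(?P<inner>.*)'\s*$"
)

def parse_record(line):
    """Parse one kernel-forwarded audit line into a flat dict, or None."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = {"type": int(m["type"]), "ts": float(m["ts"]), "serial": int(m["serial"])}
    rec["type_name"] = TYPE_NAMES.get(rec["type"], "UNKNOWN")
    # Outer fields (pid, uid, ...) and the quoted msg='...' fields share key=value syntax.
    for part in shlex.split(m["outer"]) + shlex.split(m["inner"]):
        key, _, value = part.partition("=")
        rec[key] = value
    return rec

def failed_pam_ops(lines):
    """Return {(exe, pid): [(serial, type_name, op), ...]} for PAM records with res=failed."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        if rec.get("op", "").startswith("PAM:") and rec.get("res") == "failed":
            key = (rec.get("exe", "?"), int(rec.get("pid", -1)))
            failures[key].append((rec["serial"], rec["type_name"], rec["op"]))
    return dict(failures)

if __name__ == "__main__":
    for (exe, pid), ops in failed_pam_ops(SAMPLE_LINES).items():
        print(exe, pid, ops)
```

Running the same function over the journal output of another locker makes it easy to compare which PAM operations each program logs.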