Bug 211424 - x11/xscreensaver Pam failure on FreeBSD 11
Summary: x11/xscreensaver Pam failure on FreeBSD 11
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Niclas Zeising
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-28 18:21 UTC by Roberto de Iriarte
Modified: 2020-04-01 20:36 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (zeising)


Attachments
Patch to enable PAM by default (352 bytes, patch)
2020-02-19 22:28 UTC, Jason W. Bacon
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Roberto de Iriarte 2016-07-28 18:21:40 UTC
Xscreensaver seems unable to use PAM on FreeBSD 11-BETA2

After recompiling the port with PAM support, i have been unable to get it to use any form of pam authentication whatsoever

Enabling debug on the authentication method produces the following log

Jul 27 23:41:13 t420s xscreensaver: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/pam_unix.so.6
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): entering: 'auth_as_self'
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): returning NULL
Jul 27 23:41:13 t420s xscreensaver: in pam_get_user(): entering
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): entering: PAM_USER
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in pam_get_user(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in pam_sm_authenticate(): Got user: roberto
Jul 27 23:41:13 t420s xscreensaver: in pam_sm_authenticate(): Doing real authentication
Jul 27 23:41:13 t420s xscreensaver: in pam_get_authtok(): entering
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): entering: PAM_RHOST
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): entering: PAM_OLDAUTHTOK
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): entering: 'try_first_pass'
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): returning ''
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): entering: PAM_AUTHTOK
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): entering: 'use_first_pass'
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): returning NULL
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): entering: 'authtok_prompt'
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): returning NULL
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): entering: PAM_AUTHTOK_PROMPT
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in openpam_subst(): entering: 'Password:'
Jul 27 23:41:13 t420s xscreensaver: in openpam_subst(): returning PAM_SUCCESS
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): entering: 'echo_pass'
Jul 27 23:41:13 t420s xscreensaver: in openpam_get_option(): returning NULL
Jul 27 23:41:13 t420s xscreensaver: in pam_vprompt(): entering
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): entering: PAM_CONV
Jul 27 23:41:13 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:26 t420s xscreensaver: in pam_vprompt(): returning PAM_SUCCESS
Jul 27 23:41:26 t420s xscreensaver: in pam_set_item(): entering: PAM_AUTHTOK
Jul 27 23:41:26 t420s xscreensaver: in pam_set_item(): returning PAM_SUCCESS
Jul 27 23:41:26 t420s xscreensaver: in pam_get_item(): entering: PAM_AUTHTOK
Jul 27 23:41:26 t420s xscreensaver: in pam_get_item(): returning PAM_SUCCESS
Jul 27 23:41:26 t420s xscreensaver: in pam_get_authtok(): returning PAM_SUCCESS
Jul 27 23:41:26 t420s xscreensaver: in pam_sm_authenticate(): Got password
Jul 27 23:41:26 t420s xscreensaver: in openpam_get_option(): entering: 'no_warn'
Jul 27 23:41:26 t420s xscreensaver: in openpam_get_option(): returning ''
Jul 27 23:41:26 t420s xscreensaver: in openpam_dispatch(): /usr/lib/pam_unix.so.6: pam_sm_authenticate(): authentication error

pam_fprintd.so fails in the same manner

All the other pam-aware applications work perfectly on my setup so i am confident that the problem is in xscreensaver. It used to work on FreeBSD 10.3-RELEASE, however
Comment 1 Tobias Kortkamp freebsd_committer 2018-03-14 06:42:10 UTC
Is this still a problem? It works fine for me on 11.1-RELEASE.
Comment 2 Tobias Kortkamp freebsd_committer 2018-03-14 09:36:05 UTC
(In reply to Tobias Kortkamp from comment #1)
Nevermind. It does not work.  So to answer my own question: Yes, it's still a problem.
Comment 3 Jason W. Bacon freebsd_committer 2020-02-19 22:28:24 UTC
Created attachment 211769 [details]
Patch to enable PAM by default


If I install from source with the PAM option checked, it works fine for me on 12.1-RELEASE.  I haven't tested on 11.x.

Can we enable PAM support by default?  Patch attached.

I manage some desktop systems in a campus environment where people authenticate via AD and need PAM support in order to unlock their screens with their campus password.

I can build from source of course, but then if "pkg upgrade" installs a new version/revision, it will lose PAM support and people won't be able to unlock their screens.

I can do the commit myself with maintainer approval.
Comment 4 Niclas Zeising freebsd_committer 2020-02-23 19:07:06 UTC
(In reply to Jason W. Bacon from comment #3)

I'm a bit worried, because of the reports on FreeBSD 11.  However, a lot has changed since 11.1.

Jason, do you think there will be issues in case PAM is not in use?
Comment 5 Jason W. Bacon freebsd_committer 2020-02-24 14:35:16 UTC
I think it would be a pretty eggregious upstream bug if simply enabling PAM support broke the use of local passwords, if that's what you're saying.  Adding PAM support should not take anything else away.

In any case, to test you could just

    make clean config deinstall reinstall

and select PAM support.

I just did this on a desktop system at home (where I use only local passwords), restarted the daemon for good measure, and everything still works fine.
Comment 6 commit-hook freebsd_committer 2020-04-01 20:36:08 UTC
A commit references this bug:

Author: zeising
Date: Wed Apr  1 20:29:43 UTC 2020
New revision: 530240
URL: https://svnweb.freebsd.org/changeset/ports/530240

Log:
  x11/xscreensaver: Update to 5.44

  Update x11/xscreensaver to 5.44
  Enable PAM by default [1]

  Changelog:
  https://www.jwz.org/xscreensaver/changelog.html

  PR:		212830, 211424 [1]

Changes:
  head/x11/xscreensaver/Makefile
  head/x11/xscreensaver/distinfo
  head/x11/xscreensaver/pkg-plist