Bug 270595 - security/plasma5-kscreenlocker: PAM error
Summary: security/plasma5-kscreenlocker: PAM error
Status: Closed Not A Bug
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-kde (group)
URL:
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2023-04-02 07:14 UTC by Colin Percival
Modified: 2023-05-18 18:27 UTC (History)
5 users (show)

See Also:
bugzilla: maintainer-feedback? (kde)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Colin Percival freebsd_committer freebsd_triage 2023-04-02 07:14:20 UTC 
Getting this logged to the console and /var/log/messages:

> kscreenlocker_greet[$PID]: in _pam_exec(): pam_sm_setcred: pam_get_authtok(): authentication token not available

Started after upgrading the package from 5.24.7 to 5.27.1 on FreeBSD 13.1-RELEASE.
Comment 1 Graham Perrin freebsd_committer freebsd_triage 2023-04-02 12:34:29 UTC 
I see the same on 14.0-CURRENT, I'm not yet aware of any impact. 

% pkg iinfo security/plasma5-kscreenlocker
plasma5-kscreenlocker-5.27.3_1
% uname -aKU
FreeBSD mowa219-gjp4-8570p-freebsd 14.0-CURRENT FreeBSD 14.0-CURRENT #36 main-n261767-508aee968143: Sat Mar 25 23:33:05 GMT 2023     grahamperrin@mowa219-gjp4-8570p-freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 1400084 1400084
%
Comment 2 CraigW 2023-05-12 04:01:01 UTC 
Me too

uname -aKU
FreeBSD hostname 13.2-RELEASE FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 BEASTIE amd64 1302001 1302001


plasma5-kscreenlocker-5.27.4_1 Plasma5 secure lock screen architecture

May 11 22:31:15 hostname kscreenlocker_greet[1856]: in _pam_exec(): pam_sm_setcred: pam_get_authtok(): authentication token not available


I'm also trying to figure out why my display won't suspend.
But that is another ticket
Comment 3 Andriy Gapon freebsd_committer freebsd_triage 2023-05-13 06:41:55 UTC 
Just an observation that the message seems to come from a piece of code added to lib/libpam/modules/pam_exec/pam_exec.c in commit base b75e0eed345d2ab047a6b1b00a9a7c3bf92e992c, almost a year ago.
Comment 4 Andriy Gapon freebsd_committer freebsd_triage 2023-05-13 06:53:06 UTC 
I suspect that the following line in /usr/local/etc/pam.d/kde is related to the message:

auth    sufficient      pam_exec.so     return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper

FWIW, /usr/local/etc/pam.d/xscreensaver has a similar line and I have been seeing the same complaint with xscreensaver for a long time now.  E.g.:

Nov  7 19:13:25 xxxxx xscreensaver-auth[19942]: in _pam_exec(): pam_sm_setcred: pam_get_authtok(): authentication token not available
Comment 5 Felix Palmen freebsd_committer freebsd_triage 2023-05-13 08:29:51 UTC 
(In reply to Andriy Gapon from comment #4)
> I suspect that the following line in /usr/local/etc/pam.d/kde is related to the
> message:

> auth    sufficient      pam_exec.so     return_prog_exit_status expose_authtok /usr/local/libexec/unix-selfauth-helper

Indirectly, yes. As far as I understood, pam_exec always attempts to obtain an already existing authtok in pam_sm_setcred() when the expose_authtok argument is given. Before the bugfix, it just segfaulted when there was none, now it returns a PAM system error instead.

I didn't fully understand that fix back then (e.g. why it returns an error in that case), but it was reviewed/approved by des@.

Anyways, that error is completely harmless (and expected when no other PAM module already set an authtok previously).
Comment 6 Gleb Popov freebsd_committer freebsd_triage 2023-05-18 06:29:00 UTC 
(In reply to Felix Palmen from comment #5)
But how kscreenlocker/xscreenlocker authentication succeeds, then?
Comment 7 Felix Palmen freebsd_committer freebsd_triage 2023-05-18 09:01:10 UTC 
(In reply to Gleb Popov from comment #6)
pam_sm_authenticate() succeeds (pam_exec correctly exposes the authtok obtained in the PAM dialog for that). pam_sm_setcred() just isn't needed in this scenario.