The manual page for pam_zfs_key is missing, so not many people are testing it. I spotted at least 2 flaws in this module: 1. The password has to be typed twice when the module is enabled, console login looks like below FreeBSD/amd64 (chmura) (ttyu1) login: mzar Password: Password: Last login: Mon Oct 14 00:36:31 from.... 2. If something goes wrong (it's most likely a failed attempt to unload the key), then "3" is written to the file /var/run/pam_zfs_key/$uid which prevents further loading keys until the file gets cleared. 3. I was neither able to configure this module to work with SSH (though the stage of double password typing was achieved) nor with a graphical login manager (tried with x11/slim). All the tests were done on the most recent stable/14 and/or recent CURRENT.
Created attachment 254218 [details] working configuration used for tests on cosole Please see working /etc/pam.d/login attached. Similar changes were made to /etc/pam.d/sshd and /usr/local/etc/pam.d/slim.
Created attachment 255176 [details] working configuration Reordering modules fixed the issue. Now pam_zfs_key works as intended, including X11 auth done by x11/slim (slim pam.d file not included here, but its syntax follows included "login" file).
I am closing this PR since everything works as intended.