Bugzilla – Bug 1133808
pam-kwallet cause sudo stop working
Last modified: 2023-04-06 15:26:35 UTC
Yesterday I had a problem with sudo. The password was not accepted. kdesu and su were still working. I had pam-kwallet installed. I did a fresh install and sudo worked again, but it stopped working after installing pam-kwallet. Removing pam-kwallet restored sudo again. I have not made changes to the pam of sudo setups.
I can confirm this. I normally don't use "sudo", so I had not checked until seeing this bug report. When I use "sudo", it always says that the password is wrong. I uninstalled pam_kwallet and logged out and logged back in. And now sudo worked. So I reinstalled pam_kwallet, and it stopped working once again. I tested this in both Gnome and Icewm. I did not test in KDE. I also checked Tumbleweed, and "sudo" works as expected there. Testing was done in KVM virtual machines (Leap 15.0 host).
Is pam_kwallet installed by default?
No, it is not installed by default. The error occurred recently, sometime in the past days. I just updated another 15.1 system, that worked with pam-kwallet before the update, but stopped having a working sudo after.
I can also confirm what Cor Blom says. I just checked a system that I updated on Sunday (at 6:30 pm Chicago time, or 23:30 UTC). And "sudo" works just fine there. But it fails on systems that I updated on Monday. So the problem appears to first show up in Build 463.2.
It is not only sudo that is broken with pam-kwallet, also some dialogue windows that ask for the root password. This is happening with Discover, but it is not happening with YaST. The windows look different, so I guess a different mechanism is used to ask for the root password. pkexec is also not working with pam-kwallet.
*** Bug 1134929 has been marked as a duplicate of this bug. ***
Created attachment 805793
journalctl output relating to pam_kwallet errors
Also ran into this issue while upgrading from 15.0 to 15.1. Attaching a log file of some journalctl output that might help with diagnosing the issue.
I did an upgrade from Leap 15.0 to 15.1 yesterday and also encountered the issue of not being able to run sudo anymore while su works. I had the package pam_kwallet working fine on Leap 15.0, but after the upgrade it's broken. So I had to remove pam_kwallet. I tried reinstalling the package but whenever I do, I can't use sudo in Konsole anymore. Is there any information I might collect that might help narrow down the issue here?
(In reply to Timo Sigurdsson from comment #8)
> Is there any information
> I might collect that might help narrow down the issue here?
Not really. Somebody needs to debug the problem and find out what goes wrong exactly. I just upgraded my system to 15.1 and can reproduce it, so I'll have a look...
I find it interesting that the exact same pam_kwallet version works fine in 15.0 though (I'm using the latest one from KDE:Frameworks5 here), so it must be triggered by a change somewhere else.
Btw, a workaround might be to add something like "only_if sddm" to the pam_kwallet entry in /etc/pam.d/common-session, similar to what is done for gnome-keyring-pam. I haven't tested that though.
(In reply to Wolfgang Bauer from comment #9)
> I find it interesting that the exact same pam_kwallet version works fine in
> 15.0 though (I'm using the latest one from KDE:Frameworks5 here), so it must
> be triggered by a change somewhere else.
It's caused by a change in libgcrypt20 it seems. Installing the package from 15.0 fixes the problem...
If this bug is not in pam-kwallet, should we not change the assignee then, so that the right people see this? Although I don't know who that would be.
It seems to be related to libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch, if I rebuild libgcrypt without it the problem is fixed. I suppose that means it's somehow caused by the call to _gcry_fips_run_selftests (0);. I think the libgcrypt maintainer(s) should have a look at this, reassigning to the person who added that patch.
Reassigning to Jason who is handling the FIPS-related stuff.
*** Bug 1137578 has been marked as a duplicate of this bug. ***
It's pretty certainly related to libgcrypt20 1.8.4-3.1 update. (As mentioned, broken patch) It broke sudo for me as well. If I hold it back, it will keep working fine for me.
Just hit the same problem after upgrading to LEAP 15.1 and libgcrypt20-1.8.2-lp151.8.1. Exact commands to downgrade to v 1.8.2-lp150.5.3.1 and lock the broken version can be found here: https://forums.opensuse.org/showthread.php/536344-SOLVED-After-upgrade-from-15-0-sudo-not-working-(su-and-kdesu-works)?p=2905218#post2905218
If you are unsure about the patch causing this, maybe I can help narrow this down: After spending 5 hours on selective zypper updates and constant snapper rollbacks, this update breaks sudo:
libgcrypt20 1.8.4-2.4 -> 1.8.4-3.2
libgcrypt20-hmac 1.8.4-2.4 -> 1.8.4-3.2
My pam_kwallet version is 5.16.0-1.1. I will do yet another snapper rollback and lock libgcrypt20 1.8.4-2.4 to prevent further updating until a fix is released. Thanks for your work on fixing this bug!
(In reply to Bunte Katze from comment #17)
> If you are unsure about the patch causing this, maybe I can help narrow this
> down:
No, that's clear already IMHO, but thanks anyway.
FYI, this bug is being worked on, see bug#1137716 (or bug#1137307), there just wasn't a comment here yet.
(In reply to Wolfgang Bauer from comment #18)
> (In reply to Bunte Katze from comment #17)
> > If you are unsure about the patch causing this, maybe I can help narrow this
> > down:
> No, that's clear already IMHO, but thanks anyway.
See also comment#12...
(In reply to Wolfgang Bauer from comment #18)
> FYI, this bug is being worked on, see bug#1137716 (or bug#1137307), there
> just wasn't a comment here yet.
good to know, thanks for the update!
(In reply to Wolfgang Bauer from comment #12)
> It seems to be related to libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch, if I
> rebuild libgcrypt without it the problem is fixed.
>
> I suppose that means it's somehow caused by the call to
> _gcry_fips_run_selftests (0);.
>
That it is. Our move to have the fips self-tests occur in two steps has caused bugs to pop up in odd places. This was one of them. Thank you for your help. Fix submitted.
*** Bug 1139242 has been marked as a duplicate of this bug. ***
I upgraded to 1.8.4-4.1 and everything is working alright, thanks a lot!
Is there an ETA for the update arriving in the 15.1 repos now there is a fix?
*** Bug 1140594 has been marked as a duplicate of this bug. ***
SUSE-RU-2019:1808-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1133808
CVE References:
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libgcrypt-1.8.2-8.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libgcrypt-1.8.2-8.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Swamp Workflow Management from comment #27)
> SUSE-RU-2019:1808-1: An update that has one recommended fix can now be
> installed.
>
> Category: recommended (moderate)
> Bug References: 1133808
> CVE References:
> Sources used:
> SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
> (src): libgcrypt-1.8.2-8.3.1
> SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):
> libgcrypt-1.8.2-8.3.1
>
> NOTE: This line indicates an update has been released for the listed
> product(s). At times this might be only a partial fix. If you have questions
> please reach out to maintenance coordination.
So the SLE update is out, but I do not see any pending request for openSUSE. Assigning to maintenance.
(In reply to Fabian Vogt from comment #28)
> So the SLE update is out, but I do not see any pending request for openSUSE.
> Assigning to maintenance.
There's a release request for Leap 15.1 now:
https://build.opensuse.org/request/show/715284
It does look a bit weird though, losing some changes.
@jsikes: Is ^ intentional?
(In reply to Fabian Vogt from comment #29)
> (In reply to Fabian Vogt from comment #28)
> > So the SLE update is out, but I do not see any pending request for openSUSE.
> > Assigning to maintenance.
>
> There's a release request for Leap 15.1 now:
> https://build.opensuse.org/request/show/715284
>
> It does look a bit weird though, losing some changes.
> @jsikes: Is ^ intentional?
That was not intentional. "libgcrypt-1.8.4-allow_FSM_same_state.patch" should remain. "allow_FSM_same_state.patch" is needed by libotr and probably others. That looks like a mistake I made. Please revoke 715284. I'll fix it later today.
Is there any status update on this? Something that can be tested? I have four affected machines ...
(In reply to Thomas Rother from comment #34)
> Is there any status update on this? Something that can be tested?
Sure, the update is in the update test repo meanwhile:
https://download.opensuse.org/update/leap/15.1-test/
(In reply to Wolfgang Bauer from comment #35)
> (In reply to Thomas Rother from comment #34)
> > Is there any status update on this? Something that can be tested?
> Sure, the update is in the update test repo meanwhile:
> https://download.opensuse.org/update/leap/15.1-test/
Just a question: Did I get that right, the patch is in libgcrypt, not in pam_kwallet? So I have to re-install pam_kwallet and patch libgcrypt?
(In reply to Thomas Rother from comment #36)
> (In reply to Wolfgang Bauer from comment #35)
> > (In reply to Thomas Rother from comment #34)
> > > Is there any status update on this? Something that can be tested?
> > Sure, the update is in the update test repo meanwhile:
> > https://download.opensuse.org/update/leap/15.1-test/
>
> Just a question: Did I get that right, the patch is in libgcrypt, not in
> pam_kwallet?
The patch is in libgcrypt20, yes.
Back to maintenance now: https://build.opensuse.org/request/show/717869 Looks like openQA tests fail.
Is there still activity on this so that the version from test (1.8.2-lp151.9.4.1) can be released for Leap 15.1?
(In reply to Thomas Rother from comment #39)
> Is there still activity on this so that the version from test
> (1.8.2-lp151.9.4.1) can be released for Leap 15.1?
I have a new submission in the pipeline...
https://build.suse.de/request/show/198272
...that should fix this and fix the problem I created with my previous submission.
This is an autogenerated message for OBS integration:
This bug (1133808) was mentioned in
https://build.opensuse.org/request/show/722012 15.1 / libgcrypt
openSUSE-RU-2019:1850-1: An update that solves one vulnerability and has two fixes is now available.
Category: recommended (important)
Bug References: 1097073,1133808,1138939
CVE References: CVE-2019-12904
Sources used:
openSUSE Leap 15.1 (src): libgcrypt-1.8.2-lp151.9.4.1
(In reply to Swamp Workflow Management from comment #42)
> openSUSE-RU-2019:1850-1: An update that solves one vulnerability and has two
> fixes is now available.
>
> Category: recommended (important)
> Bug References: 1097073,1133808,1138939
> CVE References: CVE-2019-12904
> Sources used:
> openSUSE Leap 15.1 (src): libgcrypt-1.8.2-lp151.9.4.1
Should be fixed now, finally.