login: fix empty password softlock #1698

Merged: brianmcgillion merged 1 commit into tiiuae:main from kajusnau:empty-password-fix on Jan 26, 2026
@kajusnau (Collaborator) commented Jan 22, 2026

Description of Changes

What appears to happen (at least to my understanding) is that pam_systemd_home sends a PAM_AUTHTOK_ERR to the next PAM module in the stack.

  • when pam_unix is not present, it goes straight to pam_deny, and the chain is restarted properly
  • when pam_unix is present, it goes to pam_unix, which has the flags likeauth nullok try_first_pass, and for some reason it hangs
  • if we add the use_first_pass flag to pam_unix, it tries the empty password and fails properly

The only concern is that if we add this use_first_pass by default, it might break authentication with pam_sss if, as Manuel suggested, it needs a password from a previous PAM module

So the stack atm is like so, if I understand it correctly:

  • pam_systemd_home
  • pam_unix
  • [pam_sss]
  • pam_deny

With this patch we force use_first_pass for pam_unix, so it will never prompt for a password

Thanks to Everton and Manuel for their help debugging 🫡 🚀

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Verify empty password no longer causes a softlock on normal images
  2. Verify AD functionality is not affected
  3. (optional) Check AD login behavior with an empty password
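
An added example, not part of this PR or the Ghaf code base: a small Python check for the situation the description above walks through, a pam_unix auth entry stacked after another module without use_first_pass, so it can still prompt on its own. The two stacks are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample auth stacks (not copied from the Ghaf repository).
BEFORE = """\
auth sufficient pam_systemd_home.so
auth sufficient pam_unix.so likeauth nullok try_first_pass  # may prompt again
auth required   pam_deny.so
"""
# Assumption: the fix is modelled here by appending use_first_pass.
AFTER = BEFORE.replace("try_first_pass", "try_first_pass use_first_pass")

# type, control (plain word or [bracketed] form), module path, arguments
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text, pam_type="auth"):
    """Return [(module, control, [args])] for one PAM type, in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m or m.group(1).lstrip("-") != pam_type:
            continue
        # Reduce /path/to/pam_unix.so to pam_unix
        module = re.sub(r"\.so$", "", m.group(3).rsplit("/", 1)[-1])
        entries.append((module, m.group(2), m.group(4).split()))
    return entries


def may_reprompt(text):
    """List pam_unix auth entries that follow another module and lack
    use_first_pass, i.e. are still allowed to ask for a password themselves."""
    stack = parse_stack(text)
    findings = []
    for idx, (module, _control, args) in enumerate(stack):
        if module == "pam_unix" and idx > 0 and "use_first_pass" not in args:
            findings.append((idx, stack[idx - 1][0], args))
    return findings


if __name__ == "__main__":
    for name, stack in (("before", BEFORE), ("after", AFTER)):
        print(name, may_reprompt(stack))
```
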

@mbssrc (Collaborator) commented Jan 22, 2026

works with AD by setting to !config.ghaf.services.sssd.enable

Signed-off-by: Kajus Naujokaitis <kajus.naujokaitis@unikie.com>
@kajusnau added the Needs Testing (CI Team to pre-verify) label Jan 23, 2026

@Gaya-03 (Collaborator) commented Jan 23, 2026

Tested on Darter Pro and Lenovo X1, working well with empty password entry. No more authentication stuck at the login screen observed.
Testing pending - AD enabled test scenario to be checked on Monday from office network.

@Gaya-03 (Collaborator) commented Jan 26, 2026

Completed the tests with AD login with empty password. All good

@Gaya-03 added the Tested on Lenovo X1 Carbon (This PR has been tested on Lenovo X1 Carbon) and Tested on System76 labels and removed the Needs Testing (CI Team to pre-verify) label Jan 26, 2026
@brianmcgillion merged commit 2eda060 into tiiuae:main Jan 26, 2026
32 checks passed