gnome-screensaver does not work with pam_unix2.so

Bug #89881 reported by tyler
Affects: gnome-screensaver (Ubuntu); Status: Triaged; Importance: Low; Assigned to: Unassigned

Bug Description

Binary package hint: gnome-screensaver

If the pam module pam_unix.so is replaced with pam_unix2.so, the gnome-screensaver fails to authenticate the user.

This is a strange behaviour, since terminal and gdm logins work.

Sebastien Bacher (seb128) wrote :

Thank you for your bug. What version of Ubuntu do you use?

Changed in gnome-screensaver:
importance: Undecided → Low
Håvard H. Garnes (hhgarnes) wrote :

I have the same problem, and I use feisty.

The reason I found this is because I'm experimenting with my fingerprint-reader, and since try_first_pass is unrecognized in standard pam_unix in feisty, I need to use pam_unix2.

Håvard H. Garnes (hhgarnes) wrote :

Disregard the thing about try_first_pass not working. Turns out try_fist_pass is the string that fails :-)

Sorry for that.

tyler (durdon-tyler) wrote :

I've traced the bug in the pam_unix2.so module.

The call to getspnam_r() in pam_sm_authenticate() (file unix_auth.c:280) sets errno to 13 (EACCES) when called from gnome-screensaver.
A normal login does return the entry in your shadow file.

I've not enough experience with pam and the system internals to trace the bug further at the moment, so could someone enlighten me or find a solution for this bug?

Is this in some way related to http://bugzilla.gnome.org/show_bug.cgi?id=370847 ?

tyler (durdon-tyler) wrote :

Addon: I've tried changing the rights on /etc/shadow to rwrr and authentication works fine. So it definitely is an access violation. Is the gnome-screensaver process in group shadow in ubuntu?
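
The lookup traced in the two comments above can be reproduced outside PAM. The following diagnostic is an added example, not code from this thread or from pam_unix2: it calls getspnam_r() with the credentials of whatever process runs it and classifies the result; the names `classify_shadow_lookup` and `probe_shadow` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

typedef enum { SHADOW_OK, SHADOW_DENIED, SHADOW_BUF_TOO_SMALL, SHADOW_NO_ENTRY } shadow_status;

/* Map getspnam_r()'s return code and result pointer to a status.
 * getspnam_r() returns 0 on success or an errno value; the result
 * pointer is NULL on error and when no entry exists. */
shadow_status classify_shadow_lookup(int rc, const struct spwd *result)
{
    if (result != NULL) return SHADOW_OK;
    if (rc == EACCES)   return SHADOW_DENIED;        /* errno 13 from the report */
    if (rc == ERANGE)   return SHADOW_BUF_TOO_SMALL;
    return SHADOW_NO_ENTRY;                          /* not found or other error */
}

/* Look up `user` in the shadow database as the calling process,
 * the way an in-process PAM module would. */
shadow_status probe_shadow(const char *user, int *rc_out)
{
    struct spwd entry, *result = NULL;
    char buf[4096];
    int rc = getspnam_r(user, &entry, buf, sizeof buf, &result);
    shadow_status st = classify_shadow_lookup(rc, result);
    explicit_bzero(buf, sizeof buf);   /* buf may hold the password hash */
    if (rc_out) *rc_out = rc;
    return st;
}

int main(void)
{
    static const char *names[] = { "entry readable", "EACCES: no access to shadow",
                                   "buffer too small", "no entry" };
    struct passwd *pw = getpwuid(getuid());
    const char *user = pw ? pw->pw_name : "root";
    int rc = 0;
    shadow_status st = probe_shadow(user, &rc);
    printf("uid=%d euid=%d egid=%d user=%s\n",
           (int)getuid(), (int)geteuid(), (int)getegid(), user);
    printf("getspnam_r rc=%d (%s) -> %s\n", rc, rc ? strerror(rc) : "success", names[st]);
    return st == SHADOW_DENIED;
}
```

Run it once as an ordinary desktop user and once as root or with group shadow to see both outcomes. pam_unix.so avoids this direct read for unprivileged callers by delegating the check to its unix_chkpwd helper.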

Basilio Kublik (sourcercito) wrote :

Hi there
Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering, is this still an issue for you? Can you try with the development version of Ubuntu, Hardy Heron?

Thanks in advance.

Changed in gnome-screensaver:
assignee: nobody → sourcercito
status: New → Incomplete
tyler (durdon-tyler) wrote :

The problem still exists and there is no way to use better password
security than md5 in gutsy with working screensavers. (also in hardy and
debian sid/experimental)

There has been some activity in fedora, and I think they have
implemented sha256 in glibc, but this is still not usable with the
normal userland tools (passwd, etc), but maybe I'm wrong :)
(https://bugzilla.redhat.com/show_bug.cgi?id=173002)

It would be great, if the next (or hardy+1) version would come with some
adequate hashing algorithm, as the password is now used for many things
beside usual login (think gnome-keyring, pam_mount with encrypted
drives, etc)

tyler (durdon-tyler) wrote :

I checked the current status of Fedora 8.

They now provide <sha256> and <sha512> password hashing.
This is implemented in the glibc crypt routines and works with the standard <pam_unix.so> module.
The only change necessary is to replace the <md5> string in the pam config file with either <sha256> or <sha512>.

They use glibc (2.7) and pam (0.99.8.1). As hardy is already using a glibc 2.7, it may be as simple as providing a backport for the pam modules to get the new password hashes.

I will try that myself and report back.

Basilio Kublik (sourcercito) wrote :

Thanks, I'll wait for your feedback.

tyler (durdon-tyler) wrote :

Tried backporting of the current pam (0.99.10.0), but they need some debian / ubuntu specific patches (@include directives, etc.)
I was not successful in adapting them for this version.

Either the @include of the pam config files does not work, or after trying to adapt the patch, pam_foreground.so does not exist and the login fails.

If someone with a little bit more experience with the package could help, I'd appreciate it, but for now I won't be able to get it working in acceptable time.

Changed in gnome-screensaver:
assignee: sourcercito → nobody
status: Incomplete → Triaged
Ale (antifumo) wrote :

The bug is still there in Ubuntu 8.04.1. I am using pam_unix2.so as here we use md5 passwords over NIS, and pam_unix.so fails to update this type of passwords (no way of using passwd instead of yppasswd, and this one only does the old des crypt). In /var/log/auth.log the following line can be found when trying to unlock the screen:

Jul 15 10:09:27 lslpc50 gnome-screensaver-dialog: pam_unix2(gnome-screensaver:auth): conversation failed

For now I will probably try to use pam_unix.so for auth and pam_unix2.so for password changing, disabling all the password types that pam_unix.so couldn't understand (e.g., Blowfish).
