Systemd-Homed - First login attempt is unsuccessful. Second attempt always works

I have created a few users with Systemd-Homed, but they all seem to encounter the same issue: when I submit the login password into GDM, the first submission is ignored. By “ignored” I mean that the password field resets and I do not receive any error messages. Regardless of whether I submit an incorrect password on the first attempt, the field resets, and I do not get any error feedback.

The second attempt always works. I suspect it is related to a PAM configuration, but I am not having any luck identifying a solution. After I am logged in, everything works fine. The home folder mounts and I have correct permissions to my files.

Steps to create users:

authselect enable-feature with-systemd-homed
homectl create barnabas --uid=1000 --real-name=Barnabas --member-of=wheel --storage=luks

The first user above was an account that I migrated. So, afterward, I used homectl with foobar -- rsync ... to sync files over.

Afterward, I created additional user accounts for the sake of debugging. These users encounter the same issues.

Logs

In the logs below, the following actions are taken:

  • Boot Silverblue
  • Attempt login with “barnabas”
    • First login attempt is ignored/reset without any error feedback (typical!)
    • Second login is successful
-- Boot 62485cc820014bcea6bdcb10c5ef42d1 --
Jun 04 13:58:51 fw0 systemd[1]: Starting systemd-homed.service - Home Area Manager...
Jun 04 13:58:51 fw0 systemd-homed[1331]: Successfully loaded private key pair.
Jun 04 13:58:51 fw0 systemd-homed[1331]: Watching /home.
Jun 04 13:58:51 fw0 systemd-homed[1331]: User record testuser.identity is signed only by us, accepting.
Jun 04 13:58:51 fw0 systemd-homed[1331]: Added registered home for user testuser.
Jun 04 13:58:51 fw0 systemd-homed[1331]: User record barnabas.identity is signed only by us, accepting.
Jun 04 13:58:51 fw0 systemd-homed[1331]: Added registered home for user barnabas.
Jun 04 13:58:51 fw0 systemd[1]: Started systemd-homed.service - Home Area Manager.
Jun 04 13:59:40 fw0 systemd-homed[1331]: barnabas: changing state inactive → activating-for-acquire
Jun 04 13:59:40 fw0 systemd-homework[2488]: None of the supplied plaintext passwords unlock the user record's hashed passwords.
Jun 04 13:59:40 fw0 systemd-homed[1331]: Activation failed: Password for home barnabas is incorrect or not sufficient for authentication.
Jun 04 13:59:40 fw0 systemd-homed[1331]: barnabas: changing state activating-for-acquire → inactive
Jun 04 13:59:40 fw0 systemd-homed[1331]: Got notification that all sessions of user barnabas ended, deactivating automatically.
Jun 04 13:59:40 fw0 systemd-homed[1331]: Home barnabas already deactivated, no automatic deactivation needed.
Jun 04 13:59:48 fw0 systemd-homed[1331]: barnabas: changing state inactive → activating-for-acquire
Jun 04 13:59:48 fw0 systemd-homework[2494]: Provided password unlocks user record.
Jun 04 13:59:48 fw0 systemd-homework[2494]: Successfully locked image file '/home/barnabas.home'.
Jun 04 13:59:48 fw0 systemd-homework[2494]: Allocated additional 72G.
Jun 04 13:59:48 fw0 systemd-homework[2494]: Setting up loopback device /dev/loop0 completed.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Setting up LUKS device /dev/mapper/home-barnabas completed.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Provided password unlocks user record.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Probing file system completed (found btrfs).
Jun 04 13:59:49 fw0 systemd-homework[2494]: File system check completed.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Mounting file system completed.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Image size already matching, skipping operation.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Read embedded .identity file.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Provided password unlocks user record.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Reconciling user identities completed (host and header version were identical).
Jun 04 13:59:49 fw0 systemd-homework[2494]: Reconciling embedded user identity completed (host and embedded version were identical).
Jun 04 13:59:49 fw0 systemd-homework[2494]: Recursive changing of ownership not necessary, skipped.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Synchronized disk.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Moving to final mount point /home/barnabas completed.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Activation completed.
Jun 04 13:59:49 fw0 systemd-homework[2494]: Image size is 118.8G, file system size is 118.8G, file system payload size is 118.8G, file system free is 72G.
Jun 04 13:59:49 fw0 systemd-homed[1331]: Home barnabas is signed exclusively by our key, accepting.
Jun 04 13:59:49 fw0 systemd-homed[1331]: barnabas: changing state activating-for-acquire → active

I have read a few forums with similar issues described. They suggested changes to /etc/pam.d/system-auth, however, I have not had any luck yet. However, considering that authselect already configured my PAM “correctly” I am at a loss. Feedback appreciated.


Hi.

I’m also facing the same issue. I think it might be caused by an “incorrect order” or options in the PAM configs, but I’m not competent enough to troubleshoot PAM.

Regards
ArturasB

This is very helpful feedback, thanks! Can you confirm that you used the same 2 steps (ie, used authselect and then used homectl create)?

If you don’t mind, could you review your journalctl -u systemd-homed logs and confirm that you see similar errors? I am curious if your error message is the same.

Below is my system-auth. Do you mind confirming that your PAM config is the same too?

sudo cat /etc/pam.d/system-auth

# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_systemd_home.so
auth        required                                     pam_deny.so

account     sufficient                                   pam_systemd_home.so
account     required                                     pam_unix.so

password    sufficient                                   pam_systemd_home.so
password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_systemd_home.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

Based on other forum posts, I had attempted to swap the auth [...] pam_unix.so and auth [...] pam_systemd_home.so lines, but I have not had any luck. After I complete my testing, I always reset it with sudo authselect apply-changes.

Here it goes:

# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_systemd_home.so
auth        required                                     pam_deny.so

account     sufficient                                   pam_systemd_home.so
account     required                                     pam_unix.so

password    sufficient                                   pam_systemd_home.so
password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_systemd_home.so
auth        required                                     pam_deny.so

account     sufficient                                   pam_systemd_home.so
account     required                                     pam_unix.so

password    sufficient                                   pam_systemd_home.so
password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_systemd_home.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_systemd_home.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

I used authselect to enable systemd-homed authentication. But my user is a bit more complicated, as I created it on Framework’s storage module in order to have a whole block device dedicated to the user’s home. I also install flatpak apps to --user instead of --system in order to contain as much as possible to the user’s home on external storage. Actually it worked just fine on Silverblue 41. This “double login” issue appeared only in version 42. What’s interesting is that I can use/activate the homed-managed user from another user account just fine by entering the passphrase only once. Should be something related to gdm, IMHO…

Very cool.

Are you referring to homectl activate testuser? I noticed that I can activate on first attempt too.

However, if the user is inactive and I attempt to login only via shell, ie su - testuser, I still have to enter the password twice. So I am not entirely convinced it is a gdm issue.

Yes.

What I meant by “this could be a gdm issue” is that the gdm/PAM config might be the cause. Again, I’m not competent regarding PAM/gdm, just guessing.


This has happened to me before.
I just upgraded now and rebooted my system and successfully logged in on my first attempt. I thought that maybe it happens after suspend, but I was able to log in on my first try.

journalctl -b -u systemd-homed

Jun 05 18:34:57 fedora systemd[1]: Starting systemd-homed.service - Home Area Manager...
Jun 05 18:34:57 fedora systemd-homed[1117]: Successfully loaded private key pair.
Jun 05 18:34:57 fedora systemd-homed[1117]: Watching /home.
Jun 05 18:34:57 fedora systemd-homed[1117]: User record richiedaze.identity is signed only by us, accepting.
Jun 05 18:34:57 fedora systemd-homed[1117]: Added registered home for user richiedaze.
Jun 05 18:34:57 fedora systemd[1]: Started systemd-homed.service - Home Area Manager.
Jun 05 18:35:59 fedora systemd-homed[1117]: richiedaze: changing state inactive → activating-for-acquire
Jun 05 18:35:59 fedora systemd-homework[2160]: Provided password unlocks user record.
Jun 05 18:35:59 fedora systemd-homework[2160]: Setting up loopback device /dev/sda1 completed.
Jun 05 18:36:01 fedora systemd-homework[2160]: Setting up LUKS device /dev/mapper/home-richiedaze completed.
Jun 05 18:36:01 fedora systemd-homework[2160]: Provided password unlocks user record.
Jun 05 18:36:01 fedora systemd-homework[2160]: Probing file system completed (found btrfs).
Jun 05 18:36:01 fedora systemd-homework[2160]: File system check completed.
Jun 05 18:36:01 fedora systemd-homework[2160]: Mounting file system completed.
Jun 05 18:36:01 fedora systemd-homework[2160]: Read embedded .identity file.
Jun 05 18:36:01 fedora systemd-homework[2160]: Provided password unlocks user record.
Jun 05 18:36:01 fedora systemd-homework[2160]: Reconciling user identities completed (host and header version were identical).
Jun 05 18:36:01 fedora systemd-homework[2160]: Reconciling embedded user identity completed (host and embedded version were identical).
Jun 05 18:36:01 fedora systemd-homework[2160]: Recursive changing of ownership not necessary, skipped.
Jun 05 18:36:01 fedora systemd-homework[2160]: Synchronized disk.
Jun 05 18:36:01 fedora systemd-homework[2160]: Moving to final mount point /home/richiedaze completed.
Jun 05 18:36:01 fedora systemd-homework[2160]: Activation completed.
Jun 05 18:36:01 fedora systemd-homework[2160]: Image size is 232.9G, file system size is 232.9G, file system payload size is 232.9G, file system free is 138G.
Jun 05 18:36:01 fedora systemd-homed[1117]: Home richiedaze is signed exclusively by our key, accepting.
Jun 05 18:36:01 fedora systemd-homed[1117]: richiedaze: changing state activating-for-acquire → active
Jun 05 18:37:29 fedora systemd-homed[1117]: richiedaze: changing state active → authenticating-for-acquire
Jun 05 18:37:29 fedora systemd-homework[6531]: Provided password unlocks user record.
Jun 05 18:37:30 fedora systemd-homework[6531]: Discovered used LUKS device /dev/mapper/home-richiedaze, and validated password.
Jun 05 18:37:30 fedora systemd-homework[6531]: Successfully re-activated LUKS device.
Jun 05 18:37:30 fedora systemd-homework[6531]: Provided password unlocks user record.
Jun 05 18:37:30 fedora systemd-homework[6531]: Discovered used loopback device /dev/sda1.
Jun 05 18:37:30 fedora systemd-homework[6531]: Read embedded .identity file.
Jun 05 18:37:30 fedora systemd-homework[6531]: Provided password unlocks user record.
Jun 05 18:37:30 fedora systemd-homework[6531]: Reconciling user identities completed (host and header version were identical).
Jun 05 18:37:30 fedora systemd-homework[6531]: Reconciling embedded user identity completed (host and embedded version were identical).
Jun 05 18:37:49 fedora systemd-homework[6531]: Everything completed.
Jun 05 18:37:49 fedora systemd-homed[1117]: richiedaze: changing state authenticating-for-acquire → active

sudo cat /etc/pam.d/system-auth

[sudo] password for richiedaze: 
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_unix.so nullok
auth        sufficient                                   pam_systemd_home.so
auth        required                                     pam_deny.so

account     sufficient                                   pam_systemd_home.so
account     required                                     pam_unix.so

password    sufficient                                   pam_systemd_home.so
password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_systemd_home.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

Yours says you entered the wrong password

Jun 04 13:59:40 fw0 systemd-homed[1331]: Activation failed: Password for home barnabas is incorrect or not sufficient for authentication.

Maybe the mechanism for receiving the password is at fault.

By the way, systemd-homed users should not use regular system UIDs, in your case 1000.

userdbctl

┌─ ↓ begin systemd-homed users ↓  regular          60001       - First systemd-homed user     -                             - 
   richiedaze                     regular          60001 60001 -                              /home/richiedaze              /bin/bash
└─ ↑ end systemd-homed users ↑    regular          60513       - Last systemd-homed user      -                             -

Also, your PAM file seems a mess compared to mine. It has two different configurations.

What profile are you using?
sudo authselect current

This is my current profile

Profile ID: local
Enabled features:
- with-systemd-homed
- with-silent-lastlog

Thanks for feedback. It is very positive to hear confirmation that it is working for other users!

I just compared the PAM config I provided with your config. They appear to be the same except that mine includes a “pam_fprintd.so” item, which is related to the fingerprint reader. Out of curiosity, I just tried removing that line, but it didn’t make a difference.

The issue occurs when the home-disk is first “inactive” and then becomes “active”, therefore, I do not encounter the issue after a Suspend. I only encounter it on a fresh login.

Your observation is accurate, the message reads: Password ... is incorrect or not sufficient for authentication. From my observation (as well as a little bit of guessing) I suspect that the first submission is being sent through the PAM stack, but is dropped by the time it reaches the systemd-homed.so auth mechanism, thereby being submitted as an empty payload.

In regards to UIDs, this guide suggests that using traditional UIDs is acceptable, though it is not the default path. Nonetheless, all my other test users have been created with default UIDs (ie, +6000); however, all my users have this login issue.

Example of my other test user that has the same login issue:

homectl create testuser --storage=luks

Profile info:
sudo authselect current

Profile ID: local
Enabled features:
- with-silent-lastlog
- with-mdns4
- with-fingerprint
- with-systemd-homed

I just tried making my authselect like yours (below), but unfortunately, that did not help.

Profile ID: local
Enabled features:
- with-systemd-homed
- with-silent-lastlog

Reset your profile (remove --nobackup for backup)
authselect select local --force --nobackup

Add the features you want (I didn’t need the others)
authselect enable-feature with-systemd-homed
authselect enable-feature with-silent-lastlog

Restart system, and let me know if anything changes.

Thank you for the suggestion! I just tried that reset process, however, it did not help.

I enabled debug logging, and then did a login attempt with my testuser and was able to confirm what I suspected earlier:

Jun 05 19:12:42 fw0 systemd-homed[26890]: Sending to worker: {"binding":{"35b0f041902041b89d85739af6217669":{"blobDirectory":"/var/cache/systemd/home/testuser","fileSystemType":"btrfs","fileSystemUuid":"3e0cc8e7-06bc-458a-a886-eaa7f537161c","gid":60271,"homeDirectory":"/home/testuser","imagePath":"/home/testuser.home","luksCipher":"aes","luksCipherMode":"xts-plain64","luksUuid":"5b70f4c3-8251-4f47-ac93-eaf25ff447c7","luksVolumeKeySize":32,"partitionUuid":"c595939c-60ae-4795-94e2-2790f7252368","storage":"luks","uid":60271}},"disposition":"regular","enforcePasswordPolicy":false,"lastChangeUSec":1748989457921895,"lastPasswordChangeUSec":1748989428871012,"perMachine":[{"diskSize":660248350720,"fileSystemType":"btrfs","matchMachineId":"35b0f041902041b89d85739af6217669","rebalanceWeight":0,"storage":"luks"}],"privileged":{"hashedPassword":["REMOVE"]},"realName":"testuser","signature":[{"data":"REMOVE"}],"userName":"testuser","status":{"35b0f041902041b89d85739af6217669":{"badAuthenticationCounter":14,"goodAuthenticationCounter":13,"lastBadAuthenticationUSec":1749168085628571,"lastGoodAuthenticationUSec":1749168089549382,"rateLimitBeginUSec":1749168762224579,"rateLimitCount":1}},"secret":{}}
Jun 05 19:12:42 fw0 systemd-homed[26890]: Successfully forked off '(sd-homework)' as PID 27647.
Jun 05 19:12:42 fw0 systemd-homed[26890]: testuser: changing state inactive → activating-for-acquire
Jun 05 19:12:42 fw0 systemd-homework[27647]: Loaded 'libcryptsetup.so.12' via dlopen()
Jun 05 19:12:42 fw0 systemd-homework[27647]: User record has no recovery keys, plaintext passwords not tested against it.
Jun 05 19:12:42 fw0 systemd-homework[27647]: None of the supplied plaintext passwords unlock the user record's hashed passwords.
Jun 05 19:12:42 fw0 systemd-homed[26890]: Got notify message lacking both ERRNO= and SYSTEMD_LUKS_LOCK_FD= field, ignoring.
Jun 05 19:12:42 fw0 systemd-homed[26890]: Worker reported error code ENOKEY.
Jun 05 19:12:42 fw0 systemd-homed[26890]: Activation failed: Password for home testuser is incorrect or not sufficient for authentication.
Jun 05 19:12:42 fw0 systemd-homed[26890]: Sent message type=error sender=n/a destination=:1.984 path=n/a interface=n/a member=n/a cookie=12 reply_cookie=4 signature=s error-name=org.freedesktop.home1.BadPassword error-message=Password for home testuser is incorrect or not sufficient for authentication.
Jun 05 19:12:42 fw0 systemd-homed[26890]: testuser: changing state activating-for-acquire → inactive
Jun 05 19:12:42 fw0 systemd-homed[26890]: Got notification that all sessions of user testuser ended, deactivating automatically.
Jun 05 19:12:42 fw0 systemd-homed[26890]: Home testuser already deactivated, no automatic deactivation needed.

If you look at the end of the first line, “Sending to worker”, on my first login attempt, I see:
"secret":{}

However, on the second attempt, this payload has a password-string in plaintext. It appears that systemd-homed does not receive a payload on the first attempt.
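To check this mechanically rather than by eye, the following script (an added example, not code from the original thread or from systemd) parses the `Sending to worker:` debug lines from `journalctl -u systemd-homed` and reports how many plaintext passwords each request carried, alongside the record's bad/good authentication counters. The journal lines below are constructed, modelled on the debug output above; the machine id, hashed password and plaintext secret are placeholders.

```python
import json
import re

# Constructed sample journal lines modelled on the debug output in the thread.
# "MACHINEID", "REMOVE" and "REDACTED" are placeholders, not real values.
SAMPLE_JOURNAL = """\
Jun 05 19:12:42 fw0 systemd-homed[26890]: Sending to worker: {"userName":"testuser","storage":"luks","privileged":{"hashedPassword":["REMOVE"]},"status":{"MACHINEID":{"badAuthenticationCounter":14,"goodAuthenticationCounter":13}},"secret":{}}
Jun 05 19:12:42 fw0 systemd-homed[26890]: testuser: changing state inactive → activating-for-acquire
Jun 05 19:12:42 fw0 systemd-homework[27647]: None of the supplied plaintext passwords unlock the user record's hashed passwords.
Jun 05 19:12:50 fw0 systemd-homed[26890]: Sending to worker: {"userName":"testuser","storage":"luks","privileged":{"hashedPassword":["REMOVE"]},"status":{"MACHINEID":{"badAuthenticationCounter":15,"goodAuthenticationCounter":13}},"secret":{"password":["REDACTED"]}}
Jun 05 19:12:50 fw0 systemd-homework[27650]: Provided password unlocks user record.
"""

# The JSON user record follows "Sending to worker: " and runs to the end of the line.
WORKER_RE = re.compile(r"systemd-homed\[\d+\]: Sending to worker: (\{.*\})\s*$")


def parse_worker_requests(journal_text):
    """Return one dict per 'Sending to worker' line describing what homed handed the worker."""
    results = []
    for line in journal_text.splitlines():
        m = WORKER_RE.search(line)
        if not m:
            continue
        record = json.loads(m.group(1))
        # In JSON user records the plaintext secrets live under "secret" -> "password" (a list).
        passwords = record.get("secret", {}).get("password", [])
        # "status" is keyed by machine id; take the first (only) machine's counters.
        status = next(iter(record.get("status", {}).values()), {})
        results.append({
            "timestamp": line[:15],  # "Jun 05 19:12:42"
            "user": record.get("userName"),
            "password_count": len(passwords),
            "bad_auth": status.get("badAuthenticationCounter"),
            "good_auth": status.get("goodAuthenticationCounter"),
        })
    return results


def empty_secret_attempts(journal_text):
    """Timestamps of activation requests that reached the worker with no password at all."""
    return [r["timestamp"] for r in parse_worker_requests(journal_text)
            if r["password_count"] == 0]


if __name__ == "__main__":
    # On a real system: journalctl -u systemd-homed -b | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for r in parse_worker_requests(text):
        print(f"{r['timestamp']} user={r['user']} passwords_sent={r['password_count']} "
              f"bad={r['bad_auth']} good={r['good_auth']}")
    print("empty-secret attempts:", empty_secret_attempts(text))
```

A request with `passwords_sent=0` means PAM never forwarded a credential to homed for that attempt, which is exactly the symptom the poster describes, as opposed to a wrong password being forwarded and rejected.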