OK folks, so today PAM finally landed in Slackware.
What does that mean? Not much actually. Your Slackware will keep functioning as before. The new functionality offered by the Pluggable Authentication Modules is not directly visible. Let me simply copy the ChangeLog.txt announcement verbatim:
Wed Feb 12 05:05:50 UTC 2020 Hey folks! PAM has finally landed in /testing. Some here wanted it to go right into the main tree immediately, and in a more normal development cycle I'd have been inclined to agree (it is -current, after all). But it's probably better for it to appear in /testing first, to make sure we didn't miss any bugs and also to serve as a warning shot that we'll be shaking up the tree pretty good over the next few weeks. I'd like to see this merged into the main tree in a day or two, so any testing is greatly appreciated. Switching to the PAM packages (or reverting from them) is as easy as installing all of them with upgradepkg --install-new, and if reverting then remove the three leftover _pam packages. After reverting, a bit of residue will remain in /etc/pam.d/ and /etc/security/ which can either be manually deleted or simply ignored. While there are many more features available in PAM compared with plain shadow, out of the box about the only noticable change is the use of cracklib and libpwquality to check the quality of a user-supplied password. Hopefully having PAM and krb5 will get us on track to having proper Active Directory integration as well as using code paths that are likely better audited these days. The attack surface *might* be bigger, but it's also a lot better scrutinized. Thanks to Robby Workman and Vincent Batts who did most of the initial heavy lifting on the core PAM packages as a side project for many years. Thanks also to Phantom X whose PAM related SlackBuilds were a valuable reference. And thanks as well to ivandi - I learned a lot from the SlackMATE build scripts and was even occasionally thankful for the amusing ways you would kick my ass on LQ. ;-) You're more than welcome to let us know where we've messed up this time. The binutils and glibc packages in /testing were removed and are off the table for now. I'm not seeing much upside to heading down that rabbit hole at the moment. Next we need to be looking at Xfce 4.14 and Plasma 5.18 LTS and some other things that have been held back since KDE4 couldn't use them. Cheers! :-)
Also today, I uploaded a fresh batch of Plasma5 packages to my ‘ktown’ repository. This time, the ‘latest‘ and ‘testing‘ versions of the repository are different!
The regular aka ‘latest’ repository content is meant for an up-to-date Slackware-current without PAM. The ‘testing’ repository on the other hand is compiled against a pam-ified Slackware and can be used if you have added the new ‘testing’ PAM packages of Slackware-current to your system.
The packages that picked up PAM support are: kscreenlocker and plasma-workspace (in the ‘plasma’ directory), and sddm-qt5 (in ‘plasma-extra’). A new package has been introduced as well: kwallet-pam (in the ‘plasma’ directory).
I expect that Plasma5 gets folded into the distro soon after PAM moves out of testing and into the core distro.
The new KDE-5_20.02 batch is now available for download from my ‘ktown‘ repository. As always, please remove KDE4 first (check the README for instructions if you still need those). These packages will not work on Slackware 14.2.
What else is new in the February 2020 release
This month’s KDE Plasma5 for Slackware contains the KDE Frameworks 5.67.0, Plasma 5.18.0 and Applications 19.12.2. All this on top of Qt 5.13.2.
Deps:
This month no updates to the ‘deps’ section (except in ‘testing’ where I removed cracklib and libpwquality since those are now part of the Slackware PAM related packages).
Frameworks:
Frameworks 5.67.0 is an incremental stability release, see: https://www.kde.org/announcements/kde-frameworks-5.67.0.php.
Plasma:
Plasma 5.18.0 is the first release of 5.18 LTS (Long Term Support). The focus for this new release cycle has been on improving the notification system, a much improved audio-volume systray widget, streamlining the desktop settings (no more ‘cashew’ menu in the top right) and a much better integration of GTK+ based applications with the Plasma desktop theme, through the use of client-side decorations. Also, the graphical performance has been tweaked with less graphical glitches and Nvidia GPU statistics displayed in KSysGuard. See https://www.kde.org/announcements/plasma-5.18.0.php for the full announcement including several video’s portraying the strong points of KDE’s desktop environment.
Plasma-extra;
In plasma-extra I updated latte-dock and rebuilt sddm-qt5.
Applications;
Applications 19.12.2 is a stability and bugfix update for the 19.12 cycle. Remember that I still call this ‘Applications‘ but KDE folk prefer the new name ‘Releases‘. See https://kde.org/announcements/releases/2020-02-apps-update/
Applications-extra:
In applications-extra I updated kdevelop-pg-qt, kdevelop, kdev-php, and kdev-python..
Telepathy:
KDE Telepathy is no longer part of my ‘ktown’ distribution of KDE Plasma5.
Where to get it
Download the KDE-5_20.02 from the usual location at https://slackware.nl/alien-kde/current/ or one of its mirrors like http://slackware.uk/people/alien-kde/current/ .
Check out the README file in the root of the repository for detailed installation or upgrade instructions.
Development of Plasma5 is tracked in git: https://git.slackware.nl/ktown/ .
A new Plasma5 Live ISO is going to be available soon at https://slackware.nl/slackware-live/latest/ (rsync://slackware.nl/mirrors/slackware-live/latest/) with user/pass being “live/live” as always. I am still working on an improved ‘setup2hd‘ and depending on the amount of work (and setbacks) I may decide to leave the ‘old’ setup2hd script in the ISO for now.
Have fun! Eric
Hi Eric,
Thanks for the update. Is kwallet-pam a replacement or of the kwallet package or an addition to it?
Greets
Lioh
I have examined the content of kwallet-pam and have noticed that it just contains the pam module for kwallet, so it’s an addition.
I have now set up all necessary packages from the testing branch and installed kwallet-pam. My kwallet Password is the same as the login password. Still I am prompted for entering the password to unlock the wallet. Is there anything I have missed? Do I have to set up a completely new wallet in order to make it work?
I have no idea, so I will let you figure it out and report back here…
But does it work on your setup?
I am not behind my own computers today.
Thank you Eric! Everything runs great so far here.
I just saw the font settings of my GTK look and feel setup changed. Now I cannot use a separate font setting for GTK apps. Progress, they call it.
I’m using the PAM enabled (testing) version, and so far no problems and good functionality. Thanks!
It seems that the GTK Theme settings are gone completely. Or have you find an alternative settings dialog? The font issue is a little bit ugly. E.g. if I am not able to change the font settings, Thunderbird cuts the lower part of the letters like ‘g’ or ‘y’ in message lists and displays them when you hover an entry with the mouse, which leads to continuous screen flickering. I think I am going to open an issue on that. In the meanwhile it would be good to know if there is still an alternative way to set fonts for GTK apps.
From the announcement: ” GTK apps now also automatically inherit Plasma’s settings for fonts, icons, mouse cursors and more.”
Yes, and this is the part which does not really work. I have filed an issue on that: https://bugs.kde.org/show_bug.cgi?id=417568
What’s even worse is that at least on my machine it’s no longer possible to change any KDE font settings at all. The apply button is always grayed out, even after changing some settings. If anyone else experiences this as well, I am willed to file another request on that as well.
I can confirm that the Apply button in Font Settings remains greyed out. If I return to another tab in Systemsettings I also do not get asked what to do with my changes, and when I return to Font Settings I see the original configuration has been restored. My test system at the moment is a PAM-ified Slackware Live. Did you install the PAM packages Lioh?
Yes, I am using the testing packages with PAM (where I also face the kwallet issue)
I am having the same issue (can’t change fonts in system settings) with the “latest” build of Plasma 5. Otherwise Plasma 5 is running great! Thank you Eric!
The Thunderbird issue is gone after applying the fixed packages, changing one value in the fonts dialog and changing it back afterwards.
Eric, I did not find the new emoji selector announced as part of 5.18. Was it left out on purpose?
Looks like the emoji popup requires ibus since the missing binary is called “ibus-ui-emojier-plasma”.
I do not ship ibus since Slackware already has scim, but perhaps that needs some consideration.
Thanks for the info Eric.
pam version installed here, without problem, for the moment, ‘sip’need update, (4.19.21 in current), ‘kpmcore’ and ‘partitionmanager’ are available in new (4.1.0) version.
thanks, Eric. 😉
Hi Eric, Just updated two machines with the non-PAM version (I’ll wait for Slackware for that!). All seems to be working, but both machines have flagged up a warning (Bell icon in the panel). Message reads:
“Error loading QML file: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/main.qml:108:37: Type CompactRepresentation unavailable
file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/CompactRepresentation.qml:27:1: module “org.kde.quickcharts” is not installed”
Quickcharts??? I thought I had everything installed!
—
Pete
From way back in december – https://alien.slackbook.org/blog/x-mas-plasma5-december-19-release-of-ktown-for-slackware/ :
“Frameworks 5.65.0 is an incremental stability release, see: https://www.kde.org/announcements/kde-frameworks-5.65.0.php but the developers added a new Framework this time: kquickcharts.”
I’m very happy to hear of PAM making it into Slackware. I’ve been maintaining PAM and related packages (e.g., shadow, openssh, etc.) for 14.2 in order support two-factor authentication. This will certainly help lower the maintenance burden for us in Slackware versions going forward.
Thanks Eric! My mistake, I must have missed that!
—
Pete
Btw congrats Eric, Slackware-Live was selected as Live Distribution of the Year:
https://www.linuxquestions.org/questions/linux-news-59/2019-linuxquestions-org-members-choice-award-winners-4175669458/
Slackware-Live surely doth rock.
New Plasma5 update working fine. It may be a little quicker than before. I didnt try the PAM thing yet. Congratulations on Plasma5 getting embodied in Slackware. Thanks for your work and consideration. I notices you mentioned scim. I used scim a few years and although it can be irritating I was used to it. I had transitioned from scim to fcitx a few weeks ago. Fcitx works ok but is easily broken whereas scim was fairly robust to a changing environment. scim’s problem now is no qt5 support. There seems to be something wrong with the setup of fcitx and perhaps some changing of the environment keeps messing with fcitx. certainly the install instructions for fcitx are somewhat faulty but i can make it work. I will work on it more as time permits and will report back if i learn anything
Thanks Eric for the new packages.
I smoothly updated to ‘latest’ (no PAM testing). I do confirm that the “Apply” button is greyed out for Font configuration even in ‘latest’ (I couldn’t reply in the relevant thread as there was no “reply” button on the last two posts from you and Lioh).
Cosmetic point: as of time of writing, this link is now working https://kde.org/announcements/releases/19.12.2/ (Not found)
Thanks, I fixed the link in the main article, it is https://kde.org/announcements/releases/2020-02-apps-update/
There’s a bug report for the “Apply” button issue in Font configuration : https://bugs.kde.org/show_bug.cgi?id=416358
type error in my previous comment: the link to application release announcement is NOT working.
I am building a new plasma-desktop package with the patch from that bug report applied and if that solves the issue I’ll upload that to the repository.
Yep, bug fixed. I am re-generating the repository metadata and will upload the fix afterwards.
Thanks Eric for quick fix.
I do confirm that the issue is solved with the updated package (using ‘latest’)
When I make a change in any setting and don’t press the “Apply” button, I don’t have a warning message when I quit the setting. I can’t remember if there has ever been such a warning message in KDE 5. Anyway no big deal if I forget to apply a change, I can always come back and do it again.
The warning that you’re about to discard your changes has always been there.
I am now also going to upload the plasma-desktop fix package for the ‘testing’ repository.
This is why most often, I wait at least a few days to allow others to walk on point during the patrol so others can do the heavy lifting wrt bugsquashing 😉
I’m such a pussy sometimes lolz.
I installed the PAM version. Great job!
(I’m having problems with pam_limits, though: jack2 cannot be run in real time mode anymore, at least not locally — works over ssh; I’m trying to understand why)
Just a note: maybe you should change the last two lines in /etc/pam.d/sddm-greeter (sddm-qt5) to:
-session optional pam_systemd.so
-session optional pam_elogind.so
at least for the time being…;-)
Thanks for your work!
andrea
Hi Andrea,
may I ask you if you have been able to get kwallet/gnome-keyring to work with SDDM and PAM to automatically unlock the keyring on Login?
Greets
Lioh
no, I didn’t even try, since I was busy with the pam_limits stuff (I found the problem and a fix, and posted on LQ).
Just thinking aloud, but I wonder if it may be related to the fact the ConsoleKit is compiled without polkit support… I rebuilt it with that flag and I’m going to test it soon (but I’m not an expert on this stuff).
andrea
I had a closer look at pam_kwallet5 and it has a few issues:
1. PAM is looking for modules in /lib/securty, whereas pam_kwallet sits in /usr/lib64/securitty (there is also pam_cifscreds.so from the cirs_utils package, sitting there);
2. it requires socat: this is hidden in /usr/lib64/pam_kwallet_init, but without it there’s no way for kwalletd5 to get to know the password.
3. on my system it keeps failing with ” pam_kwallet5: open_session called without kwallet5_key”
I tried to force it to launch kalletd5 but it didn’t unlock the wallet… I’ll try to have a closer look and see if I can find a fix (my daughter is using it, but not me)…
Best,
andrea
Thanks andrea for all this debugging work. I will see what I can do with that.
I have a solution: will post it in a few minutes (I’m doing some checks).
andrea
I posted the solution on LQ, easier to edit..;-)
https://www.linuxquestions.org/questions/slackware-14/how-to-use-pam-to-unlock-the-kde-wallet-in-plasma-4175669657/
Its a pleasure to help!
andrea
I have suggested Pat that he changes /lib/security to /lib64/security for 64bit Slackware. Distros like Fedora and Arch also make this directory architecture dependent.
And indeed I will also have to build a ‘socat’ package.
Dear Andrea, Dear Eric,
thanks for taking care about this. I can confirm that everything now works as expected.
Greets
Lioh
Maybe this is not the right place, but just a couriosity. Is there any specific reason for not using Qt 5.14.1 and not including wayland support in slackware current?
I just did not have the time to check all the packages depending on Qt5 to see if they are compatible with 5.14. In the beginning there was a lot of breakage. Pat is assimilating the ktown repository ‘as-is’ because it works. Going forward, I expect he will adopt his own update policy which will certainly be different from mine.
And wayland? You have to ask Pat about that, I do not think he wants to go there.
You installed pam, Eric, I don’t believe it 😉
it’s a joke 😉
I have internally been pushing for PAM to be included for the last two years…Pat decided on an implementation order where PAM would come before Plasma5.
This should come as a welcome announcement to KikiNovak, who lamented his migration to CentOS because of difficulties of not having PAM rolled into the distro. Maybe he’ll come back in full force and migrate everything back to Slackware once again 🙂
Sometimes Slackware is the very very first (MariaDB, followed by SuSE’s adoption as the default), and sometimes it lags (to the chagrin of some), but when it’s soup, it is served and always stable. What bothers me are the snipes by some who are always publicly and sometimes vitriolically disgruntled because they feel they can’t have it their way, yet truth be told, nothing has prevented anyone from integrating PAM or anything else in their own installed boxes if it was something they really wanted.
Can’t say I was ever disatisfied with Slackware since I adopted it in the early nineties. Well, yah, I was stubborn at one point when so-called standards for multi-media PCs was a big thing and CDROM players were tied to soundblaster 16 cards, and Patrick started releasing Slackware on CDs, but that’s on me for being stubborn, and like anything else, wouldn’t want to ever go back to making and swapping out boot/root/and disks for SCSI drivers in the days of old lolz…
Great work on everything you do for the community Eric, and although I don’t do much with bleeding edge WM/DEs I know all the hoops you jump through to bring your Ktown rolls to everyone and endure complaints from ungrateful folks who just like to complain about things only shows what an asset you truly are to Patrick and our community.
Thank you for all you do, all you’ve endured, and your commitment to excellence!
Kindest regards,
Bradley
.
Sorry, Eric, I thought you didn’t like ‘pam’. 😉
I do not like systemd.
But I do think pam is a welcome and useful enhancement for Slackware. I have not been outspoken in public about pam, because if I would share my opinion, that could have beeen seen as authoritative for Slackware’s future direction. And I really needed Pat to make that call in public.
In my work I have been using PAM for 18 years now, and the only times that PAM did not work was when I had made a configuration error.
As Pat said, the code paths involving shadow and/or pam will nowadays be better audited when pam is involved. You will have to look hard to find modern environments that do not use pam, so regression tests of new code is pretty hard if developers do not have ready access to non-pam systems.
Eric,
can we safely replace your qt5 package with the new official one without breaking Plasma?
I will find out myself soon, because I have removed the SDL_sound, OpenAL, libxkbcommon and qt5 packages from ktown locally and will update my slackware64-current installation today.
Do not forget to install all the new packages in Slackware -current, that includes openal-soft which is the new name in Slackware for my OpenAL package.
Yep everything still works -)
That’s awesome, thanks 🙂
Shall we also drop the cracklib and libpwquality packages from ktown, in a pam testing installation?
LoneStar, the ‘testing’ repository of ktown does not contain cracklib or libpwquality packages. The ones in Slackware’s /testing area should be used instead.
My issues with fcitx were fixed by rebuilding and reinstalling it . Now it looks different than before but has full function. Unrelated is that sometimes plasma5 gets confused about what open windows should be displayed in the panel Shift-Alt-F12 resets it and puts every thing back right. Sometimes the clock also gets stuck and the same Shift-Alt-F12 refreshes everything back to ok again.
I have added a ‘socat’ package to my ‘ktown’ repository and Pat has moved /lib/security to /lib64/security in Slackware-current. That hopefully helps getting the KDE Wallet system to work with PAM as intended.
you also have to change kwallet-pam so that it will drop pam_kwallet5.so in /lib64/security (and not in /usr/lib64/security as it presently does), and change /etc/pam.d/sddm in sddm-qt5 so that the first line is:
auth substack login
this is crucial: without substack pam_kwallet5 and pam_gnome_keyring will not run during the authorization process and will not set some data. this is the reason why you would get a /var/log/secure error otherwise:
“pam_kwallet5: open_session called without kwallet5_key”
by doing so both kwallet and gnome-keyring work smoothly here… (and my daughter is very happy not to have to type her password three times before getting plasma, skype and chromium started….;-).
andrea
In my desktop, after login I still have to type the kdewallet password once (for the first application that wants to open the wallet) after each login. After that all other applications won’t ask again for a password.
Is this different in your case? I.e. after login, do you no longer get a “enter password for wallet ‘kdewallet'”?
In my daughter’s desktop she types the login password in sddm and then kwallet will get unlocked by pam_kwallet5: no need to type a password when the first application wants to open the wallet, since it is already opened during login (before switching to PAM chromium would ask for the kde wallet password at the first start — not anymore).
in your desktop pam_kwallet5 is not working.
(the same for skype and gnome-keyring)
It works now, with the kwallet-pam and sddm-qt5 packages that I just uploaded.
OK… forgot to move the kwallet-pam library to the correct location. I need to fix that still.
… and now it all works properly. I will upload a new kwallet-pam and sddm-qt5 package to the ‘testing’ repository.
post install script for kscreenlocker needs PAM check like in plasma-workspace
Done, thanks.
hi,
wayland is out in slackware-current
Any updates on how to install plasma, I am sure some commands have to be changed.
Cheers
Pritvi
Why do you think it changes the way you install Plasma5? It changes nothing,
Wayland will do nothing for Plasma5 until I recompile the packages and explicitly enable Wayland support.
Thanks for the info.
I did not test wayland + plasma5 + slackware-current.
I thought it was just removing or adding some other/new packages.
Wayland support in Plasma 5 (basically in kwin_wayland) seems to be only possible if Slackware would add systemd-logind or else elogind (which is the standalone logind component of the systemd code but without any dependency on systemd).
It’s going to be a journey to get this done, but it starts with having Wayland in Slackware and the core packages (mesa, xorg-server and qt5) compiled with Wayland support. Luckily Pat Volkerding did just that.
Hi Eric,
I’m not familiar with Wayland and I’m in no hurry to get into it. But when I wanted to add the new Slackware packages wayland and wayland-protocols, I found out that these packages were already installed via ktown repository (/deps). Shouldn’t those packages be now removed from ktown repository?
Yes, wayland and wayland-protocols will be removed from my repository. But I am busy at the moment.
Hi Eric,
I installed Plasma 5.18.1 available today and noticed the system tray is throwing an error: Error loading QML file: file:///usr/share/ Is there something I can do to regenerate the system tray entries or is it best to wait for a Plasma update?
Thanks!
Same here, getting
“Error loading QML file: file:///usr/share/plasma/plasmoids/org.kde.plasma.private.systemtray/contents/ui/main.qml:386:19: Type ExpandedRepresentation unavailable file:///usr/share/plasma/plasmoids/org.kde.plasma.private.systemtray/contents/ui/ExpandedRepresentation.qml:134:9: PlasmoidPopupsContainer is not a type”
Same question as here: https://www.linuxquestions.org/questions/slackware-14/all-things-kde5-plasma-for-slackware-users-4175670109/#post6093321
The cause is that I re-packaged the plasma-workspace package (explodepkg, followed by an edit of the ‘startkwayland’ script, followed by makepkg) and since I did that on my Slackware 14.2 server I ran into a tar bug. Due to the bug, files in the tarball get truncated to 100 characters if they are 101 characters long.
I was bitten by this last year as well. Back then I noticed before uploading the affected package.
I need to run the explodepkg/makepkg on a -current computer where the bug does not occur.
I am currently rebuilding that package and will upload the fixed version later today.
The quick fix if you do not want to wait for the new package:
# mv /usr/share/plasma/plasmoids/org.kde.plasma.private.systemtray/contents/ui/PlasmoidPopupsContainer.qm{,l}
This other file is affected as well, so not just the one above:
/usr/share/plasma/look-and-feel/org.kde.breeze.desktop/contents/windowdecoration/WindowDecoration.qm is missing the “l” at the end.
Hi Eric,
I would like to request that if possible you could include the emoji selector in an upcoming refresh of ktown. Thanks for everything.
The answer was already given a bit higher up:
Emoji popup selector requires ibus. I do not ship ibus with my ‘ktown’ packages because Slackware already has scim,
I maintain two s*64-current installs (one with Plasma/KDE5 and my main development branch still using KDE4). I haven’t upgraded either since early February – so they are both pre-pam. I will start with the KDE4 install which I have backed up in anticipation of encountering issues. I have read most of the threads here but before I try this I will also post on LQ soliciting any precautions or package order dependencies.
In theory I should be able to just run slackpkg and everything will just go smoothly but I have backed up my /root and /usr partitions just in case.
Eric – Do you have any advise about package order (or any other dependencies that slackpkg won’t account for) before I give this a go? I have installed several Slackbuild packages that I really don’t wish to break.
Just be sore to first install all the new packages (slackpkg install-new) before you start upgrading existing packages. And afterwards, before reboot, do not forget “slackpkg new-config” to move any PAM related init script modifications into place.
As for 3rd party applications, they should not be relevant for a switch to PAM and everything should keep running.
Thanks a lot. Will do Eric.
Hi Eric,
I chickened out here…
Instead of attempting a complete upgrade on my development box (still running KDE4) I decided to first give this a go on an older laptop system (Lenovo ThinkPad) running KDE5/Plasma. I’m not exactly sure which version of KDE5 it was but it looks like it dated back to Dec 2019. Like I said. Old. I carefully followed your README (regarding removing ConsoleKit2 package etc.) and I now have the system up and a couple questions regarding the new Plasma. Since this is Plasma related and not PAM related I will post them under your latest Plasma announcement thread.