https://bugs.kde.org/show_bug.cgi?id=521776
Aaron <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|FIXED |WAITINGFORINFO Status|RESOLVED |VERIFIED --- Comment #10 from Aaron <[email protected]> --- Confirming this bug on CachyOS with krdp 6.7.1-1.1. The NoNewPrivileges=true directive in the systemd user service file app-org.kde.krdpserver.service prevents PAM authentication from functioning for system users. Environment: - Distro: CachyOS (latest, as of June 26, 2026) - Kernel: Linux 7.1.1-2-cachyos - KDE Plasma: 6.7.1 - KRdp: 6.7.1-1.1 (cachyos-extra-v4) - Display: Wayland - PAM authentication: system-auth (pam_unix + pam_faillock) - Client tested: aRDP on Android, xfreerdp on Linux Steps to Reproduce: 1. Enable "Remote Desktop" in KDE System Settings with "System User" authentication enabled 2. Connect via any RDP client using the system username and password 3. Observe connection fail immediately after authentication attempt Server-side logs (syslog/journalctl): krdpserver[PID]: New client connected: Unspecified platform Unspecified version krdpserver[PID]: pam_unix(login:auth): authentication failure; logname=<user> uid=1000 euid=1000 tty= ruser= rhost= user=<user> krdpserver[PID]: pam_authenticate failure: Authentication service cannot retrieve authentication info krdpserver[PID]: [ERROR] [rdp_peer_handle_state_active]: PostConnect for peer 0x... failed krdpserver[PID]: [ERROR] [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1] After repeated failures, pam_faillock locks the account: krdpserver[PID]: pam_faillock(login:auth): Consecutive login failures for user <user> account temporarily locked krdpserver[PID]: pam_authenticate failure: Authentication failure Root Cause: The file /usr/lib/systemd/user/app-org.kde.krdpserver.service contains: [Service] NoNewPrivileges=true This prevents pam_unix from spawning unix_chkpwd (a setuid binary) to verify the user's password against /etc/shadow. As a result, every PAM authentication attempt fails regardless of whether the password is correct. Workaround: Create a systemd user service override: mkdir -p ~/.config/systemd/user/app-org.kde.krdpserver.service.d cat > ~/.config/systemd/user/app-org.kde.krdpserver.service.d/override.conf << 'EOF' [Service] NoNewPrivileges=false EOF systemctl --user daemon-reload systemctl --user restart app-org.kde.krdpserver.service This restores correct PAM login behavior. The override persists across service file updates since it resides in the user's local config directory. Verification: After applying the workaround, connecting via RDP succeeds immediately with the correct system password. Logs show successful authentication and a stable session. Notes: - The password itself is correct — it works for sudo and console login. Only krdp authentication fails. - After clearing the pam_faillock counter and applying the override, connections succeed on the first attempt. - This was reported on Gentoo (Bug 521776) and I am confirming it also affects Arch-based distributions (CachyOS) with the same krdp 6.7.x version. The fix is identical. - Note: I'm a real person submitting this bug report but I did have hermes-agent (an AI tool) discover the problem, fix it and write this bug report for me on my PC. -- You are receiving this mail because: You are watching all bug changes.
