https://bugs.kde.org/show_bug.cgi?id=521776

Aaron <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |WAITINGFORINFO
             Status|RESOLVED                    |VERIFIED

--- Comment #10 from Aaron <[email protected]> ---
Confirming this bug on CachyOS with krdp 6.7.1-1.1. The NoNewPrivileges=true
directive in the systemd user service file app-org.kde.krdpserver.service
prevents PAM authentication from functioning for system users.

    Environment:

    - Distro: CachyOS (latest, as of June 26, 2026)
    - Kernel: Linux 7.1.1-2-cachyos
    - KDE Plasma: 6.7.1
    - KRdp: 6.7.1-1.1 (cachyos-extra-v4)
    - Display: Wayland
    - PAM authentication: system-auth (pam_unix + pam_faillock)
    - Client tested: aRDP on Android, xfreerdp on Linux

    Steps to Reproduce:

    1. Enable "Remote Desktop" in KDE System Settings with "System User"
authentication enabled
    2. Connect via any RDP client using the system username and password
    3. Observe connection fail immediately after authentication attempt

    Server-side logs (syslog/journalctl):


    krdpserver[PID]: New client connected: Unspecified platform Unspecified
version
    krdpserver[PID]: pam_unix(login:auth): authentication failure;
logname=<user> uid=1000 euid=1000 tty= ruser= rhost=  user=<user>
    krdpserver[PID]: pam_authenticate failure: Authentication service cannot
retrieve authentication info
    krdpserver[PID]: [ERROR] [rdp_peer_handle_state_active]: PostConnect for
peer 0x... failed
    krdpserver[PID]: [ERROR] [transport_check_fds]: transport_check_fds:
transport->ReceiveCallback() - STATE_RUN_FAILED [-1]


    After repeated failures, pam_faillock locks the account:


    krdpserver[PID]: pam_faillock(login:auth): Consecutive login failures for
user <user> account temporarily locked
    krdpserver[PID]: pam_authenticate failure: Authentication failure


    Root Cause:

    The file /usr/lib/systemd/user/app-org.kde.krdpserver.service contains:


    [Service]
    NoNewPrivileges=true


    This prevents pam_unix from spawning unix_chkpwd (a setuid binary) to
verify the user's password against /etc/shadow. As a result, every PAM
authentication attempt fails regardless of whether the password is correct.

    Workaround:

    Create a systemd user service override:


    mkdir -p ~/.config/systemd/user/app-org.kde.krdpserver.service.d
    cat > ~/.config/systemd/user/app-org.kde.krdpserver.service.d/override.conf
<< 'EOF'
    [Service]
    NoNewPrivileges=false
    EOF
    systemctl --user daemon-reload
    systemctl --user restart app-org.kde.krdpserver.service


    This restores correct PAM login behavior. The override persists across
service file updates since it resides in the user's local config directory.

    Verification:

    After applying the workaround, connecting via RDP succeeds immediately with
the correct system password. Logs show successful authentication and a stable
session.

    Notes:

    - The password itself is correct — it works for sudo and console login.
Only krdp authentication fails.
    - After clearing the pam_faillock counter and applying the override,
connections succeed on the first attempt.
    - This was reported on Gentoo (Bug 521776) and I am confirming it also
affects Arch-based distributions (CachyOS) with the same krdp 6.7.x version.
The fix is identical.
     - Note: I'm a real person submitting this bug report but I did have
hermes-agent (an AI tool) discover the problem, fix it and write this bug
report for me on my PC.

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to