Alle diskussioner > Steam-fora > Hardware and Operating Systems > Trådoplysninger
karl***** 2. juli kl. 23:13
RESOLVED (comment#7): KDE screen saver on SteamOS 3.8/SteamDeck: "Unlocking failed" after entering correct password
Short version: the user deck is prohibited from accessing the account by /etc/shadow.
Extended version including resolution: https://steamhost.cn/steamcommunity_com/discussions/forum/11/601908863574268018/#c601908863574349342

Dear community,
after having used Steam for quite some time on Windows I recently started to enjoy my Steam Deck and very much so - both as gaming console and as computer.

I plan on using it as desktop replacement and therefore followed Alberto Garcia's instructions (https://gitlab.steamos.cloud/holo/dirlock/-/wikis/Enabling-disk-encryption-on-the-Steam-Deck ) recently to encrypt the home directory, because I wouldn't want to have my personal data on the SD unprotected in case of loss/theft.
The encryption worked like a charm and the SD is running fine, except for one major nuisance.
Using a password protected screensaver (which I deem necessary to achieve my goals of protecting personal data) effectively locks me out of the SD.
I have set a password. And I'm sure to type in the right one by letting the input prompt show the password.
Trying '/usr/lib/kscreenlocker_greet --testing' creates the same issue. The error message reads "Unlocking failed" and the screen shakes.
I'm not versed enought with Linux to do the troubleshooting on my own, because searching for "(Arch) KDE" related issues with screen saver produced no helpful resultes, even less so, when coupled with "Steam Deck".

Here's info about my system:
Operating System: SteamOS 3.8 Build: 20250623.1000
KDE Plasma Version: 6.2.5
KDE Frameworks Version: 6.9.0
Qt Version: 6.8.1
Kernel Version: 6.11.11-valve19-1-neptune-611-g88b36d49a5e3 (64-bit)
Graphics Platform: X11
Partition: A
Processors: 8 × AMD Custom APU 0932
Memory: 14.5 GiB of RAM
Graphics Processor: AMD Custom GPU 0932
Manufacturer: Valve
Product Name: Galileo
System Version: 1

Searching for issues related to KDE screen savers (on Arch or in general) brought up nothing that helped me solve the issue.
I fear I'm not well-versed enough to troubleshoot this on my own.
Does anyone have an idea and can point me into the right direction?

Kind regards
Sidst redigeret af karl*****; 4. juli kl. 5:42
< >
Viser 1-7 af 7 kommentarer
Omega 3. juli kl. 1:37 
Having a password on the device does very little to protect your data. The Deck's disk is not encrypted, anyone can pull out the drive or boot from a USB device and have full access to the disk.

Set a user password, then reboot the device to ensure this change has applied properly.

Open the terminal and type `passwd`, it will allow you to change your user password.

Make sure you are typing the password properly, ideally use an external keyboard instead of the touch ones, they can be unreliable.
#1
Bad 💀 Motha 3. juli kl. 1:41 
Possible the password was entered as something other then what you think you set it as? Maybe caps lock is on, or was on during password set originally.

So you share the device with others? Otherwise what's the point. Can just toggle the login screen and it requires user pw to enter the desktop again and this also puts the screen to sleep automatically after a short period of being on this screen.

If you want to better protect the data and device, use a BIOS password or password required after the system POST. Then also encrypt your OS drive and any other drive that has sensitive data.

Not sure about Linux but on any WinOS cracking the user password is super simple and easy it the device was stolen and I wanted to get into the user account to see files and not just wipe the drives clean.
Sidst redigeret af Bad 💀 Motha; 3. juli kl. 1:43
#2
Omega 3. juli kl. 2:05 
Oprindeligt skrevet af Bad 💀 Motha:
Not sure about Linux but on any WinOS cracking the user password is super simple and easy it the device was stolen and I wanted to get into the user account to see files and not just wipe the drives clean.
On Linux it is litterally a text file, you can just edit it to change or remove the password hash. But you'll have to pull the drive or use an external boot media to access it.
#3
Bad 💀 Motha 3. juli kl. 3:24 
Yea seriously pointless. Don't share your PC, plain and simple.
Anything actually important should be on external drive, never the OS drive.
BIOS password + Drive encryption
#4
karl***** 3. juli kl. 4:39 
Oprindeligt skrevet af *****:
[...]followed Alberto Garcia's instructions (https://gitlab.steamos.cloud/holo/dirlock/-/wikis/Enabling-disk-encryption-on-the-Steam-Deck ) recently to encrypt the home directory, [...]
I have set a password. And I'm sure to type in the right one by letting the input prompt show the password.[...]

The relevant part of the disk is encrypted (I'm looking forward to having more than "just" home encrypted, though) and the password is the right one, because otherwise I'd be unable to sudo commands in the shell, which I can.
I don't share my SD with other people. I just want to protect my data (-> desktop replacement) in case of theft/loss, which not sharing doesn't accomplish.
The issue seems to be entirely screen saver related, but I don't know where to start looking.
Sidst redigeret af karl*****; 3. juli kl. 4:52
#5
karl***** 4. juli kl. 4:36 
I did some more digging. I still don't understand how it should work, but I can definitely point to logs of what happens after I enter the _correct_ password at the lock screen, which is that 'unix_chkpwd' fails the password check and 'pam_unix' reports an authentication failure:
journalctl -f Jul 04 12:23:39 steamdeck unix_chkpwd[51235]: password check failed for user (deck) Jul 04 12:23:39 steamdeck kscreenlocker_greet[51114]: pam_unix(kde:auth): authentication failure; logname=deck uid=1000 euid=1000 tty= ruser= rhost= user=deck

Using sudo with the same password works, but apparently then the password is checked via 'pam_unix' and 'unix_chkpwd' is not involved:
journalctl -f Jul 04 12:24:11 steamdeck sudo[51202]: pam_unix(sudo:session): session opened for user root(uid=0) by deck(uid=1000) Jul 04 12:24:11 steamdeck sudo[51202]: pam_unix(sudo:session): session closed for user root

To narrow it down I tried an alternative means of locking the screen and installed 'xlock'.
Yet the scheme is similar - 'unix_chkpwd' fails the password check and 'pam_unix' reports an authentication failure:
journalctl -f Jul 04 13:22:49 steamdeck unix_chkpwd[54640]: password check failed for user (deck) Jul 04 13:22:49 steamdeck xlock[54614]: pam_unix(xlock:auth): authentication failure; logname=deck uid=1000 euid=1000 tty=:0 ruser= rhost= user=deck

So I wonder: is 'unix_chkpwd' doing a bad job or is something missing to get the password checked by it successfully?
And if so, what is missing?
Am I really the only one with a screen saver on the SteamDeck in desktop mode that can't be unlocked by typing in the correct password?

A quite suitable workaround is to switch to a different virtual terminal and disable the lock screen from there. That requires a physical keyboard, but that should be available when using the SD in desktop mode.
It still bugs me that something as trivial as the screen saver isn't working like it should.
Sidst redigeret af karl*****; 4. juli kl. 5:36
#6
karl***** 4. juli kl. 5:35 
Wow, it's so simple once you know what's wrong.
The user 'deck' wasn't allowed to log in according to:

cat /etc/shadow | grep deck deck:*:20270:0:99999:7:::

The asterisk instead of a hashed and salted password means that no password can be used to access the account.
This usually occurs in daemon accounts that an ordinary user can’t access.
Well, in this case I want to have a password to access the account deck and sadly the 'passwd' command doesn't enter the password into /etc/shadow.

So I created a password and put it manually into /etc/shadow.

If you want to do the same, open a terminal on your SteamDeck and run (replace "randomString" and "yourPassword" before you do):
openssl passwd -6 -salt randomString yourPassword

Then
sudo nano /etc/shadow
and replace the asterisk with the complete string that's provided by openssl.
After that run
/usr/lib/kscreenlocker_greet --testing
and test the password. If it works, you should be fine and can use the lock screen to protect your SteamDeck.
Additionally you can activate the lock after waking from sleep:
System settings -> Security & Privacy -> Screen Locking -> check the box at "Lock after waking from sleep"

Be aware that a screen lock can only protect any data on your SteamDeck if you encrypted at least your home directory.
I did so with: https://gitlab.steamos.cloud/holo/dirlock/-/wikis/Enabling-disk-encryption-on-the-Steam-Deck
Also be aware that both the encryption and tinkering with /etc/shadow are not without risk, but a necessary evil, if you want your data and logins on your SteamDeck be protected from abuse after loss or theft of the SteamDeck.

Have fun!
#7
< >
Viser 1-7 af 7 kommentarer
Per side: 1530 50

Alle diskussioner > Steam-fora > Hardware and Operating Systems > Trådoplysninger
Dato opslået: 2. juli kl. 23:13
Indlæg: 7
Start en ny diskussion

Diskussionsregler og retningslinjer