Kicksecure and LMDE, MX KDE and Sparky KDE / SDDM Problems

Support
1

Hi!

Anyone tried to install Kicksecure on top of Linux Mint Debian Edition?
The recently released version of LMDE 5 is based on Debian 11 Bullseye.
Is there a chance it will work properly?

2

Created the following wiki page to address this just now:

4

I installed Kicksecure on Mint LMDE! If Plymouth conflicts - just remove it (remove, purge, autoremove). Everything works great. You can also install separate Kicksecure tools - grub-live and security-misc!

5

Kicksecure works well in LMDE, MX Linux and Sparky Linux. BUT security-misc conflicts with SDDM at system startup (SDDM may hang) - autologin solves this problem. This problem does not occur at logout and screen lock. I use kicksecure in KDE Plasma on Debian, MX and LMDE - I have not noticed any problems or errors for over a month

6

:partying_face: :white_check_mark:

7

There is a hang of LightDM and SDDM in Cinnamon and KDE Plasma after latest update security-misc - LightDM endlessly requires password, SDDM freezes after entering password. Use autologin! These errors are only at system startup - locking screen and changing user do not cause these errors then after desktop boots.
And sleep mode hangs up on those desktops ā€“ use screen lock instead of sleep!
These errors are in Debian, LMDE, MX and Sparky

8

If these error are happening on Debian without Kicksecure being involved, please report bugs against Debian.

If these error are happening on Kicksecure, please report bugs as per Bug Reports, Software Development, and Feature Requests.

9

I have not seen these problems in xfce. Only in Cinnamon and Kde Plasma. These problems are related to security-misc - removing package fixes these problems.
I just shared observations for those who want to install a other desktop or another OS with Kicksecure

10

If these should be fixed, please report a bug.

11

kernel: Low-power S0 idle used by default for system suspend
kernel: nvme 0000:04:00.0: platform quirk: setting simple suspend
kded5[2685]: kscreen.kded: PowerDevil SuspendSession action not available!
systemd-logind[1521]: The system will suspend now!
ModemManager[1606]: [sleep-monitor-systemd] system is about to suspend
systemd[1]: Starting systemd-suspend.service - System Suspendā€¦
systemd-sleep[4816]: Entering sleep state ā€˜suspendā€™ā€¦
kernel: PM: suspend entry (s2idle)
kernel: printk: Suspending console(s) (use no_console_suspend to debug)
kernel: amdgpu_device_suspend+0x53/0x150 [amdgpu]
kernel: pci_pm_suspend+0x78/0x170
kernel: __device_suspend+0xf1/0x470
kernel: async_suspend+0x1a/0x80
kernel: queueing ieee80211 work while going to suspend
kernel: amd_pmc AMDI0009:00: Last suspend didnā€™t reach deepest state
kernel: PM: suspend exit
systemd[1]: systemd-suspend.service: Deactivated successfully.
systemd[1]: Finished systemd-suspend.service - System Suspend.
systemd[1]: Reached target suspend.target - Suspend.
systemd[1]: Stopped target suspend.target - Suspend.
systemd-logind[1521]: The system will suspend now!
ModemManager[1606]: [sleep-monitor-systemd] system is about to suspend
systemd[1]: Starting systemd-suspend.service - System Suspendā€¦
systemd-sleep[8743]: Entering sleep state ā€˜suspendā€™ā€¦
kernel: PM: suspend entry (s2idle)
kernel: printk: Suspending console(s) (use no_console_suspend to debug)
kernel: amdgpu_device_suspend+0x53/0x150 [amdgpu]
kernel: pci_pm_suspend+0x78/0x170
kernel: __device_suspend+0xf1/0x470
kernel: async_suspend+0x1a/0x80
kernel: amd_pmc AMDI0009:00: Last suspend didnā€™t reach deepest state
kernel: PM: suspend exit
systemd[1]: systemd-suspend.service: Deactivated successfully.
systemd[1]: Finished systemd-suspend.service - System Suspend.
systemd[1]: Reached target suspend.target - Suspend.
systemd[1]: Stopped target suspend.target - Suspend.
systemd-logind[1521]: The system will suspend now!
ModemManager[1606]: [sleep-monitor-systemd] system is about to suspend
systemd[1]: Starting systemd-suspend.service - System Suspendā€¦
systemd-sleep[11869]: Entering sleep state ā€˜suspendā€™ā€¦
kernel: PM: suspend entry (s2idle)

my friendā€™s journal. he has the most interesting situation in debian kde plasma - system does not want to go into sleep mode, desktop reboots only. then system started sleep mode and hung. He said he didnot notice any other errors in journal. but sleep mode error goes away immediately if you delete security-misc and reboot

12

System freezes on startup after entering login and password

polkit-agent-helper-1[4010]: pam_exec(polkit-1:auth): usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
pam_wheel(polkit-1:auth): Ignoring access request ā€˜userā€™ for ā€˜userā€™

sddm [1940] authentication information: "usr/libexec/security-misc/pam-info: WARNING: 1 failed login attempt
sddm [1940] authentication information: ā€œLogin will be blocked after 50 attemptsā€
sddm-helper-[4089]: pam_exec(sddm:auth): usr/libexec/security-misc/pam_faillocl_not_if_x failed: exit code 1
sddm[1940]: Existing authentication ongoing, aborting

13

Youā€™ll have to give more specific steps for how to reproduce this. Iā€™ve just attempted to reproduce the issue using Debian 12 + KDE Plasma, on a UEFI-based virt-manager machine. The exact steps taken are:

  • Create a new virtual machine, specify that a Debian 12.7.0 netinst ISO should be used
  • Set RAM to 4 GB, disk space to 20 GB
  • Check ā€œCustomize configuration before installingā€ on the final screen of the VM creation wizard
  • Set firmware to UEFI (specifically OVMF_CODE_4M.fd)
  • Begin installation
  • Configure as follows:
    • Full Name: User
    • Username: user
    • Disk configuration:
      • Partition 1: EFI System Partition, 300 MB
      • Partition 2: ext4 mounted at /, use all remaining disk space
    • Desktop environment: KDE Plasma
    • Timezone and locale settings set appropriately
  • Once installation is complete, reboot
  • Carefully follow instructions at Install Kicksecure inside Debian to morph the distribution into Kicksecure, some notes as to how I followed the instructions:
    • When given the option of using extrepo or manual configuration for initially adding the Kicksecure repository, I chose manual configuration.
    • Signing key was downloaded using TLS.
    • ā€œClearnet Rep.ā€ settings were used for manually configuring the Kicksecure repo.
    • The Kicksecure metapackage I installed was kicksecure-cli-host, to avoid pulling in XFCE
    • Before following post-installation steps, I rebooted, tested login via SDDM with both Plasma X11 and Plasma Wayland sessions, confirmed it worked, and confirmed security-misc was installed using dpkg-query -s security-misc (it came back as install ok installed)
    • In the post-installation steps, I used sudo rm /etc/apt/sources.list rather than sudo mv /etc/apt/sources.list ~/ for getting rid of the original sources.list file, it contained nothing important

With this setup, Kicksecure is installed, security-misc is installed, and SDDM login works just fine, both with Wayland and X11 options. I did not test sleep since this is a virtual machine and getting a virt-manager VM out of sleep can be really hard, but I would expect it to work. EDIT: Just tested sleep too, works without issues, even with security-misc installed.

Some things about your configuration that you may want to double-check that may be the source of some of the issues:

  • Did you install kicksecure-cli-host or kicksecure-xfce-host? Doing the latter on a machine with another desktop environment already will end up installing XFCE on the machine, which could conflict with your existing desktop environment in interesting ways.
  • Is your user account named user? There are some subsystems in Kicksecure that only allow an account named user to take certain actions. Itā€™s possible (though unlikely) that the inability to take those actions with another account could be causing the issue.

Iā€™ve not yet tested with the Cinnamon desktop, or with Debian derivatives such as Sparky or Mint.

1 Like
14

me and my friends used standard morphing installation. i would be grateful if you wrote installation for kde plasma and cinnamon. what commands to enter instead of sudo apt install --no-install-recommends kicksecure-xfce-host. But i also installed separate packages - grub-live, security-misc, tirdad and sdwdate - this also led to login hang. Perhaps there are nuances on the virtual machine, so there are no records of sleep mode and sddm. but i have not yet seen a host system that would not have sddm hang after last security-misc update. in some computers sddm hangs only after an incorrect password. in other computers (and mine) when entering any password. but sleep mode does not hang on my computer and on the computer of one friend, but on two other friends sleep mode always hangs - removing security-misc solved this problem. Even installing only one security-misc package on cde plasma and cinnamon caused freezes. I thought the conflict was only with cde plasma, but recently my friendā€™s LMDE also froze Lightdm

in old versions of security-misc, these problems were not there. only problem was the wrong password entry in sddm at startup. but sleep mode worked well for everyone. If you install kicksecure xfce morph and remove security-misc, then there are no problems and errors - this has been tested on all the OSes I mentioned

15

kk, Iā€™ll give it another shot with physical hardware and installing kicksecure-xfce-host instead.

1 Like
16

I have now tested distro morphing Debian 12 Cinnamon into Kicksecure on physical hardware (my main development machine). I used kicksecure-xfce-host this time since it sounded like thatā€™s what you were using. I still canā€™t reproduce the issue - the install works just fine, security-misc is present, LightDM doesnā€™t freeze whether I feed it good passwords or bad passwords, sleep works out of the box.

If you and your friend are both running into issues, itā€™s likely to be the result of one of the following:

  • What youā€™re calling Debian is not what Iā€™m calling Debian. Iā€™m using the official Debian 12 (Bookworm) netinstaller, which gives me a vanilla Debian installation. This is what Kicksecure supports, so itā€™s expected to work. If your ā€œDebianā€ is Debian 11 (Bullseye) or Debian Testing (Trixie at the time of this writing), that could be the problem.
  • You and your friend happen to use the same third-party repository on your systems, and that repository is incompatible with Kicksecure in some way.
  • Both of you are shockingly unlucky when it comes to what hardware you ended up with. (Hardware-specific issues like this are relatively rare nowadays so I wouldnā€™t expect this to be the case.)

I donā€™t know for sure if any of the above apply here, this is just what comes to mind initially. If thereā€™s any further data you can give about how youā€™re reproducing this (what software versions youā€™re using, what steps youā€™re taking, even hardware info might come in handy), that might help debug this. Currently though I canā€™t get it to break.

1 Like
17

We use standard debian. I dont even know where to find other debian repositories. According to cinnamon, problem was only in LMDE.
But problems with kde plasma were on all computers and in all systems - debian, lmde, mx, sparky. The main problem with sddm is precisely at startup (if autologin is disabled, which kicksecure launches by default). I also had this problem. It cannot be reproduced when changing user or ending session - only when starting. Sleep mode hung on 3 computers of which there are 5 - on debian and 2 on mx. Solution to problems has always been one - removing security-misc.
This topic is dedicated to other linuxes and is listed on the site as a discussion of kicksecure in other OS. Thatā€™s why I shared my experience here. But, once again, debian kde plasma had all same problems. I helped friends to log debian 2 weeks ago, when sddm did not let them in after updating security-misc, They launched console mode and deleted security-misc - problem disappeared. Maybe it is a hardware issue. BUT it was also on old laptops and on new ones from 5 different companies

18

Same installation steps but happening on some computers but not on others?

Instead of deleting all of security-misc, finding the offending setting in security-misc might be useful. Itā€™s most likely a kernel parameter hardening setting.

For that purpose, security-misc, Debugging has been written now.

19

It would have been helpful to know this a few comments ago :sweat_smile: I spent an hour testing on physical hardware with Cinnamon last night thinking that was the most efficient way to test things, since I had been led to believe the issue was reproducible on Debian with the Cinnamon desktop earlier:

Anyway, no hard feelings, but when reporting issues, itā€™s better to give more details early on.

Sure, I get that and I respect that. But at the same time, it sounded like you had done experimentation on unsupported but still likely-to-work platforms, and ran into problems on a fully supported platform (i.e. distro-morphing vanilla Debian). Naturally this is concerning, so we did some bug hunting to see if we could reproduce the issue the same way.

Before I go and try to install Debian with KDE Plasma, could you please tell me which release of Debian are you using? You can find out by running cat /etc/os-release in a terminal. Please share the entire VERSION variable shown in the commandā€™s output.

20

PRETTY_NAME=ā€œDebian GNU/Linux 12 (bookworm)ā€
NAME=ā€œDebian GNU/Linuxā€
VERSION_ID=ā€œ12ā€
VERSION=ā€œ12 (bookworm)ā€
VERSION_CODENAME=bookworm
ID=debian
I respect you very much. I recommend kicksecure os or kicksecure packages to everyone who works on any debian. and recommend whonix :slight_smile:
if we talk about debian 12, then errors only in kde plasma. I noticed same errors (sddm, sleep) in sparky (debian trixie) in VM.

21

Okay. I will try on debian and mx kde