How to use PAM authentication with local or LDAP credentials


Abdullah YILDIZ

Oct 11, 2025, 4:59:38 PM
to TigerVNC User Discussion/Support
Hi,

I installed TigerVNC server (version 1.14.1) on AlmaLinux OS 9 as instructed here.

After the installation, PAM configuration file tigervnc is available at /etc/pam.d/ with the following content:

#%PAM-1.0

# THIS IS AN EXAMPLE CONFIGURATION
# MODIFY AS NEEDED FOR YOUR DISTRIBUTION

# pam_selinux.so close should be the first session rule
-session   required     pam_selinux.so close
session    required     pam_loginuid.so
-session   required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare

I also copied the user VNC settings into ~/.vnc/config as follows:

session=xfce
plainusers=srv-admin
securitytypes=tlsplain
geometry=800x600
pam_service=tigervnc

However, using the local credentials of the srv-admin does not work. Could you please help me with this?

Regards,

Pierre Ossman

Oct 14, 2025, 6:47:33 AM
to Abdullah YILDIZ, TigerVNC User Discussion/Support
On 11/10/2025 22:59, Abdullah YILDIZ wrote:
>
> I also copied the user VNC settings into *~/.vnc/config* as follows:
>
> session=xfce
> plainusers=srv-admin
> securitytypes=tlsplain
> geometry=800x600
> pam_service=tigervnc
>
> However, using the local credentials of the srv-admin does not work. Could
> you please help me with this?
>

Using PAM for authentication is currently not terribly robust,
unfortunately. It often requires you to run the server as root. That is
definitely the case when using pam_unix, but may not be required when
using pam_sss.

The second issue here is that the PAM configuration you used was only
written with the goal of starting sessions. It lacks the necessary lines
for authentication.

I would recommend using something like "remote" as the PAM service name
instead.

Regards,
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
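
Added example, not part of the original thread and not TigerVNC code: a small parser that checks a PAM service file for the two problems named in the reply above, a file with no auth rules and pam_unix in the auth stack of a server that is not running as root. `SAMPLE_WITH_AUTH` is a constructed file, the function names are hypothetical, and `include`/`substack` lines are not followed.

```python
import os
import re

# /etc/pam.d/tigervnc as quoted in the first post (comments trimmed).
TIGERVNC_PAM = """\
#%PAM-1.0
-session   required     pam_selinux.so close
session    required     pam_loginuid.so
-session   required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare
"""

# Constructed sample, not from the thread: a service that does have auth rules.
SAMPLE_WITH_AUTH = """\
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
"""

RULE = re.compile(r"-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Return {type: [module, ...]} for the rules in one PAM service file."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            # A leading "-" only silences the log entry for a missing module.
            # Modules may be given by absolute path, so compare basenames.
            stacks[m.group(1)].append(os.path.basename(m.group(3)))
    return stacks

def audit(text, running_as_root):
    """List the two problems named in the reply; include/substack not followed."""
    stacks = parse_pam(text)
    findings = []
    if not stacks["auth"]:
        findings.append("no auth rules in this file")
    if "pam_unix.so" in stacks["auth"] and not running_as_root:
        findings.append("auth uses pam_unix.so but the server is not root")
    return findings

if __name__ == "__main__":
    for name, text in (("tigervnc", TIGERVNC_PAM), ("sample", SAMPLE_WITH_AUTH)):
        print(name, parse_pam(text), audit(text, running_as_root=False))
```
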

Abdullah YILDIZ

Oct 15, 2025, 4:29:33 AM
to TigerVNC User Discussion/Support
Hi,

Thank you for your feedback and support.

I updated the config file as follows; however, I am still not able to log in with my local credentials:

session=xfce
plainusers=srv-admin
securitytypes=tlsplain
geometry=800x600
pam_service=remote

I also disabled SELinux in case it blocks the PAM service.

Is there any other issue that could cause this?

Regards,

Pierre Ossman

Oct 24, 2025, 1:56:08 AM
to Abdullah YILDIZ, TigerVNC User Discussion/Support
On 15/10/2025 10:29, Abdullah YILDIZ wrote:
>
> Is there any other issue that could cause this?
>

If you are still using pam_unix and not running as root, then that is
likely the next issue.

Have you checked what your system logs say when the user tries to
authenticate? They should state why the user is denied.

Regards,
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc

Abdullah YILDIZ

Oct 25, 2025, 9:38:32 AM
to TigerVNC User Discussion/Support
Hi,

Here are my observations from the system logs:

/var/log/messages
Oct 25 15:52:08 localhost vncsession[1076]: ~/.vnc is deprecated, please consult 'man vncsession' for paths to migrate to.

.vnc/localhost.localdomain\:1.log

Sat Oct 25 16:03:07 2025
Connections: accepted: 192.168.69.6::62759
SConnection: Client needs protocol version 3.8
SConnection: Client requests security type VncAuth(2)

Sat Oct 25 16:03:10 2025
SConnection: AuthFailureException: Authentication failure
VNCSConnST: closing 192.168.69.6::62759: Authentication failure
EncodeManager: Framebuffer updates: 0
EncodeManager: Total: 0 rects, 0 pixels
EncodeManager: 0 B (1:-nan ratio)
Connections: closed: 192.168.69.6::62759
ComparingUpdateTracker: 0 pixels in / 0 pixels out
ComparingUpdateTracker: (1:-nan ratio)
Xlib: extension "DPMS" missing on display ":1.0".
Xlib: extension "DPMS" missing on display ":1.0".
Xlib: extension "DPMS" missing on display ":1.0".
Xlib: extension "DPMS" missing on display ":1.0".

I also noticed that the use of .vnc/config is deprecated, and for this reason I moved the config file to .config/tigervnc/.

After that I see the following as the running VNC processes:

srv-a+    1073  0.0  0.1   4144  2304 ?        S    16:09   0:00 xinit /etc/X11/xinit/Xsession startxfce4 -- /usr/bin/Xvnc :1 -geometry 800x600 -pam_service remote -plainusers srv-admin -securitytypes tlsplain -auth /home/srv-admin/.Xauthority -desktop localhost.localdomain:1 (srv-admin) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/srv-admin/.config/tigervnc/passwd -rfbport 5901
srv-a+    1089  0.1  3.4 226168 68736 ?        S    16:09   0:00 /usr/bin/Xvnc :1 -geometry 800x600 -pam_service remote -plainusers srv-admin -securitytypes tlsplain -auth /home/srv-admin/.Xauthority -desktop localhost.localdomain:1 (srv-admin) -fp catalogue:/etc/X11/fontpath.d -pn -rfbauth /home/srv-admin/.config/tigervnc/passwd -rfbport 5901

With this configuration, the VNC connection request is automatically rejected according to .vnc/localhost.localdomain\:1.log:

Sat Oct 25 16:24:58 2025
Connections: accepted: 192.168.69.6::62806
SConnection: Client needs protocol version 3.8
VNCSConnST: closing 192.168.69.6::62806: Clean disconnection

I also get the following message on the VNC client:

Screenshot 2025-10-25 at 16.36.17.png