Your message dated Thu, 25 Feb 2021 22:50:20 +0000
with message-id <[email protected]>
and subject line Bug#982530: fixed in pam 1.4.0-5
has caused the Debian Bug report #982530,
regarding libpam-modules: unable to login when using pam_tally2 after upgrade to libpam-modules >1.4.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
982530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982530
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-modules
Version: 1.4.0-4
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: [email protected]

Dear Maintainer,

With libpam-modules 1.4.0 the old and deprecated modules pam_tally and
pam_tally2 were removed from the upstream package. However, a lot of
hardening guides and benchmarks recommend using these for enforcing
lockout of users when there are failed password attempts. When upgrading
the package to version >1.4.0 these configurations will break and the
users will no longer be able to log in, because pam will fail if modules
are not found.

This leads to massive problems for anyone using this kind of
configuration. The only solution for not running into problems is to
remove the affected pam modules before upgrading the package. So I think
the most sensible solution would be to block the update in a preinstall
script and offer the user a chance to modify their pam configuration. I
don't think that we should/could autofix that in any other way.

The best fix I came up with is including a check in the update process.
A patch is attached.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.13-arch1-1 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_SOFTLOCKUP
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-9
ii  libcrypt1              1:4.4.17-1
ii  libdb5.3               5.3.28+dfsg1-0.6
ii  libnsl2                1.3.0-2
ii  libpam-modules-bin     1.4.0-4
ii  libpam0g               1.4.0-4
ii  libselinux1            3.1-2+b2
ii  libtirpc3              1.3.1-1

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- Configuration Files:
/etc/security/faillock.conf changed [not included]

-- debconf information:
* libpam-modules/deprecate-tally:
  libpam-modules/disable-screensaver:
diff -Naur pam-1.4.0/debian/libpam-modules.preinst 
pam-1.4.0_patched/debian/libpam-modules.preinst
--- pam-1.4.0/debian/libpam-modules.preinst     2021-02-11 09:50:27.252360810 
+0000
+++ pam-1.4.0_patched/debian/libpam-modules.preinst     2021-02-08 
18:19:34.034894746 +0000
@@ -4,6 +4,16 @@
 
 . /usr/share/debconf/confmodule
 
+if dpkg --compare-versions "$2" lt-nl 1.4.0; then
+       db_version 2.0
+
+       if grep -rq pam_tally /etc/pam.d/ /usr/share/pam/ 
/usr/share/pam-configs/ >/dev/null; then
+               db_input critical libpam-modules/deprecate-tally || true
+               db_go || true
+               exit 2
+       fi
+fi
+
 if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then
        db_version 2.0
 
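Review bot: the pam_tally check in the new `dpkg --compare-versions "$2" lt-nl 1.4.0` block greps /usr/share/pam/ and /usr/share/pam-configs/ in addition to /etc/pam.d/, so it also matches the pam-configs profiles shipped by the package version being replaced (the changelog below removes exactly those profiles), halting the upgrade even where no enabled configuration uses the module; and because it is a bare substring match it also fires on commented-out lines. Consider limiting the search to the administrator-edited /etc/pam.d/ and to non-comment lines, e.g. `grep -rqE '^[^#]*pam_tally' /etc/pam.d/`. Minor: `-q` already suppresses output, so the `>/dev/null` is redundant, and `db_version 2.0` is repeated by the existing 1.4.0-2 block that follows.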
diff -Naur pam-1.4.0/debian/libpam-modules.templates 
pam-1.4.0_patched/debian/libpam-modules.templates
--- pam-1.4.0/debian/libpam-modules.templates   2021-02-11 09:50:35.209027702 
+0000
+++ pam-1.4.0_patched/debian/libpam-modules.templates   2021-02-08 
18:05:16.304870558 +0000
@@ -7,3 +7,10 @@
  authenticate to these programs.  You should arrange for these programs
  to be restarted or stopped before continuing this upgrade, to avoid
  locking your users out of their current sessions.
+
+Template: libpam-modules/deprecate-tally
+Type: error
+_Description: you are using pam_Tally or pam_tally2 in your configuration
+ these two modules have been removed from libpam-modules and you need to
+ remove every refference to these two modules from your configuration
+ before you continue, or you will no longer be able to login to your system
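Review bot: the new `libpam-modules/deprecate-tally` template has typos in translatable text: `pam_Tally` in the `_Description` short line should read `pam_tally`, and `refference` in the extended description should be `reference`. The wording also departs from the existing template above it (sentence case, full sentences, a closing period); since `_Description` is what translators receive, fix it before upload, e.g. `_Description: pam_tally or pam_tally2 is used in your PAM configuration` followed by `These two modules have been removed from libpam-modules. Remove every reference to them from your configuration before continuing, or you will no longer be able to log in to your system.`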

--- End Message ---
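As an added example, not the reporter's patch nor the pam package's own code, the following shell check lists the PAM configuration lines that actively load pam_tally or pam_tally2 (the modules the report says were dropped from libpam-modules 1.4.0), ignoring commented-out lines so an administrator can review exactly what would break before upgrading. The directory layout and file contents it scans are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example, not the reporter's patch nor the pam package's code: list the
# PAM configuration lines that actively load pam_tally or pam_tally2 (removed
# in libpam-modules 1.4.0) so they can be reviewed before upgrading. Unlike a
# bare "grep -r pam_tally", commented-out lines and trailing comments are ignored.
set -eu

# Print "file:line:text" for every non-comment line under the given directories
# whose module field is pam_tally.so or pam_tally2.so. Always exits 0.
find_tally_refs() {
    # ERE: first non-blank character is not '#', and no '#' precedes the module.
    grep -rHnE '^[[:space:]]*[^#[:space:]][^#]*pam_tally2?\.so' "$@" 2>/dev/null || true
}

# Print the number of active references under the given directories.
count_tally_refs() {
    find_tally_refs "$@" | wc -l | tr -d ' '
}

# Create a constructed sample tree (not taken from any real system) in a
# temporary directory and print its path.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pam.d" "$tmp/pam-configs"
    cat > "$tmp/pam.d/common-auth" <<'EOF'
# common-auth: constructed sample; line 2 is an active reference
auth    required    pam_tally2.so deny=5 unlock_time=900
auth    [success=1 default=ignore]  pam_unix.so nullok
EOF
    cat > "$tmp/pam.d/login" <<'EOF'
# auth required pam_tally2.so onerr=fail   <- commented out, not reported
auth    required    pam_unix.so   # pam_tally.so was here once: not reported
account required    pam_tally2.so
EOF
    cat > "$tmp/pam-configs/unix" <<'EOF'
Name: Unix authentication
Auth: [success=end default=ignore] pam_unix.so nullok
EOF
    echo "$tmp"
}

# Stand-alone run: report the sample tree's active references, then clean up.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_tree)
    find_tally_refs "$dir/pam.d" "$dir/pam-configs"
    echo "active references: $(count_tally_refs "$dir/pam.d" "$dir/pam-configs")"
    rm -rf "$dir"
fi
```

Run with `--demo` to see the two active references in the sample tree; point `find_tally_refs` at /etc/pam.d/ to review a real system before the upgrade.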
--- Begin Message ---
Source: pam
Source-Version: 1.4.0-5
Done: Sam Hartman <[email protected]>

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 25 Feb 2021 15:48:22 -0500
Source: pam
Architecture: source
Version: 1.4.0-5
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Closes: 982295 982297 982530 982898
Changes:
 pam (1.4.0-5) unstable; urgency=low
 .
   * Remove profiles containing pam_tally or pam_tally2 since we no longer
     build them.
   * Also, fail to permit profiles to be selected that include pam_tally
     once the new pam-auth-update is installed
   * Check for any user-added references to pam_tally and halt the upgrade,
     Closes: #982530
   * Handle services with systemd units but no init scripts, Closes: #982295
   * Register md5sum for new common-password template, Closes: #982898
   * After reading pam-auth-update source, I agree with Lucas Nussbaum
     that common-session is intended only for interactive sessions.
     Otherwise pam-auth-update should not duplicate module configurations
     between common-session-noninteractive and common-session, so update
     the documentation, Closes: #982297


--- End Message ---