Steve Langasek <[EMAIL PROTECTED]> writes: > On Wed, Jan 24, 2007 at 07:44:35PM -0600, Jacques Normand wrote:
>> I am trying to change the bug #383889 to serious and make it release >> critical. I have explained in it why I want it RC and the document at >> http://release.debian.org/etch_rc_policy.txt lists that >> * makes unrelated software on the system (or the whole system) >> break >> is a reason for rc-bug. In this case, the whole desktop locks and there >> is no easy way to unlock it. (Which is effectively breaking the system). >> So how do I do that? > You seem to have gotten your answer on the procedure, but your rationale > for upgrading this particular bug is flawed. The package doesn't render > the system unusable, it's your misconfiguration of PAM that does so. You cannot enable verify_ap_req_nofail unless everything that's going to do PAM configuration can read the system keytab file. Most of the screen savers run as a normal user and can't read the keytab unless it's readable by the user running the screen saver. Later versions of pam-krb5 will support configuring it to look at a different keytab so that you can provide a lower-privilege world-readable keytab for this purpose. Until then, you either want to leave the Kerberos library default, which will verify the tickets if the keytab is readable and otherwise skip that step, or make the system keytab readable by any user who may run the screen saver. For more information, see: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399002> The support alluded to in that bug is already implemented in the upstream version of pam-krb5, but I also incorporated PKINIT support and the code has been rather unstable. I'm holding off upgrading the Debian package until after the etch release. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
