Hi folks,

A new version of PAM (0.99.7.1-1) has been packaged and uploaded to experimental. This is intended to replace 0.79-4. However, because there have been quite a number of upstream changes, and all the Debian-specific patches against the old one were painstakingly re-diffed and updated by hand, and because a broken PAM means a rather broken system, this new version needs some wider testing before it is suitable for unstable.

The work for this was done by myself and Jan Christoph Nordholz, who rewrote the @include patch, fixing a memory leak in the current code, as well as doing a lot of testing, building and general reviewing of the PAM packaging. It's thanks to Jan that it's ready for wider review, since I did all the rediffing back in April, but lacked time to squash the last few bugs.

If anyone could take the time to install it, test that all the services using PAM for authentication/authorisation still work as expected, and report any defects, that would be much appreciated. If you want to avoid breaking your system, it is advisable to install into a chroot. However, we have tested that basic functionality does work (su and passwd in particular), so it should be safe to install for real (but no guarantees are given).

Additionally, all of the packages which Build-Depend, Depend or Recommend PAM packages should be tested against the new packages. A complete list is given below, and the maintainers Bcc'd with this message.

If you do hack on the PAM sources, note that the dpatch patch order is important--later patches do rely on earlier patches being present. Also, you need to run "debian/rules patch|unpatch" by hand, due to the need to re-bootstrap the autotools. To do that, "debian/rules bootstrap" will do everything consistently, providing the patches are applied.

Some bits which need wider review and discussion:

Several of the Debian-specific patches should probably be removed. For example, the @include (Debian-specific) syntax should be replaced by the include mechanism added by upstream; we should make this a release goal for Lenny IMO. Maintaining Debian-specific hacks imposes a real burden on the PAM maintainers--it took over 15 man hours to do the main re-diffing, and the same again to get it working, which is ridiculous and error-prone. We could easily be introducing Debian-specific security bugs by doing so.

Some checks such as the obscure checks for pam_unix and chroot limits for pam_limits should be dropped (who uses this functionality?). The obscure checks appear to predate PAM, but should cracklib not be the replacement? This non-standard stuff should really be deprecated, obsoleted, then dropped. What do other people think about this?

The remaining patches should then really be pushed upstream, which is possible now we are synched with their latest stable release.

One other note: upstream now default to enabling cracklib in pam_unix (in addition to pam_cracklib), which causes passwd to do all the extra checks cracklib does. This has been disabled for now after discussion with Jan, because it brings in quite a few dependencies into base, and may not be generally wanted. It also breaks passwd if you don't have cracklib-runtime *and* a wordlist *and* run update-cracklib, so this needs some fixing of dependencies and coordination to do properly. It might be worth re-adding, if there was consensus for that. I'm not yet sure how this differs from the pam_cracklib functionality, however.

Regards,
Roger

Laszlo Boszormenyi (GCS) <[EMAIL PROTECTED]> gradm2
Stefan Hornburg (Racke) <[EMAIL PROTECTED]> courier courier-authlib pure-ftpd
Richard A Nelson (Rick) <[EMAIL PROTECTED]> libnss-ldap libpam-ldap
Marco Presi (Zufus) <[EMAIL PROTECTED]> linesrv
Krzysztof Krzyzaniak (eloy) <[EMAIL PROTECTED]> popa3d
Russ Allbery <[EMAIL PROTECTED]> libpam-afs-session
Sebastien Bacher <[EMAIL PROTECTED]> libgnomesu
Carlos Barros <[EMAIL PROTECTED]> tac-plus
Dima Barsky <[EMAIL PROTECTED]> python-pam
Vincent Bernat <[EMAIL PROTECTED]> xrdp
Michael Biebl <[EMAIL PROTECTED]> partimage
Laurent Bigonville <[EMAIL PROTECTED]> pam-keyring
Blars Blarson <[EMAIL PROTECTED]> nntp
Primoz Bratanic <[EMAIL PROTECTED]> pam-pgsql
Joachim Breitner <[EMAIL PROTECTED]> poldi
Adrian Bridgett <[EMAIL PROTECTED]> dante
Chris Butler <[EMAIL PROTECTED]> wu-ftpd
Rubén Porras Campo <[EMAIL PROTECTED]> libpam-encfs
Pierre Chifflier <[EMAIL PROTECTED]> nufw wzdftpd
Adam Conrad <[EMAIL PROTECTED]> poppassd
Christopher Cramer <[EMAIL PROTECTED]> usermode
Debian CUPS Maintainers <[EMAIL PROTECTED]> cupsys
Debian Cyrus SASL Team <[EMAIL PROTECTED]> cyrus-sasl2 cyrus-sasl2-heimdal
Debian Cyrus Team <[EMAIL PROTECTED]> cyrus-imapd-2.2
Debian Edu Developers <[EMAIL PROTECTED]> debian-edu
Debian GNOME Maintainers <[EMAIL PROTECTED]> gdm
Debian Kolab Maintainers <[EMAIL PROTECTED]> kolab-cyrus-imapd
Debian Multimedia Team <[EMAIL PROTECTED]> jack-audio-connection-kit
Debian OpenOffice Team <[EMAIL PROTECTED]> openoffice.org
Debian OpenSSH Maintainers <[EMAIL PROTECTED]> openssh
Debian PHP Maintainers <[EMAIL PROTECTED]> php5
Debian Qt/KDE Maintainers <[EMAIL PROTECTED]> kdeadmin kdebase
Debian Samba Maintainers <[EMAIL PROTECTED]> samba
Debian VoIP Team <[EMAIL PROTECTED]> bayonne
Debian X Strike Force <[EMAIL PROTECTED]> xdm
Debian buildd-tools Developers <[EMAIL PROTECTED]> schroot
Eric Dorland <[EMAIL PROTECTED]> pam-p11
Paul Dwerryhouse <[EMAIL PROTECTED]> kannel
Peter Eisentraut <[EMAIL PROTECTED]> pgpool
Rene Engelhard <[EMAIL PROTECTED]> away
Exim4 Maintainers <[EMAIL PROTECTED]> exim4
Gerfried Fuchs <[EMAIL PROTECTED]> francine
Luigi Gangitano <[EMAIL PROTECTED]> squid squid3
Bdale Garbee <[EMAIL PROTECTED]> sudo
Matthew Garrett <[EMAIL PROTECTED]> libpam-foreground
Thomas Goirand <[EMAIL PROTECTED]> dtc
Stephen Gran <[EMAIL PROTECTED]> freeradius
Debian QA Group <[EMAIL PROTECTED]> pexts
Yu Guanghui <[EMAIL PROTECTED]> qpopper
Guido Guenther <[EMAIL PROTECTED]> libpam-ccreds
Pierre Habouzit <[EMAIL PROTECTED]> ldapscripts
Christian Hammers <[EMAIL PROTECTED]> quagga
Sam Hartman <[EMAIL PROTECTED]> libpam-krb5 openafs pam
Tollef Fog Heen <[EMAIL PROTECTED]> pam-passwdqc pam-tmpdir pam-umask
Henrique de Moraes Holschuh <[EMAIL PROTECTED]> fcron
Simon Horman <[EMAIL PROTECTED]> heartbeat perdition
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> linux-ftpd netkit-rsh openvpn
Joerg Jaspert <[EMAIL PROTECTED]> muddleftpd
Arthur de Jong <[EMAIL PROTECTED]> nss-ldapd
Guillem Jover <[EMAIL PROTECTED]> inetutils lockvc
Stephan Kaufhold <[EMAIL PROTECTED]> libpam-pwgen
Bastian Kleineidam <[EMAIL PROTECTED]> libpam-mount
Ivan Kohler <[EMAIL PROTECTED]> libpam-unix2
Anand Kumria <[EMAIL PROTECTED]> pam-http
Oliver Kurth <[EMAIL PROTECTED]> pam-dotfile
Aurelien Labrosse <[EMAIL PROTECTED]> libpam-ssh
Asheesh Laroia <[EMAIL PROTECTED]> alpine
Simon Law <[EMAIL PROTECTED]> lsh-utils wvstreams
Jeff Licquia <[EMAIL PROTECTED]> diald
John Lightsey <[EMAIL PROTECTED]> apt-watch
Francesco Paolo Lovergine <[EMAIL PROTECTED]> proftpd-dfsg yardradius
Robert Luberda <[EMAIL PROTECTED]> solid-pop3d super
Dovecot Maintainers <[EMAIL PROTECTED]> dovecot
OHURA Makoto <[EMAIL PROTECTED]> xemacs21
Jordi Mallach <[EMAIL PROTECTED]> mailutils
Roland Mas <[EMAIL PROTECTED]> gforge
Peter Mathiasson <[EMAIL PROTECTED]> pam-devperm
Martin Maurer <[EMAIL PROTECTED]> fireflier
Rene Mayrhofer <[EMAIL PROTECTED]> openswan strongswan
Steve McIntyre <[EMAIL PROTECTED]> cvs
Matthijs Mohlmann <[EMAIL PROTECTED]> libpam-heimdal
Ryan Murray <[EMAIL PROTECTED]> at
Jaakko Niemi <[EMAIL PROTECTED]> sfs
Fabio M. Di Nitto <[EMAIL PROTECTED]> libpam-radius-auth
Jan Christoph Nordholz <[EMAIL PROTECTED]> screen
Greg Norris <[EMAIL PROTECTED]> libpam-pwdfile
Alvaro Lopez Ortega <[EMAIL PROTECTED]> cherokee
Erlang Packagers <[EMAIL PROTECTED]> yaws
Peter Palfrader <[EMAIL PROTECTED]> uucp vlock
Eloy A. Paris <[EMAIL PROTECTED]> ncpfs
Jose Parrella <[EMAIL PROTECTED]> libpam-rsa libpam-usb
Guilherme de S. Pastore <[EMAIL PROTECTED]> gnome-screensaver
Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]> cron libpam-chroot
Christian Perrier <[EMAIL PROTECTED]> calife
Martin Pitt <[EMAIL PROTECTED]> postgresql-8.1 postgresql-8.2
Cai Qian <[EMAIL PROTECTED]> linux-ftpd-ssl
Florian Ragwitz <[EMAIL PROTECTED]> libauthen-pam-perl
Ganesan Rajagopal <[EMAIL PROTECTED]> ipsec-tools
Sebastian Rittau <[EMAIL PROTECTED]> netatalk
Jose Luis Rivas <[EMAIL PROTECTED]> xscreensaver
Ghe Rivero <[EMAIL PROTECTED]> libuser
Piotr Roszatycki <[EMAIL PROTECTED]> libapache2-mod-auth-pam
Ludovic Rousseau <[EMAIL PROTECTED]> muscleframework
Giuseppe Sacco <[EMAIL PROTECTED]> hylafax
Riccardo Setti <[EMAIL PROTECTED]> aolserver4-nsimap
Shadow package maintainers <[EMAIL PROTECTED]> shadow
Vladimir Shakhov <[EMAIL PROTECTED]> wdm
Guus Sliepen <[EMAIL PROTECTED]> rsh-redone
Jonas Smedegaard <[EMAIL PROTECTED]> libmail-cclient-perl uw-imap
Roger So <[EMAIL PROTECTED]> im-sdk
Manoj Srivastava <[EMAIL PROTECTED]> policycoreutils refpolicy
Riccardo Stagni <[EMAIL PROTECTED]> qingy
Michael Stone <[EMAIL PROTECTED]> libpam-opie opie xlockmore
Debian Shishi Team <[EMAIL PROTECTED]> shishi
Andreas Tscharner <[EMAIL PROTECTED]> cvsnt
Utopia Maintenance Team <[EMAIL PROTECTED]> network-manager
Matej Vela <[EMAIL PROTECTED]> vsftpd
Jelmer Vernooij <[EMAIL PROTECTED]> pam-krb5-migrate
Paweł Więcek <[EMAIL PROTECTED]> pam-mysql
Carsten Wolff <[EMAIL PROTECTED]> php-auth-pam
Marco d'Itri <[EMAIL PROTECTED]> inn2 ppp

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
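
An audit of a PAM configuration directory for the items this message singles out for re-testing (Debian's @include, upstream's include, the pam_unix obscure checks, pam_cracklib), as an added example that is not part of the original message or of the PAM packaging. The function names, the record format and the sample files are constructed for illustration, and the `obscure` option name for pam_unix is an assumption based on Debian's pam_unix.

```shell
#!/bin/sh
# pam_audit DIR: print "file:line:kind:detail" for each PAM line worth
# re-testing after the upgrade. Backslash-continued lines are not joined.
pam_audit() {
    for f in "${1:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            NF == 0 || $1 ~ /^#/ { next }          # blank line or comment
            $1 == "@include" {                      # Debian-specific syntax
                printf "%s:%d:debian-include:%s\n", file, NR, $2; next }
            $2 == "include" {                       # upstream: type include file
                printf "%s:%d:upstream-include:%s\n", file, NR, $3; next }
            /pam_unix\.so/ {                        # assumed Debian option name
                for (i = 3; i <= NF; i++) if ($i == "obscure")
                    printf "%s:%d:unix-obscure:%s\n", file, NR, $1 }
            /pam_cracklib\.so/ {
                printf "%s:%d:cracklib:%s\n", file, NR, $1 }
        ' "$f"
    done
}

# Constructed sample configuration (not taken from any real system).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' '@include common-auth' \
        'session required pam_limits.so' > "$d/su"
    printf '%s\n' 'password required pam_unix.so nullok obscure min=4 max=8 md5' \
        '@include common-account' > "$d/passwd"
    printf '%s\n' 'auth include common-auth' \
        'password required pam_cracklib.so retry=3' > "$d/demo"
    echo "$d"
}

# Demonstration run on the constructed sample.
sample=$(make_sample) && pam_audit "$sample" && rm -rf "$sample"
```

Run `pam_audit /etc/pam.d` inside the test chroot before and after installing the new packages; each service file that appears in the output is one whose login path exercises a patched or changed code path.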