~alpine/devel

2 2

PAM 1.4

Rasmus Thomsen <oss@cogitri.dev>
Details
Message ID
<902cce83b8dd4155c8664cdf1ebf1ca6abd99c56.camel@cogitri.dev>
DKIM signature
missing
Download raw message
Hello list,

I recently opened a MR for PAM 1.4: 
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/11862 .
PAM deprecated pam_tally{,2}.so with the 1.4 release and doesn't build
it by default anymore (it was replaced with pam_faillock.so) and also
doesn't build pam_lastlog.so any more on platforms without logwtmp (so
musl). I've patched the .pamd files of linux-pam and GDM to account
that, but PAM files of other packages may still try to use these
modules like so:

auth     required  pam_tally.so onerr=succeed file=/var/log/faillog

Having something like this in a login file will make the login fail. As
such I'd appreciate if you could grep for tally and lastlog in your
/etc/pam.d and comment on the MR if any other packages use these PAM
modules so we can avoid breaking anyone's login with this upgrade.

Thanks,

Rasmus Thomsen
Details
Message ID
<20200829192134.5d1cdf92@enterprise>
In-Reply-To
<902cce83b8dd4155c8664cdf1ebf1ca6abd99c56.camel@cogitri.dev> (view parent)
DKIM signature
missing
Download raw message
On Sun, 30 Aug 2020 00:19:01 +0200
Rasmus Thomsen <oss@cogitri.dev> wrote:

> Hello list,
> 
> I recently opened a MR for PAM 1.4: 
> https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/11862 .
> PAM deprecated pam_tally{,2}.so with the 1.4 release and doesn't build
> it by default anymore (it was replaced with pam_faillock.so) and also
> doesn't build pam_lastlog.so any more on platforms without logwtmp (so
> musl). I've patched the .pamd files of linux-pam and GDM to account
> that, but PAM files of other packages may still try to use these
> modules like so:
> 
> auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
> 
> Having something like this in a login file will make the login fail.
> As such I'd appreciate if you could grep for tally and lastlog in your
> /etc/pam.d and comment on the MR if any other packages use these PAM
> modules so we can avoid breaking anyone's login with this upgrade.
> 
> Thanks,
> 
> Rasmus Thomsen

Hello.

$ rg 'tally|lastlog' /etc/pam.d/ -l 
/etc/pam.d/gdm-smartcard
/etc/pam.d/gdm-fingerprint
/etc/pam.d/system-login

Regards
Leo
Bart Ribbers <bribbers@disroot.org>
Details
Message ID
<6ce788c7-2527-0667-9895-d6273cbd25e8@disroot.org>
In-Reply-To
<902cce83b8dd4155c8664cdf1ebf1ca6abd99c56.camel@cogitri.dev> (view parent)
DKIM signature
missing
Download raw message
On 2020-08-30 00:19, Rasmus Thomsen wrote:
> Hello list,
> 
> I recently opened a MR for PAM 1.4:
> https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/11862 .
> PAM deprecated pam_tally{,2}.so with the 1.4 release and doesn't build
> it by default anymore (it was replaced with pam_faillock.so) and also
> doesn't build pam_lastlog.so any more on platforms without logwtmp (so
> musl). I've patched the .pamd files of linux-pam and GDM to account
> that, but PAM files of other packages may still try to use these
> modules like so:
> 
> auth     required  pam_tally.so onerr=succeed file=/var/log/faillog
> 
> Having something like this in a login file will make the login fail. As
> such I'd appreciate if you could grep for tally and lastlog in your
> /etc/pam.d and comment on the MR if any other packages use these PAM
> modules so we can avoid breaking anyone's login with this upgrade.
> 
> Thanks,
> 
> Rasmus Thomsen
> 

Hey,

On my KDE-based system I have the following:

✔︎ ~ rg 'tally|lastlog' /etc/pam.d/ -l
/etc/pam.d/sddm-autologin
/etc/pam.d/system-login

Best regards,
Bart
Reply to thread Export thread (mbox)