Hello list,
I recently opened a MR for PAM 1.4:
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/11862 .
PAM deprecated pam_tally{,2}.so with the 1.4 release and doesn't build
it by default anymore (it was replaced with pam_faillock.so) and also
doesn't build pam_lastlog.so any more on platforms without logwtmp (so
musl). I've patched the .pamd files of linux-pam and GDM to account
that, but PAM files of other packages may still try to use these
modules like so:
auth required pam_tally.so onerr=succeed file=/var/log/faillog
Having something like this in a login file will make the login fail. As
such I'd appreciate if you could grep for tally and lastlog in your
/etc/pam.d and comment on the MR if any other packages use these PAM
modules so we can avoid breaking anyone's login with this upgrade.
Thanks,
Rasmus Thomsen
On Sun, 30 Aug 2020 00:19:01 +0200
Rasmus Thomsen <oss@cogitri.dev> wrote:
> Hello list,> > I recently opened a MR for PAM 1.4: > https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/11862 .> PAM deprecated pam_tally{,2}.so with the 1.4 release and doesn't build> it by default anymore (it was replaced with pam_faillock.so) and also> doesn't build pam_lastlog.so any more on platforms without logwtmp (so> musl). I've patched the .pamd files of linux-pam and GDM to account> that, but PAM files of other packages may still try to use these> modules like so:> > auth required pam_tally.so onerr=succeed file=/var/log/faillog> > Having something like this in a login file will make the login fail.> As such I'd appreciate if you could grep for tally and lastlog in your> /etc/pam.d and comment on the MR if any other packages use these PAM> modules so we can avoid breaking anyone's login with this upgrade.> > Thanks,> > Rasmus Thomsen
Hello.
$ rg 'tally|lastlog' /etc/pam.d/ -l
/etc/pam.d/gdm-smartcard
/etc/pam.d/gdm-fingerprint
/etc/pam.d/system-login
Regards
Leo
On 2020-08-30 00:19, Rasmus Thomsen wrote:
> Hello list,> > I recently opened a MR for PAM 1.4:> https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/11862 .> PAM deprecated pam_tally{,2}.so with the 1.4 release and doesn't build> it by default anymore (it was replaced with pam_faillock.so) and also> doesn't build pam_lastlog.so any more on platforms without logwtmp (so> musl). I've patched the .pamd files of linux-pam and GDM to account> that, but PAM files of other packages may still try to use these> modules like so:> > auth required pam_tally.so onerr=succeed file=/var/log/faillog> > Having something like this in a login file will make the login fail. As> such I'd appreciate if you could grep for tally and lastlog in your> /etc/pam.d and comment on the MR if any other packages use these PAM> modules so we can avoid breaking anyone's login with this upgrade.> > Thanks,> > Rasmus Thomsen>
Hey,
On my KDE-based system I have the following:
✔︎ ~ rg 'tally|lastlog' /etc/pam.d/ -l
/etc/pam.d/sddm-autologin
/etc/pam.d/system-login
Best regards,
Bart