Package: libpam-modules
Version: 1.4.0-4
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: debian-b...@drachen-server.de
Dear Maintainer,
with libpam-modules 1.4.0 the old and deprecated modules pam_tally and
pam_tally2 were removed from the upstream package. However a lot of
hardening guides and benchmarks recommend using these for enforcing
lockout of users when there are failed password attempts. When upgrading
the package to version >1.4.0 this configurations will break and the
users will no longer be able to login, because pam will fail if modules
are not found.
This leeds to massive problems for anyone using this kind of
configuration. The only solution for not running into problems is to
remove the affected pam modules before upgrading the package. So I think
the most sensible solution would be to block the update in a preinstall
script and offer the user a chance to modify their pam configuration. I
don't think that we should/could autofix that in any other way.
The best fix I came up with, is including a check in the update process.
A Patch is attached.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.13-arch1-1 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_SOFTLOCKUP
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages libpam-modules depends on:
ii debconf [debconf-2.0] 1.5.74
ii libaudit1 1:3.0-2
ii libc6 2.31-9
ii libcrypt1 1:4.4.17-1
ii libdb5.3 5.3.28+dfsg1-0.6
ii libnsl2 1.3.0-2
ii libpam-modules-bin 1.4.0-4
ii libpam0g 1.4.0-4
ii libselinux1 3.1-2+b2
ii libtirpc3 1.3.1-1
libpam-modules recommends no packages.
libpam-modules suggests no packages.
-- Configuration Files:
/etc/security/faillock.conf changed [not included]
-- debconf information:
* libpam-modules/deprecate-tally:
libpam-modules/disable-screensaver:
diff -Naur pam-1.4.0/debian/libpam-modules.preinst
pam-1.4.0_patched/debian/libpam-modules.preinst
--- pam-1.4.0/debian/libpam-modules.preinst 2021-02-11 09:50:27.252360810
+0000
+++ pam-1.4.0_patched/debian/libpam-modules.preinst 2021-02-08
18:19:34.034894746 +0000
@@ -4,6 +4,16 @@
. /usr/share/debconf/confmodule
+if dpkg --compare-versions "$2" lt-nl 1.4.0; then
+ db_version 2.0
+
+ if grep -rq pam_tally /etc/pam.d/ /usr/share/pam/
/usr/share/pam-configs/ >/dev/null; then
+ db_input critical libpam-modules/deprecate-tally || true
+ db_go || true
+ exit 2
+ fi
+fi
+
if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then
db_version 2.0
diff -Naur pam-1.4.0/debian/libpam-modules.templates
pam-1.4.0_patched/debian/libpam-modules.templates
--- pam-1.4.0/debian/libpam-modules.templates 2021-02-11 09:50:35.209027702
+0000
+++ pam-1.4.0_patched/debian/libpam-modules.templates 2021-02-08
18:05:16.304870558 +0000
@@ -7,3 +7,10 @@
authenticate to these programs. You should arrange for these programs
to be restarted or stopped before continuing this upgrade, to avoid
locking your users out of their current sessions.
+
+Template: libpam-modules/deprecate-tally
+Type: error
+_Description: you are using pam_Tally or pam_tally2 in your configuration
+ these two modules have been removed from libpam-modules and you need to
+ remove every refference to these two modules from your configuration
+ before you continue, or you will no longer be able to login to your system
