Control: reassign -1 libpam-ssh
Control: affects -1 src:pam
Control: tags -1 - moreinfo unreproducible

On Thu, Jan 13, 2022 at 10:31:31AM +0100, Vincent-Xavier JUMEL wrote:
> The steps are:

> I've quickly reproduced the bug. You can follow these steps:
> 1. install debian stable in a vm
> 2. install libpam-ssh
> 3. upgrade it to debian sid

Ok, this is also reproducible by directly installing the unstable version of
the libpam-ssh package.  (I had attempted to do this before but missed that
my sources were out of date, so I was installing the stable version.)

/usr/share/pam-config/ssh-pwd declares an 'Additional' module and uses
'success=end'.  This is undefined behavior in pam-auth-update, which only
defines 'success=end' for 'Primary' module configs.

The pam package could potentially improve handling of this undefined
behavior, but in this case it's primarily a bug in libpam-ssh shipping a
broken config.

> On 13 Jan at 10:06, Vincent-Xavier JUMEL wrote:
> > Hello,
> > 
> > I've quickly reproduced the bug. You can follow these steps:
> > 1. install debian stable in a vm
> > 2. upgrade it to debian sid
> > 
> > The mentioned line then appears in the /etc/pam.d/common-auth file
> > 
> > On 13 Jan at 00:18, Steve Langasek wrote:
> > > Control: tags -1 moreinfo unreproducible
> > > 
> > > On Wed, Jan 12, 2022 at 06:28:45PM +0100, Vincent-Xavier JUMEL wrote:
> > > > Package: libpam-runtime
> > > > Version: 1.4.0-11
> > > > Severity: critical
> > > > Justification: breaks the whole system
> > > 
> > > > Dear Maintainer,
> > > > 
> > > >    * Upgrade to the unstable version of libpam-runtime_1.14.0_11_all
> > > >    with 
> > > >    ```
> > > >    auth    [success=0 default=ignore]      pam_ssh.so use_first_pass
> > > >    ```
> > > >    * Login then failed
> > > >    * I've modified "success=0" -> "success=1" to get back the login.
> > > 
> > > So where does this 'success=0' come from?  It doesn't come from
> > > /usr/share/pam-configs/ssh.  Installing libpam-ssh in unstable does not
> > > result in a config containing this line.  I'm not sure 'success=0' is valid,
> > > and if it is, it means 'on success, process the next module' so your bug
> > > report, by slicing your config file to only show the single pam_ssh line,
> > > does not show what happens afterward that actually fails the stack.
> > > 
> > > -- 
> > > Steve Langasek                   Give me a lever long enough and a Free OS
> > > Debian Developer                   to set it on, and I can move the world.
> > > Ubuntu Developer                                   https://www.debian.org/
> > > slanga...@ubuntu.com                                     vor...@debian.org
> > 
> > 
> > 
> > -- 
> > Vincent-Xavier JUMEL Id: 0xBC8C2BAB14ABB3F2 https://blog.thetys-retz.net
> > 
> > Free Society, Free Software http://www.april.org/adherer
> > Parinux, free software in Paris: http://www.parinux.org
> 
> -- 
> Vincent-Xavier JUMEL Id: 0xBC8C2BAB14ABB3F2 https://blog.thetys-retz.net
> 
> Free Society, Free Software http://www.april.org/adherer
> Parinux, free software in Paris: http://www.parinux.org
> 

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
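
Added example (not part of the original message, and not code from pam or libpam-ssh): a small Python check that flags a pam-auth-update profile declaring an 'Additional' block while using an 'end' jump, the combination described above. Both sample profiles are constructed for illustration and are not the contents of any packaged file; the function names are hypothetical.

```python
import re

# Stack types a pam-auth-update profile can declare (Auth-Type:, Auth:, ...).
BLOCKS = ("Auth", "Account", "Password", "Session")

def parse_profile(text):
    """Parse a pam-configs profile into {field: [value lines]}.
    Indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2)] if m.group(2) else []
        elif current and line.strip():
            fields[current].append(line.strip())
    return fields

def find_undefined_end(text):
    """Return (field, module line) pairs where a block typed 'Additional'
    uses an 'end' jump target, which is only defined for 'Primary' blocks."""
    fields = parse_profile(text)
    hits = []
    for block in BLOCKS:
        if " ".join(fields.get(block + "-Type", [])).strip() != "Additional":
            continue
        for name in (block, block + "-Initial"):
            for line in fields.get(name, []):
                ctrl = re.match(r"\[([^\]]*)\]", line)
                if ctrl and re.search(r"\w+=end\b", ctrl.group(1)):
                    hits.append((name, line))
    return hits

# Constructed sample: an Additional block that jumps to 'end'.
ADDITIONAL_WITH_END = (
    "Name: constructed sample profile\nDefault: yes\nPriority: 64\n"
    "Auth-Type: Additional\nAuth:\n"
    "\t[success=end default=ignore]\tpam_ssh.so use_first_pass\n"
)
# Constructed sample: the same control in a Primary block, which is defined.
PRIMARY_WITH_END = ADDITIONAL_WITH_END.replace("Additional", "Primary")

if __name__ == "__main__":
    for field, line in find_undefined_end(ADDITIONAL_WITH_END):
        print(f"{field}: 'end' used in an Additional block: {line}")
```

To audit an installed system, pass the text of each file under /usr/share/pam-configs to find_undefined_end().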
