04-19-2012, 10:39 PM
walt

pambase/shadow warning

On 04/19/2012 02:51 PM, Neil Bothwick wrote:
> On Thu, 19 Apr 2012 13:58:42 -0700, walt wrote:
>
>>> I upgraded to sys-auth/pambase-20120417 and sys-apps/shadow-4.1.5-r1
>>> and found I couldn't login to a new session or use su. Rebooting only
>>> made the problem permanent, I had to SSH in to revert to
>>> sys-auth/pambase-20101024-r2 and sys-apps/shadow-4.1.5.
>>
>> I've never been clear on how ssh authenticates a new login. Why would
>> your ssh login be accepted? Did you ssh in as a user and su to root?
>
> That would have failed on su. It works because I have key authentication
> for SSH. Otherwise I'd have been screwed.

That seems like a (possibly) helpful clue. When you downgraded,
did you do etc-update again, or were you asked to? Did you run
it after the original upgrade?

I see that almost all of /etc/pam.d/* have today's date on them,
the only exceptions being samba, sshd, imap, sudo, polkit-1, and
start-stop-daemon.
 
04-19-2012, 11:41 PM
Neil Bothwick

pambase/shadow warning

On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:

> > That would have failed on su. It works because I have key
> > authentication for SSH. Otherwise I'd have been screwed.
>
> That seems like a (possibly) helpful clue. When you downgraded,
> did you do etc-update again, or were you asked to? Did you run
> it after the original upgrade?

No, no and no.

> I see that almost all of /etc/pam.d/* have today's date on them,
> the only exceptions being samba, sshd, imap, sudo, polkit-1, and
> start-stop-daemon.

Same here, and some of them have moved between the two packages.


--
Neil Bothwick

An unemployed Court Jester is nobody's fool.
 
04-20-2012, 12:12 AM
walt

pambase/shadow warning

On 04/19/2012 04:41 PM, Neil Bothwick wrote:
> On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:
>
>>> That would have failed on su. It works because I have key
>>> authentication for SSH. Otherwise I'd have been screwed.
>>
>> That seems like a (possibly) helpful clue. When you downgraded,
>> did you do etc-update again, or were you asked to? Did you run
>> it after the original upgrade?
>
> No, no and no.

Just to confirm, are you saying that you did *not* run etc-update
after the original upgrade? I remember clearly from this morning
that etc-update asked me to replace some files in /etc/pam.d, and
I said yes to all. (I don't understand pam well enough to disobey
orders
 
04-20-2012, 06:54 AM
Hinnerk van Bruinehsen

pambase/shadow warning

Before etc-update several login-related things didn't work for me (su
not possible for example). After running etc-update everything seems
to work fine for me (e.g. selinux and gnome3).
I must confess that I didn't use sshd on my laptop so I can't say
anything about that.

With kind regards,
Hinnerk

On 20.04.2012 02:12, walt wrote:
> On 04/19/2012 04:41 PM, Neil Bothwick wrote:
>> On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:
>>
>>>> That would have failed on su. It works because I have key
>>>> authentication for SSH. Otherwise I'd have been screwed.
>>>
>>> That seems like a (possibly) helpful clue. When you
>>> downgraded, did you do etc-update again, or were you asked to?
>>> Did you run it after the original upgrade?
>>
>> No, no and no.
>
> Just to confirm, are you saying that you did *not* run etc-update
> after the original upgrade? I remember clearly from this morning
> that etc-update asked me to replace some files in /etc/pam.d, and I
> said yes to all. (I don't understand pam well enough to disobey
> orders
 
04-20-2012, 07:56 AM
Neil Bothwick

pambase/shadow warning

On Thu, 19 Apr 2012 17:12:55 -0700, walt wrote:

> >> That seems like a (possibly) helpful clue. When you downgraded,
> >> did you do etc-update again, or were you asked to? Did you run
> >> it after the original upgrade?
> >
> > No, no and no.
>
> Just to confirm, are you saying that you did *not* run etc-update
> after the original upgrade? I remember clearly from this morning
> that etc-update asked me to replace some files in /etc/pam.d, and
> I said yes to all. (I don't understand pam well enough to disobey
> orders

AFAIR there was no suggestion to run etc-update. I certainly don't
remember replacing any pam files, but I have conf-update set to
automatically replace files that only differ in their comments.

I'll run the update again today, paying more attention, and see what
happens.


--
Neil Bothwick

I'm firm. You're obstinate. He's a pigheaded fool
 
04-20-2012, 12:22 PM
Neil Bothwick

pambase/shadow warning

On Fri, 20 Apr 2012 08:56:48 +0100, Neil Bothwick wrote:

> I'll run the update again today, paying more attention, and see what
> happens.

What happened is it broke again, with no obvious signs of the cause.
conf-update reported only trivial changes to three files.

% su
su: Authentication failure

It didn't even ask for a password. All the syslog contained was

Apr 20 13:17:19 hactar su[27738]: pam_authenticate: Authentication failure
Apr 20 13:17:19 hactar su[27738]: FAILED su for root by nelz
Apr 20 13:17:19 hactar su[27738]: - /dev/pts/3 nelz:root

Which is about as informative as "Doh!".

This was in Konsole, switching to a VC, entering my username (or root)
gave five reports of "Login incorrect" followed by "Maximum number of
tries exceeded". Once again, no password request. Could this be the
problem, that it is trying to authenticate me without, for whatever
reason, asking for a password first?


--
Neil Bothwick

You know the end of the world is near when the Spice Girls start
reproducing.
 
04-20-2012, 12:50 PM
Neil Bothwick

pambase/shadow warning

On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:

> > I'll run the update again today, paying more attention, and see what
> > happens.
>
> What happened is it broke again, with no obvious signs of the cause.
> conf-update reported only trivial changes to three files.

I've just tried it on my netbook and the same happened, but I think I'm
closer to the cause. The three files in /etc/pam.d are login, passwd and
su. After updating, there were ._cfg* versions of these files, but no
originals, so conf-update just deleted them. It turns out these were
owned by shadow but now belong to pambase. I suspect that pambase
installed them as ._cfg versions, because the others already existed,
then shadow removed the originals as they were no longer part of the
package.

Whether this is a bug in portage, the ebuilds or conf-update is open to
debate, but conf-update ought to handle the situation better. I'll file a
bug later if no one beats me to it.


--
Neil Bothwick

Only an idiot actually READS taglines.
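
The failure described in the post above (pending ._cfg* files in /etc/pam.d whose live login, passwd or su file is gone) can be checked for while a root session is still open. This is an added example, not part of the original thread; the function names are hypothetical and the ._cfgNNNN_<name> pattern assumes Portage's usual naming for pending config updates.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Portage's ._cfgNNNN_<name>
# naming for pending config updates; function names are hypothetical.

# Print the live path for every ._cfgNNNN_<name> in directory $1
# that has no <name> next to it, i.e. the live file has been removed.
orphaned_cfg_updates() {
    dir=$1
    for pending in "$dir"/._cfg[0-9][0-9][0-9][0-9]_*; do
        [ -e "$pending" ] || continue   # glob matched nothing
        name=${pending##*/}             # e.g. ._cfg0000_su
        name=${name#._cfg????_}         # e.g. su
        [ -e "$dir/$name" ] || printf '%s\n' "$dir/$name"
    done | sort -u
}

# Return 0 only if each service file named after $1 exists in $1
# and no pending update in $1 is orphaned. Problems go to stderr.
check_pam_dir() {
    dir=$1
    shift
    status=0
    for svc in "$@"; do
        if [ ! -e "$dir/$svc" ]; then
            echo "missing PAM service file: $dir/$svc" >&2
            status=1
        fi
    done
    orphans=$(orphaned_cfg_updates "$dir")
    if [ -n "$orphans" ]; then
        echo "pending update with no live file:" >&2
        echo "$orphans" >&2
        status=1
    fi
    return "$status"
}

# With a directory argument, check the three files named in the post,
# e.g.  sh check_pam.sh /etc/pam.d   (without one, only define functions).
if [ -n "${1:-}" ]; then
    check_pam_dir "$1" login passwd su
fi
```

A non-zero exit means a live file is missing while the current session still works, which is when it can still be restored from the pending copy.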
 
04-20-2012, 04:09 PM
"Walter Dnes"

pambase/shadow warning

On Thu, Apr 19, 2012 at 08:46:34PM +0100, Neil Bothwick wrote
> I upgraded to sys-auth/pambase-20120417 and sys-apps/shadow-4.1.5-r1 and
> found I couldn't login to a new session or use su. Rebooting only made
> the problem permanent, I had to SSH in to revert to
> sys-auth/pambase-20101024-r2 and sys-apps/shadow-4.1.5.
>
> I've not had a chance to find the full cause, but thought I'd post a
> warning to postpone this upgrade until you have time for the traditional
> ~arch dance.

Congratulations on being a beta tester. See Gentoo dev list post
http://www.gossamer-threads.com/lists/gentoo/dev/251987

| # Pawel Hajdan, Jr. (17 Apr 2012)
| # Masked for testing and review.
| >=sys-auth/pambase-20120417
| >=sys-apps/shadow-4.1.5-r1
| >=sys-apps/hardened-shadow-0.9-r1

| Please help testing above packages (feel free to skip hardened-shadow
| if you're not using it, but I'm pretty sure you have shadow and pambase
| on your systems).

| Maintainers, please review any changes. I can fix what you don't like
| in those updates.

--
Walter Dnes <waltdnes@waltdnes.org>
 
04-21-2012, 03:30 PM
Allan Gottlieb

pambase/shadow warning

On Fri, Apr 20 2012, Neil Bothwick wrote:

> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:
>
>> > I'll run the update again today, paying more attention, and see what
>> > happens.
>>
>> What happened is it broke again, with no obvious signs of the cause.
>> conf-update reported only trivial changes to three files.
>
> I've just tried it on my netbook and the same happened, but I think I'm
> closer to the cause. The three files in /etc/pam.d are login, passwd and
> su. After updating, there were ._cfg* versions of these files, but no
> originals, so conf-update just deleted them. It turns out these were
> owned by shadow but now belong to pambase. I suspect that pambase
> installed them as ._cfg versions, because the others already existed,
> then shadow removed the originals as they were no longer part of the
> package.
>
> Whether this is a bug in portage, the ebuilds or conf-update is open to
> debate, but conf-update ought to handle the situation better. I'll file a
> bug later if no one beats me to it.

First, thanks for the warning.

There is a bug filed https://bugs.gentoo.org/show_bug.cgi?id=412721

The comments there say that if you run etc-update right after the
emerge all is well (but this isn't sufficient for people who use
screen, detach, and log out). Someone also mentioned dispatch-conf
working. No one mentioned cfg-update, which I use (and I believe
Neil does as well). Could the problem be dependent on which
configuration file updater one uses?

I have not updated my primary machine. I did update another one (both
machines are ~amd64) including a cfg-update -q, but have not rebooted
it. The secondary can su. This seems to suggest that cfg-update is
sufficient in some cases.

Am I correct in believing the safe procedure is to add

>=sys-auth/pambase-20101024-r2
>=sys-apps/shadow-4.1.5.

to /etc/portage/package.mask (or a file in that directory)?

thanks,
allan
 
04-21-2012, 07:24 PM
Hinnerk van Bruinehsen

pambase/shadow warning

On 21.04.2012 17:30, Allan Gottlieb wrote:
> On Fri, Apr 20 2012, Neil Bothwick wrote:
>
>> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:
>>
>>>> I'll run the update again today, paying more attention, and
>>>> see what happens.
>>>
>>> What happened is it broke again, with no obvious signs of the
>>> cause. conf-update reported only trivial changes to three
>>> files.
>>
>> I've just tried it on my netbook and the same happened, but I
>> think I'm closer to the cause. The three files in /etc/pam.d are
>> login, passwd and su. After updating, there were ._cfg* versions
>> of these files, but no originals, so conf-update just deleted
>> them. It turns out these were owned by shadow but now belong to
>> pambase. I suspect that pambase installed them as ._cfg versions,
>> because the others already existed, then shadow removed the
>> originals as they were no longer part of the package.
>>
>> Whether this is a bug in portage, the ebuilds or conf-update is
>> open to debate, but conf-update ought to handle the situation
>> better. I'll file a bug later if no one beats me to it.
>
> First, thanks for the warning.
>
> There is a bug filed
> https://bugs.gentoo.org/show_bug.cgi?id=412721
>
> The comments there say that if you run etc-update right after the
> emerge all is well (but this isn't sufficient for people who use
> screen, detach, and log out). Someone also mentioned
> dispatch-conf working. No one mentioned cfg-update, which I use
> (and I believe Neil does as well). Could the problem be dependent
> on which configuration file updater one uses?
>
> I have not updated my primary machine. I did update another one
> (both machines are ~amd64) including a cfg-update -q, but have not
> rebooted it. The secondary can su. This seems to suggest that
> cfg-update is sufficient in some cases.
>
> Am I correct in believing the safe procedure is to add
>
> >=sys-auth/pambase-20101024-r2
> >=sys-apps/shadow-4.1.5.
>
> to /etc/portage/package.mask (or a file in that directory)?
>
> thanks, allan
>

Hi,

I actually used cfg-update -u on 3 different machines up to now.
So cfg-update can't be at the core of that problem.
Maybe it's some kind of race-condition or the bug depends on other
things too (e.g.: I'm using gnome and gdm also puts some files to
/etc/pam.d which maybe mitigate the issue somehow) - pure speculation,
though.

The syntax for the masking seems to be correct (since shadow-4.1.5-r2
already has hit the tree maybe the problem is solved. Otherwise you
would most likely like to mask -r1 and -r2 also).

WKR
Hinnerk
 
