On 04/19/2012 02:51 PM, Neil Bothwick wrote:
> On Thu, 19 Apr 2012 13:58:42 -0700, walt wrote:
>
>>> I upgraded to sys-auth/pambase-20120417 and sys-apps/shadow-4.1.5-r1
>>> and found I couldn't login to a new session or use su. Rebooting only
>>> made the problem permanent, I had to SSH in to revert to
>>> sys-auth/pambase-20101024-r2 and sys-apps/shadow-4.1.5.
>>
>> I've never been clear on how ssh authenticates a new login. Why would
>> your ssh login be accepted? Did you ssh in as a user and su to root?
>
> That would have failed on su. It works because I have key authentication
> for SSH. Otherwise I'd have been screwed.
That seems like a (possibly) helpful clue. When you downgraded,
did you do etc-update again, or were you asked to? Did you run
it after the original upgrade?
I see that almost all of /etc/pam.d/* have today's date on them,
the only exceptions being samba, sshd, imap, sudo, polkit-1, and
start-stop-daemon.
04-19-2012, 11:41 PM
Neil Bothwick
pambase/shadow warning
On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:
> > That would have failed on su. It works because I have key
> > authentication for SSH. Otherwise I'd have been screwed.
>
> That seems like a (possibly) helpful clue. When you downgraded,
> did you do etc-update again, or were you asked to? Did you run
> it after the original upgrade?
No, no and no.
> I see that almost all of /etc/pam.d/* have today's date on them,
> the only exceptions being samba, sshd, imap, sudo, polkit-1, and
> start-stop-daemon.
Same here, and some of them have moved between the two packages.
--
Neil Bothwick
An unemployed Court Jester is nobody's fool.
04-20-2012, 12:12 AM
walt
pambase/shadow warning
On 04/19/2012 04:41 PM, Neil Bothwick wrote:
> On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:
>
>>> That would have failed on su. It works because I have key
>>> authentication for SSH. Otherwise I'd have been screwed.
>>
>> That seems like a (possibly) helpful clue. When you downgraded,
>> did you do etc-update again, or were you asked to? Did you run
>> it after the original upgrade?
>
> No, no and no.
Just to confirm, are you saying that you did *not* run etc-update
after the original upgrade? I remember clearly from this morning
that etc-update asked me to replace some files in /etc/pam.d, and
I said yes to all. (I don't understand pam well enough to disobey
orders
04-20-2012, 06:54 AM
Hinnerk van Bruinehsen
pambase/shadow warning
Before etc-update several login-related things didn't work for me (su
not possible for example). After running etc-update everything seems
to work fine for me (e.g. selinux and gnome3).
I must confess that I didn't use sshd on my laptop so I can't say
anything about that.
With kind regards,
Hinnerk
On 20.04.2012 02:12, walt wrote:
> On 04/19/2012 04:41 PM, Neil Bothwick wrote:
>> On Thu, 19 Apr 2012 15:39:25 -0700, walt wrote:
>>
>>>> That would have failed on su. It works because I have key
>>>> authentication for SSH. Otherwise I'd have been screwed.
>>>
>>> That seems like a (possibly) helpful clue. When you
>>> downgraded, did you do etc-update again, or were you asked to?
>>> Did you run it after the original upgrade?
>>
>> No, no and no.
>
> Just to confirm, are you saying that you did *not* run etc-update
> after the original upgrade? I remember clearly from this morning
> that etc-update asked me to replace some files in /etc/pam.d, and I
> said yes to all. (I don't understand pam well enough to disobey
> orders
>
>
>
>
> >> That seems like a (possibly) helpful clue. When you downgraded,
> >> did you do etc-update again, or were you asked to? Did you run
> >> it after the original upgrade?
> >
> > No, no and no.
>
> Just to confirm, are you saying that you did *not* run etc-update
> after the original upgrade? I remember clearly from this morning
> that etc-update asked me to replace some files in /etc/pam.d, and
> I said yes to all. (I don't understand pam well enough to disobey
> orders
AFAIR there was no suggestion to run etc-update. I certainly don't
remember replacing any pam files, but I have conf-update set to
automatically replace files that only differ in their comments.
I'll run the update again today, paying more attention, and see what
happens.
--
Neil Bothwick
I'm firm. You're obstinate. He's a pigheaded fool
04-20-2012, 12:22 PM
Neil Bothwick
pambase/shadow warning
On Fri, 20 Apr 2012 08:56:48 +0100, Neil Bothwick wrote:
> I'll run the update again today, paying more attention, and see what
> happens.
What happened is it broke again, with no obvious signs of the cause.
conf-update reported only trivial changes to three files.
% su
su: Authentication failure
It didn't even ask for a password. All the syslog contained was
Apr 20 13:17:19 hactar su[27738]: pam_authenticate: Authentication failure
Apr 20 13:17:19 hactar su[27738]: FAILED su for root by nelz
Apr 20 13:17:19 hactar su[27738]: - /dev/pts/3 nelz:root
Which is about as informative as "Doh!".
This was in Konsole, switching to a VC, entering my username (or root)
gave five reports of "Login incorrect" followed by "Maximum number of
tries exceeded". Once again, no password request. Could this be the
problem, that it is trying to authenticate me without, for whatever
reason, asking for a password first?
--
Neil Bothwick
You know the end of the world is near when the Spice Girls start
reproducing.
04-20-2012, 12:50 PM
Neil Bothwick
pambase/shadow warning
On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:
> > I'll run the update again today, paying more attention, and see what
> > happens.
>
> What happened is it broke again, with no obvious signs of the cause.
> conf-update reported only trivial changes to three files.
I've just tried it on my netbook and the same happened, but I think I'm
closer to the cause. The three files in /etc/pam.d are login, passwd and
su. After updating, there were ._cfg* versions of these files, but no
originals, so conf-update just deleted them. It turns out these were
owned by shadow but now belong to pambase. I suspect that pambase
installed them as ._cfg versions, because the others already existed,
then shadow removed the originals as they were no longer part of the
package.
Whether this is a bug in portage, the ebuilds or conf-update is open to
debate, but conf-update ought to handle the situation better. I'll file a
bug later if no one beats me to it.
--
Neil Bothwick
Only an idiot actually READS taglines.
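A check for the state described in the post above (pending ._cfg* updates in /etc/pam.d whose live file is gone), added here as an example and not part of the thread or of any Gentoo tool. It assumes Portage's ._cfgNNNN_<name> naming for pending updates; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: Portage names a pending
# config update ._cfgNNNN_<name> (four digits) beside the live file <name>.

# Print the <name> of every pending update in DIR that has no live file.
# This is the state described above: the update exists, the original is gone.
orphaned_cfg() {
    dir=$1
    for pending in "$dir"/._cfg[0-9][0-9][0-9][0-9]_*; do
        [ -e "$pending" ] || continue       # glob matched nothing
        name=${pending##*/._cfg????_}       # drop directory and ._cfgNNNN_ prefix
        [ -e "$dir/$name" ] || printf '%s\n' "$name"
    done | sort -u
}

# Print each of the three services named in the post that has no live file.
missing_services() {
    dir=$1
    for svc in login passwd su; do
        [ -f "$dir/$svc" ] || printf '%s\n' "$svc"
    done
}

# Return 0 only if DIR (default /etc/pam.d) shows neither problem.
check_pam_dir() {
    dir=${1:-/etc/pam.d}
    orphans=$(orphaned_cfg "$dir")
    missing=$(missing_services "$dir")
    for f in $orphans; do
        echo "pending update with no live file: $dir/$f" >&2
    done
    for f in $missing; do
        echo "missing PAM service file: $dir/$f" >&2
    done
    [ -z "$orphans$missing" ]
}
```

Source the file and run check_pam_dir from the still-open root shell after the emerge and again after the config updater has run; a non-zero status means a new login or su may fail.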
04-20-2012, 04:09 PM
"Walter Dnes"
pambase/shadow warning
On Thu, Apr 19, 2012 at 08:46:34PM +0100, Neil Bothwick wrote
> I upgraded to sys-auth/pambase-20120417 and sys-apps/shadow-4.1.5-r1 and
> found I couldn't login to a new session or use su. Rebooting only made
> the problem permanent, I had to SSH in to revert to
> sys-auth/pambase-20101024-r2 and sys-apps/shadow-4.1.5.
>
> I've not had a chance to find the full cause, but thought I'd post a
> warning to postpone this upgrade until you have time for the traditional
> ~arch dance.
Congratulations on being a beta tester. See Gentoo dev list post
http://www.gossamer-threads.com/lists/gentoo/dev/251987
| # Pawel Hajdan, Jr. (17 Apr 2012)
| # Masked for testing and review.
| >=sys-auth/pambase-20120417
| >=sys-apps/shadow-4.1.5-r1
| >=sys-apps/hardened-shadow-0.9-r1
| Please help testing above packages (feel free to skip hardened-shadow
| if you're not using it, but I'm pretty sure you have shadow and pambase
| on your systems).
| Maintainers, please review any changes. I can fix what you don't like
| in those updates.
--
Walter Dnes <waltdnes@waltdnes.org>
04-21-2012, 03:30 PM
Allan Gottlieb
pambase/shadow warning
On Fri, Apr 20 2012, Neil Bothwick wrote:
> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:
>
>> > I'll run the update again today, paying more attention, and see what
>> > happens.
>>
>> What happened is it broke again, with no obvious signs of the cause.
>> conf-update reported only trivial changes to three files.
>
> I've just tried it on my netbook and the same happened, but I think I'm
> closer to the cause. The three files in /etc/pam.d are login, passwd and
> su. After updating, there were ._cfg* versions of these files, but no
> originals, so conf-update just deleted them. It turns out these were
> owned by shadow but now belong to pambase. I suspect that pambase
> installed them as ._cfg versions, because the others already existed,
> then shadow removed the originals as they were no longer part of the
> package.
>
> Whether this is a bug in portage, the ebuilds or conf-update is open to
> debate, but conf-update ought to handle the situation better. I'll file a
> bug later if no one beats me to it.
First, thanks for the warning.
There is a bug filed https://bugs.gentoo.org/show_bug.cgi?id=412721
The comments there say that if you run etc-update right after the
emerge all is well (but this isn't sufficient for people who use
screen, detach, and log out). Someone also mentioned dispatch-conf
working. No one mentioned cfg-update, which I use (and I believe
Neil does as well). Could the problem be dependent on which
configuration file updater one uses?
I have not updated my primary machine. I did update another one (both
machines are ~amd64) including a cfg-update -q, but have not rebooted
it. The secondary can su. This seems to suggest that cfg-update is
sufficient in some cases.
Am I correct in believing the safe procedure is to add
to /etc/portage/package.mask (or a file in that directory)?
thanks,
allan
04-21-2012, 07:24 PM
Hinnerk van Bruinehsen
pambase/shadow warning
On 21.04.2012 17:30, Allan Gottlieb wrote:
> On Fri, Apr 20 2012, Neil Bothwick wrote:
>
>> On Fri, 20 Apr 2012 13:22:20 +0100, Neil Bothwick wrote:
>>
>>>> I'll run the update again today, paying more attention, and
>>>> see what happens.
>>>
>>> What happened is it broke again, with no obvious signs of the
>>> cause. conf-update reported only trivial changes to three
>>> files.
>>
>> I've just tried it on my netbook and the same happened, but I
>> think I'm closer to the cause. The three files in /etc/pam.d are
>> login, passwd and su. After updating, there were ._cfg* versions
>> of these files, but no originals, so conf-update just deleted
>> them. It turns out these were owned by shadow but now belong to
>> pambase. I suspect that pambase installed them as ._cfg versions,
>> because the others already existed, then shadow removed the
>> originals as they were no longer part of the package.
>>
>> Whether this is a bug in portage, the ebuilds or conf-update is
>> open to debate, but conf-update ought to handle the situation
>> better. I'll file a bug later if no one beats me to it.
>
> First, thanks for the warning.
>
> There is a bug filed
> https://bugs.gentoo.org/show_bug.cgi?id=412721
>
> The comments there say that if you run etc-update right after the
> emerge all is well (but this isn't sufficient for people who use
> screen, detach, and log out). Someone also mentioned
> dispatch-conf working. No one mentioned cfg-update, which I use
> (and I believe Neil does as well). Could the problem be dependent
> on which configuration file updater one uses?
>
> I have not updated my primary machine. I did update another one
> (both machines are ~amd64) including a cfg-update -q, but have not
> rebooted it. The secondary can su. This seems to suggest that
> cfg-update is sufficient in some cases.
>
> Am I correct in believing the safe procedure is to add
>
>> =sys-auth/pambase-20101024-r2 =sys-apps/shadow-4.1.5.
>
> to /etc/portage/package.mask (or a file in that directory)?
>
> thanks, allan
>
Hi,
I actually used cfg-update -u on 3 different machines up to now.
So cfg-update can't be at the core of that problem.
Maybe it's some kind of race-condition or the bug depends on other
things too (e.g.: I'm using gnome and gdm also puts some files to
/etc/pam.d which maybe mitigate the issue somehow) - pure speculation,
though.
The syntax for the masking seems to be correct (since shadow-4.1.5-r2
already has hit the tree maybe the problem is solved. Otherwise you
would most likely like to mask -r1 and -r2 also).
WKR
Hinnerk