[PLUG] login weirdness

Russell Senior russell at personaltelco.net
Tue Mar 10 02:49:37 UTC 2009 

>>>>> "Russell" == Russell Senior <russell at personaltelco.net> writes:

>>>>> "Michael" == Michael Rasmussen <michael at jamhome.us> writes:
Michael> On Sun, Mar 08, 2009 at 06:19:35PM -0700, Bill Barry wrote:

Bill> I had this exact same thing occur to me yesterday.  I first
Bill> noticed it when su took me directly to root.  Having seen this
Bill> thread, I went though the backups for the last few days and
Bill> noticed that several files in /etc/pam.d had been updated during
Bill> a normal debian upgrade. The files were etc/pam.d/common-account
Bill> etc/pam.d/common-auth etc/pam.d/common-password
Bill> etc/pam.d/common-session

Bill> I restored these files from the backup and the problem
Bill> disappeared. As far as I can tell this was not caused by any
Bill> malice, but was caused by a packaging problem.

Michael> packaging problem or compromised package?  Coming from the
Michael> package does not rule out malice.

Here are the diffs between the broken version (in /tmp) and what I got
after I reinstalled:

--- /tmp/common-account 2009-03-09 19:41:21.000000000 -0700
+++ common-account      2009-03-06 03:39:39.000000000 -0800
@@ -14,7 +14,7 @@
 #
 
 # here are the per-package modules (the "Primary" block)
-account        [default=1]                     pam_permit.so
+account        [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
 # here's the fallback if no module succeeds
 account        requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
--- /tmp/common-auth    2009-03-09 19:41:21.000000000 -0700
+++ common-auth 2009-03-06 03:39:39.000000000 -0800
@@ -14,7 +14,7 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-auth   [default=1]                     pam_permit.so
+auth   [success=1 default=ignore]      pam_unix.so nullok_secure
 # here's the fallback if no module succeeds
 auth   requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
--- /tmp/common-password        2009-03-09 19:41:21.000000000 -0700
+++ common-password     2009-03-06 03:39:39.000000000 -0800
@@ -22,7 +22,7 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-password       [default=1]                     pam_permit.so
+password       [success=1 default=ignore]      pam_unix.so obscure md5
 # here's the fallback if no module succeeds
 password       requisite                       pam_deny.so
 # prime the stack with a positive return value if there isn't one already;
--- /tmp/common-session 2009-03-09 19:41:21.000000000 -0700
+++ common-session      2009-03-06 03:39:39.000000000 -0800
@@ -21,4 +21,5 @@
 # since the modules above will each just jump around
 session        required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
+session        required        pam_unix.so 
 # end of pam-auth-update config



-- 
Russell Senior, Secretary
russell at personaltelco.net

More information about the PLUG mailing list