[PLUG] login weirdness
Russell Senior
russell at personaltelco.net
Tue Mar 10 02:49:37 UTC 2009
>>>>> "Russell" == Russell Senior <russell at personaltelco.net> writes:
>>>>> "Michael" == Michael Rasmussen <michael at jamhome.us> writes:
Michael> On Sun, Mar 08, 2009 at 06:19:35PM -0700, Bill Barry wrote:
Bill> I had this exact same thing occur to me yesterday. I first
Bill> noticed it when su took me directly to root. Having seen this
Bill> thread, I went though the backups for the last few days and
Bill> noticed that several files in /etc/pam.d had been updated during
Bill> a normal debian upgrade. The files were etc/pam.d/common-account
Bill> etc/pam.d/common-auth etc/pam.d/common-password
Bill> etc/pam.d/common-session
Bill> I restored these files from the backup and the problem
Bill> disappeared. As far as I can tell this was not caused by any
Bill> malice, but was caused by a packaging problem.
Michael> packaging problem or compromised package? Coming from the
Michael> package does not rule out malice.
Here are the diffs between the broken version (in /tmp) and what I got
after I reinstalled:
--- /tmp/common-account 2009-03-09 19:41:21.000000000 -0700
+++ common-account 2009-03-06 03:39:39.000000000 -0800
@@ -14,7 +14,7 @@
#
# here are the per-package modules (the "Primary" block)
-account [default=1] pam_permit.so
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
--- /tmp/common-auth 2009-03-09 19:41:21.000000000 -0700
+++ common-auth 2009-03-06 03:39:39.000000000 -0800
@@ -14,7 +14,7 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth [default=1] pam_permit.so
+auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
--- /tmp/common-password 2009-03-09 19:41:21.000000000 -0700
+++ common-password 2009-03-06 03:39:39.000000000 -0800
@@ -22,7 +22,7 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-password [default=1] pam_permit.so
+password [success=1 default=ignore] pam_unix.so obscure md5
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
--- /tmp/common-session 2009-03-09 19:41:21.000000000 -0700
+++ common-session 2009-03-06 03:39:39.000000000 -0800
@@ -21,4 +21,5 @@
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
# end of pam-auth-update config
--
Russell Senior, Secretary
russell at personaltelco.net
More information about the PLUG
mailing list