[Bug 1081947] New: PAM module pam_keyinit is still not included in the PAM stack
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947

Bug ID: 1081947
Summary: PAM module pam_keyinit is still not included in the PAM stack
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: fbui@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Bug #1045886 revealed the lack of integration of the PAM module "pam_keyinit".

The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring. The created session keyring will be linked to the user keyring.

Even if it currently works without the integration of "pam_keyinit" (in this case the user session keyring is used as fallback), it's strongly recommended to use a session keyring instead, especially for the root user, see man user-session-keyring(7).

That would also have the benefit of re-enabling the keyring support in systemd, where each system service gets its own session keyring automatically, not linked with the user keyring (the root one).

pam-config gained support for the configuration of pam_keyinit recently [1] but it's still not used and therefore pam_keyinit is still not integrated in the PAM stack.

[1] https://build.opensuse.org/request/show/565816

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c1

Franck Bui <fbui@suse.com> changed:
  Assignee: bnc-team-screening@forge.provo.novell.com -> josef.moellers@suse.com

--- Comment #1 from Franck Bui <fbui@suse.com> ---
Josef, as PAM maintainer, I'm assigning this bug to you. Feel free to reassign if this appears to be a wrong choice.

Thanks.
Franck Bui <fbui@suse.com> changed:
  See Also: (none) -> http://bugzilla.opensuse.org/show_bug.cgi?id=1045886
Josef Möllers <josef.moellers@suse.com> changed:
  Status: NEW -> IN_PROGRESS
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c2

--- Comment #2 from Josef Möllers <josef.moellers@suse.com> ---
I can't reproduce:
1) when building the current version of pam (1.3.0-0), pam_keyinit.so is there: /lib64/security/pam_keyinit.so
2) when I install pam (1.1.8-14.1) on a Tumbleweed machine, it's there: /lib64/security/pam_keyinit.so

Which package version are you using? Can you attach a supportconfig of the system?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c3

--- Comment #3 from Franck Bui <fbui@suse.com> ---
It's not about pam_keyinit not being built; the problem is that the module is not integrated in the stack:

$ grep -r pam_keyinit /etc/pam.d
<nothing>

Thanks.
Franck Bui <fbui@suse.com> changed:
  Summary: "PAM module pam_keyinit is still not included in the PAM stack" -> "PAM module pam_keyinit is still not integrated in the SUSE PAM stack"
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c4

Josef Möllers <josef.moellers@suse.com> changed:
  Assignee: josef.moellers@suse.com -> kukuk@suse.com

--- Comment #4 from Josef Möllers <josef.moellers@suse.com> ---
Thorsten, can you please look at this?

Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c6

--- Comment #6 from Josef Möllers <josef.moellers@suse.com> ---
Re comment #3: Why should it be in the stack? It needs to be added explicitly by calling pam-config with appropriate parameters (e.g. "pam-config --service vnc -a --keyinit").

The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files!

The infrastructure is there, it just needs to be used.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c7

--- Comment #7 from Franck Bui <fbui@suse.com> ---
(In reply to Josef Möllers from comment #6)
> Re comment #3: Why should it be in the stack?

Where else would you want it to be? The kernel keyring stuff is a general infra provided by the kernel which needs special care during session creation so that all applications can rely on it if needed.

> The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files!

What made you think so?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c8

--- Comment #8 from Josef Möllers <josef.moellers@suse.com> ---
(In reply to Franck Bui from comment #7)
> (In reply to Josef Möllers from comment #6)
> > Re comment #3: Why should it be in the stack?
>
> Where else would you want it to be?

But how should it end up there? AFAIK the only way is to explicitly call pam-config!

> The kernel keyring stuff is a general infra provided by the kernel which needs special care during session creation so that all applications can rely on it if needed.
>
> > The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files!
>
> What made you think so?

The quote from "man pam_keyinit":
"This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this."

An idea in the discussion had been to write some rpmlint script which would force the maintainers to include pam_keyinit into their pam config files. But I can only guess how one would do that.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c9

--- Comment #9 from Franck Bui <fbui@suse.com> ---
(In reply to Josef Möllers from comment #8)
> (In reply to Franck Bui from comment #7)
> > (In reply to Josef Möllers from comment #6)
> > > Re comment #3: Why should it be in the stack?
> >
> > Where else would you want it to be?
>
> But how should it end up there? AFAIK the only way is to explicitly call pam-config!

Not for basic/core modules. AFAICS by default /etc/pam.d/common-session contains:

session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so
session optional pam_systemd.so

IIUC none of these modules rely on an external package to set them up. And I just realized that even pam_systemd is part of this "core" list... I didn't know that and I guess the use of "pam-config" in systemd.spec becomes useless...

Perhaps you should have a look at how other distros did it?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c10

--- Comment #10 from Josef Möllers <josef.moellers@suse.com> ---
(In reply to Franck Bui from comment #9)
> Perhaps you should have a look at how other distros did it?

BTDT! Other distributions have two sets of common-* and module-specific files: one set *with* "force" and one set *without* "force", and the commands need to load the appropriate module-specific file: i.e. if run with "-i", "sudo" must load "/etc/pam.d/sudo-i" which includes "common-session-force", and if run without "-i" it must load "/etc/pam.d/sudo" which includes "common-session". Then "pam" would ship with both sets of common-* files.

This requires a number of packages to be modified: gdm, util-linux, xorg-x11-server, sudo, openssh, to name but a few.

I have found no way to automagically detect the requirement of "force".
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c11

Josef Möllers <josef.moellers@suse.com> changed:
  Assignee: josef.moellers@suse.com -> sbrabec@suse.com

--- Comment #11 from Josef Möllers <josef.moellers@suse.com> ---
Hi Stanislav,

Can you please include pam_keyinit.so in the pam.d config files? It should be inserted at the top of
* su-l WITH "force" (i.e. "session optional pam_keyinit.so force revoke")
* runuser WITHOUT "force" (i.e. "session optional pam_keyinit.so revoke")
* runuser-l WITH "force" (i.e. "session optional pam_keyinit.so force revoke")

NB "su" doesn't need it.

When you're finished, please re-assign back to me so I can trigger others.

Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c12

Josef Möllers <josef.moellers@suse.com> changed:
  CC: (none) -> josef.moellers@suse.com, sbrabec@suse.com
  Flags: (none) -> needinfo?(sbrabec@suse.com)

--- Comment #12 from Josef Möllers <josef.moellers@suse.com> ---
Ping Stanislav
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c13

--- Comment #13 from Stanislav Brabec <sbrabec@suse.com> ---
Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?

And an additional question:
pam files are %config(noreplace). The default behavior of rpm: If the file is not changed, use the new copy. If the file was changed, save the new copy as foo.rpmnew and keep the old instance active.
If you want to force the line into user-customized pam files, you would need special %post hacks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c14

--- Comment #14 from Josef Möllers <josef.moellers@suse.com> ---
(In reply to Stanislav Brabec from comment #13)
> Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?

Yes. Although the request is for TW, it should be included in all future versions of SLE.

> And an additional question:
> pam files are %config(noreplace). The default behavior of rpm: If the file is not changed, use the new copy. If the file was changed, save the new copy as foo.rpmnew and keep the old instance active.
> If you want to force the line into user-customized pam files, you would need special %post hacks.

I don't think that would be necessary.

Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c15

--- Comment #15 from Stanislav Brabec <sbrabec@suse.com> ---
Josef Möllers, comment 14:
> (In reply to Stanislav Brabec from comment #13)
> > Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?
>
> Yes. Although the request is for TW, it should be included in all future versions of SLE.

Does this include a change of SLE 15 GA? If yes, I will submit it there. If not, please open/clone this bug for SLE 15 SP1 (it is not yet clear whether SLE 15 SP1 will inherit util-linux from GA or Tumbleweed).
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c16

--- Comment #16 from Josef Möllers <josef.moellers@suse.com> ---
(In reply to Stanislav Brabec from comment #15)
> Josef Möllers, comment 14:
> > (In reply to Stanislav Brabec from comment #13)
> > > Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?
> >
> > Yes. Although the request is for TW, it should be included in all future versions of SLE.
>
> Does this include a change of SLE 15 GA? If yes, I will submit it there. If not, please open/clone this bug for SLE 15 SP1 (it is not yet clear whether SLE 15 SP1 will inherit util-linux from GA or Tumbleweed).

Yes, please submit to SLE 15!

Josef
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c17

Stanislav Brabec <sbrabec@suse.com> changed:
  Assignee: sbrabec@suse.com -> josef.moellers@suse.com
  Flags: needinfo?(sbrabec@suse.com) -> (none)

--- Comment #17 from Stanislav Brabec <sbrabec@suse.com> ---
Please review: https://build.opensuse.org/request/show/596006

The relevant change only: https://build.opensuse.org/package/rdiff/home:sbrabec:branches:util-linux-b1081947/util-linux?linkrev=base&rev=3
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c19

--- Comment #19 from Josef Möllers <josef.moellers@suse.com> ---
(In reply to Stanislav Brabec from comment #17)
> Please review: https://build.opensuse.org/request/show/596006
>
> The relevant change only: https://build.opensuse.org/package/rdiff/home:sbrabec:branches:util-linux-b1081947/util-linux?linkrev=base&rev=3

Looks fine to me. One little issue: you refer to su.pamd in the changes file but haven't actually changed it (which is OK).
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c20

Josef Möllers <josef.moellers@suse.com> changed:
  CC: (none) -> kstreitova@suse.com
  Assignee: josef.moellers@suse.com -> kstreitova@suse.com
  Flags: (none) -> needinfo?(kstreitova@suse.com)

--- Comment #20 from Josef Möllers <josef.moellers@suse.com> ---
Hello Kristyna,

As you can see from comments 11 and following, pam_keyinit.so must be added to the sudo configuration:
* in the "sudo -l" case, "force" must be specified
* in the "sudo" case, no "force" must be specified.

My understanding is that
1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force revoke"
2) plugins/sudoers/defaults.c must be changed so as to use that file for def_pam_login_service.

Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO and assign back to me.

Any questions -> welcome!

Thank you!
Josef
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c22

Kristyna Streitova <kstreitova@suse.com> changed:
  Flags: needinfo?(kstreitova@suse.com) -> (none)

--- Comment #22 from Kristyna Streitova <kstreitova@suse.com> ---
(In reply to Josef Möllers from comment #20)
> Hello Kristyna,
>
> As you can see from comments 11 and following, pam_keyinit.so must be added to the sudo configuration:
> * in the "sudo -l" case, "force" must be specified
> * in the "sudo" case, no "force" must be specified.

You probably mean "sudo -i".

> My understanding is that
> 1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force revoke"

Yes, and the line "session optional pam_keyinit.so revoke" should be added to the original "/etc/pam.d/sudo" file.

> 2) plugins/sudoers/defaults.c must be changed so as to use that file for def_pam_login_service.

It seems that this is not needed. Upstream added support for a sudo-i pam.d file [1] a while ago. So we just need to build it with the "--with-pam-login" option.

> Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO and assign back to me.

Please review my OBS request. If it's ok then I will send it also to SLE15.

OBS request: https://build.opensuse.org/request/show/597150
The relevant change only: https://build.opensuse.org/package/rdiff/home:kstreitova:branches:Base:System/sudo?linkrev=base&rev=3

Thanks!

[1] https://www.sudo.ws/repos/sudo/rev/06d34f16520b
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c23

--- Comment #23 from Josef Möllers <josef.moellers@suse.com> ---
The changes are OK. Thanks and please assign back to me.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c24

Kristyna Streitova <kstreitova@suse.com> changed:
  Assignee: kstreitova@suse.com -> josef.moellers@suse.com

--- Comment #24 from Kristyna Streitova <kstreitova@suse.com> ---
(In reply to Josef Möllers from comment #23)
> The changes are OK. Thanks and please assign back to me.

Ok, submitted for sudo in:

| Codestream       | Request |
|------------------|---------|
| openSUSE:Factory | #597343 |
| SUSE:SLE-15:GA   | #162078 |

I'm assigning it back to you.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c25

Josef Möllers <josef.moellers@suse.com> changed:
  CC: (none) -> pcerny@suse.com
  Assignee: josef.moellers@suse.com -> pcerny@suse.com
  Flags: (none) -> needinfo?(pcerny@suse.com)

--- Comment #25 from Josef Möllers <josef.moellers@suse.com> ---
Hello Petr,

you're next in line ;-)

Can you please add pam_keyinit.so to the sshd PAM config file? Just add the line

session optional pam_keyinit.so force revoke

Please re-assign back to me when you're done.

Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c27

--- Comment #27 from Josef Möllers <josef.moellers@suse.com> ---
Petr, if you finish this next week (23rd to 27th), can you please assign the bug to Dominique Leuenberger <dimstar@opensuse.org> for appropriate changes to gdm? I will be out-of-office during the week with no access to company emails.

Thanks
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c28

--- Comment #28 from Josef Möllers <josef.moellers@suse.com> ---
Ping Petr Cerny.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c29

Josef Möllers <josef.moellers@suse.com> changed:
  Assignee: pcerny@suse.com -> dimstar@opensuse.org
  Flags: needinfo?(pcerny@suse.com) -> (none)

--- Comment #29 from Josef Möllers <josef.moellers@suse.com> ---
Hello Dominique,

As Petr does not respond, can you please make appropriate changes to gdm and re-assign back to me (or to Petr)?

Thanks,
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c30

--- Comment #30 from Josef Möllers <josef.moellers@suse.com> ---
Ping Dominique.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c31

Josef Möllers <josef.moellers@suse.com> changed:
  CC: (none) -> dimstar@opensuse.org
  Flags: (none) -> needinfo?(dimstar@opensuse.org)

--- Comment #31 from Josef Möllers <josef.moellers@suse.com> ---
Pingping Dominique!
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c32

Dominique Leuenberger <dimstar@opensuse.org> changed:
  Flags: needinfo?(dimstar@opensuse.org) -> (none)

--- Comment #32 from Dominique Leuenberger <dimstar@opensuse.org> ---
(In reply to Josef Möllers from comment #31)
> Pingping Dominique!

Pfft - what a long bug - Just a hint for next time you have some multi-package touching stuff: make a meta-bug and children bugs relevant to each of the packages you want changed; also helps you get things done in parallel.

As for gdm: There are currently four (well, 3, one is a link) pam files installed:

-rw-r--r-- 1 root root 293 Jul  3 17:57 gdm
-rw-r--r-- 1 root root 363 Jul  3 17:57 gdm-autologin
-rw-r--r-- 1 root root 223 Jul  3 17:57 gdm-launch-environment
lrwxrwxrwx 1 root root   3 Jul  3 17:57 gdm-password -> gdm

I assume you want/need "session optional pam_keyinit.so force revoke" in gdm/gdm-autologin and gdm-password, and without force in gdm-launch-environment? Or force not needed in any of them?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c33

--- Comment #33 from Dominique Leuenberger <dimstar@opensuse.org> ---
for reference: on Fedora, all seem to be using 'force' - so I'll do the same for Tumbleweed
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c34

--- Comment #34 from Josef Möllers <josef.moellers@suse.com> ---
(In reply to Dominique Leuenberger from comment #33)
> for reference: on Fedora, all seem to be using 'force' - so I'll do the same for Tumbleweed

Likewise Ubuntu, I was just about to write that ;-)

OK, thanks.

And ... as to the "meta-bug" and "children": Never been there, never done that, but I'll keep that in mind.

Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c35

Dominique Leuenberger <dimstar@opensuse.org> changed:
  Assignee: dimstar@opensuse.org -> josef.moellers@suse.com

--- Comment #35 from Dominique Leuenberger <dimstar@opensuse.org> ---
Submitted fix to the devel project:

625409  State:review By:dimstar When:2018-07-26T11:53:03
        submit: home:dimstar:branches:GNOME:Factory/gdm@2 -> GNOME:Factory
        Review by User is new: gnome-review-bot
        Review by Group is new: gnome-maintainers
        Descr: - Enable pam_keyinit module (boo#1081947).

=> Back to Josef for tracking purposes
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c36

Josef Möllers <josef.moellers@suse.com> changed:
  Assignee: josef.moellers@suse.com -> pcerny@suse.com
  Flags: (none) -> needinfo?(pcerny@suse.com)

--- Comment #36 from Josef Möllers <josef.moellers@suse.com> ---
Hello Petr,

you're next in line ;-)

Can you please add pam_keyinit.so to the sshd PAM config file? Just add the line

session optional pam_keyinit.so force revoke

Please re-assign back to me when you're done.

Thanks.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c45

Josef Möllers <josef.moellers@suse.com> changed:
  Status: IN_PROGRESS -> RESOLVED
  Resolution: --- -> FIXED

--- Comment #45 from Josef Möllers <josef.moellers@suse.com> ---
That should fix this, then.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c51

Franck Bui <fbui@suse.com> changed:
  Status: RESOLVED -> REOPENED
  Resolution: FIXED -> ---

--- Comment #51 from Franck Bui <fbui@suse.com> ---
(In reply to Stanislav Brabec from comment #17)
> Please review: https://build.opensuse.org/request/show/596006
>
> The relevant change only: https://build.opensuse.org/package/rdiff/home:sbrabec:branches:util-linux-b1081947/util-linux?linkrev=base&rev=3

I believe this ended up in the following commit: https://build.opensuse.org/package/rdiff/Base:System/util-linux?linkrev=base&rev=372

If so, you forgot to add pam_keyinit in /etc/pam.d/login too. Can you please do so?

Thanks.
Franck Bui <fbui@suse.com> changed:
  Assignee: josef.moellers@suse.com -> sbrabec@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c52

Stanislav Brabec <sbrabec@suse.com> changed:
  Status: REOPENED -> IN_PROGRESS
  CC: (none) -> fbui@suse.com
  Flags: (none) -> needinfo?(fbui@suse.com)

--- Comment #52 from Stanislav Brabec <sbrabec@suse.com> ---
Done: https://build.opensuse.org/request/show/680184

Could you verify that it is correct?

I will submit the change to SLE 15 SP1.

Should I add this to the next update in SLE 15?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c53

Franck Bui <fbui@suse.com> changed:
  Flags: needinfo?(fbui@suse.com) -> (none)

--- Comment #53 from Franck Bui <fbui@suse.com> ---
(In reply to Stanislav Brabec from comment #52)
> Done: https://build.opensuse.org/request/show/680184
>
> Could you verify that it is correct?

According to the pam_keyring man page:

  This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring.

Therefore I would put it earlier in the list, i.e. before "common-session".

> I will submit the change to SLE 15 SP1.
>
> Should I add this to the next update in SLE 15?

The most important distro to fix is Factory/Tumbleweed at the moment since we're planning to re-introduce the keyring mode stuff in systemd soon. As far as SLE15+ is concerned, it's not strictly mandatory since we don't plan to re-enable the keyring stuff but it shouldn't hurt either. I think if you add it to SLE15-SP1, it also makes sense to submit it to SLE15, especially if other packages did it already.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c54

Stanislav Brabec <sbrabec@suse.com> changed:
  Flags: (none) -> needinfo?(fbui@suse.com)

--- Comment #54 from Stanislav Brabec <sbrabec@suse.com> ---
Thanks, request was updated: https://build.opensuse.org/request/show/680624

Last question: We also have remote.pamd. It is used by login for remote logins (i.e. logins from terminals that are not recognized as local).

Should I add pam_keyinit support there as well?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c55

Franck Bui <fbui@suse.com> changed:
  Flags: needinfo?(fbui@suse.com) -> (none)

--- Comment #55 from Franck Bui <fbui@suse.com> ---
(In reply to Stanislav Brabec from comment #54)
> Thanks, request was updated: https://build.opensuse.org/request/show/680624

Other distros tend to put pam_keyinit below pam_loginuid.

> Last question: We also have remote.pamd. It is used by login for remote logins (i.e. logins from terminals that are not recognized as local).
>
> Should I add pam_keyinit support there as well?

Well, not sure, but I don't see any reason why a user shouldn't have a new session keyring set up if he logs in via telnet (for example).
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c56

Franck Bui <fbui@suse.com> changed:
  Assignee: sbrabec@suse.com -> josef.moellers@suse.com

--- Comment #56 from Franck Bui <fbui@suse.com> ---
Josef,

It seems there are packages which are still missing the pam_keyinit module: sddm, xdm, enlightenment...

And before you ask, I don't know how to get an exhaustive list of the remaining packages ;)

But if we miss one package and the session keyring stuff in systemd is enabled (which is not the case currently) we may end up with a security issue like the one described in boo#1045886 comment #20 :-/

And given how pam_keyinit is added in each package, I don't see how we can be certain that we won't miss one.
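As an added example (not from the bug report or from any package it discusses), the following POSIX shell audit checks a pam.d directory against the placement rules raised in comments #53 and #55 and lists services that lack the module, the kind of exhaustive check comment #56 asks for. Function and variable names (session_line, keyinit_status, keyinit_options, audit_pam_dir, DEMO_DIR) are this example's own, and the pam.d files it reads are constructed sample data.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report or of any package it
# discusses). Function and variable names are assumptions of this example.
# Rules checked, as discussed in the thread:
#   1. every service file should carry a pam_keyinit.so session line;
#   2. that line should come before the "common-session" include so other
#      session modules can attach keys to the new session keyring;
#   3. where pam_loginuid.so is used, pam_keyinit should follow it.
set -eu

# Line number of the first non-comment "session" entry in file $2 that
# matches the extended regex $1; prints 0 when there is no such entry.
session_line() {
    n=$(grep -nE "^[[:space:]]*session[[:space:]].*$1" "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Line number of the common-session include (SUSE "session include" style or
# Debian "@include" style); prints 0 when the file does not include it.
common_session_line() {
    n=$(grep -nE '^[[:space:]]*(session[[:space:]]+include[[:space:]]+|@include[[:space:]]+)common-session' "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Classify one PAM service file: MISSING, LATE, EARLY or OK.
keyinit_status() {
    keyinit=$(session_line 'pam_keyinit\.so' "$1")
    loginuid=$(session_line 'pam_loginuid\.so' "$1")
    common=$(common_session_line "$1")
    if [ "$keyinit" -eq 0 ]; then
        echo MISSING                # no new session keyring for this service
    elif [ "$common" -ne 0 ] && [ "$keyinit" -gt "$common" ]; then
        echo LATE                   # runs after common-session (rule 2)
    elif [ "$loginuid" -ne 0 ] && [ "$keyinit" -lt "$loginuid" ]; then
        echo EARLY                  # runs before pam_loginuid (rule 3)
    else
        echo OK
    fi
}

# Options on the pam_keyinit.so line, e.g. "force revoke"; empty if none.
keyinit_options() {
    grep -E '^[[:space:]]*session[[:space:]].*pam_keyinit\.so' "$1" | head -n 1 |
        sed -E 's/.*pam_keyinit\.so[[:space:]]*//'
}

# Print "<service> <status> <options>" for every file in a pam.d directory.
audit_pam_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "$(basename "$f")" "$(keyinit_status "$f")" "$(keyinit_options "$f")"
    done
}

# Constructed sample pam.d tree (not real system files) so the audit runs
# offline: one correct login stack, one display manager lacking the module,
# and one file that loads the module too late.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/login" <<'EOF'
#%PAM-1.0
auth     requisite pam_nologin.so
auth     include   common-auth
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  optional  pam_keyinit.so force revoke
session  include   common-session
EOF
cat > "$DEMO_DIR/sddm" <<'EOF'
#%PAM-1.0
auth     include   common-auth
account  include   common-account
session  include   common-session
EOF
cat > "$DEMO_DIR/sudo-i" <<'EOF'
#%PAM-1.0
auth     include   common-auth
account  include   common-account
session  include   common-session
session  optional  pam_keyinit.so force revoke
EOF

audit_pam_dir "$DEMO_DIR"
```

To check a real system, call audit_pam_dir /etc/pam.d instead of the sample directory; a file listed as MISSING is a service whose logins would fall back to the user default session keyring.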
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c60

Stanislav Brabec <sbrabec@suse.com> changed:
  Flags: (none) -> needinfo?(fbui@suse.com)

--- Comment #60 from Stanislav Brabec <sbrabec@suse.com> ---
I am going to prepare the SLE12 SP5 package of util-linux. Should I add these fixes there, as the sudo submit indicates (internal comment 59)?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c61

Franck Bui <fbui@suse.com> changed:
  Flags: needinfo?(fbui@suse.com) -> (none)

--- Comment #61 from Franck Bui <fbui@suse.com> ---

For now I would have done that for Factory only. Maybe once we were sure that everything worked properly and no regressions had been reported, we could have considered backporting it to SLE through a new SP release.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c62

Stanislav Brabec <sbrabec@suse.com> changed:
  Flags: (none) -> needinfo?(fbui@suse.com)

--- Comment #62 from Stanislav Brabec <sbrabec@suse.com> ---

I am just preparing a big util-linux update for all released products.

I realized that "session optional pam_keyinit.so force revoke" is already present in SLE-15:Update and SLE-15-SP1:Update. But it is in an inconsistent state.

This one is included:

    Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
    - Integrate pam_keyinit pam module (boo#1081947, su-l.pamd, runuser-l.pamd, runuser.pamd).

This one is not included:

    Mon Mar  4 15:23:27 CET 2019 - sbrabec@suse.com
    - Integrate pam_keyinit pam module to login (boo#1081947, login.pamd, remote.pamd).

I would like to see it in a consistent state. What do you recommend for SLE-15:Update and SLE-15-SP1:Update?

1) Remove pam_keyinit integration from all files?
2) Add pam_keyinit consistently to all pam files?
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c64

Stanislav Brabec <sbrabec@suse.com> changed:
  Flags: (none) -> needinfo?(fbui@suse.com)

--- Comment #64 from Stanislav Brabec <sbrabec@suse.com> ---

Well, in the case of util-linux in Factory, all its files have pam_keyinit and they should have it. See the bugs referred to in comment 62.

Regarding SLE15 and SLE15 SP1: We already have pam_keyinit support there from boo#1081947. I want to know whether I should backport boo#1081947 as well, so its support will be complete. Or should I postpone the second bug fix, e.g. to SLE15 SP2?

Note to comment 60: While backporting util-linux from Factory to SLE12 SP5, I deleted pam_keyinit support from all files.

And a special note: Many pam files are tagged as noreplace. In this case, its fix in the package does not mean that it will be fixed on upgrade. We need a special action for that. See bug 1082293 as an example. I just made a fix for that: a oneshot reset of the config file. Once tested, I will provide the implementation here.
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c74

Stanislav Brabec <sbrabec@suse.com> changed:
  Flags: (none) -> needinfo?(kukuk@suse.com)

--- Comment #74 from Stanislav Brabec <sbrabec@suse.com> ---

Thorsten Kukuk: So what solutions do you propose?

If we use noreplace, then we will get bug reports like "pam_keyinit not integrated after upgrade" or "last login shown twice" (bug 1082293).

I can imagine:

a) Remove "noreplace". Allow PAM file changes only for new products or service packs. Prohibit any packaged PAM file changes in online updates, so an online update will never overwrite a PAM file, but a new product release or migration can do it. (Easy to do, but my recent online update has to be redone.)

b) Keep "noreplace" and risk side-effects of outdated PAM files (e.g. bug 1082293 will be closed as RESOLVED INVALID). Maybe report the existing backup to the console. (Easy to do.)

c) Keep "noreplace" and track all PAM file changes back to the beginning of the "noreplace" history, and provide a special migration %post that makes required. (Complicated, as it requires digging into old releases.) Example:

    # drop the obsolete pam_securetty line (grep -q: match only, print nothing)
    if grep -q "^auth.*default=bad.*pam_securetty\\.so" /etc/pam.d/login ; then
        sed -i "/^auth.*default=bad.*pam_securetty\\.so/d" /etc/pam.d/login
    fi
    # append pam_keyinit if no session entry for it exists yet
    if ! grep -q "^session.*pam_keyinit\\.so" /etc/pam.d/login ; then
        echo "session optional pam_keyinit.so force revoke" >> /etc/pam.d/login
    fi

etc.

d) Invent a special check/tool that can track pam file changes. I was working on a check that will trigger a build failure whenever a PAM file is changed and a migration script is not made. I can finish it and make an RPM macro for that. (Also complicated, as it requires digging into old releases, but once it is done, it will be safe for the future.)
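The migration snippet in comment 74 handles one file and one module by hand, and comment 56 asks how to find every service file that still lacks pam_keyinit. The script below is an added example, not code from this bug report, from util-linux or from pam-config: it audits a pam.d directory for session stanzas without a pam_keyinit entry and inserts the line idempotently, after pam_loginuid where that module is present (the placement comment 55 attributes to other distros), otherwise ahead of the first session line. All function names are my own, and the demo runs on a constructed copy of /etc/pam.d so it needs no root.

```shell
#!/bin/sh
# Added example, not code from this bug report or from any SUSE package.
# Audits PAM service files for a pam_keyinit session entry and adds one
# idempotently where it is missing. All function names are my own; the
# demo runs on a constructed copy of /etc/pam.d, so no root is needed.

PAM_KEYINIT_LINE='session optional pam_keyinit.so force revoke'

# pam_has_keyinit FILE: true when FILE already has a session pam_keyinit entry.
pam_has_keyinit() {
    grep -q '^session[[:space:]].*pam_keyinit\.so' "$1"
}

# pam_missing_keyinit DIR: print the service files in DIR that have a
# session stanza but no pam_keyinit entry (the list comment 56 asks for).
pam_missing_keyinit() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q '^session[[:space:]]' "$f" || continue
        pam_has_keyinit "$f" || basename "$f"
    done
}

# pam_add_keyinit FILE: add the line once. After pam_loginuid when that
# module is present (the placement comment 55 mentions for other distros),
# otherwise before the first session line, or at the end of a file that
# has no session stanza at all. A second call changes nothing.
pam_add_keyinit() {
    f=$1
    pam_has_keyinit "$f" && return 0
    tmp="$f.tmp.$$"
    if grep -q '^session[[:space:]].*pam_loginuid\.so' "$f"; then
        awk -v line="$PAM_KEYINIT_LINE" '
            { print }
            /^session[[:space:]].*pam_loginuid\.so/ && !done { print line; done = 1 }
        ' "$f" > "$tmp"
    else
        awk -v line="$PAM_KEYINIT_LINE" '
            /^session[[:space:]]/ && !done { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
}

# demo_pamd: build a constructed /etc/pam.d look-alike in a temp dir and
# print its path. Contents are made up for the demo, not copied from a system.
demo_pamd() {
    d=$(mktemp -d)
    cat > "$d/login" <<'EOF'
#%PAM-1.0
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
EOF
    cat > "$d/runuser" <<'EOF'
#%PAM-1.0
auth     sufficient pam_rootok.so
session  include    common-session
EOF
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth     include    common-auth
session  optional   pam_keyinit.so force revoke
session  include    common-session
EOF
    printf '%s\n' "$d"
}

# Demo run: audit, fix every file reported, audit again.
DEMO=$(demo_pamd)
echo "missing before: $(pam_missing_keyinit "$DEMO" | tr '\n' ' ')"
for svc in $(pam_missing_keyinit "$DEMO"); do
    pam_add_keyinit "$DEMO/$svc"
done
echo "missing after:  [$(pam_missing_keyinit "$DEMO" | tr '\n' ' ')]"
rm -rf "$DEMO"
```

Run `pam_missing_keyinit /etc/pam.d` on a real system to get the report alone; `pam_add_keyinit` is the piece a %post would call for noreplace-tagged files, and because it checks before it writes, running it on every upgrade is harmless.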
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c109

--- Comment #109 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (1081947) was mentioned in
https://build.opensuse.org/request/show/970966 Factory / systemd