http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |http://bugzilla.opensuse.or | |g/show_bug.cgi?id=1045886 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c2 --- Comment #2 from Josef Möllers --- I can't reproduce: 1) when building the current version of pam (1.3.0-0), pam_keyinit.so is there: /lib64/security/pam_keyinit.so 2) when I install pam (1.1.8-14.1) on a Tumbleweed machine, it's there: /lib64/security/pam_keyinit.so Which package version are you using? Can you attach a supportconfig of the system? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|PAM module pam_keyinit is |PAM module pam_keyinit is |still not included in the |still not integrated in the |PAM stack |SUSE PAM stack -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c6 --- Comment #6 from Josef Möllers --- Re comment #3: Why should it be in the stack? It needs to be added explicitly by calling pam-config with appropriate parameters (eg "pam-config --service vnc -a --keyinit"). The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files! The infrastructure is there, it just needs to be used. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c8 --- Comment #8 from Josef Möllers --- (In reply to Franck Bui from comment #7)

(In reply to Josef Möllers from comment #6)

...

Re comment #3: Why should it be in the stack?

where else would you want to it to be ?

But how should it end up there? AFAIK the only way is to explicitly call pam-config!

The kernel keyring stuff is a general infra provided by the kernel which needs special care during session creation so that all applications can rely on it if needed.

...

The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files!

what did you make think so ?

The quote from "man pam_keyinit": "This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this." An idea in the discussion had been to write some rpmlint-skript which would force the maintaines to include pam_keyinit into their pam config files. But I can only guess howone would do that. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c10 --- Comment #10 from Josef Möllers --- (In reply to Franck Bui from comment #9)

Perhaps you should have a look at how other distros made it ?

BTDT! Other distributions have two sets of common-* and module-specific files: one set *with* "force" and one set *without* "force" and the commands need to load the appropriate module-specific file: i.e. if run with "-i", "sudo" must load "/etc/pam.d/sudo-i" which includes "common-session-force" and if run without "-i" it must load "/etc/pam.d/sudo" which includes "common-session". Then "pam" would ship with both sets of common-* files. This requires a number of packages to be modified: gdm, util-linux, xorg-x11-server, sudo, openssh, to name but a few. I have found no way to automagically detect the requirement of "force". -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c12 Josef Möllers changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moellers@suse.com, | |sbrabec@suse.com Flags| |needinfo?(sbrabec@suse.com) --- Comment #12 from Josef Möllers --- Ping Stanislav -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c14 --- Comment #14 from Josef Möllers --- (In reply to Stanislav Brabec from comment #13)

Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?

Yes. Although the request is for TW, it should be included in all future versions of SLE.

And additional question:

pam files are %config(noreplace). The default behavior of rpm: If the file is not changed, use the new copy. If the file was changed, save new copy as foo.rpmnew and keep the old instance active.

If you want to force the line into user customized pam files, you would need a special %post hacks.

I don't think that would be necessary. Thanks. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c16 --- Comment #16 from Josef Möllers --- (In reply to Stanislav Brabec from comment #15)

Josef Möllers, comment 14:

...

(In reply to Stanislav Brabec from comment #13)

...

Is it a request for Tumbleweed only, or should it be done for Leap 15 & SLE 15 as well?

Yes. Although the request is for TW, it should be included in all future versions of SLE.

Does this include a change of SLE 15 GA? If yes, I will submit it there. If not, please open/clone this bug for SLE 15 SP1 (it is not yet clean, whether SLE 15 SP1 will inherit util-linux from GA or Tumbleweed).

Yes, please submit to SLE 15! Josef -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c19 --- Comment #19 from Josef Möllers --- (In reply to Stanislav Brabec from comment #17)

Please review: https://build.opensuse.org/request/show/596006

The relevant change only: https://build.opensuse.org/package/rdiff/home:sbrabec:branches:util-linux- b1081947/util-linux?linkrev=base&rev=3

Looks fine to me. One little issue: you refer to su.pamd in the changes files but haven't actually changed it (which is OK). -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c22 Kristyna Streitova changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(kstreitova@suse.c | |om) | --- Comment #22 from Kristyna Streitova --- (In reply to Josef Möllers from comment #20)

Hello Krystina,

As you can see from the comments 11 and following, pam_keyinit.so must be added to the sudo configuration: * in the "sudo -l" case, "force must be specified * in the "sudo" case, no "force" must be specified.

You probably mean "sudo -i".

My understanding is that 1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force revoke"

Yes, and the line "session optional pam_keyinit.so revoke" should be added to the original "/etc/pam.d/sudo" file.

2) plugins/sudoers/defaults.c must be changed as to use that file for def_pam_login_service.

It seems that this is not needed. Upstream added the support for a sudo-i pam.d file [1] while ago. So we just need to build it with "--with-pam-login" option.

Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO and assign back to me.

Please review my OBS request. If it's ok then I will send it also to SLE15. OBS request: https://build.opensuse.org/request/show/597150 The relevant change only: https://build.opensuse.org/package/rdiff/home:kstreitova:branches:Base:System/sudo?linkrev=base&rev=3 Thanks! [1] https://www.sudo.ws/repos/sudo/rev/06d34f16520b -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c24 Kristyna Streitova changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|kstreitova@suse.com |josef.moellers@suse.com --- Comment #24 from Kristyna Streitova --- (In reply to Josef Möllers from comment #23)

The changes are OK. Thanks and please assign back to me.

Ok, submitted for sudo in: | Codestream | Request | |------------------|---------| | openSUSE:Factory | #597343 | | SUSE:SLE-15:GA | #162078 | I'm assigning it back to you. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c27 --- Comment #27 from Josef Möllers --- Petr, if you finish this next week (23rd to 27th), can you please assign the bug to Dominique Leuenberger for appropriate changes to gdm? I will be out-of-office during the week with no access to company emails. Thanks -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c29 Josef Möllers changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|pcerny@suse.com |dimstar@opensuse.org Flags|needinfo?(pcerny@suse.com) | --- Comment #29 from Josef Möllers --- Hello Dominique, As Petr does not respond, can you please make appropriate changes to gdm and re-assign back to me (or to Petr)? Thanks, -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c31 Josef Möllers changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dimstar@opensuse.org Flags| |needinfo?(dimstar@opensuse. | |org) --- Comment #31 from Josef Möllers --- Pingping Dominique! -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c33 --- Comment #33 from Dominique Leuenberger --- for reference: on Fedora, all seem to be using 'force' - so I'll do the same for Tumbleweed -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c35 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|dimstar@opensuse.org |josef.moellers@suse.com --- Comment #35 from Dominique Leuenberger --- Submitted fix to the devel project: 625409 State:review By:dimstar When:2018-07-26T11:53:03 submit: home:dimstar:branches:GNOME:Factory/gdm@2 -> GNOME:Factory Review by User is new: gnome-review-bot Review by Group is new: gnome-maintainers Descr: - Enable pam_keyinit module (boo#1081947). => Back to Josef for tracking purposes -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c45 Josef Möllers changed: What |Removed |Added ---------------------------------------------------------------------------- Status|IN_PROGRESS |RESOLVED Resolution|--- |FIXED --- Comment #45 from Josef Möllers --- That should fix this, then. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|josef.moellers@suse.com |sbrabec@suse.com -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c53 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fbui@suse.com) | --- Comment #53 from Franck Bui --- (In reply to Stanislav Brabec from comment #52)

Done: https://build.opensuse.org/request/show/680184

Could you verify that it is correct?

According to pam_keyring man page: This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring. Therefore I would put it earlier in the list, ie before "common-session".

I will submit the change to SLE 15 SP1.

Should I add this to the next update in SLE 15?

The most important distro to fix is Factory/Tumbleweed at the moment since we're planning to re-introduce the keyring mode stuff in systemd soon. As far as SLE15+ is concerned, it's not strictly mandatory since we don't plan to re-enable the keyring stuff but it shouldn't hurt either. I think if you add it to SLE15-SP1, it also makes sense to submit it to SLE15 especially if other packages did it already. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c55 Franck Bui changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fbui@suse.com) | --- Comment #55 from Franck Bui --- (In reply to Stanislav Brabec from comment #54)

Thanks, request was updated: https://build.opensuse.org/request/show/680624

Other distros tend to put pam_keyinit below pam_loginuid.

Last question: We have also remote.pamd. It is used by login for remote logins (i. e. logins from terminals that are not recognized as local).

Should I add pam_keyinit support there as well?

Well not sure but I don't see any reason why a user shouldn't have a new session keyring setup if he logs in via telnelt (for example). -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c60 Stanislav Brabec changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fbui@suse.com) --- Comment #60 from Stanislav Brabec --- I am going to prepare SLE12 SP5 package of util-linux. Should I add these fixes there, as the sudo submit indicates (internal comment 59)? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c62 Stanislav Brabec changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fbui@suse.com) --- Comment #62 from Stanislav Brabec --- I am just preparing a big util-linux update for all released products. I realized that session optional pam_keyinit.so force revoke is already present in SLE-15:Update and SLE-15-SP1:Update. But it is in an inconsistent state. This one is included: Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com - Integrate pam_keyinit pam module (boo#1081947, su-l.pamd, runuser-l.pamd, runuser.pamd). This one is not included: Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com - Integrate pam_keyinit pam module to login (boo#1081947, login.pamd, remote.pamd). I would like to see it in a consistent state. What do you recommend for SLE-15:Update and SLE-15-SP1:Update? 1) Remove pam_keyinit integration from all files? 2) Add pam_keyinit consistently to all pam files? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1081947 http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c74 Stanislav Brabec changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(kukuk@suse.com) --- Comment #74 from Stanislav Brabec --- Thorsten Kukuk: So what solutions your propose? If we use noreplace, that we will get bug reports like "pam_keyinit not integrated after upgrade" or "last login shown twice" (bug 1082293). I can imagine: a) Remove "noreplace". Allow PAM file change only for new products or service packs. Prohibit any packaged PAM file changes in online updates, so online update will never overwrite PAM file, but new product release or migration can do it. (Easy to do, but my recent online update has to be redone.) b) Keep "noreplace" and risk side-effects of outdated PAM files (e. g. bug 1082293 will be closed as RESOLVED INVALID). Maybe report the existing backup to the console. (Easy to do it.) c) Keep "noreplace" and track all PAM file changes back to the beginning of the "noreplace" history, and provide a special migration %post that makes required. (Complicated, as it requires digging into old releases.) Example: if grep "^auth.*default=bad.*pam_securetty\\.so" /etc/pam.d/login ; then sed -i "/^auth.*default=bad.*pam_securetty\\.so/d" /etc/pam.d/login fi if ! grep "^session.*pam_keyinit\\.so" /etc/pam.d/login ; then echo "session optional pam_keyinit.so force revoke"

...

/etc/pam.d/login fi etc.

d) Invent a special check/tool that can track pam file changes. I was working on a check that will trigger build failure whenever PAM file is changed and migration script is not made. I can finish it and make a RPM macro for that. (Also complicated, as it requires digging into old releases, but once it will be done, it will be safe for future.) -- You are receiving this mail because: You are on the CC list for the bug.