[Bug 409541] New: pam-config making incorrect entries to pam modules
https://bugzilla.novell.com/show_bug.cgi?id=409541

Summary: pam-config making incorrect entries to pam modules
Product: openSUSE 11.0
Version: Final
Platform: i586
OS/Version: openSUSE 11.0
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jrobiso2@ford.com
QAContact: qa@suse.de
Found By: ---

The following command:

    pam-config --service login -a --mount

should add "session optional pam_mount.so" to /etc/pam.d/login

Instead it adds "session required pam_mount.so". This causes login failure!

Same for any module pam-config adds pam_mount to. End result for xdm after using pam-config to add pam_mount:

    auth optional pam_mount.so
    auth include common-auth
    account include common-account
    password include common-password
    session required pam_loginuid.so
    session include common-session
    session required pam_resmgr.so
    session required pam_mount.so

Note: "auth optional pam_mount.so" should have been AFTER the "include common-auth", and should also have a "use_first_pass". As it stands, pam_mount is giving me errors (pam_mount(mount.c:845) error sending password to mount) so it isn't working.

If left as pam-config does it, I end up totally locked out of my system.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Cyril Hrubis
Thorsten Kukuk
User kukuk@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c1
Thorsten Kukuk
> Note: "auth optional pam_mount.so" should have been AFTER the "include common-auth", and should also have a "use_first_pass".

Why should it be?

From the manual page:

  1. pam_mount, as the first "auth" module, will prompt for a password and export it to the PAM system.

And "use_first_pass" is wrong anyways, if, then it should be "try_first_pass". Between, there is no guarantee that pam_mount.so will be executed at all if you put it after the include common-auth.
User jrobiso2@ford.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c2
--- Comment #2 from Jonathon Robison
User kukuk@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c3
--- Comment #3 from Thorsten Kukuk
> If you have pam_mount first, then you are basically forced to use "try_first_pass" or "use_first_pass" on unix2.so inside the common-auth. Otherwise, you will have to enter your password twice.

This sounds to me, as if you have never really tested it? Because this is not the case (else there is a very new bug introduced only shortly). pam_unix2 will not ask a second time for a password if there was already one provided.

> So long as common-auth does not include a "sufficient", having pam_mount after the include is fine. Also, isn't the part of the manual you referenced above the part that talks about what to do when another module uses "sufficient" ?

It does not matter that the example described there uses "sufficient".
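
A read-only check for the two conditions discussed in this thread, added here as an example (not code from pam-config, pam_mount or any participant): it parses a PAM service file and reports every pam_mount.so rule whose control flag is required or requisite, and whether the auth rule sits before or after "include common-auth". The function names are hypothetical and the sample input is the xdm stack quoted in the report.

```python
# Constructed sample: the xdm stack quoted in the bug report.
SAMPLE_XDM = """\
auth optional pam_mount.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_resmgr.so
session required pam_mount.so
"""

def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each rule of a pam.d service file."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) < 2:
            continue                          # blank, comment-only or malformed line
        mtype, rest = parts[0].lstrip("-"), parts[1]   # "-type" = ignore missing module
        if rest.startswith("["):              # bracket form: [value=action ...]
            if "]" not in rest:
                continue
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, _, rest = rest.partition(" ")
        fields = rest.split()
        if fields:
            yield n, mtype, control, fields[0], fields[1:]

def audit_pam_mount(text):
    """Return (lineno, type, note) findings for pam_mount.so rules."""
    rules = list(parse_pam(text))
    inc = next((n for n, t, c, m, _ in rules
                if t == "auth" and c == "include" and m == "common-auth"), None)
    findings = []
    for n, mtype, control, module, _ in rules:
        if module.rsplit("/", 1)[-1] != "pam_mount.so":
            continue
        if control in ("required", "requisite"):
            # With these flags a pam_mount failure fails the whole stack.
            findings.append((n, mtype, "non-optional control: " + control))
        if mtype == "auth" and inc is not None:
            where = "before" if n < inc else "after"
            findings.append((n, mtype, where + " include common-auth"))
    return findings

if __name__ == "__main__":
    for finding in audit_pam_mount(SAMPLE_XDM):
        print(finding)
```

The check only reports position; whether pam_mount belongs before or after common-auth is the point the participants disagree on.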
User jrobiso2@ford.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c4
--- Comment #4 from Jonathon Robison
User sschober@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c5
--- Comment #5 from Sven Schober
User sschober@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=409541#c6
Sven Schober