FS#42120 - [pambase] /etc/pam.d/system-login configured with deprecated pam_tally module
Attached to Project:
Arch Linux
Opened by Patrick Goetz (pgoetz) - Thursday, 25 September 2014, 21:08 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 05 January 2019, 15:31 GMT
Details
Description: From the pam_tally man page: "pam_tally has
several limitations, which are solved with pam_tally2. For
this reason pam_tally is deprecated and will be removed in a
future release." pam_tally2 is available on the current
system, why is pam_tally still included in
/etc/pam.d/system-login by default?
Additional info:
* package version: pambase 20130928-1
Closed by Dave Reisner (falconindy)
Saturday, 05 January 2019, 15:31 GMT
Reason for closing: Fixed
Additional comments about closing: testing/pambase-20190105.1-1
1. When changing to pam_tally2, it should be considered to add it to
    account pam_tally2.so
in the stack as well. Reason: If using sudo to authenticate, the counter for the user will otherwise not be reset on authentication success - i.e. the user will eventually be locked out no matter what. References: [1] [2]
2. There is a recent (06/2016) bug report on pam upstream, which introduces yet another pam module to replace both pam_tally/pam_tally2.[3] - the bug progress should be checked to avoid changing the stack twice, if [3] eventually gets through.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=707660
[2] https://www.novell.com/support/kb/doc.php?id=7011883
[3] https://fedorahosted.org/linux-pam/ticket/62
FS#50369
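
Added example (not part of the ticket, pambase or Linux-PAM): a shell check for the condition described in point 1 of the comment above, a PAM service file that calls pam_tally2.so in the auth stack but never in the account stack. The helper name check_tally2 and the sample stacks are constructed for illustration; the check reads a single file and does not follow include or substack lines.

```sh
#!/bin/sh
# Added example: flag a PAM service file that uses pam_tally2.so in the
# auth stack but never in the account stack (failure counter not reset).
# check_tally2 is a hypothetical helper name, not part of pambase or Linux-PAM.

# check_tally2 FILE -> prints: ok | missing-account | not-used
check_tally2() {
    awk '
        /^[ \t]*#/ { next }                # skip comments
        NF < 3     { next }                # need: type control module
        {
            type = $1
            sub(/^-/, "", type)            # "-auth" marks an optional module
            uses = 0
            for (i = 3; i <= NF; i++) {    # module may follow a [bracketed] control
                m = $i
                sub(/.*\//, "", m)         # drop any directory prefix
                if (m == "pam_tally2.so") uses = 1
            }
            if (!uses) next
            if (type == "auth")    auth = 1
            if (type == "account") account = 1
        }
        END {
            if (auth && !account) print "missing-account"
            else if (auth)        print "ok"
            else                  print "not-used"
        }
    ' "$1"
}

# Constructed sample stacks (not the files shipped by Arch).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' \
    '#%PAM-1.0' \
    'auth     required  pam_tally2.so deny=5 unlock_time=600' \
    'auth     required  pam_unix.so' \
    'account  required  pam_unix.so' > "$tmp/auth-only"
{ cat "$tmp/auth-only"; echo 'account  required  pam_tally2.so'; } > "$tmp/with-account"

check_tally2 "$tmp/auth-only"       # missing-account
check_tally2 "$tmp/with-account"    # ok
```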