FS#67485 - [gdm] provided pam config is not ready for pam 1.4.0

Attached to Project: Arch Linux
Opened by Michael Laß (Bevan) - Tuesday, 04 August 2020, 15:15 GMT
Last edited by Jan Alexander Steffens (heftig) - Sunday, 09 August 2020, 14:27 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Jan de Groot (JGC), Jan Alexander Steffens (heftig)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version: (not set)
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

The pam configuration files gdm-fingerprint.pam and gdm-smartcard.pam require the pam module pam_tally. In version 1.4.0 of pam (which is in [testing] right now) this module is deprecated and actually not included anymore in Arch's pam package:
https://github.com/linux-pam/linux-pam/releases/tag/v1.4.0
https://bugs.archlinux.org/task/67347

This breaks login via fingerprint or smartcard in gdm and unlocking sessions in gnome-shell using these methods. The suggested replacement for pam_tally is pam_faillock. Indeed I could fix login via fingerprint locally by replacing
"auth required pam_tally.so onerr=succeed file=/var/log/faillog"
by
"auth required pam_faillock.so"

Initially I thought about sending a pull request to gdm as those files are maintained upstream:
https://gitlab.gnome.org/GNOME/gdm/-/tree/master/data/pam-arch

However, the gdm package currently contains patches against those files, so it seems like upstream's config got out of sync.

Additional info:
* Package versions:
  * gdm 3.36.3-1
  * pam 1.4.0-2

Closed by Jan Alexander Steffens (heftig)
Sunday, 09 August 2020, 14:27 GMT
Reason for closing: Fixed
Additional comments about closing: gdm 3.36.3-4
Improvements to pam_faillock depend on FS#67347
Comment by loqs (loqs) - Tuesday, 04 August 2020, 19:47 GMT
auth required pam_faillock.so
will count the auth as successful and reset the failure tally.

gdm-fingerprint.pam.skip uses a skip approach

gdm-fingerprint.pam.substack plus gdm-fingerprint-substack.pam uses a substack approach.

Both use three calls to pam_faillock.
The preauth call denies if the tally count has exceeded the limit.
The authfail call records failures used with [default=die] to exit pam.
The authsucc call resets the tally count. Limits failure recording to consecutive failures.
Comment by loqs (loqs) - Sunday, 09 August 2020, 13:55 GMT
  • Field changed: Percent Complete (100% → 0%)
gdm 3.36.3-2 changed from pam_tally to pam_faillock before pam 1.4 was moved from testing. Also pam_faillock has no onerr or file options, without the preauth or authfail option it will operate equivalent to authsucc being specified and reset the tally log.
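As an added illustration of the two comments above (this is constructed for this report, not the gdm package's shipped gdm-fingerprint.pam nor any file from loqs's branches), here is the auth section of a fingerprint stack written the "skip" way, with the single-line replacement from the description kept alongside as a comment to show why it is insufficient. Module names (pam_fprintd.so, pam_shells.so, pam_nologin.so, pam_deny.so) and the deny=/unlock_time= values are illustrative choices, not values taken from the package:

```pam
# Constructed example: auth section of a gdm-fingerprint style PAM stack
# using pam_faillock (pam >= 1.4.0) with the three-call "skip" approach.

# Insufficient replacement: with no mode keyword pam_faillock.so behaves as
# "authsucc", so this line resets the tally and never denies a login.
# It also has no onerr= or file= options, so the old pam_tally arguments
# cannot simply be carried over.
#auth  required  pam_faillock.so

auth  required   pam_shells.so
auth  requisite  pam_nologin.so

# 1. preauth: deny immediately if this user's tally already exceeds deny=.
auth  required   pam_faillock.so preauth deny=3 unlock_time=600

# The actual authentication step. On success skip the next line (success=1);
# any other result is treated as a failure and falls through to authfail.
auth  [success=1 default=bad]  pam_fprintd.so

# 2. authfail: record the failure and terminate the stack with failure.
auth  [default=die]            pam_faillock.so authfail deny=3 unlock_time=600

# 3. authsucc: reached only after a successful authentication; clears the
#    tally so that only consecutive failures count toward deny=.
auth  sufficient  pam_faillock.so authsucc deny=3 unlock_time=600

auth  required   pam_deny.so
```

The substack variant moves the authenticate/authfail/authsucc lines into a separate file included with `auth substack`, which gives the same control flow without the line-count jump; the three pam_faillock calls and their order are the same in both.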
Comment by Jan Alexander Steffens (heftig) - Sunday, 09 August 2020, 14:17 GMT
I'll fix the packages in extra/testing, but if we're not using pam_faillock right, please fix the pambase package first. I'm only copying what system-login does.
Comment by loqs (loqs) - Sunday, 09 August 2020, 14:26 GMT
I opened FS#67347 for the pambase / pam issue.
https://github.com/loqs/pam/tree/update contains my proposed solution for pam.
I have two proposed solutions for pambase:
https://github.com/loqs/pambase/tree/update-substack
https://github.com/loqs/pambase/tree/update-jump