OK, I've started implementing.
First, I confirmed that pam_tally appears to work with the new pam
library.
So, blocking the upgrade at libpam-modules's preinst is a sane thing to
do.

I then implemented the attached patch which goes and looks for enabled
profiles that include modules we don't like and turns them off.

I next need to implement a patch to pam-auth-update to keep profiles
with modules we don't like from coming back.

And then I need to adapt your first patch to just search /etc/pam.d.

I hope to work on these items tomorrow.

From 7b55d6b81ce58d2aa866f7be83fd6167f02ad256 Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartm...@debian.org>
Date: Wed, 24 Feb 2021 14:29:53 -0500
Subject: [PATCH] debian/libpam-modules.preinst|templates: pam_tally 
 deprecation

* Add a facility to detect enabled profiles that contain a particular module

* If a profile contains an enabled module that is being removed,
  remove that profile and warn the user.

* Use this to pam_tally and because of how the string search works pam_tally2
---
 debian/changelog                |  7 +++++++
 debian/libpam-modules.preinst   | 33 ++++++++++++++++++++++++++++++++-
 debian/libpam-modules.templates |  9 +++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index daa8e6bc..376b0ab5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pam (1.4.0-5) unstable; urgency=medium
+
+  * Remove profiles containing pam_tally or pam_tally2 since we no longer
+    build them.
+
+ -- Sam Hartman <hartm...@debian.org>  Wed, 24 Feb 2021 14:11:06 -0500
+
 pam (1.4.0-4) unstable; urgency=medium
 
   * Document in README.source how to avoid multi-arch problems with documentation, Closes: #851650
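Review bot: The entry says profiles containing pam_tally or pam_tally2 are removed, but the preinst hunk only passes `pam_tally` and relies on the unanchored substring match to also catch pam_tally2, and it disables the profiles with a debconf error rather than silently; consider stating both in the changelog so administrators know the profile is disabled (not just the module dropped) and why pam_tally2 is covered without being named in the call.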
diff --git a/debian/libpam-modules.preinst b/debian/libpam-modules.preinst
index 3a86a8fb..3102b6a6 100644
--- a/debian/libpam-modules.preinst
+++ b/debian/libpam-modules.preinst
@@ -4,8 +4,39 @@ set -e
 
 . /usr/share/debconf/confmodule
 
+
+handle_profiles_with_removed_modules() {
+    removed_modules="$1"
+    profiles=""
+    modules=""
+    test -x /usr/sbin/pam-auth-update ||return 0
+    test -r /var/lib/pam/auth ||return 0
+    for module in $removed_modules; do
+        new_profiles=$( perl -nle 'BEGIN {$removed = shift;} /^Module: (.*)$/&&($profile = $1); /^[^#]*$removed/&&$profile&&($profiles{$profile} = 1); END {print join("\n",keys %profiles) if %profiles;}' \
+                        $module \
+                        /var/lib/pam/auth /var/lib/pam/account \
+                        /var/lib/pam/password /var/lib/pam/session \
+                        /var/lib/pam/session-noninteractive)
+        if [ "$new_profiles" != "" ]; then
+            modules="$modules $module"
+            profiles="${profiles}${new_profiles}"
+        fi
+    done
+    profiles=$( echo "$profiles" |sort |uniq)
+    if [ "$profiles" != "" ]; then
+        db_reset libpam-modules/profiles-disabled
+        db_subst libpam-modules/profiles-disabled modules "$modules"
+        db_input critical libpam-modules/profiles-disabled ||true
+        db_go ||true
+        pam-auth-update --remove $profiles
+    fi
+}
+
+        
+
 if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then
-	db_version 2.0
+    db_version 2.0
+    handle_profiles_with_removed_modules pam_tally 
 
 	if pidof xscreensaver xlockmore >/dev/null; then
 		db_input critical libpam-modules/disable-screensaver || true
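Review bot: `profiles="${profiles}${new_profiles}"` joins the per-module results with no separator, since `$( )` strips the trailing newline, so with two matching modules the last profile of one list and the first of the next are glued into one bogus name that then reaches `pam-auth-update --remove`; it is latent while only `pam_tally` is passed, but use something like `profiles="${profiles}${profiles:+
}${new_profiles}"` (or `printf '%s\n'`) before `sort | uniq`. The new call also sits inside the existing `dpkg --compare-versions "$2" lt-nl 1.4.0-2` block, so an upgrade from 1.4.0-2, -3 or -4 skips it; confirm that bound matches the release in which the modules stopped being built, otherwise gate it separately. Minor: `$removed` is interpolated into the regex unquoted (fine for `pam_tally`, but `\Q$removed\E` would be safer if other module names are ever passed), the `db_version 2.0` line switches from a tab to four spaces while the surrounding lines still use tabs, and the hunk adds a whitespace-only line and a trailing space after `pam_tally`.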
diff --git a/debian/libpam-modules.templates b/debian/libpam-modules.templates
index b928751e..491bc5c1 100644
--- a/debian/libpam-modules.templates
+++ b/debian/libpam-modules.templates
@@ -7,3 +7,12 @@ _Description: xscreensaver and xlockmore must be restarted before upgrading
  authenticate to these programs.  You should arrange for these programs
  to be restarted or stopped before continuing this upgrade, to avoid
  locking your users out of their current sessions.
+
+Template: libpam-modules/profiles-disabled
+Type: error
+_Description: PAM Profiles with Deprecated Modules Disabled
+ Your system had PAM profiles enabled with the ${modules} PAM
+ modules. These modules have been removed from PAM. Leaving these PAM
+ profiles enabled would prevent users from accessing your system. As a
+ result, these profiles have been disabled.
+ 
\ No newline at end of file
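Review bot: The hunk ends with a whitespace-only line and no terminating newline; drop that last line so the file ends at the description with a newline. Since the preinst already computes the affected profile names, consider passing them through a second substitution (for example `${profiles}`) and naming them in the description, as "these profiles have been disabled" currently gives the administrator nothing to check against /etc/pam.d or pam-auth-update. "Removed from PAM" would also be clearer as "no longer shipped in the Debian PAM packages", which is what the changelog states.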
-- 
2.29.2
