OK, I've started implementing. First, I confirmed that pam_tally appears to work with the new pam library. So, blocking the upgrade at libpam-modules's preinst is a sane thing to do.
I then implemented the attached patch which goes and looks for enabled profiles that include modules we don't like and turns them off. I next need to implement a patch to pam-auth-update to keep profiles with modules we don't like from coming back. And then I need to adapt your first patch to just search /etc/pam.d. I hope to work on these items tomorrow.
>From 7b55d6b81ce58d2aa866f7be83fd6167f02ad256 Mon Sep 17 00:00:00 2001 From: Sam Hartman <hartm...@debian.org> Date: Wed, 24 Feb 2021 14:29:53 -0500 Subject: [PATCH] debian/libpam-modules.preinst|templates: pam_tally deprecation * Add a facility to detect enabled profiles that contain a particular module * If a profile contains an enabled module that is being removed, remove that profile and warn the user. * Use this to pam_tally and because of how the string search works pam_tally2 --- debian/changelog | 7 +++++++ debian/libpam-modules.preinst | 33 ++++++++++++++++++++++++++++++++- debian/libpam-modules.templates | 9 +++++++++ 3 files changed, 48 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index daa8e6bc..376b0ab5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +pam (1.4.0-5) unstable; urgency=medium + + * Remove profiles containing pam_tally or pam_tally2 since we no longer + build them. + + -- Sam Hartman <hartm...@debian.org> Wed, 24 Feb 2021 14:11:06 -0500 + pam (1.4.0-4) unstable; urgency=medium * Document in README.source how to avoid multi-arch problems with documentation, Closes: #851650 diff --git a/debian/libpam-modules.preinst b/debian/libpam-modules.preinst index 3a86a8fb..3102b6a6 100644 --- a/debian/libpam-modules.preinst +++ b/debian/libpam-modules.preinst 
@@ -4,8 +4,39 @@ set -e . /usr/share/debconf/confmodule + +handle_profiles_with_removed_modules() { + removed_modules="$1" + profiles="" + modules="" + test -x /usr/sbin/pam-auth-update ||return 0 + test -r /var/lib/pam/auth ||return 0 + for module in $removed_modules; do + new_profiles=$( perl -nle 'BEGIN {$removed = shift;} /^Module: (.*)$/&&($profile = $1); /^[^#]*$removed/&&$profile&&($profiles{$profile} = 1); END {print join("\n",keys %profiles) if %profiles;}' \ + $module \ + /var/lib/pam/auth /var/lib/pam/account \ + /var/lib/pam/password /var/lib/pam/session \ + /var/lib/pam/session-noninteractive) + if [ "$new_profiles" != "" ]; then + modules="$modules $module" + profiles="${profiles}${new_profiles}" + fi + done + profiles=$( echo "$profiles" |sort |uniq) + if [ "$profiles" != "" ]; then + db_reset libpam-modules/profiles-disabled + db_subst libpam-modules/profiles-disabled modules "$modules" + db_input critical libpam-modules/profiles-disabled ||true + db_go ||true + pam-auth-update --remove $profiles + fi +} + + + if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then - db_version 2.0 + db_version 2.0 + handle_profiles_with_removed_modules pam_tally if pidof xscreensaver xlockmore >/dev/null; then db_input critical libpam-modules/disable-screensaver || true diff --git a/debian/libpam-modules.templates b/debian/libpam-modules.templates index b928751e..491bc5c1 100644 --- a/debian/libpam-modules.templates +++ b/debian/libpam-modules.templates 
@@ -7,3 +7,12 @@ _Description: xscreensaver and xlockmore must be restarted before upgrading authenticate to these programs. You should arrange for these programs to be restarted or stopped before continuing this upgrade, to avoid locking your users out of their current sessions. + +Template: libpam-modules/profiles-disabled +Type: error +_Description: PAM Profiles with Deprecated Modules Disabled + Your system had PAM profiles enabled with the ${modules} PAM + modules. These modules have been removed from PAM. Leaving these PAM + profiles enabled would prevent users from accessing your system. As a + result, these profiles have been disabled. + \ No newline at end of file -- 2.29.2
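Review bot: In the libpam-modules.preinst hunk, the accumulation `profiles="${profiles}${new_profiles}"` in handle_profiles_with_removed_modules has no separator between loop iterations, so with two or more entries in `$removed_modules` the last profile name matched for one module and the first matched for the next are glued into a single token before `sort | uniq`, and that bogus name is then handed to `pam-auth-update --remove`. The only current caller (`handle_profiles_with_removed_modules pam_tally`) hides this, but the function is written to take a list; terminate each appended chunk with a newline, e.g. `profiles=$(printf '%s\n%s\n' "$profiles" "$new_profiles")`. Two smaller points in the same function: `$removed` is interpolated unescaped into the Perl regex `/^[^#]*$removed/`, so any module name containing regex metacharacters, or one that is a prefix of another module's name, matches more than intended (the commit message already relies on `pam_tally` matching `pam_tally2` this way); `\Q$removed\E\.so` would make the match explicit, with the caller passing `"pam_tally pam_tally2"` rather than depending on the prefix behaviour. And the new call is placed inside the pre-existing `dpkg --compare-versions "$2" lt-nl 1.4.0-2` block, so a system upgrading from 1.4.0-2, -3 or -4 skips the cleanup entirely; if those versions still shipped pam_tally, the call needs its own guard against the version that drops the module (1.4.0-5 according to the changelog hunk).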
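Review bot: The libpam-modules.templates hunk ends with `\ No newline at end of file` after a trailing `+ ` line; drop the stray whitespace-only line and add the terminating newline so the file parses cleanly and the next addition does not produce a noisy diff. Also, the value substituted for `${modules}` in this template is assembled in the preinst as `modules="$modules $module"`, which leaves a leading space, so the rendered sentence reads "with the  pam_tally PAM modules" with a doubled space; strip it before `db_subst` (e.g. `"${modules# }"`) or build the list with a separator only between entries.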