>>>>> "Russell" == Russell Senior <[email protected]> writes:
>>>>> "Michael" == Michael Rasmussen <[email protected]> writes:

Michael> On Sun, Mar 08, 2009 at 06:19:35PM -0700, Bill Barry wrote:
Bill> I had this exact same thing occur to me yesterday. I first
Bill> noticed it when su took me directly to root. Having seen this
Bill> thread, I went through the backups for the last few days and
Bill> noticed that several files in /etc/pam.d had been updated during
Bill> a normal debian upgrade. The files were
Bill>   etc/pam.d/common-account
Bill>   etc/pam.d/common-auth
Bill>   etc/pam.d/common-password
Bill>   etc/pam.d/common-session

Bill> I restored these files from the backup and the problem
Bill> disappeared. As far as I can tell this was not caused by any
Bill> malice, but was caused by a packaging problem.

Michael> packaging problem or compromised package? Coming from the
Michael> package does not rule out malice.

Here are the diffs between the broken version (in /tmp) and what I got after I reinstalled:

--- /tmp/common-account 2009-03-09 19:41:21.000000000 -0700 +++ common-account 2009-03-06 03:39:39.000000000 -0800 @@ -14,7 +14,7 @@ # # here are the per-package modules (the "Primary" block) -account [default=1] pam_permit.so +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; --- /tmp/common-auth 2009-03-09 19:41:21.000000000 -0700 +++ common-auth 2009-03-06 03:39:39.000000000 -0800 @@ -14,7 +14,7 @@ # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) -auth [default=1] pam_permit.so +auth [success=1 default=ignore] pam_unix.so nullok_secure # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; --- /tmp/common-password 2009-03-09 19:41:21.000000000 -0700 +++ common-password 2009-03-06 03:39:39.000000000 -0800 
@@ -22,7 +22,7 @@ # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) -password [default=1] pam_permit.so +password [success=1 default=ignore] pam_unix.so obscure md5 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; --- /tmp/common-session 2009-03-09 19:41:21.000000000 -0700 +++ common-session 2009-03-06 03:39:39.000000000 -0800 @@ -21,4 +21,5 @@ # since the modules above will each just jump around session required pam_permit.so # and here are more per-package modules (the "Additional" block) +session required pam_unix.so # end of pam-auth-update config -- Russell Senior, Secretary [email protected] _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
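
Review bot: In the common-auth hunk, the `-` line `auth [default=1] pam_permit.so` leaves the Primary block with no module that checks a credential: pam_permit.so always succeeds and `default=1` jumps over the `auth requisite pam_deny.so` fallback, which matches the reported `su` going straight to root. On every host that took the same upgrade, confirm the Primary block line is the `pam_unix.so` one shown on the `+` side. Separately, `nullok_secure` on that restored line still accepts empty passwords on terminals the system treats as secure; drop it if no account needs that.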
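
Review bot: In the common-account hunk, the `-` line gives the account phase the same `[default=1] pam_permit.so` shortcut past `account requisite pam_deny.so`, so account and password expiry were not evaluated while the broken file was installed. Restoring the `pam_unix.so` line with `new_authtok_reqd=done` is the right state; after restoring, check that accounts expected to be expired are refused again.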
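
Review bot: The restored line in the common-password hunk ends in `obscure md5`, so newly set passwords are stored as MD5-crypt hashes. If the installed pam_unix supports it, replace `md5` with `sha512`; existing hashes change only when each user next sets a password.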
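
Review bot: The common-session hunk shows the broken file had no `session required pam_unix.so` line, so pam_unix was not writing session open and close records to the system log during that window. Keep the restored line, and treat the auth log for the period between the upgrade and the restore as incomplete when checking whether the open `su` was used.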
