Bug#979973: libpam-yubico: proposed patch to fix #979973

2021-02-20 Thread Jochen Hein
Package: libpam-yubico
Followup-For: Bug #979973

Dear Maintainer,

I've upgraded one of my systems where I use pam_yubico and hit the problem.
I'd like to see the issue fixed for bullseye since it might have
security implications or might render people unable to log in.

Please consider the attached patch to debian packaging.

Do we need to talk to the release team and/or raise the bug severity?

<#part type="text/x-diff" 
filename="~/work/GNU/libpam-yubico-fix-debian-bug-979973.diff" 
disposition=inline>
<#/part>

Thanks for considering.
Jochen

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-yubico depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libc6                  2.31-9
ii  libldap-2.4-2          2.4.57+dfsg-2
ii  libpam-runtime         1.4.0-4
ii  libpam0g               1.4.0-4
ii  libykclient3           2.15-2+b1
ii  libykpers-1-1          1.20.0-3
ii  libyubikey0            1.13-6

libpam-yubico recommends no packages.

libpam-yubico suggests no packages.

-- debconf information:
  libpam-yubico/module_args: mode=client try_first_pass id=N key=K



Bug#979973: libpam-yubico: add missing patch

2021-02-20 Thread Jochen Hein
Package: libpam-yubico
Followup-For: Bug #979973

Dear Maintainer,

I missed adding the patch. Here it is:

diff -ur yubico-pam-2.26.orig/debian/changelog yubico-pam-2.26/debian/changelog
--- yubico-pam-2.26.orig/debian/changelog   2021-02-21 05:40:48.0 
+0100
+++ yubico-pam-2.26/debian/changelog2021-02-21 06:01:59.0 +0100
@@ -1,3 +1,10 @@
+yubico-pam (2.26-1.2~jochen1+1) unstable; urgency=low
+
+  * Move pam_yubico.so from /lib/security to /lib/x86_64-linux-gnu/security
+(Closes: 979973)
+
+ -- Jochen Kellner   Sun, 21 Feb 2021 17:37:57 +0100
+
 yubico-pam (2.26-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
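Review bot: The changelog entry names /lib/x86_64-linux-gnu/security as the destination, which is only the right directory on amd64; describe the target as the multiarch PAM module directory so the entry stays correct on other architectures. The version 2.26-1.2~jochen1+1 also reads as a local test build and would need a regular NMU or maintainer version before upload.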
diff -ur yubico-pam-2.26.orig/debian/rules yubico-pam-2.26/debian/rules
--- yubico-pam-2.26.orig/debian/rules   2021-02-21 05:40:48.0 +0100
+++ yubico-pam-2.26/debian/rules2021-02-21 05:58:17.0 +0100
@@ -7,14 +7,14 @@
 
 override_dh_auto_configure:
dh_auto_configure -- \
-   --with-pam-dir=$(DESTDIR)/lib/security \
+   --with-pam-dir=$(DESTDIR)/lib/x86_64-linux-gnu/security \
--includedir=/usr/include/libpam-yubico
 
 override_dh_install:
install -D -m 0644 debian/pam-auth-update \

debian/libpam-yubico/usr/share/libpam-yubico/pam-auth-update.template
chrpath -d debian/libpam-yubico/usr/bin/ykpamcfg
-   chrpath -d debian/libpam-yubico/lib/security/pam_yubico.so
-   rm debian/libpam-yubico/lib/security/pam_yubico.la
+   chrpath -d 
debian/libpam-yubico/lib/x86_64-linux-gnu/security/pam_yubico.so
+   rm debian/libpam-yubico/lib/x86_64-linux-gnu/security/pam_yubico.la
rm -rf debian/libpam-yubico/usr/include
dh_install --fail-missing
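Review bot: Both the --with-pam-dir value and the two chrpath/rm paths hard-code the x86_64-linux-gnu triplet, so on any other architecture pam_yubico.so would be installed into a directory named for amd64. Use $(DEB_HOST_MULTIARCH) in all three places, for example --with-pam-dir=$(DESTDIR)/lib/$(DEB_HOST_MULTIARCH)/security, with the variable taken from dpkg's architecture.mk.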



Bug#926928: fetchmail: Server CommonName mismatch

2019-04-16 Thread Jochen Hein
Source: fetchmail
Followup-For: Bug #926928

I've checked the manpage for fetchmail. There was the following in the
stretch package:

   --sslcommonname 
  (Keyword: sslcommonname; since v6.3.9)
  Use of this option is discouraged. Before using it,
  contact the administrator of your upstream server and
  ask for a proper SSL certificate to be used. If that
  cannot be attained, this option can be used to specify
  the name (CommonName) that fetchmail expects on the
  server certificate.  A correctly configured server will
  have this set to the hostname by which it is reached,
  and by default fetchmail will expect as much. Use this
  option when the CommonName is set to some other value,
  to avoid the "Server CommonName mismatch" warning, and
  only if the upstream server can't be made to use proper
  certificates.

Besides that, I think that the bug should be downgraded...

Jochen



Bug#878066: ganglia-webfrontend: not compatible with PHP 7

2019-01-12 Thread Jochen Hein
Package: ganglia-webfrontend
Version: 3.6.1-3
Followup-For: Bug #878066

I've just upgraded my Ganglia server to buster. Another needed patch is
https://github.com/ganglia/ganglia-web/commit/13d426bcf66fb0f27d44847154ba2180884edcd6


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ganglia-webfrontend depends on:
ii  apache2 [httpd-cgi]                         2.4.37-1
ii  debconf                                     1.5.69
ii  libapache2-mod-php7.3 [libapache2-mod-php]  7.3.0-2
ii  php                                         2:7.3+69
ii  php-xml                                     2:7.3+69
ii  php7.3 [php]                                7.3.0-2
ii  php7.3-xml [php-xml]                        7.3.0-2
ii  rrdtool                                     1.7.0-1+b3

Versions of packages ganglia-webfrontend recommends:
ii  gmetad  3.6.0-7+b2
ii  php-gd  2:7.3+69
ii  php7.3-gd [php-gd]  7.3.0-2

ganglia-webfrontend suggests no packages.

-- debconf information excluded



Bug#919062: python-ipalib depends on transitional packages gnupg2 and gnupg-agent

2019-01-12 Thread Jochen Hein
Package: python-ipalib
Version: 4.7.1-3
Severity: minor

Dear Maintainer,

I've just updated an IPA client to buster and installed freeipa-client
from SID. After the update I looked for transitional packages and have
these:

# dpkg -l | grep dummy
ii  gnupg-agent   2.2.12-1   all  GNU privacy guard - cryptographic agent (dummy transitional package)
ii  gnupg2        2.2.12-1   all  GNU privacy guard - a free PGP replacement (dummy transitional package)

When I try to remove these apt will remove IPA client:

# LANG=C apt purge gnupg2 gnupg-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  freeipa-client* gnupg-agent* gnupg2* python-ipaclient* python-ipalib*
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
After this operation, 6996 kB disk space will be freed.
Do you want to continue? [Y/n]

When I look at the package gnupg-agent we get the hint:

 This is a dummy transitional package; please use gpg-agent instead.

I think we can change the depends and be done.

gnupg2 has this:

 This is a dummy transitional package that provides symlinks from gpg2
 to gpg.

Do we use the gpg2 command? I have no idea...

Thanks for the updated packages - I think the client is ready for buster.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-ipalib depends on:
ii  freeipa-common           4.7.1-3
ii  gnupg-agent              2.2.12-1
ii  gnupg2                   2.2.12-1
ii  gpg-agent [gnupg-agent]  2.2.12-1
ii  keyutils                 1.5.9-9.3
ii  python                   2.7.15-3
ii  python-cffi              1.11.5-3
ii  python-cryptography      2.3-1
ii  python-dbus              1.2.8-2+b3
ii  python-dnspython         1.16.0-1
ii  python-gssapi            1.4.1-1+b1
ii  python-jwcrypto          0.4.2-1
ii  python-ldap              3.1.0-2
ii  python-libipa-hbac       1.16.3-3
ii  python-lxml              4.2.5-1
ii  python-netaddr           0.7.19-1
ii  python-netifaces         0.10.4-1+b1
ii  python-nss               1.0.0-1+b2
ii  python-pyasn1            0.4.2-3
ii  python-pyasn1-modules    0.2.1-0.2
ii  python-qrcode            6.0-1
ii  python-requests          2.20.0-2
ii  python-setuptools        40.6.2-1
ii  python-six               1.12.0-1
ii  python-usb               1.0.2-1
ii  python-yubico            1.3.2-1.1
ii  systemd                  240-2

python-ipalib recommends no packages.

python-ipalib suggests no packages.

-- no debconf information



Bug#878066: ganglia-webfrontend: not compatible with PHP 7

2018-12-01 Thread Jochen Hein
Package: ganglia-webfrontend
Version: 3.6.1-3
Followup-For: Bug #878066

Upstream seems to have this fixed with this commit:
https://github.com/ganglia/ganglia-web/commit/c5e5831d23c6db0b04a868578680b32cb03ee952#diff-6e9d3d41e5bc04968be8f28e0b6f7a1a

-  list( $_cluster, $_host ) = split( '/', $v );
+  list( $_cluster, $_host ) = str_split( '/', $v );
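Review bot: The replacement on the + line is not equivalent to the removed split(): PHP's str_split() takes the string to chunk as its first argument and a chunk length as its second, so str_split( '/', $v ) chunks the literal '/' and never separates cluster from host in $v. Splitting on a fixed delimiter is what explode( '/', $v ) does, and that keeps the list( $_cluster, $_host ) assignment working.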

The patch is from 2016, but no new upstream release with this fix.



Bug#549655: ganglia-webfrontend: The script pie.php creates wrong pie charts.

2018-12-01 Thread Jochen Hein
Package: ganglia-webfrontend
Version: 3.6.1-3
Followup-For: Bug #549655

I've just had a look at the report and could (temporarily) reproduce it.

First some hints for a reproducer.  In the cluster view we display a
heatmap as the default (and no pie chart).  We can either set
  $conf['heatmaps_enabled'] = 0;
or toggle the host display off with "Show Hosts Scaled:" = "None" in the
cluster view to get a pie chart with hosts up/down.

With these settings I got a gray pie with 100% hosts up. I tried your patch
and got a green pie as expected.  Now I've reverted your patch and still have
a green pie...

I wanted to try this patch instead of yours:

--- /usr/src/ganglia-web-3.6.1/pie.php  2014-04-04 12:20:44.0 +0200
+++ pie.php 2018-12-01 20:33:24.468726328 +0100
@@ -150,6 +150,8 @@
   $from = 0;$to = 0;
   for ($i = 0; $i < $n; $i++) {
 $this->angles[$i] = $this->roundoff( ($this->data[$i][0] * 360) / 
doubleval($this->sum));
+if ( $this->angles[$i]>360 )
+  $this->angles[$i]=360;
   }
   $this->draw_slices( $this->center_x, $this->center_y, $this->angles, 
$this->colors );
 }
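Review bot: The added clamp caps each angles[$i] individually, but a single slice can only exceed 360 if data[$i][0] is larger than sum, so it does not address error that accumulates when several rounded angles are added up. The division by doubleval($this->sum) just above is also left unguarded for a sum of 0; checking the sum before the loop, and normalising the last slice so the angles total 360, would cover both cases.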

I now see that this shouldn't make a difference since we have in draw_slices():

286   if( $to > 360 )
287 $to = 360;

For now I'm unable to reproduce and don't have a fix, but my guess is some 
rounding error.
What's your host count?



Bug#518254: ganglia-webfrontend: missing README.Debian

2018-11-30 Thread Jochen Hein
Package: ganglia-webfrontend
Followup-For: Bug #518254

Dear Maintainer,

in the current stable distribution we have:

# dpkg -L ganglia-webfrontend | grep README.Debian
/usr/share/doc/ganglia-webfrontend/README.Debian

I suggest closing this bug.

Jochen


-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ganglia-webfrontend depends on:
ii  apache2 [httpd-cgi]                         2.4.25-3+deb9u6
ii  debconf                                     1.5.61
ii  libapache2-mod-php                          1:7.0+49
ii  libapache2-mod-php7.0 [libapache2-mod-php]  7.0.30-0+deb9u1
ii  php                                         1:7.0+49
ii  php-xml                                     1:7.0+49
ii  php7.0 [php]                                7.0.30-0+deb9u1
ii  php7.0-xml [php-xml]                        7.0.30-0+deb9u1
ii  rrdtool                                     1.6.0-1+b2

Versions of packages ganglia-webfrontend recommends:
ii  gmetad  3.6.0-7+b1
ii  php-gd  1:7.0+49
ii  php7.0-gd [php-gd]  7.0.30-0+deb9u1

ganglia-webfrontend suggests no packages.

-- debconf information excluded



Bug#881896: RFP: src -- Simple Revision Control, single-file and single-user version tracking

2018-11-26 Thread Jochen Hein
Chris Lamb  writes:

> retitle 881896 ITP: src -- Simple Revision Control, single-file and 
> single-user version tracking
...
> Is there a prefix, suffix or even an alternative name that upstream
> use to avoid this?

On http://www.catb.org/esr/src/ upstream describes it as "Simple
Revision Control".  Something like simple-revision-control?

Jochen

-- 
This space is intentionally left blank.



Bug#891410: upstream work is already in progress

2018-07-02 Thread Jochen Hein
Christoph Biedl  writes:

> Thanks for reminding me, it's on radar - but given the discussion hasn't
> been finished yet I'd prefer to wait until this is part of another
> clevis release. If you'd like to have it cherry-picked so people can
> start playing with it, let me know.

I've no idea when the next upstream release will happen, but my hope is
to have clevis in buster.  So perhaps waiting some more should be fine,
but if the freeze is nearing for buster I'd reconsider cherry picking.
So, let's wait some more for upstream.

Jochen

-- 
This space is intentionally left blank.



Bug#902447: clevis-udisks2: /usr/lib/x86_64-linux-gnu/clevis-luks-udisks2 is not setuid/setgid

2018-06-26 Thread Jochen Hein
Package: clevis-udisks2
Severity: normal

Dear Maintainer,

[I'm running my tests on Ubuntu 18.04, but I'm pretty sure
it hits Debian too]

I'm playing with clevis and encrypted disks and tried to automatically
decrypt a USB stick - which did not work.

/usr/lib/x86_64-linux-gnu/clevis-luks-udisks2 will be started when
logging in according to /etc/xdg/autostart/clevis-luks-udisks2.desktop.
The program will be started with my user and fails:

$ /usr/lib/x86_64-linux-gnu/clevis-luks-udisks2
Root privileges required!

When looking at the source we have in clevis-luks-udisks2.c, line 314:


    if (setgid(gid) != 0 || setegid(gid) != 0)
        return EXIT_FAILURE;

    if (setuid(uid) != 0 || seteuid(uid) != 0)
        return EXIT_FAILURE;

After "chmod u+s /usr/lib/x86_64-linux-gnu/clevis-luks-udisks2" I can
at least start the program.  Upstream has the following report
concerning Fedora for a similar problem:
https://github.com/latchset/clevis/issues/28
https://github.com/latchset/clevis/pull/45

I think we need to install clevis-luks-udisks2 setuid root on
Debian/Ubuntu too.  Did I miss something else?

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#891410: upstream work is already in progress

2018-06-24 Thread Jochen Hein


Hello,

please have a look at https://github.com/latchset/clevis/pull/35
I've used the scripts from https://github.com/latchset/clevis/pull/18,
where I added my comments/diff for Debian.

I guess that the updated pull request is a better start now.
Hope this helps.

Jochen

-- 
This space is intentionally left blank.



Bug#887937: krb5-user: Should krb5-user depend on/recommend krb5-k5tls?

2018-01-21 Thread Jochen Hein
Package: krb5-user
Version: 1.15-1.2
Severity: wishlist

Dear Maintainer,

   * What led up to the situation?

I'm running a road warrior setup and authenticate via KDCProxy.  If the package
krb5-k5tls is not installed, authentication fails:

# KRB5_TRACE=/dev/stderr kinit admin
[12904] 1516167827.841029: Getting initial credentials for admin at EXAMPLE.ORG
[12904] 1516167827.845059: Sending request (169 bytes) to EXAMPLE.ORG
[12904] 1516167827.845173: Resolving hostname kdcproxy.example.org
[12904] 1516167828.115087: Terminating TCP connection to https 89.0.xx.yy:443
[12904] 1516167828.551801: Terminating TCP connection to https 2a0a:a541:57ed:0:216:[redacted]:443
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

After installation of krb5-k5tls authentication succeeded.

I've discussed with upstream and there will be better logs added:
http://mailman.mit.edu/pipermail/kerberos/2018-January/021913.html
There was also the suggestion to either add a recommends/depends to
krb5-k5tls to krb5-user or maybe to integrate it in libkrb5 as CentOS
does.

Better logging will be fine for me - this bug is to discuss possible
packaging changes (recommends/depends or integration into libkrb5).
Feel free to close the bug if you think packaging is fine and there is
no change needed.


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages krb5-user depends on:
ii  krb5-config         2.6
ii  libc6               2.24-11+deb9u1
ii  libcomerr2          1.43.4-2
ii  libgssapi-krb5-2    1.15-1.2
ii  libgssrpc4          1.15-1.2
ii  libk5crypto3        1.15-1.2
ii  libkadm5clnt-mit11  1.15-1.2
ii  libkadm5srv-mit11   1.15-1.2
ii  libkdb5-8           1.15-1.2
ii  libkeyutils1        1.5.9-9
ii  libkrb5-3           1.15-1.2
ii  libkrb5support0     1.15-1.2
ii  libss2              1.43.4-2

krb5-user recommends no packages.

krb5-user suggests no packages.

-- no debconf information



Bug#856328: Fixed upstream in release 2.2.1

2018-01-03 Thread Jochen Hein

This seems to be fixed upstream:
http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=907426b00bdcd69d9a56ac1870990e8ae8c6fe9f

-- 
This space is intentionally left blank.



Bug#502292: Please consider including cache option to fix nfs4 problems

2018-01-03 Thread Jochen Hein
Source: nfs-utils
Followup-For: Bug #502292

This report is now almost 10 years old - I'd suggest closing the bug
with WONTFIX.  The original reporter used libnss-ldap to access the
user directory, which doesn't do caching of results as far as I know.
Even changing /proc/sys/fs/nfs/idmap_cache_timeout to 10 seconds might
not fix the race conditions entirely.

For some time now we have had sssd, which we can use to get users/groups from
LDAP.  sssd caches the results and can even allow offline
authentication against LDAP users.  So my suggestion to the original
reporter would be to use sssd instead of libnss-ldap.

What do you think?



Bug#884490: krb5: new upstream release 1.16 available

2017-12-15 Thread Jochen Hein
Source: krb5
Severity: wishlist

Dear Maintainer,

There is a new upstream available at
http://web.mit.edu/kerberos/dist/#krb5-1.16 I'd like to see it
packaged, so it might be included in Buster and the next Ubuntu LTS.
Thanks!

Jochen


-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-04-17 Thread Jochen Hein
Sam Hartman  writes:

> It's almost certainly impossible to get 1.15.1 into a point release of
> stretch.

That's also my guess.

> When you filed this bug as normal rather than important, I assumed you
> were saying that when you considered the severity it really met the
> criteria for important severity.
> I was on the fence about the issue, and decided to take your lead.
> Without real users actually claiming the issue met the criteria for
> important, I wasn't going to push for it or do the work to prepare a fix
> for stretch.

That's fine for me.  It only manifests for OTP users which seems to be
new and until now not often used.

> So, how big of a deal is this for you and your organization?  How easy
> is the work around of not relying on DNS to deploy?

Not a really big deal. I've prepared a local package and will deploy it
to the debian servers I have.  Ubuntu (LTS) is used on the
Laptops/Workstation, but I'll walk the same path when needed.  We talk
about 12-15 machines - so no big deal.

Jochen

-- 
This space is intentionally left blank.



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-04-17 Thread Jochen Hein
Package: krb5-user
Followup-For: Bug #856307

Dear Maintainer,

I see that in the meantime krb5-1.15.1 has been released upstream.  My
guess would be, that we can't get the fix/upstream release in the (now
frozen) stretch release.

Do you think it would be possible to get 1.15.1 in a point release to
stretch?

Thanks
Jochen



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-03-01 Thread Jochen Hein

Hello Greg,

> Upstream fix:
>  https://github.com/krb5/krb5/commit/bc7594058011c2f9711f24af4fa15a421a8d5b62

I've recompiled the Debian package with your patch and can confirm that
it works for me.  Thanks for the quick fix.

> This bug will also be fixed in the krb5 1.15.1 and krb5 1.14.5 patch
> releases.

Wonderful.

Jochen



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-02-27 Thread Jochen Hein
Sam Hartman  writes:

> So, your experience is that with _kerberos._tcp entries but no
> _kerberos._udp entries it works.

Yes.

> However, with _kerberos._udp and _kerberos._tcp entries both, it fails?

Yes, it fails (in Testing, but not in Stable)

> However, if adding the UDP entries causes a failure, I definitely should
> work with upstream.

Thanks.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-02-27 Thread Jochen Hein
Sam Hartman  writes:

> Do you have _kerberos._tcp DNS entries along with the _kerberos._udp
> entries?

Yes, I do have them - they were created when I installed my IPA domain.

> Does that help if not?

Yes, that seems to work. Hm, my CentOS machine worked with these
entries, but I didn't see relevant config differences and browsing
through the source diff didn't help.

Do you think it will hurt to just leave the _kerberos._udp-entries
removed?  I'll just wait and see for now.

Thanks for your quick answer.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-02-27 Thread Jochen Hein

Oh, and kinit with _udp entries worked fine in stable with krb5-user
1.12.1+dfsg-19+deb8u2. And now seems to work without them too.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS

2017-02-27 Thread Jochen Hein
Package: krb5-user
Version: 1.15-1
Severity: normal

Dear Maintainer,

I'm running two IPA servers for authentication and have enrolled a
Debian/testing host as a client in my IPA domain. Authentication with
kinit as normal user (password only) works fine [redacted/shortened
log]:

Passwort for u...@example.org: 
[8356] 1488202583.504266: Preauth module encrypted_challenge (138) (real) returned: 0/Success
[8356] 1488202583.504305: Produced preauth for next request: 133, 138
[8356] 1488202583.504332: Encoding request body and padata into FAST request
[8356] 1488202583.504565: Sending request (1180 bytes) to EXAMPLE.ORG
[8356] 1488202583.506508: Resolving hostname freeipa1.example.org.
[8356] 1488202583.507624: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[8356] 1488202583.672491: Received answer (1038 bytes) from dgram fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[8356] 1488202583.673974: Response was from master KDC

When using the same /etc/krb5.conf and kinit with an OTP user I get:

[11894] 1488202850.383675: Encoding request body and padata into FAST request
[11894] 1488202850.383843: Sending request (1077 bytes) to EXAMPLE.ORG
[11894] 1488202850.385176: Resolving hostname freeipa2.example.org.
[11894] 1488202850.385782: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.387857: Received answer (546 bytes) from dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.388696: Response was from master KDC
[11894] 1488202850.388761: Received error from KDC: -1765328359/zusätzlich Vorauthentifizierung erforderlich
[11894] 1488202850.388784: Decoding FAST response
[11894] 1488202850.388980: Processing preauth types: 136, 141, 133, 137
[11894] 1488202850.388998: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an: 
[11894] 1488202860.437172: Preauth module otp (141) (real) returned: 0/Success
[11894] 1488202860.437196: Produced preauth for next request: 133, 142
[11894] 1488202860.437211: Encoding request body and padata into FAST request
[11894] 1488202860.437438: Sending request (1272 bytes) to EXAMPLE.ORG
[11894] 1488202860.440332: Resolving hostname freeipa2.example.org.
[11894] 1488202860.441738: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202861.442912: Sending initial UDP request to dgram 192.168.30.122:88
[11894] 1488202861.443663: Received answer (0 bytes) from dgram 192.168.30.122:88
[11894] 1488202861.464406: Response was from master KDC
[11894] 1488202861.464406: Response was from master KDC
[11894] 1488202861.464495: Processing preauth types: 136, 141, 133, 137
[11894] 1488202861.464521: Received cookie: MIT
kinit: allgemeiner Fehlschlag der Vorauthentifizierung bei Anfängliche Anmeldedaten werden geholt.


So we try multiple UDP requests, and finally fail.  I do have
"udp_preference_limit = 1" in /etc/krb5.conf to force TCP, but as we
see above, we use UDP.

So, bug number one seems to be that we use UDP instead of the wanted
TCP. And we try multiple KDCs, which is not useful for OTP, because
the token will be consumed and the second request will fail.

If I change my /etc/krb5.conf to (dns_lookup_kdc = false, kdc = freeipa1.example.org):

...
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 1
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.ORG = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
kdc = freeipa1.example.org
  }
...

authentication as an OTP user works as expected and we use TCP sessions:

[15302] 1488203143.7313: Resolving hostname freeipa1.example.org
[15302] 1488203143.8013: Initiating TCP connection to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.8392: Sending TCP request to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10601: Received answer (544 bytes) from stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10624: Terminating TCP connection to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10698: Response was not from master KDC
[15302] 1488203143.10745: Received error from KDC: -1765328359/zusätzlich Vorauthentifizierung erforderlich
[15302] 1488203143.10765: Decoding FAST response
[15302] 1488203143.10966: Processing preauth types: 136, 141, 133, 137
[15302] 1488203143.10988: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an: 
[15302] 1488203153.599264: Preauth module otp (141) (real) returned: 0/Success
[15302] 1488203153.599305: Produced preauth for next request: 133, 142
[15302] 1488203153.599322: Encoding request body and padata into FAST request
[15302] 1488203153.599560: Sending request (1271 bytes) to EXAMPLE.ORG
[15302] 1488203153.599621: Resolving hostname freeipa1.example.org
[15302] 1488203153.600632: Initiating TCP connection to stream 
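
The two symptoms named in this report (UDP used although TCP was requested, and the OTP-bearing request going out more than once) can be picked out of KRB5_TRACE output mechanically. The following is an added example, not part of the original report or of krb5; the trace lines are constructed in the format shown above, and the function names and finding labels are hypothetical.

```python
"""Flag KRB5_TRACE patterns that break OTP logins (added example)."""
import re
from dataclasses import dataclass, field

LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
REQUEST = re.compile(r"^Sending request \((\d+) bytes\) to (\S+)")
# "initial" is the wording seen in the report; "retry" is an assumed variant.
SEND = re.compile(
    r"^Sending (?:initial |retry )?(UDP|TCP) request to (?:dgram|stream) (\S+)")
OTP_OK = re.compile(r"^Preauth module otp \(141\) \(real\) returned: 0/Success")

# Constructed sample: DNS discovery case, OTP request sent to two KDCs over UDP.
FAILING_TRACE = """\
[11894] 1488202850.383843: Sending request (1077 bytes) to EXAMPLE.ORG
[11894] 1488202850.385782: Sending initial UDP request to dgram 2001:db8::10:88
[11894] 1488202850.387857: Received answer (546 bytes) from dgram 2001:db8::10:88
Enter OTP Token Value:
[11894] 1488202860.437172: Preauth module otp (141) (real) returned: 0/Success
[11894] 1488202860.437438: Sending request (1272 bytes) to EXAMPLE.ORG
[11894] 1488202860.441738: Sending initial UDP request to dgram 2001:db8::10:88
[11894] 1488202861.442912: Sending initial UDP request to dgram 192.0.2.122:88
[11894] 1488202861.443663: Received answer (0 bytes) from dgram 192.0.2.122:88
"""

# Constructed sample: fixed "kdc =" entry, one TCP transmission per request.
WORKING_TRACE = """\
[15302] 1488203143.7000: Sending request (1076 bytes) to EXAMPLE.ORG
[15302] 1488203143.8013: Initiating TCP connection to stream 2001:db8::10:88
[15302] 1488203143.8392: Sending TCP request to stream 2001:db8::10:88
[15302] 1488203153.599264: Preauth module otp (141) (real) returned: 0/Success
[15302] 1488203153.599560: Sending request (1271 bytes) to EXAMPLE.ORG
[15302] 1488203153.600632: Initiating TCP connection to stream 2001:db8::10:88
[15302] 1488203153.601100: Sending TCP request to stream 2001:db8::10:88
"""


@dataclass
class Request:
    pid: int
    started: float
    size: int
    realm: str
    carries_otp: bool          # True if OTP preauth succeeded just before it
    sends: list = field(default_factory=list)  # (transport, address) tuples


def parse_requests(trace: str) -> list:
    """Group transmissions under the 'Sending request' line they belong to."""
    requests, current, otp_pending = [], {}, set()
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts and error text carry no [pid] prefix
        pid, ts, msg = int(m.group(1)), float(m.group(2)), m.group(3)
        if OTP_OK.match(msg):
            otp_pending.add(pid)  # the next request of this pid carries the token
        elif (r := REQUEST.match(msg)):
            req = Request(pid, ts, int(r.group(1)), r.group(2), pid in otp_pending)
            otp_pending.discard(pid)
            current[pid] = req
            requests.append(req)
        elif (s := SEND.match(msg)) and pid in current:
            current[pid].sends.append((s.group(1), s.group(2)))
    return requests


def analyze(trace: str, expect_tcp: bool = True) -> list:
    """Return (label, request_size, addresses) findings.

    expect_tcp models a client configured with udp_preference_limit = 1,
    where requests larger than one byte should try TCP first.
    """
    findings = []
    for req in parse_requests(trace):
        udp = tuple(addr for transport, addr in req.sends if transport == "UDP")
        if expect_tcp and udp:
            findings.append(("udp-used", req.size, udp))
        # A one-time password is consumed by the first KDC that sees it, so
        # any second transmission of the same request is expected to fail.
        if req.carries_otp and len(req.sends) > 1:
            findings.append(
                ("otp-resent", req.size, tuple(addr for _, addr in req.sends)))
    return findings


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, analyze(trace))
```

Feed it real output by capturing `KRB5_TRACE=/dev/stderr kinit ...` to a file and passing the file contents to `analyze()`.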

Bug#830905: openconnect: proposed patch to control

2016-11-21 Thread Jochen Hein
Mike Miller <mtmil...@debian.org> writes:

> On Sat, Oct 15, 2016 at 22:05:02 +0200, Jochen Hein wrote:
>> @@ -46,6 +47,7 @@
>>  Multi-Arch: same
>>  Depends: libgnutls28-dev,
>>   liboath-dev,
>> + libkrb5-dev,
>>   libopenconnect5 (= ${binary:Version}),
>>   libp11-kit-dev,
>>   libproxy-dev,
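Review bot: libkrb5-dev is inserted after liboath-dev, while the other entries in this Depends list (libgnutls28-dev, liboath-dev, libopenconnect5, libp11-kit-dev, libproxy-dev) are in alphabetical order. If the line stays, it belongs directly after libgnutls28-dev.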
>
> I believe this hunk isn't needed, libkrb5 is not part of openconnect's
> public API, so dependent packages shouldn't need it.

I'd expect the same for the other -dev packages, but I didn't
investigate further.

> I'll apply this to the 7.07-1 package.

Thanks!

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



Bug#843203: python-kdcproxy: Please add README to binary packages

2016-11-04 Thread Jochen Hein
Package: python-kdcproxy
Version: 0.3.2-3
Severity: wishlist

Dear Maintainer,

there is no documentation in the binary package - a look at GitHub and
I see that the README is well written and describes how to
configure apache to use python-kdcproxy. I'd like to have
the README packaged - my first look was at /usr/share/doc...

Thanks
Jochen

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'stable-updates'), (99, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-kdcproxy depends on:
ii  python-dnspython  1.12.0-1
ii  python-pyasn1 0.1.7-1
pn  python:any

python-kdcproxy recommends no packages.

python-kdcproxy suggests no packages.

-- no debconf information



Bug#830905: openconnect: proposed patch to control

2016-10-15 Thread Jochen Hein
Package: openconnect
Version: 7.06-2
Followup-For: Bug #830905

Dear Maintainer,

I think the attached patch should work.
Can you apply it or comment what should be needed?

Thanks for your work
Jochen
--- openconnect-7.06/debian/control.orig	2015-05-25 23:26:22.0 +0200
+++ openconnect-7.06/debian/control	2016-10-15 21:57:22.0 +0200
@@ -7,6 +7,7 @@
groff,
libgnutls28-dev,
liblz4-dev,
+   libkrb5-dev,
liboath-dev,
libp11-kit-dev,
libproxy-dev,
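Review bot: With libkrb5-dev added to Build-Depends and no other file touched, GSSAPI support depends on the configure step detecting the library on its own, so a build where detection fails would quietly produce a package without it. If upstream's configure offers a switch that requires GSSAPI, set it in debian/rules so that case becomes a build failure; libkrb5-dev would also sort before liblz4-dev in this list.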
@@ -46,6 +47,7 @@
 Multi-Arch: same
 Depends: libgnutls28-dev,
  liboath-dev,
+ libkrb5-dev,
  libopenconnect5 (= ${binary:Version}),
  libp11-kit-dev,
  libproxy-dev,
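Review bot: The libkrb5-dev line in this Depends stanza (the one that also depends on libopenconnect5 (= ${binary:Version})) is only justified if the installed headers or the pkg-config file of libopenconnect refer to krb5, and nothing in the patch shows that they do. Drop it unless that is the case, since every package building against libopenconnect would otherwise pull in the Kerberos development files.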


Bug#830905: openconnect: Please enable GSSAPI support

2016-07-12 Thread Jochen Hein
Package: openconnect
Version: 7.06-2
Severity: wishlist

Dear Maintainer,

I'm running a FreeIPA server in my local network and use Kerberos/GSSAPI
for most authentication purposes. Openconnect as compiled for Debian right
now does not include support for GSSAPI.

I've compiled a local package after installing krb5-multidev/libkrb5-dev and
have built openconnect. That package includes GSSAPI support and works
for me.

I'm not sure what besides adding the build-dep to the control file
might be needed, but a GSSAPI enabled package would help in running
Single-Sign-On for me.

Thanks for your consideration
Jochen


-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'stable'), (99, 
'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openconnect depends on:
ii  libc6            2.19-18+deb8u4
ii  libgnutls30      3.4.12-1
ii  libopenconnect5  7.06-2
ii  libproxy1        0.4.11-4+b2
ii  libxml2          2.9.1+dfsg1-5+deb8u2
ii  vpnc-scripts     0.1~git20140806-1

openconnect recommends no packages.

openconnect suggests no packages.

-- no debconf information



Bug#307696: udev doesn't fill values in syslog

2005-05-04 Thread Jochen Hein
Package: udev
Version: 0.056-2
Severity: minor


From my syslog:

May  4 20:59:51 hermes udev[10015]: configured rule in '/etc/udev/rules.d/z_hal-plugdev.rules[2]' applied, 'sda' becomes '%k'
May  4 20:59:51 hermes udev[10015]: creating device node '/dev/sda'
May  4 20:59:52 hermes udev[10055]: configured rule in '/etc/udev/rules.d/00_local.rules[1]' applied, added symlink '%c'
May  4 20:59:52 hermes udev[10055]: configured rule in '/etc/udev/rules.d/z_hal-plugdev.rules[2]' applied, 'sda1' becomes '%k'
May  4 20:59:52 hermes udev[10055]: creating device node '/dev/sda1'

When debugging it might be helpful to have %k and %c replaced with
sensible values.

Jochen

-- Package-specific info:
-- /etc/udev/rules.d/:
/etc/udev/rules.d/:
insgesamt 4
-rw-r--r--  1 root root 69 2005-05-04 20:54 00_local.rules
lrwxrwxrwx  1 root root 20 2005-04-17 08:30 020_permissions.rules -> ../permissions.rules
lrwxr-xr-x  1 root root 19 2004-12-26 15:07 cd-aliases.rules -> ../cd-aliases.rules
lrwxrwxrwx  1 root root 17 2005-04-12 22:12 thinkpad.rules -> ../thinkpad.rules
lrwxr-xr-x  1 root root 13 2004-08-24 15:16 udev.rules -> ../udev.rules
lrwxrwxrwx  1 root root 12 2005-04-02 21:07 z_hal-plugdev.rules -> ../hal.rules

-- /sys/:

-- Kernel configuration:
 isapnp_init not present.


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages udev depends on:
ii  hotplug      0.0.20040329-22  Linux Hotplug Scripts
ii  initscripts  2.86.ds1-1       Standard scripts needed for bootin
ii  libc6        2.3.2.ds1-21     GNU C Library: Shared libraries an
ii  makedev      2.3.1-77         creates device files in /dev
ii  sed          4.1.2-8          The GNU sed stream editor

-- debconf information:
  udev/devfs-warning:
* udev/reboot-warning:


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#304020: jfbterm: Please compile with --enable-direct-color

2005-04-10 Thread Jochen Hein
Package: jfbterm
Version: 0.4.7-2.0
Severity: wishlist


I'm running jfbterm with radeonfb which uses directcolor for my
resolution/depth.  jfbterm as compiled for Debian prints unknown
framebuffer and stops.  Using --enable-direct-color works for me,
so I'd like to see it compiled that way.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages jfbterm depends on:
ii  libc6        2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  unifont      1:1.0-1          X11 dual-width GNU unicode font
ii  xfonts-base  4.3.0.dfsg.1-12  standard fonts for X

-- no debconf information





Bug#303894: fbiterm crashes with Segmentation Fault when using less UTF-8-demo.txt

2005-04-09 Thread Jochen Hein
Package: fbiterm
Version: 0.5-3.2
Severity: normal


The demo file starts with:

,----
| UTF-8 encoded sample plain-text file
|
| Markus Kuhn [maks kun] [EMAIL PROTECTED]  2002-07-25
`----

I'll attach the file.  The system is an up-to-date sarge.

Jochen

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages fbiterm depends on:
ii  debconf    1.4.30.11     Debian configuration management sy
ii  libc6      2.3.2.ds1-20  GNU C Library: Shared libraries an
ii  libiterm1  0.5-3.2       internationalized terminal emulato
ii  unifont    1:1.0-1       X11 dual-width GNU unicode font
ii  zlib1g     1:1.2.2-3     compression library - runtime

-- debconf information:
* fbiterm/SUID_bit: true


Bug#252738: w3m-img: works for me with 0.5.1-1, but docs still missing

2005-03-08 Thread Jochen Hein
Package: w3m-img
Version: 0.5.1-1
Followup-For: Bug #252738


I just tried a fresh install of w3m and w3m-img and get images
inline.  Anyway, at first I was as confused as the original
reporter.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages w3m-img depends on:
ii  libc6           2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libgc1          1:6.4-1          conservative garbage collector for
ii  libgdk-pixbuf2  0.22.0-7         The GdkPixBuf image library, gtk+
ii  libglib1.2      1.2.10-9         The GLib library of C routines
ii  libgtk1.2       1.2.10-17        The GIMP Toolkit set of widgets fo
ii  libx11-6        4.3.0.dfsg.1-10  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-10  X Window System miscellaneous exte
ii  libxi6          4.3.0.dfsg.1-10  X Window System Input extension li
ii  w3m             0.5.1-1          WWW browsable pager with excellent
ii  xlibs           4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu

-- no debconf information

