Bug#979973: libpam-yubico: proposed patch to fix #979973
Package: libpam-yubico
Followup-For: Bug #979973

Dear Maintainer,

I've upgraded one of my systems where I use pam_yubico and hit the problem. I'd like to see the issue fixed for bullseye since it might have security implications or might render people unable to log in.

Please consider the attached patch to debian packaging. Do we need to talk to the release team and/or raise the bug severity?

<#part type="text/x-diff" filename="~/work/GNU/libpam-yubico-fix-debian-bug-979973.diff" disposition=inline> <#/part>

Thanks for considering.

Jochen

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-yubico depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libc6                  2.31-9
ii  libldap-2.4-2          2.4.57+dfsg-2
ii  libpam-runtime         1.4.0-4
ii  libpam0g               1.4.0-4
ii  libykclient3           2.15-2+b1
ii  libykpers-1-1          1.20.0-3
ii  libyubikey0            1.13-6

libpam-yubico recommends no packages.
libpam-yubico suggests no packages.

-- debconf information:
  libpam-yubico/module_args: mode=client try_first_pass id=N key=K
Bug#979973: libpam-yubico: add missing patch
Package: libpam-yubico Followup-For: Bug #979973 Dear Maintainer, I missed adding the path. Here it is: diff -ur yubico-pam-2.26.orig/debian/changelog yubico-pam-2.26/debian/changelog --- yubico-pam-2.26.orig/debian/changelog 2021-02-21 05:40:48.0 +0100 +++ yubico-pam-2.26/debian/changelog2021-02-21 06:01:59.0 +0100 @@ -1,3 +1,10 @@ +yubico-pam (2.26-1.2~jochen1+1) unstable; urgency=low + + * Move pam_yubico.so from /lib/security to /lib/x86_64-linux-gnu/security +(Closes: 979973) + + -- Jochen Kellner Sun, 21 Feb 2021 17:37:57 +0100 + yubico-pam (2.26-1.1) unstable; urgency=low * Non-maintainer upload. diff -ur yubico-pam-2.26.orig/debian/rules yubico-pam-2.26/debian/rules --- yubico-pam-2.26.orig/debian/rules 2021-02-21 05:40:48.0 +0100 +++ yubico-pam-2.26/debian/rules2021-02-21 05:58:17.0 +0100 @@ -7,14 +7,14 @@ override_dh_auto_configure: dh_auto_configure -- \ - --with-pam-dir=$(DESTDIR)/lib/security \ + --with-pam-dir=$(DESTDIR)/lib/x86_64-linux-gnu/security \ --includedir=/usr/include/libpam-yubico override_dh_install: install -D -m 0644 debian/pam-auth-update \ debian/libpam-yubico/usr/share/libpam-yubico/pam-auth-update.template chrpath -d debian/libpam-yubico/usr/bin/ykpamcfg - chrpath -d debian/libpam-yubico/lib/security/pam_yubico.so - rm debian/libpam-yubico/lib/security/pam_yubico.la + chrpath -d debian/libpam-yubico/lib/x86_64-linux-gnu/security/pam_yubico.so + rm debian/libpam-yubico/lib/x86_64-linux-gnu/security/pam_yubico.la rm -rf debian/libpam-yubico/usr/include dh_install --fail-missing
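Review bot: in the debian/rules hunk, --with-pam-dir and the chrpath/rm lines in override_dh_install hardcode /lib/x86_64-linux-gnu/security, so the package only installs pam_yubico.so into the matching multiarch directory when built for amd64; a build for any other architecture would put the module under an amd64 directory name. Take the triplet from dpkg-architecture instead, for example --with-pam-dir=$(DESTDIR)/lib/$(DEB_HOST_MULTIARCH)/security, and use the same variable in the chrpath and rm lines. The changelog entry names the amd64 path as well and would read better as "the multiarch PAM module directory".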
Bug#926928: fetchmail: Server CommonName mismatch
Source: fetchmail
Followup-For: Bug #926928

I've checked the manpage for fetchmail. There was the following in the stretch package:

  --sslcommonname
      (Keyword: sslcommonname; since v6.3.9)
      Use of this option is discouraged. Before using it, contact the administrator of your upstream server and ask for a proper SSL certificate to be used. If that cannot be attained, this option can be used to specify the name (CommonName) that fetchmail expects on the server certificate. A correctly configured server will have this set to the hostname by which it is reached, and by default fetchmail will expect as much. Use this option when the CommonName is set to some other value, to avoid the "Server CommonName mismatch" warning, and only if the upstream server can't be made to use proper certificates.

Beside that I think that the bug should be downgraded...

Jochen
Bug#878066: ganglia-webfrontend: not compatible with PHP 7
Package: ganglia-webfrontend Version: 3.6.1-3 Followup-For: Bug #878066 I've just upgraded my Ganglia server to buster. Another needed patch is https://github.com/ganglia/ganglia-web/commit/13d426bcf66fb0f27d44847154ba2180884edcd6 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ganglia-webfrontend depends on: ii apache2 [httpd-cgi] 2.4.37-1 ii debconf 1.5.69 ii libapache2-mod-php7.3 [libapache2-mod-php] 7.3.0-2 ii php 2:7.3+69 ii php-xml 2:7.3+69 ii php7.3 [php]7.3.0-2 ii php7.3-xml [php-xml]7.3.0-2 ii rrdtool 1.7.0-1+b3 Versions of packages ganglia-webfrontend recommends: ii gmetad 3.6.0-7+b2 ii php-gd 2:7.3+69 ii php7.3-gd [php-gd] 7.3.0-2 ganglia-webfrontend suggests no packages. -- debconf information excluded
Bug#919062: python-ipalib depends on transitional packages gnupg2 and gnupg-agent
Package: python-ipalib
Version: 4.7.1-3
Severity: minor

Dear Maintainer,

I've just updated an IPA client to buster and installed freeipa-client from SID. After the update I looked for transitional packages and have these:

# dpkg -l | grep dummy
ii  gnupg-agent  2.2.12-1  all  GNU privacy guard - cryptographic agent (dummy transitional package)
ii  gnupg2       2.2.12-1  all  GNU privacy guard - a free PGP replacement (dummy transitional package)

When I try to remove these apt will remove IPA client:

# LANG=C apt purge gnupg2 gnupg-agent
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  freeipa-client* gnupg-agent* gnupg2* python-ipaclient* python-ipalib*
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
After this operation, 6996 kB disk space will be freed.
Do you want to continue? [Y/n]

When I look at the package gnupg-agent we get the hint:

  This is a dummy transitional package; please use gpg-agent instead.

I think we can change the depends and be done. gnupg2 has this:

  This is a dummy transitional package that provides symlinks from gpg2 to gpg.

Do we use the gpg2 command? I have no idea...

Thanks for the updated packages - I think the client is ready for buster.

-- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages python-ipalib depends on: ii freeipa-common 4.7.1-3 ii gnupg-agent 2.2.12-1 ii gnupg2 2.2.12-1 ii gpg-agent [gnupg-agent] 2.2.12-1 ii keyutils 1.5.9-9.3 ii python 2.7.15-3 ii python-cffi 1.11.5-3 ii python-cryptography 2.3-1 ii python-dbus 1.2.8-2+b3 ii python-dnspython 1.16.0-1 ii python-gssapi1.4.1-1+b1 ii python-jwcrypto 0.4.2-1 ii python-ldap 3.1.0-2 ii python-libipa-hbac 1.16.3-3 ii python-lxml 4.2.5-1 ii python-netaddr 0.7.19-1 ii python-netifaces 0.10.4-1+b1 ii python-nss 1.0.0-1+b2 ii python-pyasn10.4.2-3 ii python-pyasn1-modules0.2.1-0.2 ii python-qrcode6.0-1 ii python-requests 2.20.0-2 ii python-setuptools40.6.2-1 ii python-six 1.12.0-1 ii python-usb 1.0.2-1 ii python-yubico1.3.2-1.1 ii systemd 240-2 python-ipalib recommends no packages. python-ipalib suggests no packages. -- no debconf information
Bug#878066: ganglia-webfrontend: not compatible with PHP 7
Package: ganglia-webfrontend Version: 3.6.1-3 Followup-For: Bug #878066 Upstream seems to have this fixed with this commit: https://github.com/ganglia/ganglia-web/commit/c5e5831d23c6db0b04a868578680b32cb03ee952#diff-6e9d3d41e5bc04968be8f28e0b6f7a1a - list( $_cluster, $_host ) = split( '/', $v ); + list( $_cluster, $_host ) = str_split( '/', $v ); The patch is from 2016, but no new upstream release with this fix.
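Review bot: the replacement line calls str_split( '/', $v ), but str_split() takes the string to cut as its first argument and a chunk length as its second, so this cuts the literal '/' into pieces instead of splitting $v on '/', and list( $_cluster, $_host ) does not receive the cluster and host parts. For a fixed delimiter the replacement for the removed split() is explode( '/', $v ); the line should be checked against the current upstream file before it is carried as a Debian patch.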
Bug#549655: ganglia-webfrontend: The script pie.php creates wrong pie charts.
Package: ganglia-webfrontend Version: 3.6.1-3 Followup-For: Bug #549655 I've just had a look at the report and could (temporarily) reproduce it. First some hints for a reproducer. In the cluster view we display a heatmap as the default (and no pie chart). We can either set $conf['heatmaps_enabled'] = 0; or toggle the host display off with "Show Hosts Scaled:" = "None" in the cluster view to get a pie chart with hosts up/down. With these settings I got a gray pie with 100% hosts up. I tried your patch and got a green pie as expected. Now I've reverted your patch and still have a green pie... I wanted to try this patch instead of your's: --- /usr/src/ganglia-web-3.6.1/pie.php 2014-04-04 12:20:44.0 +0200 +++ pie.php 2018-12-01 20:33:24.468726328 +0100 @@ -150,6 +150,8 @@ $from = 0;$to = 0; for ($i = 0; $i < $n; $i++) { $this->angles[$i] = $this->roundoff( ($this->data[$i][0] * 360) / doubleval($this->sum)); +if ( $this->angles[$i]>360 ) + $this->angles[$i]=360; } $this->draw_slices( $this->center_x, $this->center_y, $this->angles, $this->colors ); } I now see that this shouldn't make a difference since we have in draw_slices(): 286 if( $to > 360 ) 287 $to = 360; For now I'm unable to reproduce and don't have a fix, but my guess is some rounding error. What's your host count?
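Review bot: the clamp added inside the for loop caps each $this->angles[$i] at 360 on its own, but every angle is rounded separately by roundoff(), so the angles passed to draw_slices() can still add up to something other than 360, which is the rounding case the report suspects. If rounding is the cause, assign the last slice the remainder (360 minus the sum of the earlier angles) rather than clamping per slice. The same loop divides by doubleval($this->sum) with no guard for a sum of 0, and the new if is not indented to match the loop body.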
Bug#518254: ganglia-webfrontend: missing README.Debian
Package: ganglia-webfrontend Followup-For: Bug #518254 Dear Maintainer, in the current stable distribution we have: # dpkg -L ganglia-webfrontend | grep README.Debian /usr/share/doc/ganglia-webfrontend/README.Debian I suggest closing this bug. Jochen -- System Information: Debian Release: 9.6 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages ganglia-webfrontend depends on: ii apache2 [httpd-cgi] 2.4.25-3+deb9u6 ii debconf 1.5.61 ii libapache2-mod-php 1:7.0+49 ii libapache2-mod-php7.0 [libapache2-mod-php] 7.0.30-0+deb9u1 ii php 1:7.0+49 ii php-xml 1:7.0+49 ii php7.0 [php]7.0.30-0+deb9u1 ii php7.0-xml [php-xml]7.0.30-0+deb9u1 ii rrdtool 1.6.0-1+b2 Versions of packages ganglia-webfrontend recommends: ii gmetad 3.6.0-7+b1 ii php-gd 1:7.0+49 ii php7.0-gd [php-gd] 7.0.30-0+deb9u1 ganglia-webfrontend suggests no packages. -- debconf information excluded
Bug#881896: RFP: src -- Simple Revision Control, single-file and single-user version tracking
Chris Lamb writes:

> retitle 881896 ITP: src -- Simple Revision Control, single-file and
> single-user version tracking

...

> Is there a prefix, suffix or even an alternative name that upstream
> use to avoid this?

On http://www.catb.org/esr/src/ upstream describes it as "Simple Revision Control". Something like simple-revision-control?

Jochen

--
This space is intentionally left blank.
Bug#891410: upstream work is already in progress
Christoph Biedl writes:

> Thanks for reminding me, it's on radar - but given the discussion hasn't
> been finished yet I'd prefer to wait until this is part of another
> clevis release. If you'd like to have it cherry-picked so people can
> start playing with it, let me know.

I've no idea when the next upstream release will happen, but my hope is to have clevis in buster. So perhaps waiting some more should be fine, but if the freeze is nearing for buster I'd reconsider cherry picking.

So, let's wait some more for upstream.

Jochen

--
This space is intentionally left blank.
Bug#902447: clevis-udisks2: /usr/lib/x86_64-linux-gnu/clevis-luks-udisks2 is not setuid/setgid
Package: clevis-udisks2
Severity: normal

Dear Maintainer,

[I'm running my tests on Ubuntu 18.04, but I'm pretty sure it hits Debian too]

I'm playing with clevis and encrypted disks and tried to automatically decrypt a USB stick - which did not work.

/usr/lib/x86_64-linux-gnu/clevis-luks-udisks2 will be started when logging in according to /etc/xdg/autostart/clevis-luks-udisks2.desktop. The program will be started with my user and fails:

$ /usr/lib/x86_64-linux-gnu/clevis-luks-udisks2
Root privileges required!

When looking at the source we have in clevis-luks-udisks2.c, line 314:

    if (setgid(gid) != 0 || setegid(gid) != 0)
        return EXIT_FAILURE;
    if (setuid(uid) != 0 || seteuid(uid) != 0)
        return EXIT_FAILURE;

After "chmod u+s /usr/lib/x86_64-linux-gnu/clevis-luks-udisks2" I can at least start the program.

Upstream has the following report concerning Fedora for a similar problem:

https://github.com/latchset/clevis/issues/28
https://github.com/latchset/clevis/pull/45

I think we need to install clevis-luks-udisks2 setuid root on Debian/Ubuntu too. Did I miss something else?

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug#891410: upstream work is already in progress
Hello, please have a look at https://github.com/latchset/clevis/pull/35 I've used the scripts from https://github.com/latchset/clevis/pull/18, where I added my comments/diff for Debian. I guess that the updated pull request is a better start now. Hope this helps. Jochen -- This space is intentionally left blank.
Bug#887937: krb5-user: Should krb5-user depend on/recommend krb5-k5tls?
Package: krb5-user
Version: 1.15-1.2
Severity: wishlist

Dear Maintainer,

* What led up to the situation?

I'm running a road warrior setup and authenticate via KDCProxy. If the package krb5-k5tls is not installed authentication fails:

# KRB5_TRACE=/dev/stderr kinit admin
[12904] 1516167827.841029: Getting initial credentials for admin at EXAMPLE.ORG
[12904] 1516167827.845059: Sending request (169 bytes) to EXAMPLE.ORG
[12904] 1516167827.845173: Resolving hostname kdcproxy.example.org
[12904] 1516167828.115087: Terminating TCP connection to https 89.0.xx.yy:443
[12904] 1516167828.551801: Terminating TCP connection to https 2a0a:a541:57ed:0:216:[redacted]:443
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials

* What exactly did you do (or not do) that was effective (or ineffective)?

After installation of krb5-k5tls authentication succeeded.

I've discussed with upstream and there will be better logs added:
http://mailman.mit.edu/pipermail/kerberos/2018-January/021913.html

There was also the suggestion to either add a recommends/depends to krb5-k5tls to krb5-user or maybe to integrate it in libkrb5 as CentOS does.

Better logging will be fine for me - this bug is to discuss possible packaging changes (recommends/depends or integration into libkrb5). Feel free to close the bug if you think packaging is fine and there is no change needed.

-- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages krb5-user depends on: ii krb5-config 2.6 ii libc6 2.24-11+deb9u1 ii libcomerr2 1.43.4-2 ii libgssapi-krb5-21.15-1.2 ii libgssrpc4 1.15-1.2 ii libk5crypto31.15-1.2 ii libkadm5clnt-mit11 1.15-1.2 ii libkadm5srv-mit11 1.15-1.2 ii libkdb5-8 1.15-1.2 ii libkeyutils11.5.9-9 ii libkrb5-3 1.15-1.2 ii libkrb5support0 1.15-1.2 ii libss2 1.43.4-2 krb5-user recommends no packages. krb5-user suggests no packages. -- no debconf information
Bug#856328: Fixed upstream in release 2.2.1
This seems to be fixed upstream: http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=907426b00bdcd69d9a56ac1870990e8ae8c6fe9f -- This space is intentionally left blank.
Bug#502292: Please consider including cache option to fix nfs4 problems
Source: nfs-utils
Followup-For: Bug #502292

This report is now almost 10 years old - I'd suggest closing the bug with WONTFIX.

The original reporter used libnss-ldap to access the user directory, which doesn't do caching of results as far as I know. Even changing /proc/sys/fs/nfs/idmap_cache_timeout to 10 seconds might not fix the race conditions entirely.

For some time now we have had sssd, which we can use to get users/groups from LDAP. sssd caches the results and can even allow offline authentication against LDAP users. So my suggestion to the original reporter would be to use sssd instead of libnss-ldap.

What do you think?
Bug#884490: krb5: new upstream release 1.16 available
Source: krb5 Severity: wishlist Dear Maintainer, There is a new upstream available at http://web.mit.edu/kerberos/dist/#krb5-1.16 I'd like to see it packaged, so it might be included in Buster and the next Ubuntu LTS. Thanks! Jochen -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Sam Hartman writes:

> It's almost certainly impossible to get 1.15.1 into a point release of
> stretch.

That's also my guess.

> When you filed this bug as normal rather than important, I assumed you
> were saying that when you considered the severity it really met the
> criteria for important severity.
> I was on the fence about the issue, and decided to take your lead.
> Without real users actually claiming the issue met the criteria for
> important, I wasn't going to push for it or do the work to prepare a fix
> for stretch.

That's fine for me. It only manifests for OTP users which seems to be new and until now not often used.

> So, how big of a deal is this for you and your organization? How easy
> is the work around of not relying on DNS to deploy?

Not a really big deal. I've prepared a local package and will deploy it to the debian servers I have. Ubuntu (LTS) is used on the Laptops/Workstation, but I'll walk the same path when needed. We talk about 12-15 machines - so no big deal.

Jochen

--
This space is intentionally left blank.
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Package: krb5-user
Followup-For: Bug #856307

Dear Maintainer,

I see that in the meantime krb5-1.15.1 has been released upstream. My guess would be that we can't get the fix/upstream release in the (now frozen) stretch release. Do you think it would be possible to get 1.15.1 in a point release to stretch?

Thanks
Jochen
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Hello Greg,

> Upstream fix:
> https://github.com/krb5/krb5/commit/bc7594058011c2f9711f24af4fa15a421a8d5b62

I've recompiled the Debian package with your patch and can confirm that it works for me. Thanks for the quick fix.

> This bug will also be fixed in the krb5 1.15.1 and krb5 1.14.5 patch
> releases.

Wonderful.

Jochen
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Sam Hartman writes:

> So, your experience is that with _kerberos._tcp entries but no
> _kerberos._udp entries it works.

Yes.

> However, with _kerberos._udp and _kerberos._tcp entries both, it fails?

Yes, it fails (in Testing, but not in Stable)

> However, if adding the UDP entries causes a failure, I definitely should
> work with upstream.

Thanks.

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Sam Hartman writes:

> Do you have _kerberos._tcp DNS entries along with the _kerberos._udp
> entries?

Yes, I do have them - they were created when I installed my IPA domain.

> Does that help if not?

Yes, that seems to work. Hm, my CentOS machine worked with these entries, but I didn't see relevant config differences and browsing through the source diff didn't help.

Do you think it will hurt to just leave the _kerberos._udp-entries removed? I'll just wait and see for now.

Thanks for your quick answer.

Jochen

--
The only problem with troubleshooting is that the trouble shoots back.
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Oh, and kinit with _udp entries worked fine in stable with krb5-user 1.12.1+dfsg-19+deb8u2. And now seems to work without them too. Jochen -- The only problem with troubleshooting is that the trouble shoots back.
Bug#856307: krb5-user: kinit fails for OTP user when using kdc discovery via DNS
Package: krb5-user
Version: 1.15-1
Severity: normal

Dear Maintainer,

I'm running two IPA servers for authentication and have enrolled a Debian/testing host as a client in my IPA domain. Authentication with kinit as normal user (password only) works fine [redacted/shortened log]:

Passwort for u...@example.org:
[8356] 1488202583.504266: Preauth module encrypted_challenge (138) (real) returned: 0/Success
[8356] 1488202583.504305: Produced preauth for next request: 133, 138
[8356] 1488202583.504332: Encoding request body and padata into FAST request
[8356] 1488202583.504565: Sending request (1180 bytes) to EXAMPLE.ORG
[8356] 1488202583.506508: Resolving hostname freeipa1.example.org.
[8356] 1488202583.507624: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[8356] 1488202583.672491: Received answer (1038 bytes) from dgram fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[8356] 1488202583.673974: Response was from master KDC

When using the same /etc/krb5.conf and kinit with an OTP user I get:

[11894] 1488202850.383675: Encoding request body and padata into FAST request
[11894] 1488202850.383843: Sending request (1077 bytes) to EXAMPLE.ORG
[11894] 1488202850.385176: Resolving hostname freeipa2.example.org.
[11894] 1488202850.385782: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.387857: Received answer (546 bytes) from dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.388696: Response was from master KDC
[11894] 1488202850.388761: Received error from KDC: -1765328359/zusätzlich Vorauthentifizierung erforderlich
[11894] 1488202850.388784: Decoding FAST response
[11894] 1488202850.388980: Processing preauth types: 136, 141, 133, 137
[11894] 1488202850.388998: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an:
[11894] 1488202860.437172: Preauth module otp (141) (real) returned: 0/Success
[11894] 1488202860.437196: Produced preauth for next request: 133, 142
[11894] 1488202860.437211: Encoding request body and padata into FAST request
[11894] 1488202860.437438: Sending request (1272 bytes) to EXAMPLE.ORG
[11894] 1488202860.440332: Resolving hostname freeipa2.example.org.
[11894] 1488202860.441738: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202861.442912: Sending initial UDP request to dgram 192.168.30.122:88
[11894] 1488202861.443663: Received answer (0 bytes) from dgram 192.168.30.122:88
[11894] 1488202861.464406: Response was from master KDC
[11894] 1488202861.464406: Response was from master KDC
[11894] 1488202861.464495: Processing preauth types: 136, 141, 133, 137
[11894] 1488202861.464521: Received cookie: MIT
kinit: allgemeiner Fehlschlag der Vorauthentifizierung bei Anfängliche Anmeldedaten werden geholt.

So we try multiple UDP requests, and finally fail. I do have "udp_preference_limit = 1" in /etc/krb5.conf to force TCP, but as we see above, we use UDP. So, bug number one seems to be that we use UDP instead of the wanted TCP. And we try multiple KDCs, which is not useful for OTP, because the token will be consumed and the second request will fail.

If I change my /etc/krb5.conf to (dns_lookup_kdc = false, kdc = freeipa1.example.org):

...
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 1
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  EXAMPLE.ORG = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    kdc = freeipa1.example.org
  }
...

authentication as an OTP user works as expected and we use TCP sessions:

[15302] 1488203143.7313: Resolving hostname freeipa1.example.org
[15302] 1488203143.8013: Initiating TCP connection to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.8392: Sending TCP request to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10601: Received answer (544 bytes) from stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10624: Terminating TCP connection to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10698: Response was not from master KDC
[15302] 1488203143.10745: Received error from KDC: -1765328359/zusätzlich Vorauthentifizierung erforderlich
[15302] 1488203143.10765: Decoding FAST response
[15302] 1488203143.10966: Processing preauth types: 136, 141, 133, 137
[15302] 1488203143.10988: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an:
[15302] 1488203153.599264: Preauth module otp (141) (real) returned: 0/Success
[15302] 1488203153.599305: Produced preauth for next request: 133, 142
[15302] 1488203153.599322: Encoding request body and padata into FAST request
[15302] 1488203153.599560: Sending request (1271 bytes) to EXAMPLE.ORG
[15302] 1488203153.599621: Resolving hostname freeipa1.example.org
[15302] 1488203153.600632: Initiating TCP connection to stream
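Added example, not part of the original report or of MIT krb5: a small Python checker for KRB5_TRACE output that flags the two symptoms described in the report above, UDP transport although TCP was requested and an OTP response sent to more than one KDC address. The function name, the force_tcp parameter and the finding labels are hypothetical; the sample lines are abridged from the traces in the report, and the last line of the working trace is constructed because the quoted trace is cut off.

```python
import re
from collections import defaultdict

# Sample input, abridged from the failing OTP trace quoted in the report.
FAILING_TRACE = """\
[11894] 1488202850.385782: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.387857: Received answer (546 bytes) from dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202850.388998: Received cookie: MIT
Geben Sie den Wert des Einwegpasswort-Tokens an:
[11894] 1488202860.437172: Preauth module otp (141) (real) returned: 0/Success
[11894] 1488202860.437438: Sending request (1272 bytes) to EXAMPLE.ORG
[11894] 1488202860.441738: Sending initial UDP request to dgram fd23:e163:19f7:1234:5054:ff:fe07:ff5a:88
[11894] 1488202861.442912: Sending initial UDP request to dgram 192.168.30.122:88
[11894] 1488202861.443663: Received answer (0 bytes) from dgram 192.168.30.122:88
"""

# Sample input, abridged from the working trace; the final line is constructed.
WORKING_TRACE = """\
[15302] 1488203143.8392: Sending TCP request to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203143.10601: Received answer (544 bytes) from stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
[15302] 1488203153.599264: Preauth module otp (141) (real) returned: 0/Success
[15302] 1488203153.599560: Sending request (1271 bytes) to EXAMPLE.ORG
[15302] 1488203153.600632: Sending TCP request to stream fd23:e163:19f7:1234:5054:ff:fe85:ba0d:88
"""

# "[pid] timestamp: message" as printed by KRB5_TRACE in the report.
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
# "Sending initial UDP request to dgram ADDR" / "Sending TCP request to stream ADDR".
SEND_RE = re.compile(r"^Sending (?:\w+ )?(?P<proto>UDP|TCP) request to \w+ (?P<addr>\S+)$")
# The client has just consumed the one-time password the user typed.
OTP_RE = re.compile(r"^Preauth module otp \(\d+\) \(real\) returned: 0/Success")


def analyze_trace(text, force_tcp=False):
    """Return {pid: [(finding, [addresses]), ...]} for one KRB5_TRACE capture.

    force_tcp (hypothetical parameter) should be True when krb5.conf sets
    udp_preference_limit = 1, the setting the reporter uses to force TCP.
    """
    state = defaultdict(lambda: {"after_otp": False, "otp_targets": [], "udp": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # password/token prompts and the final kinit error line
        st = state[m["pid"]]
        if OTP_RE.match(m["msg"]):
            # Every address contacted from here on receives the OTP response.
            st["after_otp"] = True
            st["otp_targets"] = []
            continue
        s = SEND_RE.match(m["msg"])
        if not s:
            continue
        addr = s["addr"]
        if s["proto"] == "UDP" and addr not in st["udp"]:
            st["udp"].append(addr)
        if st["after_otp"] and addr not in st["otp_targets"]:
            st["otp_targets"].append(addr)

    findings = {}
    for pid, st in state.items():
        out = []
        if force_tcp and st["udp"]:
            out.append(("udp-despite-tcp-preference", st["udp"]))
        if len(st["otp_targets"]) > 1:
            # The token is single-use, so a second KDC cannot accept it.
            out.append(("otp-sent-to-multiple-kdcs", st["otp_targets"]))
        findings[pid] = out
    return findings


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        print(name, analyze_trace(trace, force_tcp=True))
```
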
Bug#830905: openconnect: proposed patch to control
Mike Miller <mtmil...@debian.org> writes: > On Sat, Oct 15, 2016 at 22:05:02 +0200, Jochen Hein wrote: >> @@ -46,6 +47,7 @@ >> Multi-Arch: same >> Depends: libgnutls28-dev, >> liboath-dev, >> + libkrb5-dev, >> libopenconnect5 (= ${binary:Version}), >> libp11-kit-dev, >> libproxy-dev, > > I believe this hunk isn't needed, libkrb5 is not part of openconnect's > public API, so dependent packages shouldn't need it. I'd expect the same for the other -dev packages, but I didn't investigate further. > I'll apply this to the 7.07-1 package. Thanks! Jochen -- The only problem with troubleshooting is that the trouble shoots back.
Bug#843203: python-kdcproxy: Please add README to binary packages
Package: python-kdcproxy Version: 0.3.2-3 Severity: wishlist Dear Maintainer, in the binary package is no documentation - a look at github and I see that the README is well written and describes how to configure apache to use python-kdcproxy. I'd like to have the README packaged - my first look was at /usr/share/doc... Thanks Jochen -- System Information: Debian Release: 8.6 APT prefers stable APT policy: (900, 'stable'), (500, 'stable-updates'), (99, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages python-kdcproxy depends on: ii python-dnspython 1.12.0-1 ii python-pyasn1 0.1.7-1 pn python:any python-kdcproxy recommends no packages. python-kdcproxy suggests no packages. -- no debconf information
Bug#830905: openconnect: proposed patch to control
Package: openconnect Version: 7.06-2 Followup-For: Bug #830905 Dear Maintainer, I think the attached patch should work. Can you apply it or comment what should be needed? Thanks for your work Jochen --- openconnect-7.06/debian/control.orig 2015-05-25 23:26:22.0 +0200 +++ openconnect-7.06/debian/control 2016-10-15 21:57:22.0 +0200 @@ -7,6 +7,7 @@ groff, libgnutls28-dev, liblz4-dev, + libkrb5-dev, liboath-dev, libp11-kit-dev, libproxy-dev, @@ -46,6 +47,7 @@ Multi-Arch: same Depends: libgnutls28-dev, liboath-dev, + libkrb5-dev, libopenconnect5 (= ${binary:Version}), libp11-kit-dev, libproxy-dev,
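Review bot: in both hunks libkrb5-dev is inserted out of order (after liblz4-dev in the first list, after liboath-dev in the second), while the surrounding entries are sorted alphabetically; it belongs directly after libgnutls28-dev in each list. The second hunk adds it to the Depends of the Multi-Arch: same development package, which is only warranted if the installed openconnect headers or pkg-config data reference krb5; if they do not, drop that hunk and keep only the first one.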
Bug#830905: openconnect: Please enable GSSAPI support
Package: openconnect Version: 7.06-2 Severity: wishlist Dear Maintainer, I'm running a FreeIPA server in my local network and use Kerberos/GSSAPI for most authentication purposes. Openconnect as compiled for Debian right now does not include support for GSSAPI. I've compiled a local package after installing krb5-multidev/libkrb5-dev and have built openconnect. That package includes GSSAPI support and works for me. I'm not sure what beside adding the build-dep to the control file might be needed, but a GSSAPI enabled package would help in running Single-Sign-On for me. Thanks for your consideration Jochen -- System Information: Debian Release: 8.5 APT prefers stable APT policy: (900, 'stable'), (500, 'stable-updates'), (500, 'stable'), (99, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openconnect depends on: ii libc62.19-18+deb8u4 ii libgnutls30 3.4.12-1 ii libopenconnect5 7.06-2 ii libproxy10.4.11-4+b2 ii libxml2 2.9.1+dfsg1-5+deb8u2 ii vpnc-scripts 0.1~git20140806-1 openconnect recommends no packages. openconnect suggests no packages. -- no debconf information
Bug#307696: udev doesn't fill values in syslog
Package: udev Version: 0.056-2 Severity: minor From my syslog: May 4 20:59:51 hermes udev[10015]: configured rule in '/etc/udev/rules.d/z_hal-plugdev.rules[2]' applied, 'sda' becomes '%k' May 4 20:59:51 hermes udev[10015]: creating device node '/dev/sda' May 4 20:59:52 hermes udev[10055]: configured rule in '/etc/udev/rules.d/00_local.rules[1]' applied, added symlink '%c' May 4 20:59:52 hermes udev[10055]: configured rule in '/etc/udev/rules.d/z_hal-plugdev.rules[2]' applied, 'sda1' becomes '%k' May 4 20:59:52 hermes udev[10055]: creating device node '/dev/sda1' When debugging it might be helpful to have %k and %c replaced with sensible values. Jochen -- Package-specific info: -- /etc/udev/rules.d/: /etc/udev/rules.d/: insgesamt 4 -rw-r--r-- 1 root root 69 2005-05-04 20:54 00_local.rules lrwxrwxrwx 1 root root 20 2005-04-17 08:30 020_permissions.rules - ../permissions.rules lrwxr-xr-x 1 root root 19 2004-12-26 15:07 cd-aliases.rules - ../cd-aliases.rules lrwxrwxrwx 1 root root 17 2005-04-12 22:12 thinkpad.rules - ../thinkpad.rules lrwxr-xr-x 1 root root 13 2004-08-24 15:16 udev.rules - ../udev.rules lrwxrwxrwx 1 root root 12 2005-04-02 21:07 z_hal-plugdev.rules - ../hal.rules -- /sys/: -- Kernel configuration: isapnp_init not present. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.11.7 Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Versions of packages udev depends on: ii hotplug 0.0.20040329-22 Linux Hotplug Scripts ii initscripts 2.86.ds1-1 Standard scripts needed for bootin ii libc62.3.2.ds1-21GNU C Library: Shared libraries an ii makedev 2.3.1-77creates device files in /dev ii sed 4.1.2-8 The GNU sed stream editor -- debconf information: udev/devfs-warning: * udev/reboot-warning: -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#304020: jfbterm: Please compile with --enable-direct-color
Package: jfbterm
Version: 0.4.7-2.0
Severity: wishlist

I'm running jfbterm with radeonfb, which uses directcolor for my resolution/depth. jfbterm as compiled for Debian prints unknown framebuffer and stops. Using --enable-direct-color works for me, so I'd like to see it compiled that way.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages jfbterm depends on:
ii  libc6        2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  unifont      1:1.0-1          X11 dual-width GNU unicode font
ii  xfonts-base  4.3.0.dfsg.1-12  standard fonts for X

-- no debconf information
Bug#303894: fbiterm crashes with Segmentation Fault when using less UTF-8-demo.txt
Package: fbiterm
Version: 0.5-3.2
Severity: normal

The demo file starts with:

  UTF-8 encoded sample plain-text file
  Markus Kuhn [maks kun] [EMAIL PROTECTED] 2002-07-25

I'll attach the file. The system is an up-to-date sarge.

Jochen

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages fbiterm depends on:
ii  debconf    1.4.30.11     Debian configuration management sy
ii  libc6      2.3.2.ds1-20  GNU C Library: Shared libraries an
ii  libiterm1  0.5-3.2       internationalized terminal emulato
ii  unifont    1:1.0-1       X11 dual-width GNU unicode font
ii  zlib1g     1:1.2.2-3     compression library - runtime

-- debconf information:
* fbiterm/SUID_bit: true

UTF-8 encoded sample plain-text file
Markus Kuhn [maks kun] [EMAIL PROTECTED] 2002-07-25

The ASCII compatible UTF-8 encoding used in this plain-text file is defined in Unicode, ISO 10646-1, and RFC 2279.
Bug#252738: w3m-img: works for me with 0.5.1-1, but docs still missing
Package: w3m-img
Version: 0.5.1-1
Followup-For: Bug #252738

I just tried a fresh install of w3m and w3m-img and get images inline. Anyway, at first I was as confused as the original reporter.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages w3m-img depends on:
ii  libc6           2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libgc1          1:6.4-1          conservative garbage collector for
ii  libgdk-pixbuf2  0.22.0-7         The GdkPixBuf image library, gtk+
ii  libglib1.2      1.2.10-9         The GLib library of C routines
ii  libgtk1.2       1.2.10-17        The GIMP Toolkit set of widgets fo
ii  libx11-6        4.3.0.dfsg.1-10  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-10  X Window System miscellaneous exte
ii  libxi6          4.3.0.dfsg.1-10  X Window System Input extension li
ii  w3m             0.5.1-1          WWW browsable pager with excellent
ii  xlibs           4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu

-- no debconf information