Bug#963974: faillog command does not display anything since a long time

2020-06-29 Thread Martin Steigerwald
On Monday, 29.06.2020, at 16:32 +0200, Martin Steigerwald wrote:
> Package: libpam-modules
> Version: 1.3.1-5
> Severity: normal
[…]
> I dug around on the internet and found Red Hat apparently removed it during
> RHEL 5 development already. I dug through the libpam-modules Debian
> changelog and NEWS file and found nothing about 'faillog' or
> pam_tally.
>
[…]
> Not sure what the best resolution for Debian would be. Maybe just a
> note in NEWS.Debian or… something else?

I tested various distributions: Both CentOS 8.2 and SLES 15 SP 1 have no
faillog command. The Debian 10, Debian Sid and the Debian based ones
Devuan 3 aka Beowulf and Ubuntu 20.04 LTS still have it.

Removing it would break setups with manually enabled pam_tally though.

Best,

With kind regards
Martin Steigerwald
Proact Deutschland GmbH
Trainer
Phone: +49 911 30999 0 • Fax: +49 911 30999 99
Südwestpark 43 • 90449 Nürnberg • Germany
martin.steigerw...@proact.de • www.proact.de
Amtsgericht Nürnberg • HRB 18320
Managing directors: René Schülein • Jonas Hasselberg • Jonas Persson • Oliver Kügow
– Delivering Business Agility –


Bug#963974: faillog command does not display anything since a long time

2020-06-29 Thread Martin Steigerwald
Package: libpam-modules
Version: 1.3.1-5
Severity: normal

Dear maintainers,

quite some time, quite some Debian releases ago, I found during a Linux
training I held that faillog would not display anything anymore, while
lastlog still does.

Finally I took time to research this a bit. I learned quickly that
pam_tally is required for it to work. However it is not enabled by
default in Debian, `grep tally /etc/pam.d/*' does not return any results.

I dug around on the internet and found Red Hat apparently removed it during
RHEL 5 development already. I dug through the libpam-modules Debian changelog
and NEWS file and found nothing about 'faillog' or pam_tally.

However in the manpage 'pam_tally(8)' I found:

   pam_tally has several limitations, which are solved with
   pam_tally2. For this reason pam_tally is deprecated and will be
   removed in a future release.

'pam_tally2' is included in Debian, yet also not enabled. And its file
format is not compatible with 'faillog', as manpage 'pam_tally2(8)' states:

   pam_tally2 is not compatible with the old pam_tally faillog
   file format. This is caused by requirement of compatibility of
   the tallylog file format between 32bit and 64bit architectures
   on multiarch systems.

So by default the Debian system contains a command that does not work out
of the box. An experienced user can dig up how to enable pam_tally, yet
this situation is still somehow inconsistent.

pam_tally2 has a command 'pam_tally2', but pam_tally2 by default is also
not enabled.

However there is 'lastb' command which displays the last failed login
attempt for each user. I am going to use that for the training for now
and mention that faillog is dysfunctional unless pam_tally is enabled,
which is deprecated.

Not sure what the best resolution for Debian would be. Maybe just a note
in NEWS.Debian or… something else?

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-rc2-tp520 (SMP w/4 CPU cores; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libaudit1              1:2.8.5-3+b1
ii  libc6                  2.30-8
ii  libdb5.3               5.3.28+dfsg1-0.6
ii  libpam-modules-bin     1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            3.0-1+b3

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf-show failed
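
The check described in the report, as an added example that is not part of the original messages: it extends `grep tally /etc/pam.d/*` to ignore commented-out lines and to tell pam_tally apart from pam_tally2, then names the tool that would actually have data. The function names `active_tally_modules` and `failed_login_tool` are hypothetical; the module-to-tool mapping is the one the report gives.

```shell
#!/bin/sh
# Added example: which failed-login counter is active in a PAM config directory?

# active_tally_modules DIR
# Prints the tally modules referenced on non-comment lines, or "none".
active_tally_modules() {
    dir=$1
    found=""
    for mod in pam_tally pam_tally2; do
        # Drop comment lines first, then match "<mod>.so" exactly so that
        # pam_tally does not also match pam_tally2.so.
        if cat "$dir"/* 2>/dev/null | grep -Ev '^[[:space:]]*#' |
           grep -Eq "(^|[[:space:]/])${mod}\.so([[:space:]]|\$)"; then
            found="${found:+$found }$mod"
        fi
    done
    echo "${found:-none}"
}

# failed_login_tool DIR
# Maps the active module to the command that can read its counters:
#   pam_tally  -> faillog     (old faillog file format)
#   pam_tally2 -> pam_tally2  (tallylog format, not readable by faillog)
#   neither    -> lastb       (no per-user tally is being recorded)
failed_login_tool() {
    case "$(active_tally_modules "$1")" in
        none)       echo "lastb" ;;
        pam_tally)  echo "faillog" ;;
        pam_tally2) echo "pam_tally2" ;;
        *)          echo "faillog pam_tally2" ;;
    esac
}

# Report for the directory given as first argument (default: /etc/pam.d).
failed_login_tool "${1:-/etc/pam.d}"
```

On a default Debian installation as described in the report, this prints `lastb`, because neither module is enabled.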