** Description changed: [ Impact ] * The following line has been found in users logs when trying to log in to their systems: login[2449]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory - This results in users reporting that they cannot login to their systems. They can perhaps do so with other login methods (ssh, login, gdm, xdm, etc) that don't depend on the lastlog binary, but that doesn't suffice. + This is the only known occurrence of the log. It occurs when users log in to their systems using a tty, or rather referred to as the 'login' method in shadow/pam etc. This log error message is not present when logging in via ssh, gdm, xdm, or other login methods, as they do not depend on the lastlog binary. * The upload fixes the issue by dropping pam_lastlog.so from all config, as well as not installing the lastlog binary. [ Test Plan ] - * TODO: Need to come up with a test plan + * To reproduce the bug, simply take the Noble 24.04.1 iso, install to a system, and login via a TTY instead of the graphical display manager. Then check journalctl -b 0 and search for 'lastlog'. You should see the log message. + + * To test the change, remove the session optional pam_lastlog.so from /etc/pam.d/login, and then try to login with a tty again, then check the journal. [ Where problems could occur ] - * Users may no longer see the last login message when logging in via - ssh, or other login methods. + * Any production systems that use lastlog in a `required` manner may be + broken by this change, if they are not already in a broken state. [ Other Info ] * This should already be fixed in Plucky and onwards, with necessary changes introduced in shadow/1:4.13+dfsg1-5, and in plucky we are already on shadow/1:4.15.3-3ubuntu2. * pam_lastlog2 is included in util-linux/2.40. We can make changes in shadow going forward that depends on pam_lastlog2 rather than pam_lastlog, going forward. But that's not really relevant to the SRU I guess. These changes are planned to be implemented upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=1068229;msg=39, so likely from Ubuntu's side, we can just wait for the changes. [Original description] Imported from Debian bug http://bugs.debian.org/1068229: Package: libpam-modules Version: 1.5.3-6 Severity: normal I noticed the following line in my logs: login[2449]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory I looked in the deb files from snapshot.debian.org, and noticed the last version that had it was 1.5.2-9.1 - starting from 1.5.3-1 it disappeared. Maybe it's fallout from the time_t transition and you're already aware of it, in which case feel free to close. Thanks, -- M -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386, arm64 Kernel: Linux 6.7.9-amd64 (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages libpam-modules depends on: ii debconf [debconf-2.0] 1.5.86 ii libaudit1 1:3.1.2-2.1 ii libc6 2.37-15.1 ii libcrypt1 1:4.4.36-4 ii libpam-modules-bin 1.5.3-6 ii libpam0g 1.5.3-6 ii libselinux1 3.5-2 ii libsystemd0 255.4-1+b1 libpam-modules recommends no packages. libpam-modules suggests no packages. -- debconf information excluded
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2060676 Title: [SRU] login: remove pam_lastlog.so from config To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2060676/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
