[solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

kinhodder · 2012-07-06 20:53:00

Psykorgasm wrote:

┌─[arch-ck ~]
└─╼ pacman -Qo /etc/pam.d/login
/etc/pam.d/login is owned by util-linux 2.21.2-3
https://projects.archlinux.org/svntogit … util-linux
pam-login ==> /etc/pam.d/login(.pacnew)

Thanks Psykorgasm - no idea why my brain skipped right to assuming it was pambase without checking!

89c51 · 2012-07-07 08:33:03

I replaced the file and it seems to be going ok.

Shouldn't this be in the news or something since you have to replace the file manually??

jasonwryan · 2012-07-07 09:57:01

89c51 wrote:

Shouldn't this be in the news or something since you have to replace the file manually??

You are always expected to manage your .pac* files; there is nothing newsworthy about that...

89c51 · 2012-07-07 10:56:17

OK i am new to arch and its the first time i encountered something like this

I thought it was similar to the filesystem thing that was in the news.

stqn · 2012-07-07 12:39:48

jasonwryan wrote:

You are always expected to manage your .pac* files; there is nothing newsworthy about that...

The problem in this case is that this is not a typical merge. The new file is totally different and since it changes rarely I didn’t know if I had to keep something from the old file. (I have no idea what PAM is and if something can change the file, like for example the “group” file can be changed.)

Last edited by stqn (2012-07-07 12:40:29)

ataraxia · 2012-07-07 16:09:54

stqn wrote:

(I have no idea what PAM is and if something can change the file, like for example the “group” file can be changed.)

Not to single you out here, but you just made clear what I think has been the trouble with this update for just about everyone in this thread. Those of us who handled the update with no problem know PAM at least a little bit, allowing us to make sense of the difference between the old and new files. From where such more experienced users stand, it was hard to understand where all of your confusion came from.

PAM is an important piece of infrastructure that's worth knowing at least a little about - after all, if you break it, you won't be able to log in, or you won't be able to keep bad guys out. There are two useful manpages here: pam(8), which explains the concepts, so you know what PAM is, and pam.conf(5), which explains the syntax of the files in /etc/pam.d. (There are also individual manpages for the various pam_* modules that are listed in those pam.d files.) Please be good Arch users and read these pages - the more of us here that are knowledgeable, the better off this community will be.

Archer777 · 2012-07-09 16:05:40

Padfoot wrote:

I have replaced the file and rebooted without issue. The script is just becoming more modular, all the stuff removed is in the included scripts.

Thanks for the heads-up!
I was using /etc/pam.d/login to load ecryptfs modules:

auth      required  pam_ecryptfs.so unwrap
password  required  pam_ecryptfs.so

I followed the modules in new /etc/pam.d/login and added the above modules in /etc/pam.d/system-auth:

auth      required  pam_env.so
auth      required  pam_unix.so     try_first_pass nullok
auth      required  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_ecryptfs.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
session   optional  pam_permit.so

And everything is working fine...!

turion · 2012-07-09 16:25:40

Archer777, thanks for the contribution! Do you mind if I copy that to the wiki?
Allow me to ask why you didn't add this line:

session         optional        pam_ecryptfs.so unwrap

And also, why do you have "required" and not "optional"?

Last edited by turion (2012-07-09 16:46:37)

fabertawe · 2012-07-09 17:51:38

I have

auth       required     pam_ecryptfs.so unwrap
password   required     pam_ecryptfs.so
session    required     pam_ecryptfs.so unwrap

I also had to add

auth       optional     pam_gnome_keyring.so
session    optional     pam_gnome_keyring.so auto_start

@turion - I read pam.d(5) but I'm still not sure why it should be "optional".

Archer777 · 2012-07-09 18:25:43

turion wrote:

Archer777, thanks for the contribution! Do you mind if I copy that to the wiki?

Glad I could help. Yes you can add it to wiki but remember that I'm using ecryptfs to encrypt the entire $Home, whereas wiki only covers the encryption of a private directory.

Allow me to ask why you didn't add this line:
session         optional        pam_ecryptfs.so unwrap
And also, why do you have "required" and not "optional"?

I followed eCryptfs and $HOME guide, I hope it will answer your questions.

masteryod · 2012-07-12 23:02:13

I must admit, I'm little bit confused with this one too. Wouldn't be less error prone to indicate whether .pacnew should be merged or replaced? With /etc/pam.d/login I'm still not sure if I need other lines from my old file. I know we should manage this ourselves but not everyone here are uber-geeks, little section on forum with latests .pacnews could be nice for instance "/etc/gshadow.pacnew - we just added lock group, in case you don't have it allready add this", people create those threads anyway so official ones could save some confusion and lower the noise (I think)

ZekeSulastin · 2012-07-13 08:36:13

Unless I'm missing something, wouldn't you only have gotten a pacnew for /etc/pam.d/login if you had manually changed something previously in that file?

masteryod · 2012-07-13 10:40:39

ZekeSulastin wrote:

Unless I'm missing something, wouldn't you only have gotten a pacnew for /etc/pam.d/login if you had manually changed something previously in that file?

Correct. I was talking about earlier upgrade (/etc/gshadow and /etc/group) which also bring some confusion on the board.

cfr · 2012-07-13 22:57:02

You only get the .pacnew if you've altered the original, right?

So whatever changes you made to the original should indicate what you might need to change in the new version...

That is, you can't need the old *default* lines. If you did, so would people who'd never edited the old defaults at all. But they obviously don't because the new version will have replaced their old version silently.

So just focus on any changes you made to the defaults and see if you need to integrate any of those into the new version. Forget about the differences between the old defaults and the new defaults.

stqn · 2012-07-13 23:45:28

cfr wrote:

You only get the .pacnew if you've altered the original, right?

I don’t remember ever touching that “login” file but still got the .pacnew…

Leonid.I · 2012-07-14 18:33:59

stqn wrote:

cfr wrote:
You only get the .pacnew if you've altered the original, right?
I don’t remember ever touching that “login” file but still got the .pacnew…

OK, I stopped understanding this problem.

If /etc/pam.d/login used to belong to shadow and now belongs to util-linux, then why do we get a .pacnew at all? I would imagine that shadow is updated 1st (otherwise there would be a file conflict) which leads to removal of login and, since it was in backup() and altered, creation of a .pacsave. The new login (from util-linux) would install as-is, and the user would have to put settings from login.pacsave back in... Where am I wrong?

TheCycoONE · 2012-07-31 02:07:47

Leonid.I wrote:

If /etc/pam.d/login used to belong to shadow and now belongs to util-linux, then why do we get a .pacnew at all?

I'm not sure but this comes up occasionally. I typically resolve it by deleting the old file and re-installing the owning package, otherwise you end up with useless pacnew files every upgrade.

Arch Linux

#26 2012-07-06 20:53:00

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#27 2012-07-07 08:33:03

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#28 2012-07-07 09:57:01

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#29 2012-07-07 10:56:17

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#30 2012-07-07 12:39:48

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#31 2012-07-07 16:09:54

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#32 2012-07-09 16:05:40

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#33 2012-07-09 16:25:40

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#34 2012-07-09 17:51:38

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#35 2012-07-09 18:25:43

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#36 2012-07-12 23:02:13

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#37 2012-07-13 08:36:13

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#38 2012-07-13 10:40:39

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#39 2012-07-13 22:57:02

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#40 2012-07-13 23:45:28

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#41 2012-07-14 18:33:59

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

#42 2012-07-31 02:07:47

Re: [solved] diff /etc/pam.d/login /etc/pam.d/login.pacnew

Board footer