Hello,
Recently updated pam to 1.6.0-3 from pam-1.5.3-3 and it broke:
sudo (wrong password)
openvpn (failed login).
I haven't tested local login but I suspect it might break too.
Downgraded to 1.5.3-3 and the issue was resolved.
I tried filing a bug but I don't have an account. Creating an account is disabled for now.
I'm requesting one but it might take a while, so I'm posting here for other users.
Cheers.
You can report the issue upstream without waiting for an account on Arch's gitlab. Please consider performing the git bisection first. Please ask if you need help with the bisection.
Also as a sanity check
pacman -Qikk pam pambase sudo
@seth any thoughts on https://gitlab.archlinux.org/archlinux/ … ote_157606
The relevant branch has existed for 19 years, https://github.com/linux-pam/linux-pam/ … pwd.c#L108
If the pam update indeed breaks (?) the openvpn-plugin-auth-pam.so plugin, keeping the UID/GID intact and withdrawing the systemd restrictions seems more interesting.
Apparently the offending pam commit introduces a helper and that helper will not be covered by the hardened service.
Could be a massive clash between pam and systemd…
Also, still sanity check
pacman -Qikk pam pambase sudo openvpn
Possibly https://github.com/linux-pam/linux-pam/ … pwd.c#L119 interacting with CAP_SETGID CAP_SETUID?
Edit:
What happens if CAP_SETGID and CAP_SETUID are removed from AmbientCapabilities plus CapabilityBoundingSet of the openvpn service?
Edit2:
Still produces the issue https://gitlab.archlinux.org/archlinux/ … ote_158006.
Edit3:
sudo could be pam_faillog triggering after three failures using openvpn.
Last edited by loqs (2024-01-21 17:11:24)