New PAM in experimental needs testing
From: Roger Leigh
Subject: New PAM in experimental needs testing
Date: Sun, 05 Aug 2007 18:36:45 +0100
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Hi folks,

A new version of PAM (0.99.7.1-1) has been packaged and uploaded to
experimental. This is intended to replace 0.79-4. However, because
there have been quite a number of upstream changes, and all the
Debian-specific patches against the old one were painstakingly
re-diffed and updated by hand, and because a broken PAM means a rather
broken system, this new version needs some wider testing before it is
suitable for unstable.

The work for this was done by myself and Jan Christoph Nordholz, who
rewrote the @include patch, fixing a memory leak in the current code,
as well as doing a lot of testing, building and general reviewing of
the PAM packaging. It's thanks to Jan that it's ready for wider
review, since I did all the rediffing back in April, but lacked time
to squash the last few bugs.

If anyone could take the time to install it, test all the services
using PAM for authentication/authorisation still work as expected, and
report any defects, that would be much appreciated. If you want to
avoid breaking your system, it is advisable to install into a chroot.
However, we have tested that basic functionality does work (su and
passwd in particular), so it should be safe to install for real (but
no guarantees are given).

Additionally, all of the packages which Build-Depend, Depend or
Recommend PAM packages should be tested against the new packages. A
complete list is given below, and the maintainers Bcc'd with this
message.

If you do hack on the PAM sources, note that the dpatch patch order is
important--later patches do rely on earlier patches being present.
Also, you need to run "debian/rules patch|unpatch" by hand, due to the
need to re-bootstrap the autotools. To do that "debian/rules
bootstrap" will do everything consistently, providing the patches are
applied.

Some bits which need wider review and discussion:

Several of the Debian-specific patches should probably be removed.
For example, the @include (Debian-specific) syntax should be replaced
by the include mechanism added by upstream; we should make this a
release goal for Lenny IMO. Maintaining Debian-specific hacks imposes
a real burden on the PAM maintainers--it took over 15 man hours to do
the main re-diffing, and the same again to get it working, which is
ridiculous and error-prone. We could easily be introducing
Debian-specific security bugs by doing so. Some checks such as the
obscure checks for pam_unix and chroot limits for pam_limits should be
dropped (who uses this functionality?). The obscure checks appear to
predate PAM, but should cracklib not be the replacement? This
non-standard stuff should really be deprecated, obsoleted, then
dropped. What do other people think about this?

The remaining patches should then really be pushed upstream, which is
possible now we are synched with their latest stable release.

One other note: upstream now default to enabling cracklib in pam_unix
(in addition to pam_cracklib), which causes passwd to do all the extra
checks cracklib does. This has been disabled for now after discussion
with Jan, because it brings in quite a few dependencies into base, and
may not be generally wanted. It also breaks passwd if you don't have
cracklib-runtime *and* a wordlist *and* run update-cracklib, so this
needs some fixing of dependencies and coordination to do properly. It
might be worth re-adding, if there was consensus for that. I'm not
yet sure how this differs from the pam_cracklib functionality,
however.

Regards,
Roger

Laszlo Boszormenyi (GCS) <address@hidden>
gradm2
Stefan Hornburg (Racke) <address@hidden>
courier
courier-authlib
pure-ftpd
Richard A Nelson (Rick) <address@hidden>
libnss-ldap
libpam-ldap
Marco Presi (Zufus) <address@hidden>
linesrv
Krzysztof Krzyzaniak (eloy) <address@hidden>
popa3d
Russ Allbery <address@hidden>
libpam-afs-session
Sebastien Bacher <address@hidden>
libgnomesu
Carlos Barros <address@hidden>
tac-plus
Dima Barsky <address@hidden>
python-pam
Vincent Bernat <address@hidden>
xrdp
Michael Biebl <address@hidden>
partimage
Laurent Bigonville <address@hidden>
pam-keyring
Blars Blarson <address@hidden>
nntp
Primoz Bratanic <address@hidden>
pam-pgsql
Joachim Breitner <address@hidden>
poldi
Adrian Bridgett <address@hidden>
dante
Chris Butler <address@hidden>
wu-ftpd
Rubén Porras Campo <address@hidden>
libpam-encfs
Pierre Chifflier <address@hidden>
nufw
wzdftpd
Adam Conrad <address@hidden>
poppassd
Christopher Cramer <address@hidden>
usermode
Debian CUPS Maintainers <address@hidden>
cupsys
Debian Cyrus SASL Team <address@hidden>
cyrus-sasl2
cyrus-sasl2-heimdal
Debian Cyrus Team <address@hidden>
cyrus-imapd-2.2
Debian Edu Developers <address@hidden>
debian-edu
Debian GNOME Maintainers <address@hidden>
gdm
Debian Kolab Maintainers <address@hidden>
kolab-cyrus-imapd
Debian Multimedia Team <address@hidden>
jack-audio-connection-kit
Debian OpenOffice Team <address@hidden>
openoffice.org
Debian OpenSSH Maintainers <address@hidden>
openssh
Debian PHP Maintainers <address@hidden>
php5
Debian Qt/KDE Maintainers <address@hidden>
kdeadmin
kdebase
Debian Samba Maintainers <address@hidden>
samba
Debian VoIP Team <address@hidden>
bayonne
Debian X Strike Force <address@hidden>
xdm
Debian buildd-tools Developers <address@hidden>
schroot
Eric Dorland <address@hidden>
pam-p11
Paul Dwerryhouse <address@hidden>
kannel
Peter Eisentraut <address@hidden>
pgpool
Rene Engelhard <address@hidden>
away
Exim4 Maintainers <address@hidden>
exim4
Gerfried Fuchs <address@hidden>
francine
Luigi Gangitano <address@hidden>
squid
squid3
Bdale Garbee <address@hidden>
sudo
Matthew Garrett <address@hidden>
libpam-foreground
Thomas Goirand <address@hidden>
dtc
Stephen Gran <address@hidden>
freeradius
Debian QA Group <address@hidden>
pexts
Yu Guanghui <address@hidden>
qpopper
Guido Guenther <address@hidden>
libpam-ccreds
Pierre Habouzit <address@hidden>
ldapscripts
Christian Hammers <address@hidden>
quagga
Sam Hartman <address@hidden>
libpam-krb5
openafs
pam
Tollef Fog Heen <address@hidden>
pam-passwdqc
pam-tmpdir
pam-umask
Henrique de Moraes Holschuh <address@hidden>
fcron
Simon Horman <address@hidden>
heartbeat
perdition
Alberto Gonzalez Iniesta <address@hidden>
linux-ftpd
netkit-rsh
openvpn
Joerg Jaspert <address@hidden>
muddleftpd
Arthur de Jong <address@hidden>
nss-ldapd
Guillem Jover <address@hidden>
inetutils
lockvc
Stephan Kaufhold <address@hidden>
libpam-pwgen
Bastian Kleineidam <address@hidden>
libpam-mount
Ivan Kohler <address@hidden>
libpam-unix2
Anand Kumria <address@hidden>
pam-http
Oliver Kurth <address@hidden>
pam-dotfile
Aurelien Labrosse <address@hidden>
libpam-ssh
Asheesh Laroia <address@hidden>
alpine
Simon Law <address@hidden>
lsh-utils
wvstreams
Jeff Licquia <address@hidden>
diald
John Lightsey <address@hidden>
apt-watch
Francesco Paolo Lovergine <address@hidden>
proftpd-dfsg
yardradius
Robert Luberda <address@hidden>
solid-pop3d
super
Dovecot Maintainers <address@hidden>
dovecot
OHURA Makoto <address@hidden>
xemacs21
Jordi Mallach <address@hidden>
mailutils
Roland Mas <address@hidden>
gforge
Peter Mathiasson <address@hidden>
pam-devperm
Martin Maurer <address@hidden>
fireflier
Rene Mayrhofer <address@hidden>
openswan
strongswan
Steve McIntyre <address@hidden>
cvs
Matthijs Mohlmann <address@hidden>
libpam-heimdal
Ryan Murray <address@hidden>
at
Jaakko Niemi <address@hidden>
sfs
Fabio M. Di Nitto <address@hidden>
libpam-radius-auth
Jan Christoph Nordholz <address@hidden>
screen
Greg Norris <address@hidden>
libpam-pwdfile
Alvaro Lopez Ortega <address@hidden>
cherokee
Erlang Packagers <address@hidden>
yaws
Peter Palfrader <address@hidden>
uucp
vlock
Eloy A. Paris <address@hidden>
ncpfs
Jose Parrella <address@hidden>
libpam-rsa
libpam-usb
Guilherme de S. Pastore <address@hidden>
gnome-screensaver
Javier Fernandez-Sanguino Pen~a <address@hidden>
cron
libpam-chroot
Christian Perrier <address@hidden>
calife
Martin Pitt <address@hidden>
postgresql-8.1
postgresql-8.2
Cai Qian <address@hidden>
linux-ftpd-ssl
Florian Ragwitz <address@hidden>
libauthen-pam-perl
Ganesan Rajagopal <address@hidden>
ipsec-tools
Sebastian Rittau <address@hidden>
netatalk
Jose Luis Rivas <address@hidden>
xscreensaver
Ghe Rivero <address@hidden>
libuser
Piotr Roszatycki <address@hidden>
libapache2-mod-auth-pam
Ludovic Rousseau <address@hidden>
muscleframework
Giuseppe Sacco <address@hidden>
hylafax
Riccardo Setti <address@hidden>
aolserver4-nsimap
Shadow package maintainers <address@hidden>
shadow
Vladimir Shakhov <address@hidden>
wdm
Guus Sliepen <address@hidden>
rsh-redone
Jonas Smedegaard <address@hidden>
libmail-cclient-perl
uw-imap
Roger So <address@hidden>
im-sdk
Manoj Srivastava <address@hidden>
policycoreutils
refpolicy
Riccardo Stagni <address@hidden>
qingy
Michael Stone <address@hidden>
libpam-opie
opie
xlockmore
Debian Shishi Team <address@hidden>
shishi
Andreas Tscharner <address@hidden>
cvsnt
Utopia Maintenance Team <address@hidden>
network-manager
Matej Vela <address@hidden>
vsftpd
Jelmer Vernooij <address@hidden>
pam-krb5-migrate
Paweł Więcek <address@hidden>
pam-mysql
Carsten Wolff <address@hidden>
php-auth-pam
Marco d'Itri <address@hidden>
inn2
ppp

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
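
For the service testing requested in the message above, one approach is to flatten each service's module stack before and after the upgrade and compare the two. The following is an added example, not part of the original message or of the PAM packaging; it assumes Debian's `@include file` pulls in every line of the named file while upstream's `type include file` pulls in only lines of that type, it ignores backslash line continuations, and the sample configuration is constructed.

```python
import os

# Constructed sample /etc/pam.d contents, not taken from any real system.
SAMPLE = {
    "common": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
              "auth requisite pam_deny.so\n"
              "account required pam_unix.so\n",
    "su": "auth sufficient pam_rootok.so\n@include common\n",
    "login": "auth include common  # upstream form\n"
             "session required pam_limits.so\n",
    "loop": "@include loop\n",
}

def load_dir(path="/etc/pam.d"):
    """Read every regular file in a pam.d directory into {name: text}."""
    out = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                out[name] = fh.read()
    return out

def split_rule(line):
    """Split 'type control module args', keeping a [...] control in one piece."""
    mtype, rest = line.split(None, 1)
    if rest.startswith("["):
        control, _, rest = rest.partition("]")
        return mtype, control + "]", rest.strip()
    parts = rest.split(None, 1)
    return mtype, parts[0], parts[1] if len(parts) > 1 else ""

def resolve(service, files, only_type=None, seen=()):
    """Return the flattened [(type, control, module_and_args)] stack."""
    if service in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (service,)))
    chain, stack = seen + (service,), []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):       # Debian-specific: whole file
            stack += resolve(line.split()[1], files, only_type, chain)
            continue
        mtype, control, rest = split_rule(line)
        if only_type and mtype != only_type:
            continue
        if control == "include":              # upstream: this type only
            stack += resolve(rest.split()[0], files, mtype, chain)
        else:
            stack.append((mtype, control, rest))
    return stack
```

Running `resolve(name, load_dir())` for each service under both PAM versions and diffing the output shows whether the rewritten include handling changed any effective stack.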