Bug 748228 - pam_faillock(sshd:auth): Unknown option: conf with sys-auth/pambase-20201010 sys-libs/pam-1.4.0_p20200829
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Mikle Kolyada (RETIRED)
Reported: 2020-10-13 06:49 UTC by Manuel Mommertz
Modified: 2020-10-13 18:52 UTC
Description Manuel Mommertz 2020-10-13 06:49:42 UTC
After upgrading to sys-auth/pambase-20201010 sys-libs/pam-1.4.0_p20200829 I cannot log in via ssh + pw. ssh + keys still works, which is currently the only way I have access to this server.

Log:
Oct 13 08:29:24 xxx sshd[7408]: pam_krb5(sshd:auth): user xxx authenticated as xxx@XXX.DE
Oct 13 08:29:24 xxx sshd[7408]: pam_faillock(sshd:auth): Unknown option: conf
Oct 13 08:29:24 xxx sshd[7408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=xxx
Oct 13 08:29:25 xxx sshd[7391]: error: PAM: Permission denied for xxx from x.x.x.x

Which seems to be caused by the 4th line in /etc/pam.d/system-login:
auth            required        pam_faillock.so preauth conf=/etc/security/faillock.conf

Reproducible: Always




=================================================================
                        Package Settings
=================================================================

sys-libs/pam-1.4.0_p20200829::gentoo was built with the following:
USE="berkdb filecaps nis pie (split-usr) -audit -debug (-selinux)" ABI_X86="(64) -32 (-x32)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"


sys-auth/pambase-20201010::gentoo was built with the following:
USE="nullok pam_krb5 passwdqc sha512 -caps -debug -elogind -gnome-keyring -minimal -mktemp -pam_ssh -pwhistory -pwquality -securetty (-selinux) -systemd" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
Comment 1 Manuel Mommertz 2020-10-13 09:44:45 UTC
After looking at the source of pam_faillock, I realize that it has nothing to do with the failure. pam_faillock first looks for the conf parameter and uses it, but it does not drop it from its parameter list. After that, a regular loop parses all parameters, but this loop does not know about 'conf'. So it outputs the warning, without any bad side effect.

I reported the login failure as separate bug #748405.
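
The two-pass option handling described in Comment 1, as an added example that is not part of the original comment and is not the pam_faillock source. The struct, the function names and the skip_conf switch are hypothetical; skipping conf= in the second pass is shown as one possible way to silence the warning, not as the change that was released.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the behaviour in Comment 1; all names are hypothetical. */
struct opts { const char *conf; int preauth; int unknown; };

/* Pass 1: find conf=<path> early so the file can be read before other options. */
static const char *find_conf(int argc, const char **argv) {
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "conf=", 5) == 0)
            return argv[i] + 5;
    return NULL;
}

/* Pass 2: walk every argument again. With skip_conf == 0 the loop has no
 * branch for conf=, so it is logged as unknown even though pass 1 already
 * honoured it. With skip_conf != 0 the argument is recognised and skipped. */
static struct opts parse_args(int argc, const char **argv, int skip_conf) {
    struct opts o = { find_conf(argc, argv), 0, 0 };
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "preauth") == 0) {
            o.preauth = 1;
        } else if (skip_conf && strncmp(argv[i], "conf=", 5) == 0) {
            continue; /* already consumed in pass 1 */
        } else {
            /* Log only the option name, matching the message in the report. */
            fprintf(stderr, "Unknown option: %.*s\n",
                    (int)strcspn(argv[i], "="), argv[i]);
            o.unknown++;
        }
    }
    return o;
}

int main(void) {
    /* Module arguments from the system-login line quoted in the report. */
    const char *args[] = { "preauth", "conf=/etc/security/faillock.conf" };
    struct opts a = parse_args(2, args, 0);
    struct opts b = parse_args(2, args, 1);
    printf("as described: conf=%s preauth=%d unknown=%d\n", a.conf, a.preauth, a.unknown);
    printf("with skip:    conf=%s preauth=%d unknown=%d\n", b.conf, b.preauth, b.unknown);
    return 0;
}
```

In both runs the conf path and preauth are parsed identically; only the count of logged warnings differs, which is why the message is noise rather than the cause of the denied login.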
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-13 18:52:47 UTC
Fixed in new release.