Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 748228

Summary: pam_faillock(sshd:auth): Unknown option: conf with sys-auth/pambase-20201010 sys-libs/pam-1.4.0_p20200829
Product: Gentoo Linux Reporter: Manuel Mommertz <2kmm>
Component: Current packagesAssignee: Mikle Kolyada (RETIRED) <zlogene>
Status: RESOLVED FIXED    
Severity: minor CC: gentoo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Manuel Mommertz 2020-10-13 06:49:42 UTC 
After upgrading to sys-auth/pambase-20201010 sys-libs/pam-1.4.0_p20200829 I cannot login via ssh + pw. ssh + keys still works, which is currently the only way I have access to this server.

Log:
Oct 13 08:29:24 xxx sshd[7408]: pam_krb5(sshd:auth): user xxx authenticated as xxx@XXX.DE
Oct 13 08:29:24 xxx sshd[7408]: pam_faillock(sshd:auth): Unknown option: conf
Oct 13 08:29:24 xxx sshd[7408]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=xxx
Oct 13 08:29:25 xxx sshd[7391]: error: PAM: Permission denied for xxx from x.x.x.x

Which seems to be caused by 4. line in /etc/pam.d/system-login:
auth            required        pam_faillock.so preauth conf=/etc/security/faillock.conf

Reproducible: Always




=================================================================
                        Package Settings
=================================================================

sys-libs/pam-1.4.0_p20200829::gentoo was built with the following:
USE="berkdb filecaps nis pie (split-usr) -audit -debug (-selinux)" ABI_X86="(64) -32 (-x32)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"


sys-auth/pambase-20201010::gentoo was built with the following:
USE="nullok pam_krb5 passwdqc sha512 -caps -debug -elogind -gnome-keyring -minimal -mktemp -pam_ssh -pwhistory -pwquality -securetty (-selinux) -systemd" ABI_X86="(64)"
CFLAGS="-O2 -pipe"
CXXFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
Comment 1 Manuel Mommertz 2020-10-13 09:44:45 UTC 
After looking at the source of pam_faillock, I realize, that it has nothing to do with the fail. pam_faillock looks at first for the conf-paremeter and uses it. But it does not drop it from its parameter list. After that a regular loop parses all parameters, but this loop does not know about 'conf'. So it outputs the warning, without any bad side-effect.

I reported the login-failure as separate Bug #748405
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-10-13 18:52:47 UTC 
Fixed in new release.