Merging /etc/pam.d lightdm-autologin.pacnew file

Hello,

I am posting an updated version of the post I wrote regarding the .pacnew files in /etc/pam.d after the update of the 28th August.

I am wondering if I should only replace pam_tally.so by pam_faillock.so or replace the whole new lines, namely:

  1. in /etc/pam.d/lightdm-autologin, should I
  • just replace pam_tally.so by pam_faillock.so

  • or replace the whole line by the line present in the .pacnew file

  • or should I merge them into one of these potential new lines (with preauth present in the .pacnew file, or with file=/var/log/faillog onerr=succeed present in my actual file)?

auth        required    pam_faillock.so preauth file=/var/log/faillog onerr=succeed
auth        required    pam_faillock.so file=/var/log/faillog onerr=succeed

The line present in my actual /etc/pam.d/lightdm-autologin file and that I had commented before this update of the 28th August:

#auth        required    pam_tally.so file=/var/log/faillog onerr=succeed

The same line in the .pacnew file is the following:

auth        required    pam_faillock.so preauth

For your information, regarding the two following points: what I supposed is the right thing to do is apparently what is advised on the French forum by a certain @stephane(?):

  2. in /etc/pam.d/system-login, [I would] uncomment the following lines and replace, as @papajoke wrote, pam_tally2.so by pam_faillock.so:
#auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
#account    required   pam_tally2.so 
  3. in this same file, namely /etc/pam.d/system-login, [I would] add user_readenv=1 present in the .pacnew file to the line of my actual system-login file:
session    required   pam_env.so

Thanks for your attention!

Maybe this below will help you. :wink:

:arrow_down:

1 Like

Thanks for your answer @Aragorn! Are you then advising me to replace the whole line by the line present in the .pacnew file of lightdm-autologin having this line:

auth        required    pam_faillock.so preauth

and then removing from this line file=/var/log/faillog onerr=succeed?

@mezzo, since you had similar lines in your files, maybe you have tested something?
Thanks again

My own approach, if I were in your shoes and someone posted the three working files, would be to replace the content of the three files on my system by the content of those working files, and to then just delete the .pacnew files. :wink:

:man_shrugging:

(friendly note… with this advice… please ensure your systems are actually 1:1 applicable in this scenario…)

2 Likes

I know, but I sort of took the liberty of assuming that the OP hadn’t done any customizing to their PAM setup, based upon the very fact that they’re asking about it here. :wink:

Fair enough, but for example - some of this deals with autologin, and I don't even use lightdm … etc.
(these notes are also just as much for the tourists)

To be clear here - the issue is deprecated modules, such as pam_tally2.so , etc.
These need to be replaced by the new modules.
Some extra options might also be available.

You do not want to simply remove lines, replace files, etc.
You replace/add the correct components.

(edit … oops … I quoted the wrong module at first . heh)

Neither do I. I use sddm, and I have my personal objections to auto-login. :wink:

Of course. :slight_smile:

Well, the thing is that I myself didn’t have any .pacnew files under /etc/pam.d/, so I presume that my versions of the files as I’ve included them are not only fully functional, but also compatible with the upgrade to pambase that came as part of the update of 2020.08.28.

To make it more clear rather than an edit to the above:

Deprecate pam_cracklib, there are two better alternatives to this
obsolete module: pam_passwdqc from passwdqc project and pam_pwquality
Deprecate pam_tally and pam_tally2 in favour of pam_faillock.

Those are the 2 things that happened ^ that's this ‘issue’.

Even without pacnews … that's all you need to know really.
( though some extra jazz from the new files probably isn't wrong like me adding user_readenv=1 … as seen here: [Unstable Update] 2020-08-22 - Pamac, Mate 1.24.1, GCC 10.2, Python, Haskell )

AGAIN - it is important to note that this is all system dependent.

src: Deprecate pam_cracklib, pam_tally, and pam_tally2 · linux-pam/linux-pam@f49166c · GitHub

1 Like

Thanks for your interesting answers and your patience @Aragorn and @cscs!
As a newbie (or maybe tourist), my question was regarding mainly a line in lightdm-autologin and I can just see your sddm-autologin file in the post you were referring to.

My question was mainly what I should do with these possible options or configurations that I cannot understand, namely preauth in lightdm-autologin.pacnew and file=/var/log/faillog onerr=succeed in my actual file. In my final and new file, should I have both of them or just one of them, and if yes, which one?

I cannot remember having made changes in my pam configuration since the installation of my system in 2018.
If it can be somehow helpful, you can find below my

inxi --no-host -Fxzc0

System:
Kernel: 5.4.60-2-MANJARO x86_64 bits: 64 compiler: gcc v: 10.2.0
Desktop: Xfce 4.14.2 Distro: Manjaro Linux
Machine:
Type: Laptop System: Notebook product: N650DU v: N/A serial:
Mobo: Notebook model: N650DU serial: UEFI: American Megatrends
v: 5.12 date: 02/26/2018
Battery:
ID-1: BAT0 charge: 44.5 Wh condition: 44.5/62.2 Wh (72%)
model: Notebook BAT status: Full
CPU:
Topology: Quad Core model: Intel Core i5-7500T bits: 64 type: MCP
arch: Kaby Lake rev: 9 L2 cache: 6144 KiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
bogomips: 21607
Speed: 1600 MHz min/max: 800/3300 MHz Core speeds (MHz): 1: 1600 2: 1600
3: 1600 4: 1600
Graphics:
Device-1: Intel HD Graphics 630 vendor: CLEVO/KAPOK driver: i915 v: kernel
bus ID: 00:02.0
Device-2: Chicony Chicony USB2.0 Camera type: USB driver: uvcvideo
bus ID: 1-6:2
Display: x11 server: X.org 1.20.8 driver: intel unloaded: modesetting
resolution:
OpenGL: renderer: Mesa Intel HD Graphics 630 (KBL GT2) v: 4.6 Mesa 20.1.6
direct render: Yes
Audio:
Device-1: Intel 100 Series/C230 Series Family HD Audio vendor: CLEVO/KAPOK
driver: snd_hda_intel v: kernel bus ID: 00:1f.3
Sound Server: ALSA v: k5.4.60-2-MANJARO
Network:
Device-1: Intel Wireless 8265 / 8275 driver: iwlwifi v: kernel port: f040
bus ID: 01:00.0
IF: wlp1s0 state: up mac:
Device-2: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
vendor: CLEVO/KAPOK driver: r8168 v: 8.048.03-NAPI port: e000
bus ID: 05:00.0
IF: enp5s0 state: up speed: 1000 Mbps duplex: full mac:
Drives:
Local Storage: total: 1.14 TiB used: 612.12 GiB (52.6%)
ID-1: /dev/nvme0n1 vendor: Samsung model: SSD 960 EVO 250GB
size: 232.89 GiB
ID-2: /dev/sda vendor: Seagate model: ST1000LM048-2E7172 size: 931.51 GiB
Partition:
ID-1: / size: 227.24 GiB used: 34.20 GiB (15.0%) fs: ext4
dev: /dev/nvme0n1p2
ID-2: /home size: 911.95 GiB used: 577.92 GiB (63.4%) fs: ext4
dev: /dev/sda2
Swap:
ID-1: swap-1 type: file size: 8.00 GiB used: 1.03 GiB (12.9%)
file: /swapfile
Sensors:
System Temperatures: cpu: 66.0 C mobo: N/A
Fan Speeds (RPM): N/A
Info:
Processes: 198 Uptime: 5d 21h 17m Memory: 7.70 GiB used: 4.02 GiB (52.2%)
Init: systemd Compilers: gcc: 10.2.0 Packages: 1533 Shell: Bash v: 5.0.18
inxi: 3.1.05

Thanks again!

Again … I don't use lightdm …
But … if you just want a straight answer I think

auth        required    pam_tally.so file=/var/log/faillog onerr=succeed

Should become >>

auth        required    pam_faillock.so preauth file=/var/log/faillog onerr=succeed

…and from what I can tell from your OP point #2 and #3 - ‘yes’ to those.


EDIT - I must confess I am confused with your comments about #comments … please do not add or remove any #comments … just replace modules on lines where necessary.

1 Like

Sorry, haven’t had time to make changes for PAM yet. Will be working on it this weekend. I’ll post what worked for me once I get it working.

Good luck.

1 Like

Thanks @cscs! I have now rebooted and could login without any problem! Maybe this can interest you also @mezzo, if you have not already “worked” on it. Thanks also @Aragorn for your input!

So in the /system-login you replaced:

auth required pam_tally2.so onerr=succeed file=/var/log/tallylog
account required pam_tally2.so
session required pam_env.so

with the following:

auth required pam_faillock.so onerr=succeed file=/var/log/tallylog
account required pam_faillock.so
session required pam_env.so user_readenv=1

Then in your lightdm file you replaced:

auth required pam_tally.so file=/var/log/faillog onerr=succeed

with:

auth required pam_faillock.so preauth file=/var/log/faillog onerr=succeed

Yes?

Exactly! It is what I have done and I could reboot and login once again!

Thanks for the quick reply!
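
The check discussed in this thread, as an added example that is not part of any post above: a small audit of a PAM directory that reports active lines still using the deprecated modules named in the linux-pam commit, unmerged .pacnew files, and pam_tally-era `file=`/`onerr=` arguments carried over onto pam_faillock lines (these are not among the options listed in pam_faillock(8)). The output tags and the sample files are constructed for illustration; point `audit_pam_dir` at `/etc/pam.d` to check a real system.

```shell
#!/usr/bin/env bash
# Added example: audit a PAM directory after the pam_tally -> pam_faillock change.
# Output tags (DEPRECATED, LEGACY-OPTION, PENDING) are this script's own labels.

audit_pam_dir() {
    local dir=$1 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.pacnew) printf 'PENDING %s\n' "${f##*/}"; continue ;;
        esac
        awk -v name="${f##*/}" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }       # commented-out or blank: not active
            {
                # Locate the module field; the control field may be a bracketed
                # list containing spaces, so the module is not always $3.
                for (m = 1; m <= NF; m++) if ($m ~ /pam_[a-z0-9_]+\.so$/) break
                if (m > NF) next
                if ($m ~ /pam_(tally2?|cracklib)\.so$/) {
                    printf "DEPRECATED %s:%d %s\n", name, NR, $m
                    next
                }
                if ($m ~ /pam_faillock\.so$/)
                    for (i = m + 1; i <= NF; i++)
                        if ($i ~ /^(file|onerr)=/)  # pam_tally-era arguments
                            printf "LEGACY-OPTION %s:%d %s\n", name, NR, $i
            }
        ' "$f"
    done
}

# Constructed sample files mirroring the lines quoted in this thread.
make_sample() {
    printf '%s\n' \
        'auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog' \
        'account    required   pam_tally2.so' \
        'session    required   pam_env.so' > "$1/system-login"
    printf '%s\n' \
        '#auth        required    pam_tally.so file=/var/log/faillog onerr=succeed' \
        'auth        required    pam_faillock.so preauth file=/var/log/faillog onerr=succeed' \
        > "$1/lightdm-autologin"
    printf '%s\n' 'auth        required    pam_faillock.so preauth' \
        > "$1/lightdm-autologin.pacnew"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_pam_dir "$sample"
rm -rf "$sample"
```

An empty report means no active line references pam_tally, pam_tally2 or pam_cracklib and no .pacnew file is left to merge; keep a root shell open while editing PAM files so a mistake can be reverted before logging out.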

I just did the update on my system. I would list the steps I took to “fix” the PAM issue but I didn’t need to make any changes. The changes were made for me “auto-magically”.

I think maybe someone on the manjaro team added a script that made the changes when I did the update.
