I am posting an updated version of the post I wrote regarding the .pacnew files in /etc/pam.d after the update of the 28th August.
I am wondering if I should only replace pam_tally.so with pam_faillock.so or replace the whole new lines, namely:
in /etc/pam.d/lightdm-autologin, should I
just replace pam_tally.so with pam_faillock.so
or replace the whole line with the line present in the .pacnew file
or should I merge them into one of these potential new lines (with preauth present in the .pacnew file, or with file=/var/log/faillog onerr=succeed present in my actual file)?
The same line in the .pacnew file is the following:
auth required pam_faillock.so preauth
For your information, regarding the two following points: what I supposed to be the right thing to do is apparently what is advised on the French forum by a certain @stephane(?):
in /etc/pam.d/system-login, [I would] uncomment the following lines and replace, as @papajoke wrote, pam_tally2.so with pam_faillock.so:
in this same file, namely /etc/pam.d/system-login, [I would] add user_readenv=1 present in the .pacnew file to the line of my actual system-login file:
Thanks for your answer @Aragorn! Are you then advising me to replace the whole line with the line present in the .pacnew file of lightdm-autologin having this line:
auth required pam_faillock.so preauth
and then removing from this line file=/var/log/faillog onerr=succeed?
@mezzo, since you had similar lines in your files, maybe you have tested something?
Thanks again
My own approach, if I were in your shoes and someone posted the three working files, would be to replace the content of the three files on my system by the content of those working files, and to then just delete the .pacnew files.
I know, but I sort of took the liberty of assuming that the OP hadn’t done any customizing to their PAM setup, based upon the very fact that they’re asking about it here.
Fair enough, but for example - some of this deals with autologin, and I don't even use lightdm … etc.
(these notes are also just as much for the tourists)
To be clear here - the issue is deprecated modules, such as pam_tally2.so, etc.
These need to be replaced by the new modules.
Some extra options might also be available.
You do not want to simply remove lines, replace files, etc.
You replace/add the correct components.
(edit … oops … I quoted the wrong module at first . heh)
Neither do I. I use sddm, and I have my personal objections to auto-login.
Of course.
Well, the thing is that I myself didn’t have any .pacnew files under /etc/pam.d/, so I presume that my versions of the files as I’ve included them are not only fully functional, but also compatible with the upgrade to pambase that came as part of the update of 2020.08.28.
Thanks for your interesting answers and your patience @Aragorn and @cscs!
As a newbie (or maybe tourist), my question was regarding mainly a line in lightdm-autologin and I can just see your sddm-autologin file in the post you were referring to.
My question was mainly what I should do with these possible options or configurations that I cannot understand, namely preauth in lightdm-autologin.pacnew and file=/var/log/faillog onerr=succeed in my actual file. In my final and new file, should I have both of them or just one of them, and if yes, which one?
I cannot remember having made changes in my pam configuration since the installation of my system in 2018.
If it can be somehow helpful, you can find below my
…and from what I can tell from your OP point #2 and #3 - ‘yes’ to those.
EDIT - I must confess I am confused with your comments about #comments … please do not add or remove any #comments … just replace modules on lines where necessary.
Thanks @cscs! I have now rebooted and could login without any problem! Maybe this can interest you also @mezzo, if you have not already “worked” on it. Thanks also @Aragorn for your input!
I just did the update on my system. I would list the steps I took to “fix” the PAM issue but I didn’t need to make any changes. The changes were made for me “auto-magically”.
I think maybe someone on the Manjaro team added a script that made the changes when I did the update.
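
An added example, not written by anyone in this thread: a read-only shell audit that lists the lines in a PAM directory still referencing pam_tally.so or pam_tally2.so (marked active or commented) and shows which files have an unmerged .pacnew beside them. The function names and the sample directory contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a PAM config directory.
# It only reads files; it never edits, merges or deletes anything.

# Print "file:line:state:text" for each line naming pam_tally.so or
# pam_tally2.so. state is "active" (PAM will try to load the module)
# or "commented" (line starts with #).
find_deprecated_pam() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.pacnew) continue ;; esac   # audit live files only
        awk '/pam_tally2?\.so/ {
                 state = ($0 ~ /^[ \t]*#/) ? "commented" : "active"
                 printf "%s:%d:%s:%s\n", FILENAME, FNR, state, $0
             }' "$f"
    done
}

# Print each live file that still has a .pacnew waiting to be merged.
list_pending_pacnew() {
    dir=$1
    for p in "$dir"/*.pacnew; do
        [ -f "$p" ] || continue
        printf '%s\n' "${p%.pacnew}"
    done
}

# Constructed sample directory (NOT real system files) for a dry run.
make_sample_pamd() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_tally.so file=/var/log/faillog onerr=succeed' \
        'auth required pam_unix.so' > "$d/lightdm-autologin"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_faillock.so preauth' \
        'auth required pam_unix.so' > "$d/lightdm-autologin.pacnew"
    printf '%s\n' '#%PAM-1.0' \
        '#auth required pam_tally2.so' \
        'auth required pam_unix.so' > "$d/system-login"
    printf '%s\n' "$d"
}

# On a real system: find_deprecated_pam /etc/pam.d
#                   list_pending_pacnew /etc/pam.d
```

An empty result from both functions after merging means no live file names the old modules and no .pacnew is left pending.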