On Sat, Mar 30, 2024 at 01:41:40AM +0100, Chris Hofstaedtler wrote:
> Hi OpenSSH, shadow Maintainers,
> 
> On Sat, Mar 30, 2024 at 01:32:08AM +0100, Chris Hofstaedtler wrote:
> > On Fri, Mar 29, 2024 at 06:02:39PM +0100, Sven Joachim wrote:
> > > It seems desirable to ship liblastlog2 in trixie, considering that the
> > > /var/log/lastlog file is not Y2038-safe and pam in unstable has already
> > > dropped pam_lastlog.so, meaning that non-ssh logins are no longer
> > > recorded in /var/log/lastlog.

> [..]
> > At the same time, all traditional writing to /var/log/lastlog should
> > stop.

> > So, after some of the current fog clears, src:util-linux could
> > introduce new binary packages (at least libpam-lastlog2), but
> > src:pam would need to add it to the common-* config files.

> > Does this seem right?

> Answering my own question, not quite.

> Apparently, traditionally we have:

> * sshd writes to /var/log/lastlog by itself.
> * login has pam_lastlog.so in its PAM snippet. 

> Both of these would need to be replaced by pam_lastlog2.so. I don't
> really know what the other distros are doing right now, and/or if
> we should align on this.

> So we could either put pam_lastlog2.so into a common-* file from
> src:pam, or openssh and shadow should switch their setup.

> What do we all think about that?

pam should not be adding any modules to common-* that it itself does not
ship.  Instead they should be added via pam-auth-config.

I don't have an opinion about this being done in common-* vs being done in
sshd+login particularly; but putting it to common-* by default seems a
behavior change that warrants broader discussion e.g.  debian-devel.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
