Your message dated Wed, 21 Mar 2018 17:18:42 +0000
with message-id <[email protected]>
and subject line Bug#892768: Removed package(s) from unstable
has caused the Debian Bug report #461230,
regarding gksu doesn't work when PAM requires multiple credential prompts.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
461230: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461230
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gksu
Version: 2.0.0-4
If the configured PAM stack prompts more than once for a credential,
or for more than one type of credential, gksu fails. For example,
pam_krb5.so with PKINIT linked againt MIT Kerberos 1.6.3 prompts for
both the user's Kerberos password (which may be empty) and the user's
smartcard PIN (for PKINIT). If this fails, the Kerberos library may
prompt for the Kerberos password again. Finally, if pam_unix is in
the sudo auth stack, the user will be prompted for the user's local
password if Kerberos authentication fails.
For example, the prompts normally look like so:
krbuser@test:~$ sudo ls
[sudo] password for krbuser: <kerberos password>
TEST.USER PIN: <smartcard pin>
Password for [email protected]: <kerberos password>
Password: <local password>
Typically MIT Kerberos PKINIT users will see two prompts; one for the
password and one for the PIN. This enables auto-fallback to the
Kerberos password if PKINIT fails.
sudo properly sets the prompt on all these prompts:
krbuser@test:~$ sudo -p GNOME_SUDO_PASS ls
GNOME_SUDO_PASS
GNOME_SUDO_PASS
GNOME_SUDO_PASS
GNOME_SUDO_PASS
When multiple prompts are required by PAM, gksu collects only the first:
krbuser@test:~$ gksudo -d ls
No ask_pass set, using default!
xauth: /tmp/libgksu-jhwkpb/.Xauthority
STARTUP_ID: gksudo/ls/8452-0-test_TIME2283623798
cmd[0]: /usr/bin/sudo
cmd[1]: -H
cmd[2]: -S
cmd[3]: -p
cmd[4]: GNOME_SUDO_PASS
cmd[5]: -u
cmd[6]: root
cmd[7]: --
cmd[8]: ls
buffer: -
GNOME_SUDO_PASSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS-
brute force GNOME_SUDO_PASS ended...
Yeah, we're in...
GNOME_SUDO_PASS
xauth: /tmp/libgksu-jhwkpb/.Xauthority
xauth_env: /home/TEST/krbuser/.Xauthority
dir: /tmp/libgksu-jhwkpb
krbuser@test:~$
Other applications, such as Xscreensaver, gdm, login, etc. are
capable of handling multiple prompts. For example, when the screen
is locked for a PKINIT user, the first xscreensaver prompt is for the
user's password; when enter is struck, xscreensaver presents the next
prompt to the user, and so on until PAM completes authentication.
-- Tim
--- End Message ---
--- Begin Message ---
Version: 2.0.2-9+rm
Dear submitter,
as the package gksu has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/892768
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
