Control: tags -1 help

On Sun, 19 Nov 2023 23:48:46 +0100 Alexander Bochmann
<ab+de...@reg.gxis.de> wrote:
> Package: systemd-homed
> Version: 254.5-1~bpo12+2
> Followup-For: Bug #1056166
> 
> Hello,
> 
> I can confirm this problem still exists in bookworm and 
> bookworm-backports:
> 
> As soon as the Debian systemd-homed PAM configuration is activated 
> by pam-auth-update, it's not possible to change passwords of 
> users that come from /etc/passwd anymore.
> 
> This seems to be due to a PAM misconfiguration. I don't understand
> enough of the Debian PAM setup to say why it doesn't work, but 
> I tried replacing the rules with alternatives that I copied from 
> an openSUSE Tumbleweed install, and using those it's possible to 
> change details on users both from /etc/passwd and systemd-homed.

This is the pam config I ship:

# cat /usr/share/pam-configs/systemd-homed
Name: Enable user management by systemd-homed
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_systemd_home.so
Account-Type: Primary
Account:
        [success=end default=ignore]    pam_systemd_home.so
Session-Type: Additional
Session:
        optional        pam_systemd_home.so
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_systemd_home.so


For some reason, this results in the following change being applied to
/etc/pam.d/common-password:

-password       [success=1 default=ignore]      pam_unix.so obscure yescrypt
+password       [success=2 default=ignore]      pam_systemd_home.so 
+password       [success=1 default=ignore]      pam_unix.so obscure use_authtok 
try_first_pass yescrypt
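
Review bot: the second added line gives pam_unix.so the options use_authtok try_first_pass, which the removed line did not have, and this is the line that serves users from /etc/passwd. With use_authtok, pam_unix.so takes the new password from a module stacked before it instead of prompting. The only module before it here is pam_systemd_home.so with default=ignore, so for an account homed does not manage nothing has set that token. Suggest the generated pam_unix.so line keep the original options (obscure yescrypt) when it is not guaranteed that an earlier module collected the password. It is also worth confirming that the success=2 and success=1 jump counts land on the intended lines in the rest of common-password, which this hunk does not show.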

The first line is fine, but the second is the issue.
I.e., use_authtok try_first_pass are added to pam_unix.so, which breaks
everything. Removing those manually fixes things again. I have no idea
where they are coming from... PAM experts, any idea?

-- 
Kind regards,
Luca Boccassi
