On 2024-03-29 20:36 -0700, Steve Langasek wrote:

> On Sat, Mar 30, 2024 at 01:41:40AM +0100, Chris Hofstaedtler wrote:
>> Hi OpenSSH, shadow Maintainers,
>>
>> On Sat, Mar 30, 2024 at 01:32:08AM +0100, Chris Hofstaedtler wrote:
>> > On Fri, Mar 29, 2024 at 06:02:39PM +0100, Sven Joachim wrote:
>> > > It seems desirable to ship liblastlog2 in trixie, considering that the
>> > > /var/log/lastlog file is not Y2038-safe and pam in unstable has already
>> > > dropped pam_lastlog.so, meaning that non-ssh logins are no longer
>> > > recorded in /var/log/lastlog.
>
>> [..]
>> > At the same time, all traditional writing to /var/log/lastlog should
>> > stop.

Not sure why that would need to happen at the same time, unless there
are plans to import the contents of the lastlog file into the
liblastlog2 database on its first installation.

>> > So, after some of the current fog clears, src:util-linux could
>> > introduce new binary packages (at least libpam-lastlog2), but
>> > src:pam would need to add it to the common-* config files.
>
>> > Does this seem right?
>
>> Answering my own question, not quite.
>
>> Apparently, traditionally we have:
>
>> * sshd writes to /var/log/lastlog by itself.
>> * login has pam_lastlog.so in its PAM snippet.
>
>> Both of these would need to be replaced by pam_lastlog2.so. I don't
>> really know what the other distros are doing right now, and/or if
>> we should align on this.

I suppose that openSUSE will do that soon, they have already replaced
/var/log/wtmp with wtmpdb, written by the same author as liblastlog2.

>> So we could either put pam_lastlog2.so into a common-* file from
>> src:pam, or openssh and shadow should switch their setup.
>
>> What do we all think about that?
>
> pam should not be adding any modules to common-* that it itself does not
> ship.  Instead they should be added via pam-auth-config.

I think you mean pam-auth-update here.

Cheers,
       Sven
