Bug#1039873: pam-auth-update --disable does not work
> "Marc" == Marc Dequènes (duck) writes: Marc> Quack, Marc> Thanks for adding the feature in #1004000 but it unfortunately Marc> does not work. Um, yeah,:-( I finally got a chance to look into this. I think the following patch fixes my logic error. I've also added autopkgtests that detect all the ways in which the current version fails. diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update index b3de86e7..ac00b1c9 100644 --- a/debian/local/pam-auth-update +++ b/debian/local/pam-auth-update @@ -162,7 +162,9 @@ push(@enabled, # Disable anything explicitly disabled @enabled = grep {!$to_disable{$_} } @enabled; # And we've seen anything we disable -delete @seen{ keys %to_disable}; +foreach my $i (keys %to_disable) { +$seen{$i} = 1; +} # an empty module set is an error, so in that case grab all the defaults if (!@enabled) {
Bug#1039873: pam-auth-update --disable does not work
Quack, Sorry for the lag, I'm deep in Bookworm upgrades :-). On 2023-06-30 02:03, Sam Hartman wrote: I just tried: * pam-auth-update --enable mkhomedir * confirm pam_mkhomedir is in the config p * pam-auth-update --disable mkhomedir * Confirm that it is not in the config. Indeed it works… for mkhomedir, but still not for sss. Also the fact that used interactively it does not remember my setting from the command line is not right. Let's suppose I borked the config, then --remove which really works and reset the config clean (at least for the pam_sss lines), then --enable followed by --remove should work. I could reassign to libpam-sss but I did not see anything weird in /usr/share/pam-configs/sss, so I can only guess there's a problem with the matching when removing the lines. I'll try to have a deeper look when I'm clear of migrations. \_o< -- Marc Dequènes
Bug#1039873: pam-auth-update --disable does not work
> "Marc" == Marc Dequènes (duck) writes: Marc> I don't recall if I tested the feature extensively but I Marc> updated my Ansible rules and it is ineffective. After Marc> switching a machine to bookworm I still get the module I want Marc> disabled around (it is reenabled during upgrade) and that Marc> breaks authentication. Hmm. I just tried: * pam-auth-update --enable mkhomedir * confirm pam_mkhomedir is in the config p * pam-auth-update --disable mkhomedir * Confirm that it is not in the config. --Sam
Bug#1039873: pam-auth-update --disable does not work
Package: libpam-runtime Severity: normal Version: 1.5.2-6 Quack, Thanks for adding the feature in #1004000 but it unfortunately does not work. I don't recall if I tested the feature extensively but I updated my Ansible rules and it is ineffective. After switching a machine to bookworm I still get the module I want disabled around (it is reenabled during upgrade) and that breaks authentication. I then started to check manually: # grep sss /etc/pam.d/* /etc/pam.d/common-account:account [default=bad success=ok user_unknown=ignore] pam_sss.so /etc/pam.d/common-auth:auth [success=2 default=ignore] pam_sss.so use_first_pass /etc/pam.d/common-password:password sufficient pam_sss.so use_authtok /etc/pam.d/common-session:session optional pam_sss.so # pam-auth-update --disable sss => same result # pam-auth-update --force --disable sss => same result If I use pam-auth-update interactively and uncheck sss then it works. I then used `pam-auth-update --enable sss` and sss reappeared in the config and tried again --disable but to no avail. Could you please have a look? Regards. \_o< -- Marc Dequènes