Bug#1039873: pam-auth-update --disable does not work

[Sam Hartman]

> "Marc" == Marc Dequènes (duck)  writes:


Marc> Quack,

Marc> Thanks for adding the feature in #1004000 but it unfortunately
Marc> does not work.

Um, yeah,:-(
I finally got a chance to look into this.

I think the following patch fixes my logic error.
I've also added autopkgtests that detect all the ways in which the
current version fails.

diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index b3de86e7..ac00b1c9 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -162,7 +162,9 @@ push(@enabled,
 # Disable anything explicitly disabled
 @enabled = grep {!$to_disable{$_} } @enabled;
 # And we've seen anything we disable
-delete @seen{ keys %to_disable};
+foreach my $i (keys %to_disable) {
+$seen{$i} = 1;
+}
 
 # an empty module set is an error, so in that case grab all the defaults
 if (!@enabled) {

Bug#1039873: pam-auth-update --disable does not work

[duck]

Quack,

Sorry for the lag, I'm deep in Bookworm upgrades :-).

On 2023-06-30 02:03, Sam Hartman wrote:


I just tried:

* pam-auth-update --enable mkhomedir

* confirm pam_mkhomedir is in the config
p
* pam-auth-update --disable mkhomedir

* Confirm that it is not in the config.


Indeed it works… for mkhomedir, but still not for sss.

Also the fact that used interactively it does not remember my setting 
from the command line is not right.


Let's suppose I borked the config, then --remove which really works and 
reset the config clean (at least for the pam_sss lines), then --enable 
followed by --remove should work.


I could reassign to libpam-sss but I did not see anything weird in 
/usr/share/pam-configs/sss, so I can only guess there's a problem with 
the matching when removing the lines.


I'll try to have a deeper look when I'm clear of migrations.

\_o<

--
Marc Dequènes

Bug#1039873: pam-auth-update --disable does not work

[Sam Hartman]

> "Marc" == Marc Dequènes (duck)  writes:

Marc> I don't recall if I tested the feature extensively but I
Marc> updated my Ansible rules and it is ineffective. After
Marc> switching a machine to bookworm I still get the module I want
Marc> disabled around (it is reenabled during upgrade) and that
Marc> breaks authentication.

Hmm.
I just tried:

* pam-auth-update --enable mkhomedir

* confirm pam_mkhomedir is in the config
p
* pam-auth-update --disable mkhomedir

* Confirm that it is not in the config.

--Sam

Bug#1039873: pam-auth-update --disable does not work

[duck]

Package: libpam-runtime
Severity: normal
Version: 1.5.2-6


Quack,

Thanks for adding the feature in #1004000 but it unfortunately does not 
work.


I don't recall if I tested the feature extensively but I updated my 
Ansible rules and it is ineffective. After switching a machine to 
bookworm I still get the module I want disabled around (it is reenabled 
during upgrade) and that breaks authentication.


I then started to check manually:
# grep sss /etc/pam.d/*
/etc/pam.d/common-account:account	[default=bad success=ok 
user_unknown=ignore]	pam_sss.so
/etc/pam.d/common-auth:auth	[success=2 default=ignore]	pam_sss.so 
use_first_pass

/etc/pam.d/common-password:password sufficient  
pam_sss.so use_authtok
/etc/pam.d/common-session:session   optional
pam_sss.so
# pam-auth-update --disable sss
=> same result
# pam-auth-update --force --disable sss
=> same result

If I use pam-auth-update interactively and uncheck sss then it works.

I then used `pam-auth-update --enable sss` and sss reappeared in the 
config and tried again --disable but to no avail.


Could you please have a look?
Regards.
\_o<

--
Marc Dequènes