This bug was fixed in the package pam - 1.1.8-3.6ubuntu3 --------------- pam (1.1.8-3.6ubuntu3) cosmic; urgency=medium
* debian/patches-applied/fix-pam_tty_audit.patch: (LP: #1666203) Fix pam_tty_audit log_passwd support and regression. -- Eric Desrochers <eric.desroch...@canonical.com> Thu, 28 Feb 2019 01:20:35 +0000 ** Changed in: pam (Ubuntu Cosmic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1666203 Title: pam_tty_audit failed in pam_open_session Status in pam package in Ubuntu: Fix Released Status in pam source package in Xenial: In Progress Status in pam source package in Bionic: Fix Released Status in pam source package in Cosmic: Fix Released Status in pam package in Debian: Fix Released Bug description: [Impact] * Kernel keystroke auditing via pam_tty_audit.so not working * When Using the pam_tty_audit with other pam modules(ex, pam_ldap), it failed in pam_open_session. It was triggared by use uninitialized variable in pam_tty_audit.c::pam_open_session. [Test Case] 1) Open a shell & escalate to root 2) Update /etc/pam.d/common-session & /etc/pam.d/common-session-noninteractive and add the following line directly after the line: "session required pam_unix.so": "session required pam_tty_audit.so enable=*" 3) Start a second new shell session on the box and type a variety of commands 4) Exit the second shell session to flush the buffer? 5) In the root shell run "aureport -tty -i". The output should show the commands run in the other shell. [Regression Potential] * Low, we are simply including the missing header file and copy the old status as initialization of new. The fix is already found/part of Debian and Disco. [Pending SRU] All regressions found in Bionic and Cosmic looks like long standing ADT failure. Nothing has been introduce by this particular SRU. [Other Info] # Upstream fix: https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee # git describe --contains c5f829931a22c65feffee16570efdae036524bee Linux-PAM-1_2_0~75 # rmadision pam => pam | 1.1.8-1ubuntu2.2 | trusty-updates | source => pam | 1.1.8-3.2ubuntu2 | xenial | source => pam | 1.1.8-3.2ubuntu2.1 | xenial-updates | source => pam | 1.1.8-3.6ubuntu2 | bionic | source => pam | 1.1.8-3.6ubuntu2 | cosmic | source pam | 1.3.1-5ubuntu1 | disco | source [Original Description] Dear Maintainer. I found a bug in pam_tty_audit. When Using the pam_tty_audit with other pam modules(ex, pam_ldap), it failed in pam_open_session. It was triggared by use uninitialized variable in pam_tty_audit.c::pam_open_session. * Enviroments Ubuntu 14.04.4 LTS linux-image-3.16.0-71-generic 3.16.0-71.92~14.04.1 libpam-ldap:amd64 184-8.5ubuntu3 libpam-modules:amd64 1.1.8-1ubuntu2.2 Ubuntu 16.04.2 TLS linux-image-4.4.0-62-generic 4.4.0-62.83 libpam-ldap:amd64 184-8.7ubuntu1 libpam-modules:amd64 1.1.8-3.2ubuntu2 * Reproduction method 1. Install libpam-ldap. 2. Add the following to the end of /etc/pam.d/common-sessions -------- session required pam_tty_audit.so enable=* open_only -------- 3. When logging in with ssh etc., pam_tty_audit will fail and login fails * Solution (== 2018/04/16 Link updated ==) apply upstream patch https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee * Logs (on Ubuntu14.04) -- auth.log -- May 18 14:47:03 vm sshd[2272]: Accepted publickey for test from 10.99.0.1 port 51398 ssh2: RSA 8f:39:1c:3a:f4:9d:ca:99:67:fc:e3:fd:1e:0c:5b:a8 May 18 14:47:03 vm sshd[2272]: pam_unix(sshd:session): session opened for user test by (uid=0) May 18 14:47:03 vm sshd[2272]: pam_tty_audit(sshd:session): error setting current audit status: Invalid argument May 18 14:47:03 vm sshd[2272]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session May 18 14:47:03 vm sshd[2297]: Received disconnect from 10.99.0.1: 11: disconnected by user -- syslog -- May 18 14:47:03 vm audispd: node=vm type=USER_ACCT msg=audit(1463550423.399:58): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.403:59): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' May 18 14:47:03 vm audispd: node=vm type=LOGIN msg=audit(1463550423.403:60): pid=2272 uid=0 old-auid=4294967295 auid=20299 old-ses=4294967295 ses=3 res=1 May 18 14:47:03 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(1463550423.403:61): pid=2272 uid=0 auid=20299 ses=3 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_passwd=32743 res=0 May 18 14:47:03 vm audispd: node=vm type=USER_START msg=audit(1463550423.447:62): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:session_open acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=failed' May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.447:63): pid=2297 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' May 18 14:47:03 vm audispd: node=vm type=CRED_DISP msg=audit(1463550423.451:64): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success' Thanks regards. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1666203/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp