New PAM in experimental needs testing
Roger Leigh
rleigh at debian.org
Sun Aug 5 17:36:45 UTC 2007
Hi folks,

A new version of PAM (0.99.7.1-1) has been packaged and uploaded to
experimental. This is intended to replace 0.79-4. However, because
there have been quite a number of upstream changes, and all the
Debian-specific patches against the old one were painstakingly
re-diffed and updated by hand, and because a broken PAM means a rather
broken system, this new version needs some wider testing before it is
suitable for unstable.

The work for this was done by myself and Jan Christoph Nordholz, who
rewrote the @include patch, fixing a memory leak in the current code,
as well as doing a lot of testing, building and general reviewing of
the PAM packaging. It's thanks to Jan that it's ready for wider
review, since I did all the rediffing back in April, but lacked time
to squash the last few bugs.

If anyone could take the time to install it, test all the services
using PAM for authentication/authorisation still work as expected, and
report any defects, that would be much appreciated. If you want to
avoid breaking your system, it is advisable to install into a chroot.
However, we have tested that basic functionality does work (su and
passwd in particular), so it should be safe to install for real (but
no guarantees are given).

Additionally, all of the packages which Build-Depend, Depend or
Recommend PAM packages should be tested against the new packages. A
complete list is given below, and the maintainers Bcc'd with this
message.

If you do hack on the PAM sources, note that the dpatch patch order is
important--later patches do rely on earlier patches being present.
Also, you need to run "debian/rules patch|unpatch" by hand, due to the
need to re-bootstrap the autotools. To do that "debian/rules
bootstrap" will do everything consistently, providing the patches are
applied.

Some bits which need wider review and discussion:

Several of the Debian-specific patches should probably be removed.
For example, the @include (Debian-specific) syntax should be replaced
by the include mechanism added by upstream; we should make this a
release goal for Lenny IMO. Maintaining Debian-specific hacks imposes
a real burden on the PAM maintainers--it took over 15 man hours to do
the main re-diffing, and the same again to get it working, which is
ridiculous and error-prone. We could easily be introducing
Debian-specific security bugs by doing so. Some checks such as the
obscure checks for pam_unix and chroot limits for pam_limits should be
dropped (who uses this functionality?). The obscure checks appear to
predate PAM, but should cracklib not be the replacement? This
non-standard stuff should really be deprecated, obsoleted, then
dropped. What do other people think about this?

The remaining patches should then really be pushed upstream, which
is possible now we are synched with their latest stable release.

One other note: upstream now default to enabling cracklib in pam_unix
(in addition to pam_cracklib), which causes passwd to do all the extra
checks cracklib does. This has been disabled for now after discussion
with Jan, because it brings in quite a few dependencies into base, and
may not be generally wanted. It also breaks passwd if you don't have
cracklib-runtime *and* a wordlist *and* run update-cracklib, so this
needs some fixing of dependencies and coordination to do properly. It
might be worth re-adding, if there was consensus for that. I'm not
yet sure how this differs from the pam_cracklib functionality,
however.

Regards,
Roger

Laszlo Boszormenyi (GCS) <gcs at debian.hu>
gradm2
Stefan Hornburg (Racke) <racke at linuxia.de>
courier
courier-authlib
pure-ftpd
Richard A Nelson (Rick) <cowboy at debian.org>
libnss-ldap
libpam-ldap
Marco Presi (Zufus) <zufus at debian.org>
linesrv
Krzysztof Krzyzaniak (eloy) <eloy at debian.org>
popa3d
Russ Allbery <rra at debian.org>
libpam-afs-session
Sebastien Bacher <seb128 at debian.org>
libgnomesu
Carlos Barros <cbf at debian.org>
tac-plus
Dima Barsky <dima at debian.org>
python-pam
Vincent Bernat <bernat at luffy.cx>
xrdp
Michael Biebl <biebl at debian.org>
partimage
Laurent Bigonville <bigon at bigon.be>
pam-keyring
Blars Blarson <blarson at blars.org>
nntp
Primoz Bratanic <primoz at slo-tech.com>
pam-pgsql
Joachim Breitner <nomeata at debian.org>
poldi
Adrian Bridgett <bridgett at debian.org>
dante
Chris Butler <chrisb at debian.org>
wu-ftpd
Rubén Porras Campo <nahoo at inicia.es>
libpam-encfs
Pierre Chifflier <chifflier at inl.fr>
nufw
wzdftpd
Adam Conrad <adconrad at 0c3.net>
poppassd
Christopher Cramer <crayc at dapac.org>
usermode
Debian CUPS Maintainers <pkg-cups-devel at lists.alioth.debian.org>
cupsys
Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel at lists.alioth.debian.org>
cyrus-sasl2
cyrus-sasl2-heimdal
Debian Cyrus Team <pkg-cyrus-imapd-debian-devel at lists.alioth.debian.org>
cyrus-imapd-2.2
Debian Edu Developers <debian-edu at lists.debian.org>
debian-edu
Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>
gdm
Debian Kolab Maintainers <pkg-kolab-devel at lists.alioth.debian.org>
kolab-cyrus-imapd
Debian Multimedia Team <debian-multimedia at lists.debian.org>
jack-audio-connection-kit
Debian OpenOffice Team <debian-openoffice at lists.debian.org>
openoffice.org
Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
openssh
Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
php5
Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>
kdeadmin
kdebase
Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>
samba
Debian VoIP Team <pkg-voip-maintainers at lists.alioth.debian.org>
bayonne
Debian X Strike Force <debian-x at lists.debian.org>
xdm
Debian buildd-tools Developers <buildd-tools-devel at lists.alioth.debian.org>
schroot
Eric Dorland <eric at debian.org>
pam-p11
Paul Dwerryhouse <paul at dwerryhouse.com.au>
kannel
Peter Eisentraut <petere at debian.org>
pgpool
Rene Engelhard <rene at debian.org>
away
Exim4 Maintainers <pkg-exim4-maintainers at lists.alioth.debian.org>
exim4
Gerfried Fuchs <alfie at debian.org>
francine
Luigi Gangitano <luigi at debian.org>
squid
squid3
Bdale Garbee <bdale at gag.com>
sudo
Matthew Garrett <mjg59 at srcf.ucam.org>
libpam-foreground
Thomas Goirand <thomas at goirand.fr>
dtc
Stephen Gran <sgran at debian.org>
freeradius
Debian QA Group <packages at qa.debian.org>
pexts
Yu Guanghui <ygh at debian.org>
qpopper
Guido Guenther <agx at sigxcpu.org>
libpam-ccreds
Pierre Habouzit <madcoder at debian.org>
ldapscripts
Christian Hammers <ch at debian.org>
quagga
Sam Hartman <hartmans at debian.org>
libpam-krb5
openafs
pam
Tollef Fog Heen <tfheen at debian.org>
pam-passwdqc
pam-tmpdir
pam-umask
Henrique de Moraes Holschuh <hmh at debian.org>
fcron
Simon Horman <horms at debian.org>
heartbeat
perdition
Alberto Gonzalez Iniesta <agi at inittab.org>
linux-ftpd
netkit-rsh
openvpn
Joerg Jaspert <joerg at debian.org>
muddleftpd
Arthur de Jong <adejong at debian.org>
nss-ldapd
Guillem Jover <guillem at debian.org>
inetutils
lockvc
Stephan Kaufhold <s.kaufhold at 1stbna.com>
libpam-pwgen
Bastian Kleineidam <calvin at debian.org>
libpam-mount
Ivan Kohler <ivan-debian at 420.am>
libpam-unix2
Anand Kumria <wildfire at progsoc.org>
pam-http
Oliver Kurth <oku at debian.org>
pam-dotfile
Aurelien Labrosse <aurelien.labrosse at free.fr>
libpam-ssh
Asheesh Laroia <asheesh at asheesh.org>
alpine
Simon Law <sfllaw at debian.org>
lsh-utils
wvstreams
Jeff Licquia <licquia at debian.org>
diald
John Lightsey <lightsey at debian.org>
apt-watch
Francesco Paolo Lovergine <frankie at debian.org>
proftpd-dfsg
yardradius
Robert Luberda <robert at debian.org>
solid-pop3d
super
Dovecot Maintainers <jaldhar-dovecot at debian.org>
dovecot
OHURA Makoto <ohura at debian.org>
xemacs21
Jordi Mallach <jordi at debian.org>
mailutils
Roland Mas <lolando at debian.org>
gforge
Peter Mathiasson <peterm at debian.org>
pam-devperm
Martin Maurer <fireflier at gibraltar.at>
fireflier
Rene Mayrhofer <rmayr at debian.org>
openswan
strongswan
Steve McIntyre <93sam at debian.org>
cvs
Matthijs Mohlmann <matthijs at cacholong.nl>
libpam-heimdal
Ryan Murray <rmurray at debian.org>
at
Jaakko Niemi <liiwi at debian.org>
sfs
Fabio M. Di Nitto <fabbione at fabbione.net>
libpam-radius-auth
Jan Christoph Nordholz <hesso at pool.math.tu-berlin.de>
screen
Greg Norris <adric at debian.org>
libpam-pwdfile
Alvaro Lopez Ortega <alvaro at gnu.org>
cherokee
Erlang Packagers <erlang-pkg-devel at lists.berlios.de>
yaws
Peter Palfrader <weasel at debian.org>
uucp
vlock
Eloy A. Paris <peloy at debian.org>
ncpfs
Jose Parrella <joseparrella at cantv.net>
libpam-rsa
libpam-usb
Guilherme de S. Pastore <gpastore at debian.org>
gnome-screensaver
Javier Fernandez-Sanguino Pen~a <jfs at computer.org>
cron
libpam-chroot
Christian Perrier <bubulle at debian.org>
calife
Martin Pitt <mpitt at debian.org>
postgresql-8.1
postgresql-8.2
Cai Qian <caiqian at debian.org>
linux-ftpd-ssl
Florian Ragwitz <rafl at debianforum.de>
libauthen-pam-perl
Ganesan Rajagopal <rganesan at debian.org>
ipsec-tools
Sebastian Rittau <srittau at debian.org>
netatalk
Jose Luis Rivas <ghostbar38 at gmail.com>
xscreensaver
Ghe Rivero <ghe at upsa.es>
libuser
Piotr Roszatycki <dexter at debian.org>
libapache2-mod-auth-pam
Ludovic Rousseau <rousseau at debian.org>
muscleframework
Giuseppe Sacco <eppesuig at debian.org>
hylafax
Riccardo Setti <giskard at autistici.org>
aolserver4-nsimap
Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
shadow
Vladimir Shakhov <lumpen.intellectual at gmail.com>
wdm
Guus Sliepen <guus at debian.org>
rsh-redone
Jonas Smedegaard <dr at jones.dk>
libmail-cclient-perl
uw-imap
Roger So <rogerso at debian.org>
im-sdk
Manoj Srivastava <srivasta at debian.org>
policycoreutils
refpolicy
Riccardo Stagni <unriccio at email.it>
qingy
Michael Stone <mstone at debian.org>
libpam-opie
opie
xlockmore
Debian Shishi Team <help-shishi at gnu.org>
shishi
Andreas Tscharner <andy at vis.ethz.ch>
cvsnt
Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>
network-manager
Matej Vela <vela at debian.org>
vsftpd
Jelmer Vernooij <jelmer at samba.org>
pam-krb5-migrate
Paweł Więcek <coven at debian.org>
pam-mysql
Carsten Wolff <carsten at wolffcarsten.de>
php-auth-pam
Marco d'Itri <md at linux.it>
inn2
ppp
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
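
For testers who want to see which service files still depend on the Debian-specific @include syntax discussed in the message above, and whether each include target resolves, here is an added example (not part of the original post or of the PAM packaging). The function names are hypothetical, the sample files are constructed, and it assumes relative include targets resolve against the directory being scanned.

```python
import os
import tempfile


def find_includes(pam_dir):
    """Return (service, lineno, style, target, target_exists) for each include line."""
    findings = []
    for service in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, service)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                # Drop comments, then split into whitespace-separated fields.
                fields = raw.split("#", 1)[0].split()
                if not fields:
                    continue
                if fields[0] == "@include" and len(fields) >= 2:
                    # Debian-specific form: "@include <file>"
                    style, target = "debian", fields[1]
                elif len(fields) >= 3 and fields[1] == "include":
                    # Upstream form: "<type> include <file>"
                    style, target = "upstream", fields[2]
                else:
                    continue
                # Assumption: relative targets live in the scanned directory.
                resolved = os.path.join(pam_dir, target)
                findings.append(
                    (service, lineno, style, target, os.path.isfile(resolved)))
    return findings


def demo():
    """Scan a constructed pam.d tree; 'common-account' is deliberately missing."""
    files = {
        "common-auth": "auth required pam_unix.so nullok_secure\n",
        "su": "# constructed sample\nauth sufficient pam_rootok.so\n"
              "@include common-auth\n@include common-account\n",
        "login": "auth include common-auth\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_includes(d)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Pointing find_includes() at the pam.d directory of a test chroot lists every include line in it, and a False in the last column marks a target that does not exist there.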