New PAM in experimental needs testing

Roger Leigh rleigh at debian.org
Sun Aug 5 17:36:45 UTC 2007


Hi folks,

A new version of PAM (0.99.7.1-1) has been packaged and uploaded to
experimental.  This is intended to replace 0.79-4.  However, because
there have been quite a number of upstream changes, and all the
Debian-specific patches against the old one were painstakingly
re-diffed and updated by hand, and because a broken PAM means a rather
broken system, this new version needs some wider testing before it is
suitable for unstable.

The work for this was done by myself and Jan Christoph Nordholz, who
rewrote the @include patch, fixing a memory leak in the current code,
as well as doing a lot of testing, building and general reviewing of
the PAM packaging.  It's thanks to Jan that it's ready for wider
review, since I did all the rediffing back in April, but lacked time
to squash the last few bugs.

If anyone could take the time to install it, test all the services
using PAM for authentication/authorisation still work as expected, and
report any defects, that would be much appreciated.  If you want to
avoid breaking your system, it is advisable to install into a chroot.
However, we have tested that basic functionality does work (su and
passwd in particular), so it should be safe to install for real (but
no guarantees are given).

Additionally, all of the packages which Build-Depend, Depend or
Recommend PAM packages should be tested against the new packages.  A
complete list is given below, and the maintainers Bcc'd with this
message.


If you do hack on the PAM sources, note that the dpatch patch order is
important--later patches do rely on earlier patches being present.
Also, you need to run "debian/rules patch|unpatch" by hand, due to the
need to re-bootstrap the autotools.  To do that "debian/rules
bootstrap" will do everything consistently, providing the patches are
applied.


Some bits which need wider review and discussion:

Several of the Debian-specific patches should probably be removed.
For example, the @include (Debian-specific) syntax should be replaced
by the include mechanism added by upstream; we should make this a
release goal for Lenny IMO.  Maintaining Debian-specific hacks imposes
a real burden on the PAM maintainers--it took over 15 man hours to do
the main re-diffing, and the same again to get it working, which is
ridiculous and error-prone.  We could easily be introducing
Debian-specific security bugs by doing so.  Some checks such as the
obscure checks for pam_unix and chroot limits for pam_limits should be
dropped (who uses this functionality?).  The obscure checks appear to
predate PAM, but should cracklib not be the replacement?  This
non-standard stuff should really be deprecated, obsoleted, then
dropped.  What do other people think about this?

The remaining patches should then really be pushed upstream, which is
possible now we are synched with their latest stable release.

One other note: upstream now default to enabling cracklib in pam_unix
(in addition to pam_cracklib), which causes passwd to do all the extra
checks cracklib does.  This has been disabled for now after discussion
with Jan, because it brings in quite a few dependencies into base, and
may not be generally wanted.  It also breaks passwd if you don't have
cracklib-runtime *and* a wordlist *and* run update-cracklib, so this
needs some fixing of dependencies and coordination to do properly.  It
might be worth re-adding, if there was consensus for that.  I'm not
yet sure how this differs from the pam_cracklib functionality,
however.


Regards,
Roger


Laszlo Boszormenyi (GCS) <gcs at debian.hu>
   gradm2

Stefan Hornburg (Racke) <racke at linuxia.de>
   courier
   courier-authlib
   pure-ftpd

Richard A Nelson (Rick) <cowboy at debian.org>
   libnss-ldap
   libpam-ldap

Marco Presi (Zufus) <zufus at debian.org>
   linesrv

Krzysztof Krzyzaniak (eloy) <eloy at debian.org>
   popa3d

Russ Allbery <rra at debian.org>
   libpam-afs-session

Sebastien Bacher <seb128 at debian.org>
   libgnomesu

Carlos Barros <cbf at debian.org>
   tac-plus

Dima Barsky <dima at debian.org>
   python-pam

Vincent Bernat <bernat at luffy.cx>
   xrdp

Michael Biebl <biebl at debian.org>
   partimage

Laurent Bigonville <bigon at bigon.be>
   pam-keyring

Blars Blarson <blarson at blars.org>
   nntp

Primoz Bratanic <primoz at slo-tech.com>
   pam-pgsql

Joachim Breitner <nomeata at debian.org>
   poldi

Adrian Bridgett <bridgett at debian.org>
   dante

Chris Butler <chrisb at debian.org>
   wu-ftpd

Rubén Porras Campo <nahoo at inicia.es>
   libpam-encfs

Pierre Chifflier <chifflier at inl.fr>
   nufw
   wzdftpd

Adam Conrad <adconrad at 0c3.net>
   poppassd

Christopher Cramer <crayc at dapac.org>
   usermode

Debian CUPS Maintainers <pkg-cups-devel at lists.alioth.debian.org>
   cupsys

Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel at lists.alioth.debian.org>
   cyrus-sasl2
   cyrus-sasl2-heimdal

Debian Cyrus Team <pkg-cyrus-imapd-debian-devel at lists.alioth.debian.org>
   cyrus-imapd-2.2

Debian Edu Developers <debian-edu at lists.debian.org>
   debian-edu

Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>
   gdm

Debian Kolab Maintainers <pkg-kolab-devel at lists.alioth.debian.org>
   kolab-cyrus-imapd

Debian Multimedia Team <debian-multimedia at lists.debian.org>
   jack-audio-connection-kit

Debian OpenOffice Team <debian-openoffice at lists.debian.org>
   openoffice.org

Debian OpenSSH Maintainers <debian-ssh at lists.debian.org>
   openssh

Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
   php5

Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>
   kdeadmin
   kdebase

Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>
   samba

Debian VoIP Team <pkg-voip-maintainers at lists.alioth.debian.org>
   bayonne

Debian X Strike Force <debian-x at lists.debian.org>
   xdm

Debian buildd-tools Developers <buildd-tools-devel at lists.alioth.debian.org>
   schroot

Eric Dorland <eric at debian.org>
   pam-p11

Paul Dwerryhouse <paul at dwerryhouse.com.au>
   kannel

Peter Eisentraut <petere at debian.org>
   pgpool

Rene Engelhard <rene at debian.org>
   away

Exim4 Maintainers <pkg-exim4-maintainers at lists.alioth.debian.org>
   exim4

Gerfried Fuchs <alfie at debian.org>
   francine

Luigi Gangitano <luigi at debian.org>
   squid
   squid3

Bdale Garbee <bdale at gag.com>
   sudo

Matthew Garrett <mjg59 at srcf.ucam.org>
   libpam-foreground

Thomas Goirand <thomas at goirand.fr>
   dtc

Stephen Gran <sgran at debian.org>
   freeradius

Debian QA Group <packages at qa.debian.org>
   pexts

Yu Guanghui <ygh at debian.org>
   qpopper

Guido Guenther <agx at sigxcpu.org>
   libpam-ccreds

Pierre Habouzit <madcoder at debian.org>
   ldapscripts

Christian Hammers <ch at debian.org>
   quagga

Sam Hartman <hartmans at debian.org>
   libpam-krb5
   openafs
   pam

Tollef Fog Heen <tfheen at debian.org>
   pam-passwdqc
   pam-tmpdir
   pam-umask

Henrique de Moraes Holschuh <hmh at debian.org>
   fcron

Simon Horman <horms at debian.org>
   heartbeat
   perdition

Alberto Gonzalez Iniesta <agi at inittab.org>
   linux-ftpd
   netkit-rsh
   openvpn

Joerg Jaspert <joerg at debian.org>
   muddleftpd

Arthur de Jong <adejong at debian.org>
   nss-ldapd

Guillem Jover <guillem at debian.org>
   inetutils
   lockvc

Stephan Kaufhold <s.kaufhold at 1stbna.com>
   libpam-pwgen

Bastian Kleineidam <calvin at debian.org>
   libpam-mount

Ivan Kohler <ivan-debian at 420.am>
   libpam-unix2

Anand Kumria <wildfire at progsoc.org>
   pam-http

Oliver Kurth <oku at debian.org>
   pam-dotfile

Aurelien Labrosse <aurelien.labrosse at free.fr>
   libpam-ssh

Asheesh Laroia <asheesh at asheesh.org>
   alpine

Simon Law <sfllaw at debian.org>
   lsh-utils
   wvstreams

Jeff Licquia <licquia at debian.org>
   diald

John Lightsey <lightsey at debian.org>
   apt-watch

Francesco Paolo Lovergine <frankie at debian.org>
   proftpd-dfsg
   yardradius

Robert Luberda <robert at debian.org>
   solid-pop3d
   super

Dovecot Maintainers <jaldhar-dovecot at debian.org>
   dovecot

OHURA Makoto <ohura at debian.org>
   xemacs21

Jordi Mallach <jordi at debian.org>
   mailutils

Roland Mas <lolando at debian.org>
   gforge

Peter Mathiasson <peterm at debian.org>
   pam-devperm

Martin Maurer <fireflier at gibraltar.at>
   fireflier

Rene Mayrhofer <rmayr at debian.org>
   openswan
   strongswan

Steve McIntyre <93sam at debian.org>
   cvs

Matthijs Mohlmann <matthijs at cacholong.nl>
   libpam-heimdal

Ryan Murray <rmurray at debian.org>
   at

Jaakko Niemi <liiwi at debian.org>
   sfs

Fabio M. Di Nitto <fabbione at fabbione.net>
   libpam-radius-auth

Jan Christoph Nordholz <hesso at pool.math.tu-berlin.de>
   screen

Greg Norris <adric at debian.org>
   libpam-pwdfile

Alvaro Lopez Ortega <alvaro at gnu.org>
   cherokee

Erlang Packagers <erlang-pkg-devel at lists.berlios.de>
   yaws

Peter Palfrader <weasel at debian.org>
   uucp
   vlock

Eloy A. Paris <peloy at debian.org>
   ncpfs

Jose Parrella <joseparrella at cantv.net>
   libpam-rsa
   libpam-usb

Guilherme de S. Pastore <gpastore at debian.org>
   gnome-screensaver

Javier Fernandez-Sanguino Pen~a <jfs at computer.org>
   cron
   libpam-chroot

Christian Perrier <bubulle at debian.org>
   calife

Martin Pitt <mpitt at debian.org>
   postgresql-8.1
   postgresql-8.2

Cai Qian <caiqian at debian.org>
   linux-ftpd-ssl

Florian Ragwitz <rafl at debianforum.de>
   libauthen-pam-perl

Ganesan Rajagopal <rganesan at debian.org>
   ipsec-tools

Sebastian Rittau <srittau at debian.org>
   netatalk

Jose Luis Rivas <ghostbar38 at gmail.com>
   xscreensaver

Ghe Rivero <ghe at upsa.es>
   libuser

Piotr Roszatycki <dexter at debian.org>
   libapache2-mod-auth-pam

Ludovic Rousseau <rousseau at debian.org>
   muscleframework

Giuseppe Sacco <eppesuig at debian.org>
   hylafax

Riccardo Setti <giskard at autistici.org>
   aolserver4-nsimap

Shadow package maintainers <pkg-shadow-devel at lists.alioth.debian.org>
   shadow

Vladimir Shakhov <lumpen.intellectual at gmail.com>
   wdm

Guus Sliepen <guus at debian.org>
   rsh-redone

Jonas Smedegaard <dr at jones.dk>
   libmail-cclient-perl
   uw-imap

Roger So <rogerso at debian.org>
   im-sdk

Manoj Srivastava <srivasta at debian.org>
   policycoreutils
   refpolicy

Riccardo Stagni <unriccio at email.it>
   qingy

Michael Stone <mstone at debian.org>
   libpam-opie
   opie
   xlockmore

Debian Shishi Team <help-shishi at gnu.org>
   shishi

Andreas Tscharner <andy at vis.ethz.ch>
   cvsnt

Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>
   network-manager

Matej Vela <vela at debian.org>
   vsftpd

Jelmer Vernooij <jelmer at samba.org>
   pam-krb5-migrate

Paweł Więcek <coven at debian.org>
   pam-mysql

Carsten Wolff <carsten at wolffcarsten.de>
   php-auth-pam

Marco d'Itri <md at linux.it>
   inn2
   ppp

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
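
Added example, not part of the original message or of the Debian PAM packaging: a sketch of how a service file using the Debian-specific "@include" line maps onto the upstream "include" control discussed above. "@include" pulls in a whole file, while upstream "include" pulls in only the lines of one management group, so one "@include" becomes one line per group found in the target. The file names and contents in SAMPLE_FILES are constructed, and convert() and types_in() are hypothetical helper names.

```python
import re

TYPES = ("auth", "account", "password", "session")

# Constructed sample configuration, not taken from any real system.
SAMPLE_FILES = {
    "sshd": "# hypothetical service file\n"
            "auth       required     pam_env.so\n"
            "@include common-auth\n"
            "@include common-account\n"
            "session    required     pam_limits.so\n"
            "@include common-session\n",
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "common-account": "account required pam_unix.so\n",
    "common-session": "# comment only\nsession required pam_unix.so\n",
}

def types_in(name, files, parents=()):
    """Management groups used in a file, following nested @include lines."""
    found = []
    if name in parents or name not in files:   # include loop or missing file
        return found
    for line in files[name].splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "@include" and len(fields) > 1:
            nested = types_in(fields[1], files, parents + (name,))
        else:
            nested = [fields[0]] if fields[0] in TYPES else []
        found += [t for t in nested if t not in found]
    return found

def convert(service, files):
    """Rewrite each @include in a service file as per-type upstream includes."""
    out = []
    for line in files[service].splitlines():
        m = re.match(r"\s*@include\s+(\S+)\s*$", line)
        if not m:
            out.append(line)
            continue
        target = m.group(1)
        if target not in files:
            # Cannot tell which groups are needed; flag it for a human.
            out.append(f"# FIXME: {target} not found; left unchanged")
            out.append(line)
            continue
        out.extend(f"{t} include {target}" for t in types_in(target, files))
    return out

if __name__ == "__main__":
    print("\n".join(convert("sshd", SAMPLE_FILES)))
```

Each management group is an independent stack, so the converted file should still be compared against the original by testing every affected service, as the message asks.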