Bug#1056166: systemd-homed: `passwd` fails
Luca Boccassi
bluca at debian.org
Sun May 26 19:01:30 BST 2024
Control: tags -1 help
On Sun, 19 Nov 2023 23:48:46 +0100 Alexander Bochmann
<ab+debug at reg.gxis.de> wrote:
> Package: systemd-homed
> Version: 254.5-1~bpo12+2
> Followup-For: Bug #1056166
>
> Hello,
>
> I can confirm this problem still exists in bookworm and
> bookworm-backports:
>
> As soon as the Debian systemd-homed PAM configuration is activated
> by pam-auth-update, it's not possible to change passwords of
> users that come from /etc/passwd anymore.
>
> This seems to be due to a PAM misconfiguration. I don't understand
> enough of the Debian PAM setup to say why it doesn't work, but
> I tried replacing the rules with alternatives that I copied from
> an openSUSE Tumbleweed install, and using those it's possible to
> change details on users both from /etc/passwd and systemd-homed.

This is the pam config I ship:

# cat /usr/share/pam-configs/systemd-homed
Name: Enable user management by systemd-homed
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
        [success=end default=ignore] pam_systemd_home.so
Account-Type: Primary
Account:
        [success=end default=ignore] pam_systemd_home.so
Session-Type: Additional
Session:
        optional pam_systemd_home.so
Password-Type: Primary
Password:
        [success=end default=ignore] pam_systemd_home.so

For some reason, this results in the following change being applied to
/etc/pam.d/common-password:

-password [success=1 default=ignore] pam_unix.so obscure yescrypt
+password [success=2 default=ignore] pam_systemd_home.so
+password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
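
Review bot: on the added pam_unix.so line, use_authtok makes pam_unix take the new password from an earlier module instead of prompting for it, and the only earlier module is pam_systemd_home.so with default=ignore, so nothing supplies that password for the /etc/passwd users the report describes. With Priority: 257 placing the homed line first, the pam_unix.so line should stay free of use_authtok try_first_pass unless an earlier module in the stack always sets the token.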

The first line is fine, but the second is the issue.
I.e., use_authtok try_first_pass are added to pam_unix.so, which breaks
everything. Removing those manually fixes things again. I have no idea
where they are coming from... PAM experts, any idea?

--
Kind regards,
Luca Boccassi
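
A check for the stack shape described in the message above, as an added example that is not part of the original mail or of any Debian tooling: it flags a password-stack module carrying use_authtok when no earlier module is mandatory. The function names and the "mandatory earlier module" heuristic are assumptions made for this sketch, and the pam_pwquality stack is constructed for contrast.

```python
import re

# Stacks taken from the diff quoted in the message above.
BEFORE = "password [success=1 default=ignore] pam_unix.so obscure yescrypt\n"
AFTER = (
    "password [success=2 default=ignore] pam_systemd_home.so\n"
    "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt\n"
)
# Constructed sample: a mandatory module ahead of pam_unix.
PWQUALITY = (
    "password requisite pam_pwquality.so retry=3\n"
    "password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt\n"
)

LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_stack(text, mgmt="password"):
    """Yield (control, module, args) for each line of one management group."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lstrip("-") == mgmt:
            yield m.group(2), m.group(3), m.group(4).split()


def is_mandatory(control):
    """Heuristic (assumption): the stack cannot continue past this module on failure."""
    if control in ("required", "requisite"):
        return True
    if control.startswith("["):
        pairs = (kv.split("=", 1) for kv in control.strip("[]").split() if "=" in kv)
        return dict(pairs).get("default") in ("die", "bad")
    return False


def orphaned_use_authtok(text):
    """Return modules that use use_authtok with no mandatory module before them."""
    findings, fed = [], False
    for control, module, args in parse_stack(text):
        if "use_authtok" in args:
            if not fed:
                findings.append(module)
        elif is_mandatory(control):
            fed = True  # an earlier module is expected to have set the token
    return findings


if __name__ == "__main__":
    for name, stack in (("before", BEFORE), ("after", AFTER), ("pwquality", PWQUALITY)):
        print(name, orphaned_use_authtok(stack))
```
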
More information about the Pkg-systemd-maintainers
mailing list