| Summary: | gdm still tries to load pam_cracklib which has been deprecated | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | RPM Packages | Assignee: | Marc Krämer <mageia> |
| Status: | REOPENED --- | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, jani.valimaa |
| Version: | Cauldron | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | gdm-43.0-1.mga9 | CVE: | |
| Status comment: | | | |

Description
Marc Krämer
2022-12-16 14:58:00 CET
Just checked my own system journal, which shows also:

```
Rha 16 20:03:40 gdm-password][2191]: PAM unable to dlopen(/usr/lib64/security/pam_cracklib.so): /usr/lib64/security/pam_cracklib.so: cannot open shared object file: No such file or directory
Rha 16 20:03:40 gdm-password][2191]: PAM adding faulty module: /usr/lib64/security/pam_cracklib.so
```

followed by:

```
Rha 16 20:03:40 gdm-password][2191]: pam_succeed_if(gdm-password:auth): requirement "user ingroup nopasswdlogin" not met by user "lewis"
```

This is using GDM to Xfce, but no adverse effects.

I cannot find where this library comes from exactly. The nearest I found was:
webmin:/usr/share/webmin/pam/pam_cracklib.so.pl
but doubt this is the one.

Assigning globally, but whatever it is it does not seem to matter.

Summary: PAM: log entry => PAM: errors in journal re '/usr/lib64/security/pam_cracklib.so'

gdm still tries to load pam_cracklib which has been obsoleted and removed from lib64pam0.

```
# grep -r cracklib /etc/pam.d/*
/etc/pam.d/gdm-smartcard:password requisite pam_cracklib.so try_first_pass retry=3 type=
```

Attempts to load the library have been removed from sddm, but not from gdm.

Source RPM: pam-1.5.2-2.mga9.src.rpm => gdm-43.0-1.mga9

so it should be removed from gdm-pam plugin as well.

(In reply to Marc Krämer from comment #3)
> so it should be removed from gdm-pam plugin as well.

Yes.
Marc Krämer
2022-12-17 18:59:50 CET
Assignee: pkg-bugs => mageia

It is just an mga patch from 2016. building.

Status: NEW => RESOLVED

Reopening, but feel free to close again if there's a technical justification for it.

pam_pwquality replaced pam_cracklib so I think simply removing all pam_cracklib occurrences isn't what we really want. According to pam_pwquality man page:

"This module can be plugged into the password stack of a given service to provide some plug-in strength-checking for passwords. The code was originally based on pam_cracklib module and the module is backwards compatible with its options."

CC: (none) => jani.valimaa

@Jani: if we want this, shouldn't it be added to system-auth instead of every service itself?

(In reply to Marc Krämer from comment #8)
> @Jani: if we want this, shouldn't it be added to system-auth instead of
> every service itself?

It's already there, but 'every service itself' must have at least 'password include system-auth' to make it work.

hmm, ok. So we have to check for every service in /etc/pam.d if it includes this and update that package? I'd say, go ahead - I don't usually change pam, so I might make mistakes here.

I don't think there are many such pkgs left, but at least the patch in gdm should be reviewed.
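
The per-service check raised at the end of the thread (which files in /etc/pam.d still reference pam_cracklib.so, and which lack `password include system-auth`), written out as an added example that is not part of the bug report or of any Mageia package. The function names and the sample directory are assumptions made for the illustration; only the gdm-smartcard line is taken from the report.

```shell
#!/bin/sh
# Added example: audit a PAM service directory for the two conditions
# discussed in this report. Pass /etc/pam.d to check a real system.

# Print "service: line" for every active (uncommented) line that still
# references the removed pam_cracklib.so module.
find_stale_cracklib() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            { sub(/#.*/, "") }                    # ignore commented-out entries
            /pam_cracklib\.so/ { print svc ": " $0 }
        ' "$f"
    done
}

# Print every service whose password stack does not pull in system-auth,
# and therefore does not inherit the password-quality check configured there.
find_missing_password_include() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = system-auth ] && continue
        awk '
            { sub(/#.*/, "") }
            $1 ~ /^-?password$/ && $2 ~ /^(include|substack)$/ &&
                $3 == "system-auth" { ok = 1 }
            END { exit !ok }
        ' "$f" || echo "${f##*/}"
    done
}

# Constructed sample directory: the gdm-smartcard line is the one quoted in
# the report, the other two files are made up for the demonstration.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf '%s\n' 'password requisite pam_cracklib.so try_first_pass retry=3 type=' \
    > "$SAMPLE/gdm-smartcard"
printf '%s\n' '# password requisite pam_cracklib.so' 'password include system-auth' \
    > "$SAMPLE/sddm"
printf '%s\n' 'password requisite pam_pwquality.so try_first_pass retry=3' \
    > "$SAMPLE/system-auth"

echo "Stale pam_cracklib references:"
find_stale_cracklib "$SAMPLE"
echo "Services without 'password include system-auth':"
find_missing_password_include "$SAMPLE"
```

A service listed by the second function may legitimately have no password stack at all, so that list is a starting point for review rather than a list of defects.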