Bug #2873
[i686/pambase] 20200721.1-2.nonsystemd1.any introduces system breakage across the board due to pam missing 'pam_faillock.so' module in pam.1.3.1-1.3.par1.i686
0%
Description
Changes in /etc/pam.d/system-auth present in the 20200721.1-2.nonsystemd1 package for pambase causes 'Module is unknown' errors from all tools and services authenticating via it, as it attempts to invoke pam_faillock.so, which does not exist in the most recent pam version for 32 bit (still at 1.3.1-1.3 – whereas pam_faillock was introduced in 1.4.0.)
e.g:
- sudo[29894]: martin : PAM authentication error: Module is unknown ; TTY=pts/9 ; PWD=/home/martin ; USER=root ; COMMAND=/usr/bin/pwd - dovecot[21651]: auth-worker(21713): pam(martin,192.168.2.1, <Rup9NYutxLTAqAIB>): pam_authenticate() failed: Module is unknown
This is quite serious; as it prevents anyone from authenticating to the system once the pam.d changes are in place. Please ensure that the corresponding pam package is upgraded at the same time or even before introducing system-breaking changes such as this.
History
Updated by bill-auger over 3 years ago
- Assignee set to Megver83
- Description updated (diff)
i think this is caused by pam 1.3.1 in i686 [libre] - https://www.parabola.nu/packages/libre/i686/pam/
pam 1.4.0-3.0 is in i686 [core] though, so you can probably fix this by installing it explicitly
# pacman -Sy core/pam
'pam' is not on the blacklist; so im not sure why 'pam' was ever in [libre]; but it has not been upgraded since 2018 - i noticed that (1.3.1) is still the version of 'lib32-pam' in x86_64 [multilib] though
Updated by bill-auger over 3 years ago
- Subject changed from [!!] pambase 20200721.1-2.nonsystemd1.any introduces system breakage across the board due to pam missing 'pam_faillock.so' module in pam.1.3.1-1.3.par1.i686 to [i686/pambase] 20200721.1-2.nonsystemd1.any introduces system breakage across the board due to pam missing 'pam_faillock.so' module in pam.1.3.1-1.3.par1.i686
Updated by Megver83 over 3 years ago
this was announced in the Arch Linux 32 news: https://bbs.archlinux32.org/viewtopic.php?pid=7335#p7335
solution is to downgrade pambase or update to pam 1.4
As bill-auger says, it might be libre/pam, which idk why is it there (maybe due to a past issue like this?). I just removed it. Try doing pacman -Syu from a live USB/CD and reboot, I did that and it worked.
Updated by Drag0nFly over 3 years ago
This was indeed the issue. I did check the Parabola news site, which came up empty. Saw the comment regarding the Arch Linux 32 news site just now. Whenever this happens any proposed solution(s) will go to /dev/null temporarily as this server is acting as the primary gateway and firewall (no internet during outage).
Thanks for the quick replies. Could this not also have been achieved by adding a dependency to pam_faillock in the PKGBUILD? -
e.g:
package_pambase {
depends=(
security/pam_faillock.so
or something similar.
Updated by bill-auger over 3 years ago
i assume that .so was not in the previous pam package - they needed to be upgraded together