Watch out: `pam` 1.4.0 may require manual intervention (pam_tally dropped)

jonathon · August 19, 2020, 8:32pm

pam has been updated and the tally and tally2 modules were dropped. If these modules are present in your /etc/pam.d/system-login then your login will fail despite a correct user/pass (both in DM and terminal).

If you have altered the file contents in the past (e.g. you set up login via fingerprint reader) then pacman won’t replace it with the new version.

If you don’t make the change before rebooting then entering single-user mode (or using a chroot) will get you into the system, where you can edit /etc/pam.d/system-login:

 #%PAM-1.0
 
-auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
 auth       required   pam_shells.so
 auth       requisite  pam_nologin.so
 auth       include    system-auth
 
-account    required   pam_tally2.so 
 account    required   pam_access.so
 account    required   pam_nologin.so

(remove the highlighted lines!)

You can also remove /var/log/tallylog if it’s still present.

Bug report here: https://bugs.archlinux.org/task/67641

Solution: merge the pacnew,

keybreak · August 19, 2020, 8:34pm

Are you sure you haven’t accidentaly sudo rm -rf /etc/shadow ?

Thx for headsup!

manuel · August 19, 2020, 8:46pm

I have updated pam in a VM, and login is OK.
I don’t have /etc/pam.d/system-login.pacnew, if that is what you are referring to.

joekamprad · August 19, 2020, 8:49pm

i will see that on 3 systems now …

jonathon · August 19, 2020, 8:52pm

It might depend how old the installation is, and therefore how old the system-login file was?

manuel · August 19, 2020, 8:55pm

It was probably from May.

jonathon · August 19, 2020, 8:56pm

Mine was from… uh… 2017?

manuel · August 19, 2020, 8:58pm

OK, I’ll reboot my main machine now. If I never come here again, this is the reason!

Kresimir · August 19, 2020, 9:00pm

It’s been an honour, and a pleasure, sir! Godspeed!

manuel · August 19, 2020, 9:00pm

That reboot was too easy…

Kresimir · August 19, 2020, 9:01pm

Well, that was a bit anticlimactic…

BONK · August 19, 2020, 9:02pm

All is well here on plasma.

pebcak · August 19, 2020, 9:10pm

No problem on Cinnamon.
Installation yet to turn three weeks.

jonathon · August 19, 2020, 9:12pm

Ah, I know why it’s not affecting most people - I must have edited the file at some point (something to do with cgfs…?), so pacman didn’t automatically replace it. Setting up e.g. a fingerprint reader would have the same effect.

If you’ve never edited the file then pacman will happily replace it without creating a pacnew.

Makes sense.

Bryanpwo · August 19, 2020, 9:21pm

I wanted to react before, because I have an installation from late 2016 and I didn’t have any issues either with the pam update.

Mr_Ecks · August 19, 2020, 9:33pm

I can confirm that everything is kool* here on Plasma.

*joke with KDE on the receiving end (Kool Desktop Environment); I kid you not!).

anon22434355 · August 20, 2020, 1:33am

After updating, I checked /etc/pam.d/system-login. The lines mentioning pam_tally2.so are gone without manual intervention.

otherbarry · August 20, 2020, 5:34am

Getting PAM systemd-homed errors on boot after PAM and SDDM update.

systemd[1108]: pam_systemd_home(systemd-user:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
sddm-helper[1247]: pam_systemd_home(sddm:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
systemd[1249]: pam_systemd_home(systemd-user:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.

Apparently they are benign, caused by the systemd-homed service not running. Doesn’t take into account if you don’t use systemd-homed.

https://bbs.archlinux.org/viewtopic.php?id=258297

Annoying to have so many errors on boot, benign or not.

EDIT :

Also getting sudo PAM errors referencing the non existent systemd-homed service.

sudo[2029]: pam_systemd_home(sudo:auth): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
sudo[2029]: pam_systemd_home(sudo:auth): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
sudo[2029]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
sudo[2107]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
sudo[2250]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
sudo[2387]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.

Sudo commands working fine though, error message is also benign.