-rw-r--r--debian/libpam-modules.preinst13
-rw-r--r--debian/libpam-modules.templates12
2 files changed, 23 insertions, 2 deletions
diff --git a/debian/libpam-modules.preinst b/debian/libpam-modules.preinst
index 3102b6a6..25623fe8 100644
--- a/debian/libpam-modules.preinst
+++ b/debian/libpam-modules.preinst
@@ -36,7 +36,18 @@ handle_profiles_with_removed_modules() {
if dpkg --compare-versions "$2" lt-nl 1.4.0-2; then
db_version 2.0
- handle_profiles_with_removed_modules pam_tally
+ handle_profiles_with_removed_modules pam_tally
+ # We have a generic template for removing pam-profiles because
+ # there is a sane automatic action. If we detect the modules in
+ # user configurations we want a specific template so we can
+ # recommend a replacement
+ # /dev/null reference is to make sure we don't grep stdin if
+ # somehow ls returns empty
+ if grep -qe '^[^#]*pam_tally' $(ls -1d /etc/pam.d/* | grep -e '^/etc/pam.d/[0-9a-zA-Z/]*$' ) /dev/null ; then
+ db_input critical libpam-modules/deprecate-tally ||true
+ db_go ||true
+ exit 2
+ fi
if pidof xscreensaver xlockmore >/dev/null; then
db_input critical libpam-modules/disable-screensaver || true
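Review bot: The path filter `grep -e '^/etc/pam.d/[0-9a-zA-Z/]*$'` on the added `if grep -qe` line has no `-` or `_` in its character class, so any file under /etc/pam.d whose name contains a hyphen or underscore is never searched for pam_tally. Debian's shared stacks use hyphenated names (the `common-*` files), and a lockout module is likely to be configured there, so the check can pass and the upgrade can proceed with pam_tally still referenced, which is the lockout the new template warns about. If the class is only meant to skip backups such as `*.dpkg-old` or `*~`, widen it to `grep -e '^/etc/pam.d/[0-9a-zA-Z_-]*$'` and add a comment saying which names are excluded on purpose. The enclosing version-check block starts and ends outside the hunk.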
diff --git a/debian/libpam-modules.templates b/debian/libpam-modules.templates
index 491bc5c1..fcc9e2d6 100644
--- a/debian/libpam-modules.templates
+++ b/debian/libpam-modules.templates
@@ -15,4 +15,14 @@ _Description: PAM Profiles with Deprecated Modules Disabled
modules. These modules have been removed from PAM. Leaving these PAM
profiles enabled would prevent users from accessing your system. As a
result, these profiles have been disabled.
- \ No newline at end of file
+
+Template: libpam-modules/deprecate-tally
+Type: error
+_Description: you are using pam_Tally or pam_tally2 in your configuration
+ The pam_tally and pam_tally2 modules have been removed from PAM. You
+ are using one of these modules in your PAM configuration in
+ /etc/pam.d. You must remove the uses of these modules before PAM can
+ be upgraded; including these modules in your PAM configuration after
+ the upgrade will stop users from being able to log into the system.
+ .
+ Consider the pam_faillock module as a replacement for pam_tally.
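Review bot: The short description spells the module `pam_Tally`, while the long description and the preinst check use `pam_tally`; an administrator who searches /etc/pam.d for the string shown in the dialog title needs the exact name. Suggest `_Description: pam_tally or pam_tally2 is used in your PAM configuration`. The field is marked translatable, so correcting it before translations are made keeps the typo out of the localized templates.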