[Bug 2063257] [NEW] Noble: default pam config for login tries do load non-existent pam_lastlog.so

Andreas Hasenack 2063257 at bugs.launchpad.net
Tue Apr 23 20:26:24 UTC 2024 

Public bug reported:

pam_lastlog.so was dropped by upstream in 1.5.3[1][4]. It's still there
in the code, but not built by default.

And indeed, in noble (1.5.3) we don't have it, while mantic (1.5.2)
does.

This does not prevent console logins, but generates an error in the logs:
Apr 23 20:02:09 n1 login[835]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
Apr 23 20:02:09 n1 login[835]: PAM adding faulty module: pam_lastlog.so

Debian's shadow package is also still shipping this config[2].

If you think we should re-enable pam_lastlog, then this becomes a bug in
the src:pam package, but keep in mind upstream is keen on removing it,
and we might be better off switching to an alternative, perhaps
pam_lastlog2[3].

1. https://github.com/linux-pam/linux-pam/blob/cec36a8cd2c69cc87eacc21da471334fbef128ee/NEWS#L65
2. https://salsa.debian.org/debian/shadow/-/blob/master/debian/login.pam?ref_type=heads#L82
3. https://wiki.debian.org/PamLastlog2
4. https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816

** Affects: shadow (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shadow (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: shadow (Debian)
     Importance: Unknown
         Status: Unknown

** Summary changed:

- Default pam config for login tries do load non-existent pam module pam_lastlog.so
+ Noble: default pam config for login tries do load non-existent pam module pam_lastlog.so

** Also affects: shadow (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Summary changed:

- Noble: default pam config for login tries do load non-existent pam module pam_lastlog.so
+ Noble: default pam config for login tries do load non-existent pam_lastlog.so

** Description changed:

  pam_lastlog.so was dropped by upstream in 1.5.3[1]. It's still there in
  the code, but not built by default.
  
  And indeed, in noble (1.5.3) we don't have it, while mantic (1.5.2)
  does.
  
- 
  This does not prevent console logins, but generates an error in the logs:
  Apr 23 20:02:09 n1 login[835]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
  Apr 23 20:02:09 n1 login[835]: PAM adding faulty module: pam_lastlog.so
  
+ Debian's shadow package is also still shipping this config[2].
  
- Debian's shadow package is also still shipping this config[2].
+ If you think we should re-enable pam_lastlog, then this becomes a bug in
+ the src:pam package, but keep in mind upstream is keen on removing it,
+ and we might be better off switching to an alternative, perhaps
+ pam_lastlog2[3].
  
  
  1. https://github.com/linux-pam/linux-pam/blob/cec36a8cd2c69cc87eacc21da471334fbef128ee/NEWS#L65
  2. https://salsa.debian.org/debian/shadow/-/blob/master/debian/login.pam?ref_type=heads#L82
+ 3. https://wiki.debian.org/PamLastlog2

** Bug watch added: Debian Bug tracker #1068229
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068229

** Also affects: shadow (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068229
   Importance: Unknown
       Status: Unknown

** Description changed:

- pam_lastlog.so was dropped by upstream in 1.5.3[1]. It's still there in
- the code, but not built by default.
+ pam_lastlog.so was dropped by upstream in 1.5.3[1][4]. It's still there
+ in the code, but not built by default.
  
  And indeed, in noble (1.5.3) we don't have it, while mantic (1.5.2)
  does.
  
  This does not prevent console logins, but generates an error in the logs:
  Apr 23 20:02:09 n1 login[835]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
  Apr 23 20:02:09 n1 login[835]: PAM adding faulty module: pam_lastlog.so
  
  Debian's shadow package is also still shipping this config[2].
  
  If you think we should re-enable pam_lastlog, then this becomes a bug in
  the src:pam package, but keep in mind upstream is keen on removing it,
  and we might be better off switching to an alternative, perhaps
  pam_lastlog2[3].
  
- 
  1. https://github.com/linux-pam/linux-pam/blob/cec36a8cd2c69cc87eacc21da471334fbef128ee/NEWS#L65
  2. https://salsa.debian.org/debian/shadow/-/blob/master/debian/login.pam?ref_type=heads#L82
  3. https://wiki.debian.org/PamLastlog2
+ 4. https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2063257

Title:
  Noble: default pam config for login tries do load non-existent
  pam_lastlog.so

Status in shadow package in Ubuntu:
  New
Status in shadow source package in Noble:
  New
Status in shadow package in Debian:
  Unknown

Bug description:
  pam_lastlog.so was dropped by upstream in 1.5.3[1][4]. It's still
  there in the code, but not built by default.

  And indeed, in noble (1.5.3) we don't have it, while mantic (1.5.2)
  does.

  This does not prevent console logins, but generates an error in the logs:
  Apr 23 20:02:09 n1 login[835]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
  Apr 23 20:02:09 n1 login[835]: PAM adding faulty module: pam_lastlog.so

  Debian's shadow package is also still shipping this config[2].

  If you think we should re-enable pam_lastlog, then this becomes a bug
  in the src:pam package, but keep in mind upstream is keen on removing
  it, and we might be better off switching to an alternative, perhaps
  pam_lastlog2[3].

  1. https://github.com/linux-pam/linux-pam/blob/cec36a8cd2c69cc87eacc21da471334fbef128ee/NEWS#L65
  2. https://salsa.debian.org/debian/shadow/-/blob/master/debian/login.pam?ref_type=heads#L82
  3. https://wiki.debian.org/PamLastlog2
  4. https://github.com/linux-pam/linux-pam/commit/357a4ddbe9b4b10ebd805d2af3e32f3ead5b8816

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2063257/+subscriptions

More information about the foundations-bugs mailing list