Product SiteDocumentation Site

1.168.  pam

1.168.1.  RHBA-2009:1358: bug fix and enhancement update

Updated pam packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 5.
Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication.
These updated pam packages provide fixes for the following bugs:
  • when called from a screensaver running under a non-zero UserID, the pam_tally2 module could repeatedly prompt for the user's password and then log the following error to syslog: "Error opening /var/log/tallylog for update: Permission denied". With this update, pam_tally2 correctly ignores failures to open the tallylog in this situation. (BZ#429169)
  • the pam_access module unnecessarily attempted to resolve entries listed in the access.conf file through DNS lookups, even if the service was not called from a network. The pam_access module has been changed so that it does not attempt to resolve the origins of entries in access.conf which do not contain an IP address or an IP addresses and a netmask value. (BZ#459057)
  • the pam_keyinit module did not save the UserID (UID) of the process during session close, which made it unable to switch back to that original UID. An error message was output to the system log in that case. The UID is now correctly saved with these updated packages, which makes the spurious log message disappear. (BZ#466411)
  • the pam_filter module was not able to open a new pseudoterminal, which prevented the module from functioning properly. With this update, pam_filter is able to open new pseudoterminals. (BZ#473970)
  • when the "open_tty" module was used in combination with the "pam_tty_audit" module in the system-auth pam configuration file, pam_tty_audit could segmentation fault if the "open_only" option was set and the open_tty module was called by the "su" command or another utility. (BZ#476833)
  • the "smbpasswd" utility allows a user to change their encrypted SMB password, which is stored in the smbpasswd file. However, it was not possible for non-root users to change their password with "smbpasswd" due to overly strict checking in the helper of the pam_unix module. This has been corrected so that users can once again change their SMB passwords using "smbpasswd". (BZ#476904)
  • the coreutils package was listed incorrectly as a prerequisite requirement for the pam packages instead of a post-install requirement. This dependency statement has been corrected in these updated packages. (BZ#497570)
In addition, these updated packages provide the following enhancements:
  • Gnome Display Manager's (GDM's) accessibility features did not function correctly when an audio device was not properly configured. The configuration file for console device modes now sets audio devices as owned by the "audio" group if there is no console user. This provides support for accessible login with GDM. (BZ#244688)
  • the pam_tally2 module now supports a new option that allows serialized access to the /var/log/tallylog file. Enabling this option prevents possible failed authentication when two separate processes attempt to authenticate nearly simultaneously when the lock_time option ("always deny for n seconds after a failed attempt") is set to a value of one or greater. (BZ#455217)
  • these updated pam packages provide a new PAM module, pam_faildelay, which can read the "FAIL_DELAY" value from the /etc/login.defs configuration file and set the amount of delay between login prompts following a failed login attempt to that value. (BZ#476217)
  • these updated pam packages provide a new PAM module, pam_pwhistory, which saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently. (BZ#451085)
Users are advised to upgrade to these updated pam packages, which resolve these issues and add these enhancements.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.