RFE: Update pam to 0.99 or greater

 status Rejected

Dapper is in upstream version freeze. Please follow the correct process
for requesting an exception.

This request said nothing of Dapper. If it isn't fixed until after Dapper, that's fine. I don't know the procedure for requesting an exception, though I'm sure I could find it. But, it's probably not worth the risk for one little pam module. For now, I'm going to investigate packaging an older version of pam_keyring (before the changes which require pam >= 0.99).

Anyway, in summary, I don't see why we can't keep this item open.

pam_keyring would be really nice to be enabled by default, to give the user more of a "just works" sensation. If pam needs to be upgraded, it should be so in edgy. Maybe a specification for this ought to be written?

pam-keyring would be great... now edgy is out, can work on this get started there are no freezes, nothing stands in its way!

We don't have the resources at the moment to do this ourselves; we're reliant on Debian for the vast majority of our pam packaging, and they're not going to upgrade pam until etch is out. Once that's done, I expect we'll be able to move to 0.99 or greater.

It's possible to use libpam-keyring in feisty with /etc/pam.d/gdm this way (quoting /usr/share/doc/libpam-keyring/README.Debian ):

To enable this pam module, add the following line
at the end of every config file of pam services you use for logging in:
   @include common-pamkeyring
These config files are located in /etc/pam.d/

For more informations, please read /etc/pam.d/common-pamkeyring

There are some known limitations with this package:
  - The password of the "default" keyring must be the same as your login password.
  - There is currently no way to change the password of a gnome keyring.

 -- Laurent Bigonville <email address hidden> Thu, 8 Feb 2007 04:24:07 +0100

Since there seems to be no other reason to upgrade pam than to use pam_keyring and that's included in Feisty (http://packages.ubuntu.com/feisty/admin/libpam-keyring), I'm closing this. Feel free to reopen if necessary.

The point is to offer this functionality by default. I am not interested in third party solutions from the universe repo, I am interested in making Ubuntu a good experience out of the box. Unless you move the package from universe to the main repository and CD, I consider this bug unfixed.

I think we need a simple solution for everyone that works out of the box.

There are other potential reasons for updating pam to a newer version. One is that it's a security-related module, and there are bound to have been security fixes in the mean time. Another is new functionality; for example I need pam_exec -- which was added in 0.99.4.0 -- to solve https://answers.beta.launchpad.net/ubuntu/+ticket/4443

Some usuability bugs about the gnome-keyring have been reported as duplicates of this bug as well.

In general, I would rather expect arguments for _not_ using the latest package.
Upstream usually have good reasons to create a new version. They add functionality and bug-fixes. I'm a bit surprised that the proposed default here is to stick with the old package _again_. (this dates back to dapper)

In this case, it concerns stuff like not having to provide a default password for the keyring, nor being asked to supply one. Especially for laptop users, this fixes many crucial annoyances.

On 3/31/07, Ralf Nieuwenhuijsen <email address hidden> wrote:
> In this case, it concerns stuff like not having to provide a default
> password for the keyring, nor being asked to supply one. Especially for
> laptop users, this fixes many crucial annoyances.

libpam-keyring works fine in Feisty as is.

Andrew Conkling wrote:
> libpam-keyring works fine in Feisty as is.

Three usability bugs have been marked a duplicate of this bug.
This suggests updating pam/libpam-kerying would fix _those_ bugs.

So, there are two possibilities:

  - either the duplicate bugs are not really duplicates: the bug triager made a mistake
  - an updated version of libpam-keyring fixes those bugs

Which one is it? Please look at the duplicates for more information.

Does anyone know whether this will be in Gutsy in the future? At the present I still have to type in a lot of duplicate passwords.

The Debian Bug ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=360460 ) also has no new information.

Have a look at http://lists.debian.org/debian-devel/2007/06/msg00719.html

Debian patches has been merged with the last upstream version, but broke something. if someone with enough skills could have a look

I've started getting the 0.99 merge with Debian done. The first pass is available for testing with Gutsy for those interested: http://people.ubuntu.com/~kees/gutsy/

great :)

pam (0.99.7.1-4ubuntu1~ppa1) gutsy; urgency=low

  * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
    - debian/control, debian/local/common-session{,md5sums}: use
      libpam-foreground for session management.
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf.
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
      converting RLIMIT_NICE to the range of values used by the kernel.
      (Originally patch 101; converted to quilt.)
  * Dropped:
    - debian/rules: bashism fixes (merged upstream).
    - debian/control: Conflict on ancient nis (expired with Breezy).
    - debian/libpam-runtime.postinst: check for ancient pam (expired with
      Breezy).
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
      Left out of "series" for now (LP: #113586).

pam (0.99.7.1-4) unstable; urgency=low

  * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
    to fix the library skew, only reloaded; special-case this daemon in the
    postinst and remove the mention of it from the debconf template, also
    tightening the language of the debconf template in the process.
    Closes: #440074.
  * Add courier-authdaemon to the list of services that need to be
    restarted; thanks to Micah Anderson for reporting.
  * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
    garbage lines in /etc/environment and log an error, instead of failing
    with an obscure error; and ignore any PAM_BAD_ITEM values returned
    by pam_putenv(), since this is the expected error return when trying
    to delete a non-existent var. Closes: #439984.
  * Yet another thinko in hurd_no_setfsuid and in
    029_pam_limits_capabilities; this code should really be Hurd-safe at
    last...
  * getline() returns -1 on EOF, not 0; check this appropriately, to fix
    an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl
    <email address hidden> for the fix. Closes: #440019.
  * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
    debconf.
  * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
    errors about missing files or files with wrong permissions; these are
    real errors that should not be buried.
  * Drop the remainder of 061_pam_issue_double_free, not required for the
    original bugfix.
  * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
    we define CRACKLIB_DICTS in debian/rules.
  * Drop patch 063_paswd_segv, superseded by a different upstream fix
  * Split 047_pam_limits_chr...

Bleh. PPA upload caused this to auto-close. :(

For those of you interested in testing a gutsy PAM 0.99 package, please read and comment on bug 138047. Thanks!

pam (0.99.7.1-4ubuntu1) gutsy; urgency=low

  * Resynchronise with Debian (LP: #43169, #14505, #80431). Remaining changes:
    - debian/control, debian/local/common-session{,md5sums}: use
      libpam-foreground for session management.
    - debian/rules: install unix_chkpwd setgid shadow instead of setuid root.
      The nis package handles overriding this as necessary.
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
      present there or in /etc/security/pam_env.conf.
    - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
      type rather than __u8.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits. Bound
      RLIMIT_NICE from below as well as from above. Fix off-by-one error when
      converting RLIMIT_NICE to the range of values used by the kernel.
      (Originally patch 101; converted to quilt.)
    - debian/patches-applied/ubuntu-user_defined_environment: Look at
      ~/.pam_environment too, with the same format as
      /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
  * Dropped:
    - debian/rules: bashism fixes (merged upstream).
    - debian/control: Conflict on ancient nis (expired with Breezy).
    - debian/libpam-runtime.postinst: check for ancient pam (expired with
      Breezy).

pam (0.99.7.1-4) unstable; urgency=low

  * libpam0g.postinst, libpam0g.templates: gdm doesn't need to be restarted
    to fix the library skew, only reloaded; special-case this daemon in the
    postinst and remove the mention of it from the debconf template, also
    tightening the language of the debconf template in the process.
    Closes: #440074.
  * Add courier-authdaemon to the list of services that need to be
    restarted; thanks to Micah Anderson for reporting.
  * New patch pam_env_ignore_garbage.patch: fix pam_env to really skip over
    garbage lines in /etc/environment and log an error, instead of failing
    with an obscure error; and ignore any PAM_BAD_ITEM values returned
    by pam_putenv(), since this is the expected error return when trying
    to delete a non-existent var. Closes: #439984.
  * Yet another thinko in hurd_no_setfsuid and in
    029_pam_limits_capabilities; this code should really be Hurd-safe at
    last...
  * getline() returns -1 on EOF, not 0; check this appropriately, to fix
    an infinite loop in pam_rhosts_auth. Thanks to Stephan Springl
    <email address hidden> for the fix. Closes: #440019.
  * Use ${misc:Depends} for libpam0g, so we get a proper dependency on
    debconf.
  * 019_pam_listfile_quiet: per discussion with upstream, don't suppress
    errors about missing files or files with wrong permissions; these are
    real errors that should not be buried.
  * Drop the remainder of 061_pam_issue_double_free, not required for the
    original bugfix.
  * Drop patch 064_pam_unix_cracklib_dictpath, which is not needed now that
    we define CRACKLIB_DICTS in debian/rules.
  * Drop patch 063_paswd_segv, superseded by a different upstream fix
  * Split 047_pam_limits_chroot_string_value up between
    008_modules_pam_limits_...