Bug 1171003 - use common-auth/common-account for pam configuration
use common-auth/common-account for pam configuration
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Virtualization:Tools
Current
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Kirk Allan
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-05-01 22:12 UTC by Oliver Kurth
Modified: 2020-08-03 14:37 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Oliver Kurth 2020-05-01 22:12:04 UTC
Currently, open-vm-tools ships with a simple pam config that tries to work in different OSes. However, if a user intends to configure pam authentication for a range of services in the VM, they would need to edit the vmtoolsd pam config file too. To make it easier, the package should install this for /etc/pam.d/vmtoolsd:

auth     required       pam_shells.so
auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]    pam_securetty.so
auth     include        common-auth
account  include        common-account

This is as recommended in this kb article: https://kb.vmware.com/s/article/78251

For future versions of open-vm-tools we are planning to ship pam config files that are suited for specific OSes, like SLE/OpenSuSE and others.
Comment 1 Kirk Allan 2020-05-07 14:37:42 UTC
Just to make sure I'm understanding correctly, we want to replace the contents of scripts/linux/pam.d/vmtoolsd with the lines mentioned here in the bug.  Then when open-vm-tools is installed/updated, the new vmtoolds will be placed in /etc/pam.d.  Is this correct?

Thanks.
Comment 2 Oliver Kurth 2020-05-07 16:29:56 UTC
Yes. /etc/pam.d/vmtoolsd should be replaced with the shown content.

The idea is that the settings in 'common-auth' and 'common-account' will be used by the 'include' statement.
Comment 3 Kirk Allan 2020-05-12 16:58:23 UTC
Created patch with the contents from the description.
Comment 6 Kirk Allan 2020-06-15 15:33:29 UTC
Is this patch causing the Bug 1172693?
Comment 7 Oliver Kurth 2020-06-16 22:46:31 UTC
(In reply to Kirk Allan from comment #6)
> Is this patch causing the Bug 1172693?

As per PM, yes confirmed.

We did additional tests with the pam config with the line containing "pam_securetty" removed, and it fixes the problem with bug #1172693. So please go ahead with that line removed.

Sorry for missing this earlier.
Comment 8 Kirk Allan 2020-06-17 18:09:36 UTC
Removed line 'pam_securetty.so' from the pam patch and submitted.
Comment 11 Sergio Rafael Lemke 2020-07-13 12:55:33 UTC
Hello, Im curently testing the open-vm-tools update candidate for SLE15.1 and would like to double check on the output:

open-vm-tools: 11.0.5-3.14.1
d208:~ # grep pam /etc/pam.d/vmtoolsd
auth       required         pam_shells.so
auth       sufficient       pam_unix.so shadow
auth       required         pam_unix_auth.so shadow
account    required         pam_shells.so
account    sufficient       pam_unix.so
account    required         pam_unix_acct.so
d208:~ #

--------

open-vm-tools: 11.1.0-3.17.1
d208:/var/log # grep pam /etc/pam.d/vmtoolsd
auth     required       pam_shells.so
auth     requisite      pam_nologin.so
d208:/var/log # 

thanks!
Comment 12 Kirk Allan 2020-07-13 14:25:09 UTC
(In reply to Sergio Rafael Lemke from comment #11)
> Hello, Im curently testing the open-vm-tools update candidate for SLE15.1
> and would like to double check on the output:
> 
> open-vm-tools: 11.0.5-3.14.1
> d208:~ # grep pam /etc/pam.d/vmtoolsd
> auth       required         pam_shells.so
> auth       sufficient       pam_unix.so shadow
> auth       required         pam_unix_auth.so shadow
> account    required         pam_shells.so
> account    sufficient       pam_unix.so
> account    required         pam_unix_acct.so
> d208:~ #
> 
> --------
> 
> open-vm-tools: 11.1.0-3.17.1
> d208:/var/log # grep pam /etc/pam.d/vmtoolsd
> auth     required       pam_shells.so
> auth     requisite      pam_nologin.so
> d208:/var/log # 

Yes that is the correct output. See bug #1172693 and kb article: https://kb.vmware.com/s/article/78251

> 
> thanks!
Comment 13 Swamp Workflow Management 2020-07-15 13:21:11 UTC
SUSE-RU-2020:1916-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    open-vm-tools-11.1.0-4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    open-vm-tools-11.1.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-07-15 13:22:12 UTC
SUSE-RU-2020:1917-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    open-vm-tools-11.1.0-4.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-07-17 19:13:56 UTC
SUSE-RU-2020:1951-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    open-vm-tools-11.1.0-3.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    open-vm-tools-11.1.0-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2020-07-18 22:16:27 UTC
openSUSE-RU-2020:0995-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
openSUSE Leap 15.2 (src):    open-vm-tools-11.1.0-lp152.3.3.1
Comment 17 Swamp Workflow Management 2020-07-23 10:20:52 UTC
openSUSE-RU-2020:1038-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    open-vm-tools-11.1.0-lp151.2.15.1
Comment 18 Kirk Allan 2020-08-03 14:37:22 UTC
The pam update should now be available in TW and SLES maintenance channels.