system-auth file - virtualmin modified?

Hi, I got the following warnings during an update:

[code:1]warning: /etc/yum.repos.d/CentOS-Base.repo created as /etc/yum.repos.d/CentOS-Base.repo.rpmnew
warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew
warning: /etc/modprobe.d/blacklist-firewire created as /etc/modprobe.d/blacklist-firewire.rpmnew
warning: /etc/smartd.conf created as /etc/smartd.conf.rpmnew[/code:1]

Of particular note to me were the system-auth changes. I’m not really sure what the “pam_succeed_if.so uid >= 500 quiet” et al. are for. Here’s what the diff looks like…

[code:1][root@server etc]# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.rpmnew
5,6c5
< auth sufficient pam_unix.so nullok try_first_pass
< auth requisite pam_succeed_if.so uid >= 500 quiet

> auth sufficient pam_unix.so try_first_pass nullok
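Review bot: the only substantive change in this hunk is the dropped "auth requisite pam_succeed_if.so uid >= 500 quiet" line; the pam_unix.so line merely swaps the order of nullok and try_first_pass. Before adopting the new file, check which auth rules follow pam_unix.so in it (they are not visible in this diff), because the uid >= 500 gate ahead of them disappears.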
10,11d8
< account sufficient pam_succeed_if.so uid < 500 quiet
< account required pam_permit.so
13,14c10,11
< password requisite pam_cracklib.so try_first_pass retry=3
< password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

> password required pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow[/code:1]
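
Review bot: in the last hunk the pam_cracklib.so rule changes from requisite to required, so a rejected password no longer ends the password stack at that line and the pam_unix.so rule below it still runs, although the overall result remains a failure. The pam_unix.so line itself only reorders its arguments (md5, shadow, nullok, try_first_pass and use_authtok are all still present). If the immediate stop is wanted, keep requisite on the cracklib line when merging.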

Anyone know if it’s okay for me to apply the new rpm? Are any of these settings related to virtualmin?

None are related to Virtualmin.

I’m sure the CentOS/RHEL folks know what they’re doing. At least, I hope so, since we’re all trusting them. :wink:

I see this file too. Can I just rename /etc/pam.d/system-auth to /etc/pam.d/system-auth.old and /etc/pam.d/system-auth.rpmnew to /etc/pam.d/system-auth?

Yeah, that’d work. I’m not sure what it’s intended to correct, but, again, I guess they know what they’re doing.

Oh, but even though we trust the Red Hat folks, I would suggest testing logins after making the change before ending your root session (e.g. start up another ssh session and make sure you can log in). I don’t think system-auth has any impact on Webmin’s logins, even if you’re using PAM with Webmin, so you could probably fix any problems via Webmin… but better to be safe when talking about a remote server and PAM.

(For those having no idea what I’m talking about: PAM is the pluggable authentication modules system, which provides the mechanisms by which users are authenticated, or logged into, a Linux or UNIX system. If PAM is broken, logins will be broken. So, it is a potentially dangerous thing to tinker with.)
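
An added example, not part of the thread: before swapping the two files as discussed above, this sketch compares them rule by rule with module arguments sorted, so lines that differ only in argument order (as both pam_unix.so lines in the diff do) drop out and only real rule changes remain. The function names and sample files are constructed for illustration; it assumes arguments are order-independent flags, except pam_succeed_if conditions.

```shell
# Added example (not from the thread). Assumption: module arguments are
# order-independent flags, except pam_succeed_if conditions (kept in order).
pam_normalize() {  # print "type control module args..." with args sorted
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        {
            n = 0
            for (i = 4; i <= NF; i++) args[++n] = $i
            if ($3 !~ /pam_succeed_if/)   # insertion sort, string order
                for (i = 2; i <= n; i++) {
                    v = args[i]
                    for (j = i - 1; j >= 1 && (args[j] "") > (v ""); j--)
                        args[j + 1] = args[j]
                    args[j + 1] = v
                }
            line = $1 " " $2 " " $3
            for (i = 1; i <= n; i++) line = line " " args[i]
            print line
        }' "$1"
}
# Diff the normalized stacks. Rule order is preserved because PAM evaluates
# rules top to bottom. Returns 0 if equivalent, 1 if rules really differ.
pam_semantic_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    pam_normalize "$1" > "$a"; pam_normalize "$2" > "$b"
    rc=0; diff "$a" "$b" || rc=$?
    rm -f "$a" "$b"
    return "$rc"
}
# Constructed samples: only the lines visible in the diff in the first post.
write_samples() {
    cat > "$1/system-auth" <<'EOF'
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF
    cat > "$1/system-auth.rpmnew" <<'EOF'
auth sufficient pam_unix.so try_first_pass nullok
password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
EOF
}
d=$(mktemp -d) && write_samples "$d"
pam_semantic_diff "$d/system-auth" "$d/system-auth.rpmnew" || true
rm -rf "$d"
```

Against the real files this would be run as pam_semantic_diff /etc/pam.d/system-auth /etc/pam.d/system-auth.rpmnew, with the existing root session kept open while a fresh login is tested.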