libxcrypt:

  • New upstream release.
  • Add a patch to fix o_size calculation for gensalt_yescrypt_rn.

pam:

  • Add a patch to not use crypt_checksalt for password expiration.

Reboot Required
After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --advisory=FEDORA-2021-e6916d6758

This update has been submitted for testing by besser82.

5 months ago

This update's test gating status has been changed to 'failed'.

5 months ago

This update's test gating status has been changed to 'waiting'.

5 months ago

This update's test gating status has been changed to 'failed'.

5 months ago

adamwill commented & provided feedback 5 months ago

There appears to be a real bug here that openQA is catching. Somehow, live images built with this update included just do not boot successfully, neither KDE nor GNOME ones. They get stuck partway through boot.

It really does seem to be specific to this update, because the same tests run on both earlier and later updates have passed; if the bug was introduced by some other change, the tests would be failing on other updates too.

To test, grab https://openqa.stg.fedoraproject.org/tests/1199611/asset/iso/01199611-Fedora-Workstation-Live-x86_64-FEDORA-2021-e6916d6758.iso (an affected ISO generated by openQA with this update included). I tested that locally and it fails to boot to a graphical environment. Booting with systemd.debug-shell=1 gives you a console on tty9 where you can poke around. I see these errors from gdm.service in the journal:

May 27 01:00:04 localhost-live systemd[1]: Starting GNOME Display Manager...
May 27 01:00:04 localhost-live systemd[1]: Started GNOME Display Manager.
May 27 01:00:05 localhost-live gdm-autologin][1422]: pam_unix(gdm-autologin:account): expired password for user liveuser (root enforced)
May 27 01:00:05 localhost-live gdm[1403]: Gdm: gdm_session_handle_secret_info_query: assertion 'self->user_verifier_interface != NULL' failed
May 27 01:00:05 localhost-live gdm-autologin][1422]: pam_pwquality(gdm-autologin:chauthtok): conversation failed
May 27 01:00:05 localhost-live gdm-autologin][1422]: pam_pwquality(gdm-autologin:chauthtok): user aborted password change

This update has been pushed to testing.

5 months ago

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

5 months ago

bojan commented & provided feedback 5 months ago

Works.

besser82 edited this update.

New build(s):

  • libxcrypt-4.4.22-1.fc34

Removed build(s):

  • libxcrypt-4.4.21-1.fc34

Karma has been reset.

5 months ago

This update has been submitted for testing by besser82.

5 months ago

This update's test gating status has been changed to 'passed'.

5 months ago

This update's test gating status has been changed to 'failed'.

5 months ago

This update's test gating status has been changed to 'passed'.

5 months ago

khaytsus commented & provided feedback 5 months ago

Some users on IRC are saying they are getting a forced password change on login and they've set no such thing up and don't see a reason for it to be trying to do this. They said downgrading this package seemed to make it stop, so there may be something wrong here.

adamwill commented & provided feedback 5 months ago

@khaytsus was that with 4.4.21 or 4.4.22?

khaytsus commented & provided feedback 5 months ago

@adamwill One user on x86 was using 4.4.22 and a different user was on 4.4.21 on aarch64.

This update has been pushed to testing.

5 months ago

bojan commented & provided feedback 5 months ago

My machines still work, but not leaving karma.

andilinux commented & provided feedback 5 months ago

works for me

besser82 commented & provided feedback 4 months ago

> Some users on IRC are saying they are getting a forced password change on login and they've set no such thing up and don't see a reason for it to be trying to do this. They said downgrading this package seemed to make it stop, so there may be something wrong here.

@khaytsus, @adamwill:

That might happen to users who didn't change their passwords since 2007 or so, as libxcrypt now reports the use of very unsafe hash methods to PAM.

jeeb commented & provided feedback 4 months ago

> That might happen to users, who didn't change their passwords since 2007 or so, as libxcrypt now reports the use of very unsafe hash methods to PAM.

That is interesting, since this happened with a ~2016 server install, which has been slowly upgraded as time went by. Specifically, this was with the 4.4.21 version:

    Upgrade       libxcrypt-4.4.21-1.fc34.x86_64                      @updates-testing
    Upgraded      libxcrypt-4.4.20-2.fc34.x86_64                      @@System
    Upgrade       libxcrypt-compat-4.4.21-1.fc34.x86_64               @updates-testing
    Upgraded      libxcrypt-compat-4.4.20-2.fc34.x86_64               @@System

Afterwards, at every login prompt it would just prompt me to change my password. The first time it popped back up it was weird, but I went along with it. It logged me out and I attempted to log in again. I hit the same thing, and at this point I decided it was in a loop. Thankfully I had some free time now to utilize a recovery image and chroot into my actual sysroot, and downgrade back to 4.4.20.

Excerpts from journal:

  1. Initial login, password change:
May 27 20:07:02 das-hostname systemd[1]: Starting User Manager for UID USER_ID...
May 27 20:07:02 das-hostname systemd[695]: pam_unix(systemd-user:account): expired password for user das_user (root enforced)
May 27 20:07:02 das-hostname systemd[695]: PAM failed: Authentication token is no longer valid; new one required
May 27 20:07:02 das-hostname systemd[695]: user@USER_ID.service: Failed to set up PAM session: Operation not permitted
May 27 20:07:02 das-hostname systemd[695]: user@USER_ID.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
May 27 20:07:02 das-hostname systemd[1]: user@USER_ID.service: Main process exited, code=exited, status=224/PAM
May 27 20:07:02 das-hostname systemd[1]: user@USER_ID.service: Failed with result 'exit-code'.
May 27 20:07:02 das-hostname systemd[1]: Failed to start User Manager for UID USER_ID.
May 27 20:07:02 das-hostname systemd[1]: Started Session 1 of user das_user.
May 27 20:07:02 das-hostname sshd[692]: pam_unix(sshd:session): session opened for user das_user(uid=USER_ID) by (uid=0)

May 27 20:17:28 das-hostname passwd[697]: pam_unix(passwd:chauthtok): password changed for das_user
  2. Second attempt:
May 27 20:17:31 das-hostname systemd[1]: Starting User Manager for UID USER_ID...
May 27 20:17:31 das-hostname systemd[709]: pam_unix(systemd-user:account): expired password for user das_user (root enforced)
May 27 20:17:31 das-hostname systemd[709]: PAM failed: Authentication token is no longer valid; new one required
May 27 20:17:31 das-hostname systemd[709]: user@USER_ID.service: Failed to set up PAM session: Operation not permitted
May 27 20:17:31 das-hostname systemd[709]: user@USER_ID.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
May 27 20:17:31 das-hostname systemd[1]: user@USER_ID.service: Main process exited, code=exited, status=224/PAM
May 27 20:17:31 das-hostname systemd[1]: user@USER_ID.service: Failed with result 'exit-code'.
May 27 20:17:31 das-hostname systemd[1]: Failed to start User Manager for UID USER_ID.
May 27 20:17:31 das-hostname systemd[1]: Started Session 2 of user das_user.
May 27 20:17:31 das-hostname sshd[706]: pam_unix(sshd:session): session opened for user das_user(uid=USER_ID) by (uid=0)

I have not tested 4.4.22 yet, if that improves things. Additionally, are there any hints in e.g. passwd -S das_user which would give a hint to the user that they would be hitting issues?
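
A log check for the symptom reported in this thread, as an added example (not part of any comment and not code from libxcrypt or pam): it scans journal text for pam_unix "expired password ... (root enforced)" events and flags users for whom expiry is reported again after a successful password change. The sample lines are constructed from the excerpts and bug titles on this page; the function and field names are hypothetical.

```python
import re

# Constructed sample, modelled on the journal excerpts and bug titles on this page.
SAMPLE_JOURNAL = """\
May 27 20:07:02 das-hostname systemd[695]: pam_unix(systemd-user:account): expired password for user das_user (root enforced)
May 27 20:07:02 das-hostname sshd[692]: pam_unix(sshd:session): session opened for user das_user(uid=USER_ID) by (uid=0)
May 27 20:17:28 das-hostname passwd[697]: pam_unix(passwd:chauthtok): password changed for das_user
May 27 20:17:31 das-hostname systemd[709]: pam_unix(systemd-user:account): expired password for user das_user (root enforced)
May 27 20:18:00 das-hostname crond[800]: pam_unix(crond:account): expired password for user wwwcron (root enforced)
"""

# syslog-style prefix (timestamp, host, process), then "pam_unix(service:phase): message"
PAM_UNIX = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s\S+?:\s"
    r"pam_unix\((?P<service>[^:)]+):(?P<phase>\w+)\):\s(?P<msg>.*)$"
)
EXPIRED = re.compile(r"expired password for user (?P<user>\S+) \(root enforced\)$")
CHANGED = re.compile(r"password changed for (?P<user>\S+)$")


def find_expiry_loops(journal_text):
    """Map each user with an expiry event to its count, services and loop flag."""
    report, changed = {}, set()
    for line in journal_text.splitlines():
        m = PAM_UNIX.match(line.strip())
        if not m:
            continue
        if m["phase"] == "chauthtok" and (c := CHANGED.match(m["msg"])):
            # Remember that this user completed a password change.
            changed.add(c["user"])
        elif m["phase"] == "account" and (e := EXPIRED.match(m["msg"])):
            entry = report.setdefault(
                e["user"], {"expired": 0, "services": set(), "loop": False}
            )
            entry["expired"] += 1
            entry["services"].add(m["service"])
            # Expiry reported again after a successful change: the loop symptom.
            if e["user"] in changed:
                entry["loop"] = True
    return report


if __name__ == "__main__":
    for user, info in find_expiry_loops(SAMPLE_JOURNAL).items():
        print(user, info)
```

On a live system the same function can be fed saved journal text; an account flagged with `loop` matches the behaviour described in the comment above, while an account with expiry events only (such as a service account) has not yet been through a password change.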

besser82 edited this update.

New build(s):

  • libxcrypt-4.4.22-2.fc34
  • pam-1.5.1-6.fc34

Removed build(s):

  • libxcrypt-4.4.22-1.fc34

Karma has been reset.

4 months ago

This update has been submitted for testing by besser82.

4 months ago

besser82 edited this update.

4 months ago

This update's test gating status has been changed to 'failed'.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago

This update has been pushed to testing.

4 months ago

This update has been submitted for stable by bodhi.

4 months ago

This update has been pushed to stable.

4 months ago

Metadata

Type: bugfix
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating

Settings

Unstable by Karma: -5
Stable by Karma: 2
Stable by Time: 14 days

Dates

submitted: 5 months ago
in testing: 4 months ago
in stable: 4 months ago
modified: 4 months ago

  • BZ#1965149 Live images built with libxcrypt 4.4.21 fail to reach login screen
  • BZ#1965345 out of root access on local system
  • BZ#1967150 pam_unix(crond:account): expired password for user wwwcron (root enforced)
