• Bug#1102643: libpam-wtmpdb: Coordinating openssh wtmpdb support

    From Colin Watson@21:1/5 to All on Fri Apr 11 14:10:01 2025
    Package: libpam-wtmpdb
    Version: 0.72.0-2
    Severity: normal
    Affects: openssh-server

    I'm considering enabling the native wtmpdb support in OpenSSH 10.0,
    because it provides better information in "wtmpdb last": it records the
    correct tty rather than just "ssh". However, if I do that at the
    moment, I end up with duplicate entries in "wtmpdb last":

    cjwatson pts/2 fd42:85b1:6650:a Fri Apr 11 11:52 - still logged in
    cjwatson ssh fd42:85b1:6650:a Fri Apr 11 11:52 - still logged in

    I'd like to arrange for the less-informative "ssh" one to be skipped.
    This can be done by adding "skip_if=sshd" to libpam_wtmpdb's options,
    and https://build.opensuse.org/projects/Linux-PAM/packages/wtmpdb/files/wtmpdb.spec
    shows that openSUSE is configuring it that way (thanks to Chris
    Hofstaedtler for pointing that out). Should we do the same in Debian's
    libpam-wtmpdb package, or is there a way to do it entirely in
    openssh-server somehow?

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

    -- System Information:
    Debian Release: trixie/sid
    APT prefers testing
    APT policy: (500, 'testing')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.12.21-amd64 (SMP w/12 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
    Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages libpam-wtmpdb depends on:
    ii libc6 2.41-6
    ii libpam-runtime 1.7.0-3
    ii libpam0g 1.7.0-3
    ii libwtmpdb0 0.72.0-2

    Versions of packages libpam-wtmpdb recommends:
    ii wtmpdb 0.72.0-2

    libpam-wtmpdb suggests no packages.

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew Bower@21:1/5 to Colin Watson on Sat Apr 12 00:10:01 2025
    Hi Colin,

    On Fri, Apr 11, 2025 at 01:06:00PM +0100, Colin Watson wrote:
    > I'd like to arrange for the less-informative "ssh" one to be skipped.
    > This can be done by adding "skip_if=sshd" to libpam_wtmpdb's options,
    > and https://build.opensuse.org/projects/Linux-PAM/packages/wtmpdb/files/wtmpdb.spec
    > shows that openSUSE is configuring it that way (thanks to Chris
    > Hofstaedtler for pointing that out). Should we do the same in Debian's
    > libpam-wtmpdb package, or is there a way to do it entirely in
    > openssh-server somehow?

    The latter would clearly be preferable but I can't see that the pam
    config framework provides the expressivity to do so cleanly so I suppose
    skip_if is a reasonable plan and it will have to be up to users of other
    ssh servers to override the configuration - I've prepared a readme note
    to that effect.

    I've tried the combination out. Are you ready to upload a version of src:openssh with the change?

    Andrew

  • From Colin Watson@21:1/5 to Andrew Bower on Tue Apr 15 15:30:01 2025
    On Fri, Apr 11, 2025 at 11:05:00PM +0100, Andrew Bower wrote:
    > On Fri, Apr 11, 2025 at 01:06:00PM +0100, Colin Watson wrote:
    > > I'd like to arrange for the less-informative "ssh" one to be skipped.
    > > This can be done by adding "skip_if=sshd" to libpam_wtmpdb's options,
    > > and
    > > https://build.opensuse.org/projects/Linux-PAM/packages/wtmpdb/files/wtmpdb.spec
    > > shows that openSUSE is configuring it that way (thanks to Chris
    > > Hofstaedtler for pointing that out). Should we do the same in Debian's
    > > libpam-wtmpdb package, or is there a way to do it entirely in
    > > openssh-server somehow?
    >
    > The latter would clearly be preferable but I can't see that the pam
    > config framework provides the expressivity to do so cleanly so I suppose
    > skip_if is a reasonable plan and it will have to be up to users of other
    > ssh servers to override the configuration - I've prepared a readme note
    > to that effect.
    >
    > I've tried the combination out. Are you ready to upload a version of
    > src:openssh with the change?

    Sorry for the delay - I was quite busy over the weekend and then had
    some other things to fix first. I've uploaded both openssh and your
    wtmpdb changes now.

    Thanks!

    --
    Colin Watson (he/him) [cjwatson@debian.org]
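
A check for the duplicate records described in this thread, as an added example that is not part of the original messages or of either package: it groups `wtmpdb last` lines by user, host and login time and reports the "ssh" record when a tty record exists for the same login. The column layout is assumed from the two sample lines in the bug report, and the function names are hypothetical.

```python
"""Flag redundant "ssh" records in `wtmpdb last` output (added example)."""
from collections import defaultdict

# Constructed sample: the two lines from the bug report plus one
# constructed login ("alice") that has no duplicate.
SAMPLE = """\
cjwatson pts/2 fd42:85b1:6650:a Fri Apr 11 11:52 - still logged in
cjwatson ssh fd42:85b1:6650:a Fri Apr 11 11:52 - still logged in
alice ssh 192.0.2.10 Fri Apr 11 09:15 - 09:40 (00:25)
"""

def parse_last(text):
    """Yield (user, tty, host, login_time) per record line.

    Assumes the layout shown in the report: user, tty, host, then a
    four-token login time (weekday, month, day, HH:MM) followed by "-".
    Lines that do not fit (headers, local logins with no host) are skipped.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[7] != "-":
            continue
        yield parts[0], parts[1], parts[2], " ".join(parts[3:7])

def find_redundant_ssh(text):
    """Return (user, host, login_time) where an "ssh" record shadows a tty record."""
    groups = defaultdict(list)
    for user, tty, host, when in parse_last(text):
        groups[(user, host, when)].append(tty)
    redundant = []
    for (user, host, when), ttys in groups.items():
        # A duplicate needs both the PAM-written "ssh" entry and a real tty.
        if "ssh" in ttys and any(t != "ssh" for t in ttys):
            redundant.append((user, host, when))
    return redundant

if __name__ == "__main__":
    import sys
    # `wtmpdb last | python3 thisfile.py -` reads real output from stdin;
    # with no arguments the constructed sample is used.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for user, host, when in find_redundant_ssh(data):
        print(f"duplicate ssh record: {user} from {host} at {when}")
```

Matching is at the minute resolution the output prints, so a hit is a prompt to check whether the PAM configuration carries "skip_if=sshd", not proof of double recording.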
