Hi,

I am trying to change the bug #383889 to serious and make it release
critical. I have explained in it why I want it RC and the document at
http://release.debian.org/etch_rc_policy.txt lists that

* makes unrelated software on the system (or the whole system)
break

is a reason for rc-bug. In this case, the whole desktop locks and there
is no easy way to unlock it. (Which is effectively breaking the system).

So how do I do that?

thanks

jacques

[ Post a follow-up to this message ]

Jacques Normand <jnormand@nerim.net> writes:

> So how do I do that?

Much information about the Debian BTS is available at its website:

<URL:http://www.debian.org/Bugs/>

That page has a link to the information on manipulating bug reports
via email:

<URL:http://www.debian.org/Bugs/server-control>

--
\       "Ice Water? Get some onions - that'll make your eyes water!"  |
`\                                                   -- Groucho Marx |
_o__)                                                                  |
Ben Finney


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.or
g

[ Post a follow-up to this message ]

severity 383889 important
thanks

On Wed, Jan 24, 2007 at 07:44:35PM -0600, Jacques Normand wrote:
> I am trying to change the bug #383889 to serious and make it release
> critical. I have explained in it why I want it RC and the document at
> http://release.debian.org/etch_rc_policy.txt lists that

> * makes unrelated software on the system (or the whole system)
>   break

> is a reason for rc-bug. In this case, the whole desktop locks and there
> is no easy way to unlock it. (Which is effectively breaking the system).

> So how do I do that?

You seem to have gotten your answer on the procedure, but your rationale for
upgrading this particular bug is flawed.  The package doesn't render the
system unusable, it's your misconfiguration of PAM that does so.

I've tested gnome-screensaver here and it work fine with this config.

/etc/pam.d/common-auth:
auth    sufficient                      pam_krb5.so ignore_root
auth    required                        pam_unix.so try_first_pass nullok_se
cure

/etc/pam.d/common-account:
account sufficient      pam_krb5.so
account required        pam_unix.so


Note that the default /etc/pam.d/gnome-screensaver shipped is misleading; it
doesn't mention that this service will query the authorization functions
("acct") in addition to the authorization functions.  You may need to check
there for the source of your authentication problem.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.or
g

[ Post a follow-up to this message ]

Steve Langasek <vorlon@debian.org> writes:
> On Wed, Jan 24, 2007 at 07:44:35PM -0600, Jacques Normand wrote:
 
[vbcol=seagreen] 
[vbcol=seagreen] 
[vbcol=seagreen] 
[vbcol=seagreen]
> You seem to have gotten your answer on the procedure, but your rationale
> for upgrading this particular bug is flawed.  The package doesn't render
> the system unusable, it's your misconfiguration of PAM that does so.

You cannot enable verify_ap_req_nofail unless everything that's going to
do PAM configuration can read the system keytab file.  Most of the screen
savers run as a normal user and can't read the keytab unless it's readable
by the user running the screen saver.

Later versions of pam-krb5 will support configuring it to look at a
different keytab so that you can provide a lower-privilege world-readable
keytab for this purpose.  Until then, you either want to leave the
Kerberos library default, which will verify the tickets if the keytab is
readable and otherwise skip that step, or make the system keytab readable
by any user who may run the screen saver.

For more information, see:

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=399002>

The support alluded to in that bug is already implemented in the upstream
version of pam-krb5, but I also incorporated PKINIT support and the code
has been rather unstable.  I'm holding off upgrading the Debian package
until after the etch release.

--
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.or
g

[ Post a follow-up to this message ]