#979973 libpam-yubico does not use multiarch paths

Package:
libpam-yubico
Source:
yubico-pam
Description:
two-factor password and YubiKey OTP PAM module
Submitter:
VA
Date:
2024-05-04 12:21:12 UTC
Severity:
important
Tags:
#979973#5
Date:
2021-01-12 12:28:00 UTC
From:
To:
I use pam_yubico.so in /etc/pam.d/sshd

This is the error I now get:

xxx sshd[x]: PAM unable to dlopen(pam_yubico.so):
/lib/x86_64-linux-gnu/security/pam_yubico.so: cannot open shared object
file: No such file or directory
xxx sshd[x]: PAM adding faulty module: pam_yubico.so

It seems the file is in /lib/security/pam_yubico.so

This command seems to solve the problem but the package seems unusable
as is:
ln -s /lib/security/pam_yubico.so /lib/x86_64-linux-gnu/security

#979973#10
Date:
2021-01-18 11:04:16 UTC
From:
To:
Dear Maintainer,

I have updated my system this morning which led the Yubico gdm
authentication and sudo  to be broken. When trying to sudo the
following error appears on STDERR : Module unknown.
This is due to the fact that Debian is not taking /lib/security path
into account anymore to fetch the pam_yubico.so module. A symbolic link
in /usr/lib/x86_64-linux-gnu/security fixes it.

#979973#15
Date:
2021-02-21 05:13:53 UTC
From:
To:
Dear Maintainer,

I've upgraded one of my systems where I use pam_yubico and hit the problem.
I'd like to see the issue fixed for bullseye since it might have
security implications or might render people to be unable to login.

Please consider the attached patch to debian packaging.

Do we need to talk to the release team and/or raise the bug severity?

<#part type="text/x-diff" filename="~/work/GNU/libpam-yubico-fix-debian-bug-979973.diff" disposition=inline>
<#/part>

Thanks for considering.
Jochen

#979973#20
Date:
2021-02-21 05:17:40 UTC
From:
To:
Dear Maintainer,

I missed adding the path. Here it is:

diff -ur yubico-pam-2.26.orig/debian/changelog yubico-pam-2.26/debian/changelog
--- yubico-pam-2.26.orig/debian/changelog	2021-02-21 05:40:48.000000000 +0100
+++ yubico-pam-2.26/debian/changelog	2021-02-21 06:01:59.000000000 +0100
@@ -1,3 +1,10 @@
+yubico-pam (2.26-1.2~jochen1+1) unstable; urgency=low
+
+  * Move pam_yubico.so from /lib/security to /lib/x86_64-linux-gnu/security
+    (Closes: 979973)
+
+ -- Jochen Kellner <jochen@jochen.org>  Sun, 21 Feb 2021 17:37:57 +0100
+
 yubico-pam (2.26-1.1) unstable; urgency=low

   * Non-maintainer upload.
diff -ur yubico-pam-2.26.orig/debian/rules yubico-pam-2.26/debian/rules
--- yubico-pam-2.26.orig/debian/rules	2021-02-21 05:40:48.000000000 +0100
+++ yubico-pam-2.26/debian/rules	2021-02-21 05:58:17.000000000 +0100
@@ -7,14 +7,14 @@

 override_dh_auto_configure:
 	dh_auto_configure -- \
-		--with-pam-dir=$(DESTDIR)/lib/security \
+		--with-pam-dir=$(DESTDIR)/lib/x86_64-linux-gnu/security \
 		--includedir=/usr/include/libpam-yubico

 override_dh_install:
 	install -D -m 0644 debian/pam-auth-update \
 		debian/libpam-yubico/usr/share/libpam-yubico/pam-auth-update.template
 	chrpath -d debian/libpam-yubico/usr/bin/ykpamcfg
-	chrpath -d debian/libpam-yubico/lib/security/pam_yubico.so
-	rm debian/libpam-yubico/lib/security/pam_yubico.la
+	chrpath -d debian/libpam-yubico/lib/x86_64-linux-gnu/security/pam_yubico.so
+	rm debian/libpam-yubico/lib/x86_64-linux-gnu/security/pam_yubico.la
 	rm -rf debian/libpam-yubico/usr/include
 	dh_install --fail-missing

#979973#25
Date:
2021-06-28 12:30:26 UTC
From:
To:
This may not be a bug in this package but instead a bug in pam (which
I've reported but not got a bug number for yet). pam should be checking
/lib/security for the module.

The afore mentioned patch suggests switching to x86_64-linux-gnu whcih
is a multi arch directory, if this package is to be converted to
multiarch then $(DEB_HOST_MULTIARCH) should be used which can be set using

DEB_HOST_MULTIARCH  ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

(copied from the pam package rules file)

#979973#62
Date:
2021-07-14 17:15:19 UTC
From:
To:
libpam-yubico not using multiarch paths should no longer be a problem
for bullseye with #990790 fixed/workarounded.

cu
Adrian

#979973#75
Date:
2024-05-04 12:20:46 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
yubico-pam, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 979973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Winnertz <winnie@debian.org> (supplier of updated yubico-pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 04 May 2024 13:48:35 +0200
Source: yubico-pam
Architecture: source
Version: 2.27-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Authentication Maintainers <pkg-auth-maintainers@lists.alioth.debian.org>
Changed-By: Patrick Winnertz <winnie@debian.org>
Closes: 979973 1064121 1066579
Changes:
 yubico-pam (2.27-1) unstable; urgency=medium
 .
   [Simon Josefsson]
   * New upstream version (Closes: #1066579)
   * Drop myself from Uploader's.
 .
   [Michael Biebl]
   * Install PAM module into multiarch path in /usr. (Closes: #1064121)
 .
   [Patrick Winnertz]
   * Bump debhelper dependency to 12
   * Add myself to the uploaders and remove both upstream authors
     from there after private discussion with Klas Lindfors
   * Library is installed in multiarch path (Closes: #979973)
   * Bump standards version to 4.7.0 - no changes needed.
   * Remove compat file and use build-depends instead.
   * Remove hardcoded depends which are not longer available and use the correct build-deps instead.
   * remove dh_install --fail-missing which was removed in compat level 12
   * Bump version of uscan to 4 - no further changes needed.
   * Use the same upstream-signing key mechanism as in the pam-u2f package.
Checksums-Sha1:
 f8107a95d38f6d03baef0b5cd0714bec47a66554 2393 yubico-pam_2.27-1.dsc
 398b2413e8e28329098e4f62bba278cb65d9f526 454512 yubico-pam_2.27.orig.tar.gz
 3a74c31582843799c57a1c0176c33c03717ec939 488 yubico-pam_2.27.orig.tar.gz.asc
 e6d280b2e8615ef488ba6da99ddc08bd7fb9a617 66480 yubico-pam_2.27-1.debian.tar.xz
 36dbb6587551334ac03d171786623d693bcc7ea1 7391 yubico-pam_2.27-1_amd64.buildinfo
Checksums-Sha256:
 4a4c4f2a221eeee855ed82358f5b00083d16010ff2055a11884d61bcba275bdf 2393 yubico-pam_2.27-1.dsc
 63d02788852644d871746e1a7a1d16c272c583c226f62576f5ad232a6a44e18c 454512 yubico-pam_2.27.orig.tar.gz
 ee1a304e4897fcb4e56d70dd941cd909a5888e159e568e1b43eb21f23e533f03 488 yubico-pam_2.27.orig.tar.gz.asc
 45b7ec0b0a9d9a184636e6748f8164030c3bf5eb82c24cee31c4ce60f0e39d88 66480 yubico-pam_2.27-1.debian.tar.xz
 21c748f543ce89d52daf2e3ac6c3d62bd466d56d2eea53c6f7a8ab8c421064d7 7391 yubico-pam_2.27-1_amd64.buildinfo
Files:
 e820742139afe6e936a5f1ecff1406c3 2393 admin optional yubico-pam_2.27-1.dsc
 7a8cbac9f60260a6298062717a2f43e1 454512 admin optional yubico-pam_2.27.orig.tar.gz
 5314776cb1b4e4f65b1e5b864d78310d 488 admin optional yubico-pam_2.27.orig.tar.gz.asc
 ba255f5d5f3ce1e9e91681647a10446a 66480 admin optional yubico-pam_2.27-1.debian.tar.xz
 aed2b3f42d9c7c08094d736135770364 7391 admin optional yubico-pam_2.27-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEE8s7HdaJ514A0GZEJjUsraXJJeKIFAmY2JJcSHHdpbm5pZUBk
ZWJpYW4ub3JnAAoJEI1LK2lySXiiKukP/05FhlgmtMfQHfSMwaKkxyeDY+TpA1kx
iSNCb6okHOGMofLFGD/kmmmv8xD7Qm0yiREHknp8zw00oNvJ/8ccySzsmY68zYYJ
tuDTyI6cCuclKbUOuTIkp+8Ub82BSvEB/ZfLRfmMm4SME+/eWAdYhb2mOuwpnSGc
4/+DhuJYTvb2x0bN5fU8em1vkO0HUxeNwgXW/6ghIGCvem5q8VyUtqi9Knb53gja
Hs0CaIt99bOz4/nwwH5DOjTJPUciyg5n3QrP1HXrWdQrcQ9FrN47gWEFPWot8lB9
1Wo3pRP06vQujx/wfshMcYjK+lS5qLIPv8EIiMI90dfI+Z7tg53bw7KfQFEvt+/h
HYbrDRqRAxvjftAO0TBAKxGC4CeOGfCDcWkkOWgGfJVcOWXUz2mBIjrTPTHDwh26
KGI9gz99/1hyM+8iM9w9hr/oEzYC4roN49zk1MRrFzDA8z0Wka0pRR0jHWaLaP9l
HRmleutWXDpfFL3pJ6k8m8W2T6975KO3awpGeef73815sMpVbuScd3ryOWnF9Lpe
10Cy5n02oxnrAvWGj2Y1dyuTMgshT7g/OnUHgr0LPrLvl3h/50NsNOdUKmpjZn0z
Uq4ooT3WPXQIVB2KwIp6zeR3z8I3Vk0n1v1ojB09f9NjFKdMGmgURovcgsnWTDOI
cOrUv1MesMm5
=OUj/
-----END PGP SIGNATURE-----