pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

Bug #1860826 reported by Seth Arnold
This bug affects 70 people
Affects | Status | Importance | Assigned to | Milestone
pam (Debian) | Fix Released | Unknown | |
pam (Ubuntu) | Fix Released | Low | Unassigned |
Focal | Fix Released | Low | Unassigned |
Groovy | Won't Fix | Low | Unassigned |

Bug Description

[Impact]
Removal of the /etc/securetty file from the system results in useless log messages whenever pam_unix is invoked, which for some systems is quite a lot of logging. /etc/securetty is not coming back, and this is not an error.

[Test Plan]
1. Run 'sudo -s'. Confirm that 'journalctl | grep sudo.*securetty' returns a line 'sudo[...]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory'.
2. Install libpam-modules update from -proposed.
3. Confirm that 'grep nullok_secure /etc/pam.d/common-auth' returns no lines.
4. Run 'sudo -k'.
5. Run 'sudo -s' again.
6. Confirm that sudo succeeds and gives you a root shell.
7. Confirm that 'journalctl | grep sudo.*securetty' does not show any new lines.

[Where problems could occur]
PAM is a sensitive package because it's used in all authentication operations on the system. A bug here could render a user unable to log in to their system.

Risks are mitigated by:
- including a patch that treats the obsolete 'nullok_secure' as an alias for 'nullok' to ensure any user-edited configurations continue to work rather than throwing errors about unknown options
- editing the system-managed /etc/pam.d/common-auth config to use 'nullok' instead of 'nullok_secure' for future compatibility.

Because we are editing the system config, this could also cause issues on future upgrades with undesirable prompts to the user. However, the maintainer scripts are not meant to prompt on changes to the pam-config, and this code has been in Debian for a while with no reports of problems.

[Original description]
Hello, after upgrading to focal I found the following in my journalctl output:

Jan 24 23:07:00 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 24 23:07:01 millbarge sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

The login package stopped packaging this file:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731656
and now forcibly removes the file:
https://paste.ubuntu.com/p/myh9cGWrHD/

However, the pam package's pam_unix.so module has not yet been adapted to ignore this file:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libpam-modules 1.3.1-5ubuntu4
ProcVersionSignature: Ubuntu 5.4.0-9.12-generic 5.4.3
Uname: Linux 5.4.0-9-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu15
Architecture: amd64
Date: Fri Jan 24 23:35:33 2020
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: Upgraded to focal on 2020-01-24 (0 days ago)
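
The checks from steps 3 and 7 of the test plan above, scripted as an added example. It is not part of the bug report or the pam package; the function names and the sample config and log data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: the test plan's checks as functions.
# Function names and sample data are constructed for illustration.

# Print file:line:text for every active pam_unix line that still passes
# nullok_secure. $1 = PAM config directory (default /etc/pam.d).
pam_nullok_secure_lines() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { active = $0; sub(/#.*/, "", active) }   # ignore comments
            active ~ /pam_unix\.so/ && active ~ /(^|[ \t])nullok_secure([ \t]|$)/ {
                printf "%s:%d:%s\n", file, NR, $0
            }' "$f"
    done
}

# Read log text on stdin; print "<count> <service:type>" for each PAM
# service that logged the securetty warning, busiest first.
securetty_noise_by_service() {
    sed -n "s|.*pam_unix(\([^)]*\)): Couldn't open /etc/securetty: .*|\1|p" |
        sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# Steps 3 and 7 of the test plan: succeed only when the config no longer
# uses nullok_secure and the log captured after the update has no warnings.
# $1 = PAM config directory, $2 = log file captured after the update.
securetty_fix_verified() {
    [ -z "$(pam_nullok_secure_lines "$1")" ] &&
        [ -z "$(securetty_noise_by_service < "$2")" ]
}

# Constructed sample data: a pre-update common-auth plus log lines in the
# format quoted in this report. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/pam.d"
    printf '%s\n' \
        '# auth [success=1 default=ignore] pam_unix.so nullok_secure (old copy)' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
        'auth requisite pam_deny.so' > "$d/pam.d/common-auth"
    printf '%s\n' \
        "Jan 24 23:07:00 host sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory" \
        "Jan 24 23:07:01 host sudo[32120]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory" \
        "Nov 05 15:45:50 host cupsd[1216]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory" \
        "Nov 05 15:45:55 host cupsd[1216]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory" \
        "Nov 05 15:47:57 host cupsd[1216]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory" \
        > "$d/before.log"
    printf '%s\n' \
        "Sep 28 18:28:51 host sudo: pam_unix(sudo:session): session opened for user root by (uid=0)" \
        > "$d/after.log"
    echo "$d"
}

# Demo on the constructed sample: config still pre-update, log post-update.
s=$(make_sample)
pam_nullok_secure_lines "$s/pam.d"
securetty_noise_by_service < "$s/before.log"
securetty_fix_verified "$s/pam.d" "$s/after.log" ||
    echo "not verified: config still uses nullok_secure"
rm -rf "$s"
```

On a live system, pipe `journalctl --no-pager --since "<time of the update>"` into `securetty_noise_by_service` so that only entries logged after the update are counted.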

Seth Arnold (seth-arnold) wrote :
tags: added: champagne
Sebastien Bacher (seb128) wrote :

Looks like Balint has been looking at that problem from the Debian side, assigning to him

@Balint, feel free to unassign if I got that wrong :)

Changed in pam (Ubuntu):
assignee: nobody → Balint Reczey (rbalint)
importance: Undecided → Low
status: New → Confirmed
Balint Reczey (rbalint) wrote :

@seb128 reading the referenced bug further reveals that I'm waiting for PAM maintainers' input on this.

Changed in pam (Ubuntu):
assignee: Balint Reczey (rbalint) → nobody
Changed in pam (Debian):
status: Unknown → New
tags: added: id-5ebd60b9e10a724ad7cbaffe
Joshua Peisach (itzswirlz) wrote :

I would say there is probably a missing dependency - /etc/securetty doesn't exist in Ubuntu and looks like it could be a typo.

Seth Arnold (seth-arnold) wrote :

Joshua, it's not a typo, and not a missing dependency:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#25

Thanks

tags: removed: champagne
Francesco Minnocci (qwerty1214) wrote :

So is it safe for a user to just remove "nullok_secure" as suggested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931899 ?

ITEAS (info-tux-pc) wrote :

Same here after focal Update with local sudoers. With sudoers over ActiveDirectory (SSS) it is working, but all local entries are ignored @20.04.

xibbvngcey (bhfbiibii) wrote :

does it cause the lock screen to freeze during unlock?

My lock screen during unlock freezes occasionally (once every 2 weeks), and this is one of 3 logs having recent updates:
Aug 27 18:37:02 PCName gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Aug 27 18:37:12 PCName gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory
Aug 27 18:37:12 PCName gdm-password]: gkr-pam: unlocked login keyring

Steve Langasek (vorlon) wrote : Re: [Bug 1860826] Re: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

On Thu, Aug 27, 2020 at 06:02:33PM -0000, bood wrote:
> does it cause the lock screen to freeze during unlock?

No. Please file a separate bug for your issue.

Sterling Butters (sterlingbutters) wrote :

Would this bug cause a gnome-session initialization delay? My logs have this error and technically everything "works" correctly but initialization of the user session takes > 1 min. The greeter isn't exactly fast either but definitely more tolerable. My systemd analysis looks fine too. Really hoping this bug is the issue.

Steve Langasek (vorlon) wrote :

On Tue, Sep 01, 2020 at 01:53:00AM -0000, Sterling Butters wrote:
> Would this bug cause a gnome-session initialization delay?

No, it would not. The sum totality of the impact of this bug is the extra
warning messages in the log files.

Sterling Butters (sterlingbutters) wrote :

> No, it would not. The sum totality of the impact of this bug is the extra
> warning messages in the log files.

Damn...

tags: added: fr-14
Tero Gusto (tero-gusto) wrote :

I am still seeing this in Ubuntu 20.04.1:

Oct 23 17:29:10 comp gdm-password][1766]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No such file or directory

Zach H (no.ones.there) wrote :

Hi, just to confirm that this may be a bigger issue than first anticipated - on Ubuntu Server 20.04 this is causing issues with logins via sftp/ftp. Because of this, the migration of a number of our servers has had to be halted until this bug has been completed. Copy-pasting the Securetty file could be an option, but a more permanent solution is preferred.

Steve Langasek (vorlon) wrote :

On Tue, Oct 27, 2020 at 03:49:30AM -0000, Zach H wrote:
> Hi, just to confirm that this may be a bigger issue than first
> anticipated - on Ubuntu Server 20.04 this is causing issues with logins
> via sftp/ftp.

Why do you believe your issue is caused by this bug? The only known effect
of this bug is the extraneous log entries; it is not known to cause pam
modules to return different results.

You can test this by temporarily editing /etc/pam.d/common-auth to list
'nullok' instead of 'nullok_secure'. If your problem persists, then it is
unrelated to this bug.

spec (playaspec) wrote :

It also appears to affect cups.

# systemctl status cups.service
● cups.service - CUPS Scheduler
     Loaded: loaded (/lib/systemd/system/cups.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-11-05 15:45:21 EST; 32min ago
TriggeredBy: ● cups.path
             ● cups.socket
       Docs: man:cupsd(8)
   Main PID: 1216169 (cupsd)
      Tasks: 3 (limit: 76795)
     Memory: 12.3M
     CGroup: /system.slice/cups.service
             ├─1216169 /usr/sbin/cupsd -l
             ├─1216235 /usr/lib/cups/notifier/dbus dbus://
             └─1216236 /usr/lib/cups/notifier/dbus dbus://

Nov 05 15:45:21 Cortex1 systemd[1]: Started CUPS Scheduler.
Nov 05 15:45:50 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:45:50 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:45:55 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:45:55 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:47:57 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:47:57 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:50:01 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory
Nov 05 15:50:01 Cortex1 cupsd[1216169]: pam_unix(cups:auth): Couldn't open /etc/securetty: No such file or directory

I created an empty file to silence the error, but I'm a bit dismayed that this file was removed without coordination with the pam project, or at least patching or configuring pam to avoid this error. Clearly this impacts more than just a deprecated telnet.

David Ward (dpward) wrote :

Despite what Launchpad is showing here, the upstream Debian bugs were fixed over a month ago:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936071#23
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674857#61

Ubuntu maintainers: please add the "Focal" series for this bug.

David Ward (dpward) wrote :

In fact the comments above explicitly say "Closes: #674857, #936071, LP: #1860826 [this bug]".

Changed in pam (Debian):
status: New → Fix Released
Robie Basak (racb) wrote :

I'm adding a Focal task as requested in #ubuntu-bugs. However, please don't take this as an endorsement for a Focal SRU. If it's just spurious log entries, I'm not sure if an SRU would be appropriate or not.

David Ward (dpward)
Changed in pam (Ubuntu Focal):
status: New → Confirmed
Bin Li (binli) wrote :

After I upgraded libpam-runtime from 1.3.1-5ubuntu4.1 to 1.3.1-5ubuntu4.2, I also met this error.

Elliott Balsley (elliottbalsley) wrote :

This also spams the vsftpd log several times per minute

Steve Langasek (vorlon)
Changed in pam (Ubuntu Groovy):
status: Confirmed → Won't Fix
Changed in pam (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.3.1-5ubuntu11

---------------
pam (1.3.1-5ubuntu11) impish; urgency=medium

  * extrausers.patch: update for compatibility with the removal of
    nullok_secure.

 -- Steve Langasek <email address hidden> Wed, 15 Sep 2021 22:39:58 -0700

Changed in pam (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
Changed in pam (Ubuntu Focal):
status: Confirmed → In Progress
Steve Langasek (vorlon)
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Seth, or anyone else affected,

Accepted pam into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu4.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pam (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Simon Déziel (sdeziel) wrote :

It works:

# witness the original bug while running `sudo -i` in another session:
sdeziel@xeon:~$ tail -f /var/log/auth.log | grep pam
Sep 28 16:56:52 xeon sudo: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Sep 28 16:56:53 xeon sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

# install from -proposed:
root@xeon:~# apt-get install libpam0g libpam-runtime libpam-modules-bin libpam-modules
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
   libpam-doc (1.3.1-5ubuntu4.3)
Recommended packages:
   update-motd (3.6-0ubuntu6.1)
The following packages will be upgraded:
   libpam-modules (1.3.1-5ubuntu4.2 => 1.3.1-5ubuntu4.3)
   libpam-modules-bin (1.3.1-5ubuntu4.2 => 1.3.1-5ubuntu4.3)
   libpam-runtime (1.3.1-5ubuntu4.2 => 1.3.1-5ubuntu4.3)
   libpam0g (1.3.1-5ubuntu4.2 => 1.3.1-5ubuntu4.3)
4 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 394 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 libpam0g amd64 1.3.1-5ubuntu4.3 [55.4 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 libpam-modules-bin amd64 1.3.1-5ubuntu4.3 [41.2 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 libpam-modules amd64 1.3.1-5ubuntu4.3 [260 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal-proposed/main amd64 libpam-runtime all 1.3.1-5ubuntu4.3 [37.3 kB]
Fetched 394 kB in 1s (477 kB/s)
Preconfiguring packages ...
(Reading database ... 53805 files and directories currently installed.)
Preparing to unpack .../libpam0g_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam0g:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam0g:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 53805 files and directories currently installed.)
Preparing to unpack .../libpam-modules-bin_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules-bin (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules-bin (1.3.1-5ubuntu4.3) ...
(Reading database ... 53805 files and directories currently installed.)
Preparing to unpack .../libpam-modules_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 53805 files and directories currently installed.)
Preparing to unpack .../libpam-runtime_1.3.1-5ubuntu4.3_all.deb ...
Unpacking libpam-runtime (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-runtime (1.3.1-5ubuntu4.3) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.3) ...
...

# confirm the fix by opening another session with `sudo -i`:
sdeziel@xeon:~$ tail -f /var/log/auth.log | grep pam
Sep 28 18:28:51 xeon sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Seth Arnold (seth-arnold) wrote :

Worked for me on my daily workstation:

⏚ [sarnold:~/trees] 100 $ sudo apt install -tfocal-proposed libpam0g libpam-runtime libpam-modules-bin libpam-modules
Reading package lists... Done
Building dependency tree
Reading state information... Done
Recommended packages:
  update-motd
The following packages will be upgraded:
  libpam-modules libpam-modules-bin libpam-runtime libpam0g
4 upgraded, 0 newly installed, 0 to remove and 50 not upgraded.
Need to get 394 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam0g amd64 1.3.1-5ubuntu4.3 [55.4 kB]
Get:2 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-modules-bin amd64 1.3.1-5ubuntu4.3 [41.2 kB]
Get:3 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-modules amd64 1.3.1-5ubuntu4.3 [260 kB]
Get:4 http://192.168.0.27/ubuntu focal-proposed/main amd64 libpam-runtime all 1.3.1-5ubuntu4.3 [37.3 kB]
Fetched 394 kB in 0s (10.6 MB/s)
Preconfiguring packages ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam0g_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam0g:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam0g:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-modules-bin_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules-bin (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules-bin (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-modules_1.3.1-5ubuntu4.3_amd64.deb ...
Unpacking libpam-modules:amd64 (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-modules:amd64 (1.3.1-5ubuntu4.3) ...
(Reading database ... 233861 files and directories currently installed.)
Preparing to unpack .../libpam-runtime_1.3.1-5ubuntu4.3_all.deb ...
Unpacking libpam-runtime (1.3.1-5ubuntu4.3) over (1.3.1-5ubuntu4.2) ...
Setting up libpam-runtime (1.3.1-5ubuntu4.3) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
⏚ [sarnold:~/trees] 7s $ sudo -k ; sudo ls
[sudo] password for sarnold:
...

recent journal entries:
Sep 28 20:24:43 millbarge sudo[540916]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Sep 28 20:24:45 millbarge sudo[540916]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory

and journal entries from an authentication performed after installing the update:

Sep 28 20:27:14 millbarge audit[548532]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55bfed873130 a1=55bfed6fa4f0 a2=55bfed8b1910 a3=8 items=2 ppid=19448 pid=548532 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=4 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Sep 28 20:27:14 millbarge audit: EXECVE argc=2 a0="sudo" a1="-k"
Sep 28 20:27:14 millbarge audit: CWD cwd="/home/sarnold/trees"
Sep 28 20:27:14 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=814680 dev=00:1c mode=0104755 ouid=0 ogid=...


Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (pam/1.3.1-5ubuntu4.3)

All autopkgtests for the newly accepted pam (1.3.1-5ubuntu4.3) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

kopanocore/8.7.0-7ubuntu1 (arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#pam

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Mathew Hodson (mhodson)
Changed in pam (Ubuntu Focal):
importance: Undecided → Low
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for pam has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.3.1-5ubuntu4.3

---------------
pam (1.3.1-5ubuntu4.3) focal; urgency=medium

  * Correctly document current VCS in debian/control.
  * Drop patches to implement "nullok_secure" option for pam_unix.
    Closes: #674857, #936071, LP: #1860826.
  * debian/patches-applied/nullok_secure-compat.patch: Support
    nullok_secure as a deprecated alias for nullok.
  * debian/pam-configs/unix: use nullok, not nullok_secure.
  * extrausers.patch: update for compatibility with the removal of
    nullok_secure.

 -- Steve Langasek <email address hidden> Thu, 16 Sep 2021 23:14:49 -0700

Changed in pam (Ubuntu Focal):
status: Fix Committed → Fix Released