This Time Self-Hosted

Refreshing the pam-login and shadow problem

To increase visibility (not to hide it this time ;)) now that shadow is stable, I think I’ll repost an old post of mine here:

**The shadow and pam-login conflict**

Okay, this is not news, but it seems like it’s still a problem for someone, so I’m following fox2mike’s suggestion (from yesterday; I initially forgot about doing so), and I’m blogging about it…

So, many people using ~arch or some packages out of ~arch might have seen that a new update to shadow (>=4.0.12-r2) blocks pam-login, and pam-login blocks newer versions of shadow.

Why is this? Well, it’s simple for me to say, as I know the background, but it might be less easy to understand without knowing that.
So let’s start with the reason why /bin/login was not provided by shadow when using PAM (which is the case on most desktop systems)… To be honest, I don’t know that for sure; probably shadow just wasn’t providing a PAM-enabled /bin/login, or it had problems in the past. So we simply went with the pam-login package from SuSE (in the good days when people *provided* the tarballs for other distributions to use), the 3.x series.

This was all good until shadow 4.0.something started providing a valid /bin/login, so we just had the pam-login ebuild build /bin/login from the shadow source code. But that meant we had to build the same code twice, and maintain patches for two packages instead of one.
This had been planned for a while, but Azarah hadn’t had time to handle it, so I decided to merge the two: since shadow 4.0.14-r2 the single sys-apps/shadow package replaces both shadow AND the old pam-login package. This means that they now block each other, so you have to do something like:

emerge -C pam-login && emerge -u shadow

if you want your system to keep working. If you just unmerge pam-login but do NOT update shadow, you won’t be able to log in to the system after a restart (although already running sessions, login prompts that are already waiting, xdm and its variants, and ssh won’t be affected).

Please also note that you need a recent version of util-linux, one that dropped the pam USE flag, if you want to be sure that it won’t ask you to merge pam-login again; the ~arch version is fine. For older versions you can just set util-linux to -pam in package.use, as it doesn’t change anything anyway.

Now, don’t start asking for a better way to handle this, as portage does not provide anything to improve it. This works without strange surprises, so just drop pam-login and you’ll be fine 🙂
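Because the failure described above (pam-login unmerged, shadow not updated) only shows up at the next reboot, it is worth checking for a usable /bin/login before restarting. The following is an added example, not part of the original post or of any Gentoo tooling; the function name `check_login` and its optional ROOT argument are assumptions made for illustration, and the `qfile` call is only used if portage-utils is installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Run after "emerge -C pam-login && emerge -u shadow" and before rebooting.

# check_login [ROOT]
# Returns 0 if ROOT/bin/login is a non-empty, executable regular file,
# 1 otherwise. ROOT defaults to the running system ("/").
check_login() {
    root="${1:-}"
    login="${root%/}/bin/login"

    # A symlink left behind by a removed package points nowhere.
    if [ -L "$login" ] && [ ! -e "$login" ]; then
        echo "FAIL: $login is a dangling symlink" >&2
        return 1
    fi
    # The case from the post: pam-login gone, shadow not yet updated.
    if [ ! -e "$login" ]; then
        echo "FAIL: $login is missing; update shadow before rebooting" >&2
        return 1
    fi
    if [ ! -f "$login" ] || [ ! -s "$login" ]; then
        echo "FAIL: $login is not a non-empty regular file" >&2
        return 1
    fi
    if [ ! -x "$login" ]; then
        echo "FAIL: $login is not executable" >&2
        return 1
    fi

    echo "OK: $login is present and executable"
    # Optional: show which installed package owns the file
    # (after the switch this should be sys-apps/shadow).
    if command -v qfile >/dev/null 2>&1; then
        qfile "$login" || true
    fi
    return 0
}
```

Call `check_login` with no argument on the live system; keep an already running root session open until it reports OK.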

Comments 2
  1. portage should handle such things similar to an update of a package. What I mean is first install the new package, then remove the old (blocking) package. That way nobody has to be afraid of a lost /bin/login after unmerging the old package followed by a problem emerging the next package.

  2. ok, so what should I do with these two? This is how they are set in ipv6 pam tcpd ldap
     net-fs/samba -acl -async automount cups -doc -examples kerberos ldap ldapsam libclamav mysql oav pam -postgres python -quotas readline -swat syslog -winbind xml xml2
     Since I have the latest util linux installed I don’t want to be asked again to have pam-login installed.
     sys-apps/util-linux Latest version available: 2.12r-r3 Latest version installed: 2.12r-r3
     /Kim
