When upgrading a system (especially from an older distribution such as Ubuntu 14.04), you might encounter conflicts in the PAM (Pluggable Authentication Modules) configuration files. The system detects local modifications in the /etc/pam.d/common-* files and asks whether to keep them or overwrite them with the package maintainer's version.
To compare your local changes with the upstream version, you can use these methods:
```bash
# Method 1: List any dpkg diversions that affect PAM files
sudo dpkg-divert --list | grep -F pam.d

# Method 2: Compare with the package-provided templates
# (shipped by libpam-runtime in /usr/share/pam; pam-auth-update fills in
# the module lines from the profiles in /usr/share/pam-configs)
for file in auth account password session; do
    echo "===== common-$file ====="
    diff "/etc/pam.d/common-$file" "/usr/share/pam/common-$file"
done

# Method 3: Use apt-get to download and unpack the package files
apt-get download libpam-runtime
dpkg -x libpam-runtime*.deb /tmp/pam-original
```
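A plain diff between a locally edited PAM file and a reference copy is dominated by comment and whitespace changes. The following added example (not from the original page) compares only the active directives, in order; the function names `pam_active_lines`, `pam_stack_diff` and `make_samples` are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): compare only the *active*
# directives of two PAM files, so comment and spacing noise is ignored.
# Assumption: the files contain no backslash line continuations.

# Print active directives: strip comments, squeeze whitespace, drop blanks.
pam_active_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Order-preserving comparison (module order matters in a PAM stack).
# Prints "LOCAL-ONLY ..." / "REF-ONLY ..." lines; returns 1 if stacks differ.
pam_stack_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    pam_active_lines "$1" > "$a"
    pam_active_lines "$2" > "$b"
    diff "$a" "$b" | sed -n -e 's/^< /LOCAL-ONLY /p' -e 's/^> /REF-ONLY /p'
    rc=0; cmp -s "$a" "$b" || rc=1
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample files (not real system output).
make_samples() {
    {
        printf '# locally edited copy\n'
        printf 'auth    required    pam_tally2.so deny=5   # lockout policy\n'
        printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n'
        printf 'auth    requisite   pam_deny.so\n'
        printf 'auth    required    pam_permit.so\n'
    } > "$1/common-auth.local"
    {
        printf '# reference copy with different comments and spacing\n\n'
        printf 'auth [success=1 default=ignore] pam_unix.so nullok_secure\n'
        printf 'auth requisite pam_deny.so   # deny by default\n'
        printf 'auth required pam_permit.so\n'
    } > "$1/common-auth.ref"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
pam_stack_diff "$demo_dir/common-auth.local" "$demo_dir/common-auth.ref" || true
rm -rf "$demo_dir"
```

On a real system, pass `/etc/pam.d/common-auth` as the first argument and a reference copy (for example one taken from the backup made before the upgrade) as the second.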
For more complex scenarios, consider these approaches:
```bash
# Generate checksums of current files
find /etc/pam.d/ -name "common-*" -exec md5sum {} \;

# View PAM package changes in the APT history log
grep -i pam /var/log/apt/history.log

# Use debsums to verify the files installed by the PAM packages
sudo apt-get install debsums
debsums -s libpam-modules libpam-runtime
```
Before making any changes, create backups:
```bash
sudo cp -a /etc/pam.d /etc/pam.d.backup-$(date +%Y%m%d)
```
To merge changes intelligently:
```bash
# Install merge tools
sudo apt-get install meld

# Compare interactively against the templates shipped in /usr/share/pam
for file in auth account password session; do
    meld "/etc/pam.d/common-$file" "/usr/share/pam/common-$file"
done
```
For system administrators managing multiple servers:
```bash
#!/bin/bash
# Script to document PAM changes across servers
SERVER_LIST="server1 server2 server3"
OUTPUT_FILE="pam_diff_report_$(date +%Y%m%d).txt"

for server in $SERVER_LIST; do
    echo "===== $server =====" >> "$OUTPUT_FILE"
    # Compare each common-* file with the template shipped in /usr/share/pam;
    # diff exits 0 only when the two files are identical
    ssh "$server" 'for f in /etc/pam.d/common-*; do
        echo "$f:"
        diff "$f" "/usr/share/pam/$(basename "$f")" && echo "No differences"
    done' >> "$OUTPUT_FILE"
done
```
Consider these best practices:
- Document all PAM modifications in a change log
- Use configuration management tools (Ansible, Puppet, Chef)
- Create custom packages for your modified configurations
- Set up monitoring for critical auth files
When upgrading Ubuntu systems (particularly older versions like 14.04), you might encounter PAM configuration conflicts during package updates. The warning typically appears when the system files in /etc/pam.d/common-* have been modified locally but the package manager wants to install newer versions.
To compare your local changes with the new package versions:
```bash
# First download and unpack the package that ships the common-* templates
apt-get download libpam-runtime
dpkg -x libpam-runtime*.deb /tmp/pam-new

# Then compare each file with its template
diff -u /etc/pam.d/common-auth /tmp/pam-new/usr/share/pam/common-auth
diff -u /etc/pam.d/common-account /tmp/pam-new/usr/share/pam/common-account
diff -u /etc/pam.d/common-password /tmp/pam-new/usr/share/pam/common-password
diff -u /etc/pam.d/common-session /tmp/pam-new/usr/share/pam/common-session
```
PAM conflicts often occur when:
- Control panel software (like Plesk) modifies PAM for specific authentication requirements
- System administrators implement custom authentication policies
- Previous upgrades were handled manually
Option 1: Manual Merge
For complex environments where both local and package changes are needed:
```bash
# Create backups first
sudo cp -a /etc/pam.d /etc/pam.d.backup

# Use interactive diff merge tool
sudo apt-get install meld
sudo meld /etc/pam.d/common-auth /tmp/pam-new/usr/share/pam/common-auth
```
Option 2: Package Override
If you're confident the package versions are correct:
```bash
sudo pam-auth-update --force
```
After making changes, always test your PAM configuration:
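```bash
# Keep your current root session open and test a new SSH login from another session,
# watching the authentication log while you do so
sudo tail -f /var/log/auth.log

# Check specific service behavior by exercising its PAM stack with pamtester
sudo apt-get install pamtester
sudo pamtester -v sshd "$USER" authenticate
```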
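For systems with custom PAM configurations, consider using dpkg options that keep the locally modified version of a configuration file when a package upgrade would otherwise prompt:

```
# Create /etc/apt/apt.conf.d/80pam-config
DPkg {
    Options {
        "--force-confdef";
        "--force-confold";
    };
};
```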
For Plesk-managed systems, additional steps may be needed:
```bash
# Rebuild Plesk configuration after PAM changes
sudo /usr/local/psa/bin/init_conf --clean
sudo /usr/local/psa/admin/sbin/mchk --with-spam
```