tctl broken with PAM enabled

[cgoubert]

Expected behavior:

$ tctl version
Teleport v9.1.1 git:v9.1.1-0-gb0129ff5e go1.17.9
$ sudo tctl status
Cluster  teleport-staging
Version  9.2.1
Host CA  never updated
User CA  never updated
Jwt CA   never updated
CA pin   sha256:
$ sudo tctl users add test --roles=ssh
User "test" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:

Current behavior:

$ tctl version
Teleport v9.2.1 git:v9.2.1-0-gc6daeda62 go1.17.9
$ sudo tctl status
ERROR: Unable to start Teleport: PAM was enabled in file configuration but this 
Teleport binary was built without PAM support. To continue either download a 
Teleport binary build with PAM support from https://goteleport.com/teleport 
or disable PAM in file configuration.
$ sudo tctl users add test --roles=ssh
ERROR: Unable to start Teleport: PAM was enabled in file configuration but this 
Teleport binary was built without PAM support. To continue either download a 
Teleport binary build with PAM support from https://goteleport.com/teleport 
or disable PAM in file configuration.

When removing PAM configuration from teleport.yaml

$ sudo tctl status
Cluster  teleport-staging
Version  9.2.1
Host CA  never updated
User CA  never updated
Jwt CA   never updated
CA pin   sha256:

Bug details:

• Teleport v9.2.1 git:v9.2.1-0-gc6daeda62 go1.17.9
• Installed from debian package
• Only on tctl, PAM motd display via tsh ssh login works
• Connecting from tctl version 9.1.1 to a teleport auth server version 9.2.1 works, the reverse doesn't
• Debug logs say nothing interesting
• It is impossible to downgrade as the debian repository only makes the latest release available

[strideynet]

This issue looks related to this PR: #11666

I have been able to reproduce this issue locally.

[strideynet]

For users with this issue, the latest working version is 9.1.2

[cgoubert]

Regarding leaving the former releases up on the apt repository, should I make a separate issue? Having the option to deploy a known-working fixed version via packages would be nice.

[strideynet]

Regarding leaving the former releases up on the apt repository, should I make a separate issue? Having the option to deploy a known-working fixed version via packages would be nice.

Yeah, feel free to open a separate feature request for that and it's something we might be able to look into in the future.

[ravicious]

@cgoubert Yes, please make a separate issue, this would be very helpful.

I did a quick search to see if we don't have an issue for that already, but I couldn't find anything. These two issues might be related to the fact that only the most recent version is available through apt:

• Deb repo inconsistent versions available #8166
• Conditionally publish deb packages #9496

[strideynet]

Actually, it looks like this may be included as part of work on #9770 @ravicious / @cgoubert

[strideynet]

Once this backport (#12572) goes in, we will cut a new release sometime soon in which this should be fixed.

[cgoubert]

Actually, it looks like this may be included as part of work on #9770 @ravicious / @cgoubert

Yes, it looks like it, and issues like mine have already been linked. I'll subscribe to it, thanks.

[ravicious]

9.2.3 is out, it should fix the issue with PAM.

[cgoubert]

Confirm, issue is fixed. Thanks all.