Debian Bug report logs - #807990
allow users absent from users.oath to login

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: allow users absent from users.oath to login

Date: Tue, 15 Dec 2015 00:02:57 -0500

Package: libpam-oath
Version: 2.4.1-1
Severity: wishlist

Since only root can (and should) update /etc/users.oath, it's pretty
inconvenient to deploy pam-oath in any environment, as it
automatically kicks out any user using password authentication.

It would be good if there was an option in the pam module that would
allow authentication to succeed if the user is *not* present in the
users file.

Thanks!

-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-oath depends on:
ii  libc6           2.19-18+deb8u1
ii  liboath0        2.4.1-1
ii  libpam-runtime  1.1.8-3.1
ii  libpam0g        1.1.8-3.1

libpam-oath recommends no packages.

libpam-oath suggests no packages.

-- no debconf information

Message #10 received at 807990@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: 807990@bugs.debian.org

Subject: patch

Date: Tue, 15 Dec 2015 00:19:53 -0500

Control: tags -1 +patch

Here's patch that, I think, may fix that problem.

--- pam_oath/pam_oath.c.orig	2015-12-15 00:15:32.070364666 -0500
+++ pam_oath/pam_oath.c	2015-12-15 00:15:33.462364695 -0500
@@ -72,6 +72,7 @@
   char *usersfile;
   unsigned digits;
   unsigned window;
+  int missingok;
 };
 
 static void
@@ -86,6 +87,7 @@
   cfg->usersfile = NULL;
   cfg->digits = -1;
   cfg->window = 5;
+  cfg->missingok = 0;
 
   for (i = 0; i < argc; i++)
     {
@@ -103,6 +105,8 @@
 	cfg->digits = atoi (argv[i] + 7);
       if (strncmp (argv[i], "window=", 7) == 0)
 	cfg->window = atoi (argv[i] + 7);
+      if (strcmp (argv[i], "missingok") == 0)
+    cfg->missingok = 1;
     }
 
   if (cfg->digits != 6 && cfg->digits != 7 && cfg->digits != 8)
@@ -126,6 +130,7 @@
       D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)"));
       D (("digits=%d", cfg->digits));
       D (("window=%d", cfg->window));
+      D (("missingok=%d", cfg->missingok));
     }
 }
 
@@ -312,7 +317,7 @@
 	  oath_strerror (rc), ctime (&last_otp)));
   }
 
-  if (rc != OATH_OK)
+  if (rc != OATH_OK && !(cfg->missingok && rc == OATH_UNKNOWN_USER)) 
     {
       DBG (("One-time password not authorized to login as user '%s'", user));
       retval = PAM_AUTH_ERR;
--- pam_oath/README.orig	2015-12-15 00:18:18.886368111 -0500
+++ pam_oath/README	2015-12-15 00:18:07.298367872 -0500
@@ -224,6 +224,9 @@
   "window": Specify search depth, an integer typically from 5 to 50
             but other values can be useful too.
 
+  "missingok": If specified, users missing from the "usersfile" will be
+               considered authentified.
+
 SSH Configuration
 -----------------
 
Feedback/testing welcome.

-- 
Thoughtcrime does not entail death: thoughtcrime IS death.
                        - Winston Smith, 1984

Message #17 received at 807990@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: 807990@bugs.debian.org

Subject: Re: patch

Date: Tue, 15 Dec 2015 00:54:50 -0500

This patch has two problems:

 1. it doesn't compile (follows a fixed version)

 2. it's pretty dumb: it will work only if the user enters actually the
    right number of digits - ie. the code currently checks if the users
    exists only if other parameters are filled in correctly

So basically, it doesn't work. Maybe the file check would need to be
done earlier, ironically enough...

--- oath-toolkit-2.6.1.orig/pam_oath/README
+++ oath-toolkit-2.6.1/pam_oath/README
@@ -224,6 +224,9 @@ List of all parameters
   "window": Specify search depth, an integer typically from 5 to 50
             but other values can be useful too.
 
+  "missingok": If specified, users missing from the "usersfile" will be
+               considered authentified.
+
 SSH Configuration
 -----------------
 
--- oath-toolkit-2.6.1.orig/pam_oath/pam_oath.c
+++ oath-toolkit-2.6.1/pam_oath/pam_oath.c
@@ -72,6 +72,7 @@ struct cfg
   char *usersfile;
   unsigned digits;
   unsigned window;
+  int missingok;
 };
 
 static void
@@ -86,6 +87,7 @@ parse_cfg (int flags, int argc, const ch
   cfg->usersfile = NULL;
   cfg->digits = -1;
   cfg->window = 5;
+  cfg->missingok = 0;
 
   for (i = 0; i < argc; i++)
     {
@@ -103,6 +105,8 @@ parse_cfg (int flags, int argc, const ch
 	cfg->digits = atoi (argv[i] + 7);
       if (strncmp (argv[i], "window=", 7) == 0)
 	cfg->window = atoi (argv[i] + 7);
+      if (strcmp (argv[i], "missingok") == 0)
+    cfg->missingok = 1;
     }
 
   if (cfg->digits != 6 && cfg->digits != 7 && cfg->digits != 8)
@@ -126,6 +130,7 @@ parse_cfg (int flags, int argc, const ch
       D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)"));
       D (("digits=%d", cfg->digits));
       D (("window=%d", cfg->window));
+      D (("missingok=%d", cfg->missingok));
     }
 }
 
@@ -312,7 +317,7 @@ pam_sm_authenticate (pam_handle_t * pamh
 	  oath_strerror (rc), ctime (&last_otp)));
   }
 
-  if (rc != OATH_OK)
+  if (rc != OATH_OK && !(cfg.missingok && rc == OATH_UNKNOWN_USER)) 
     {
       DBG (("One-time password not authorized to login as user '%s'", user));
       retval = PAM_AUTH_ERR;

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
                         - Lucius Annaeus Seneca (58 AD)

Message #22 received at 807990@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: 807990@bugs.debian.org

Subject: third patch, fails more gracefully

Date: Mon, 01 Aug 2016 12:40:20 -0400

the following patch makes use of the PAM_USER_UNKNONWN flag in a more
graceful way, and checks before prompting the password. it could be
using more direct parsing functions, but that turned out to be harder
because the parse_usersfile function has a more complicated signature
than the actual authentication function.

diff --git a/pam_oath/README b/pam_oath/README
index bef4265..a6cbe56 100644
--- a/pam_oath/README
+++ b/pam_oath/README
@@ -23,7 +23,7 @@ window open before making any changes!
 
 ---------
 # head -1 /etc/pam.d/su
-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
+auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20 [user_unknown=ignore]
 #
 ---------
 
diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
index 2820318..25a3452 100644
--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
     }
   DBG (("get user returned: %s", user));
 
+  // quick check to skip unconfigured users before prompting for password
+  {
+    time_t last_otp;
+    otp[0] = '\0';
+    rc = oath_authenticate_usersfile (cfg.usersfile,
+                                      user,
+                                      otp, cfg.window, onlypasswd, &last_otp);
+
+    DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
+          oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
+          oath_strerror (rc), ctime (&last_otp)));
+    if (rc == OATH_UNKNOWN_USER)
+      {
+        return PAM_USER_UNKNOWN;
+      }
+  }
+
   if (cfg.try_first_pass || cfg.use_first_pass)
     {
       retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);

it still parses the file twice, but i'm not sure how to fix that short
of loading the whole file in memory, which isn't the way the library
works now.

a.
-- 
We have no friends but the mountains.
                        - Kurdish saying

Message #29 received at 807990@bugs.debian.org (full text, mbox, reply):

From: anarcat@debian.org (Antoine Beaupré)

To: 807990@bugs.debian.org

Cc: Ilkka Virta <itvirta@iki.fi>

Subject: fail gracefully for missing users: redid the patch

Date: Fri, 19 Aug 2016 22:10:36 -0400

[Message part 1 (text/plain, inline)]

i changed the patch a little because it turns out that my pam.d sample
config wasn't actually working as expected - the user_unknown=ignore
block needs to *replace* the "required" keyword, and not simply be
appended in the end.

here's a new patch that changes the README slightly.

[0001-fail-gracefully-for-missing-users.patch (text/x-diff, inline)]

From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 1 Aug 2016 12:25:10 -0400
Subject: [PATCH] fail gracefully for missing users

when the pam module is enabled, it forces *all* users to immediately
start using OATH, or they can't login at all.

a more progressive approach would seem more reasonable to me,
especially since each user need to get an admin user to update the
central file for them.

this patch adds an early check to the users file and makes sure the
user exists before prompting for a password.

if the user is missing, it exits early with a standard error code
(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
(as shown in the README file). this leaves the policy decision up to
the admin (and defaults to "fail closed").

if the user is present, the code path remains the same except the
usersfile is scanned twice, which may be a performance penalty on very
slow filesystems or very large files. the only workaround I can think
of for this would be to load the whole file into memory, but this
could have significant memory impact on large files.

the function used (`oath_authenticate_usersfile`) is a little overkill
as it actually goes and tries to authenticate the user with an empty
password. this is harmless because the file isn't updated if the OTP
is incorrect and because no warning is sent to syslog.

a possible improvement on this would be to have a warning shown to the
user inciting them to configure OATH or to warn them about a possible
typo in their username before they enter their regular passphrase
---
 pam_oath/README     |  2 +-
 pam_oath/pam_oath.c | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/pam_oath/README b/pam_oath/README
index bef4265..24b9f8b 100644
--- a/pam_oath/README
+++ b/pam_oath/README
@@ -23,7 +23,7 @@ window open before making any changes!
 
 ---------
 # head -1 /etc/pam.d/su
-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
+auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
 #
 ---------
 
diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
index 2820318..25a3452 100644
--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
     }
   DBG (("get user returned: %s", user));
 
+  // quick check to skip unconfigured users before prompting for password
+  {
+    time_t last_otp;
+    otp[0] = '\0';
+    rc = oath_authenticate_usersfile (cfg.usersfile,
+                                      user,
+                                      otp, cfg.window, onlypasswd, &last_otp);
+
+    DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
+          oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
+          oath_strerror (rc), ctime (&last_otp)));
+    if (rc == OATH_UNKNOWN_USER)
+      {
+        return PAM_USER_UNKNOWN;
+      }
+  }
+
   if (cfg.try_first_pass || cfg.use_first_pass)
     {
       retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
-- 
2.1.4

[Message part 3 (text/plain, inline)]

i would like to do a NMU for this to deploy this change, any objections?

a.
-- 
I prefer the tumult of liberty to the quiet of servitude.
                        - Thomas Jefferson

Message #34 received at 807990@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>

To: 807990@bugs.debian.org

Cc: Ilkka Virta <itvirta@iki.fi>

Subject: Re: fail gracefully for missing users: redid the patch

Date: Sun, 21 Aug 2016 08:22:46 -0400

[Message part 1 (text/plain, inline)]

On 2016-08-19 22:10:36, Antoine Beaupré wrote:
> i would like to do a NMU for this to deploy this change, any objections?

Here's the debdiff of the package I would upload:

[oath2.6.1-1.1.debdiff (text/x-diff, inline)]

diff -Nru oath-toolkit-2.6.1/debian/changelog oath-toolkit-2.6.1/debian/changelog
--- oath-toolkit-2.6.1/debian/changelog	2015-07-31 17:10:44.000000000 -0400
+++ oath-toolkit-2.6.1/debian/changelog	2016-08-20 09:53:10.000000000 -0400
@@ -1,3 +1,10 @@
+oath-toolkit (2.6.1-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * patch: fail gracefully for missing users (Closes: #807990)
+
+ -- Antoine Beaupré <anarcat@debian.org>  Sat, 20 Aug 2016 09:51:41 -0400
+
 oath-toolkit (2.6.1-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch
--- oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch	1969-12-31 19:00:00.000000000 -0500
+++ oath-toolkit-2.6.1/debian/patches/0001-fail-gracefully-for-missing-users.patch	2016-08-20 09:53:10.000000000 -0400
@@ -0,0 +1,83 @@
+From 509c4cda7e08384d7cd16dfdb3917b4373f1e36e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
+Date: Mon, 1 Aug 2016 12:25:10 -0400
+Subject: [PATCH] fail gracefully for missing users
+
+when the pam module is enabled, it forces *all* users to immediately
+start using OATH, or they can't login at all.
+
+a more progressive approach would seem more reasonable to me,
+especially since each user need to get an admin user to update the
+central file for them.
+
+this patch adds an early check to the users file and makes sure the
+user exists before prompting for a password.
+
+if the user is missing, it exits early with a standard error code
+(PAM_USER_UNKNOWN) which can then be ignored in the PAM configuration
+(as shown in the README file). this leaves the policy decision up to
+the admin (and defaults to "fail closed").
+
+if the user is present, the code path remains the same except the
+usersfile is scanned twice, which may be a performance penalty on very
+slow filesystems or very large files. the only workaround I can think
+of for this would be to load the whole file into memory, but this
+could have significant memory impact on large files.
+
+the function used (`oath_authenticate_usersfile`) is a little overkill
+as it actually goes and tries to authenticate the user with an empty
+password. this is harmless because the file isn't updated if the OTP
+is incorrect and because no warning is sent to syslog.
+
+a possible improvement on this would be to have a warning shown to the
+user inciting them to configure OATH or to warn them about a possible
+typo in their username before they enter their regular passphrase
+---
+ pam_oath/README     |  2 +-
+ pam_oath/pam_oath.c | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/pam_oath/README b/pam_oath/README
+index bef4265..24b9f8b 100644
+--- a/pam_oath/README
++++ b/pam_oath/README
+@@ -23,7 +23,7 @@ window open before making any changes!
+ 
+ ---------
+ # head -1 /etc/pam.d/su
+-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
++auth [user_unknown=ignore success=ok] pam_oath.so debug usersfile=/etc/users.oath window=20
+ #
+ ---------
+ 
+diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
+index 2820318..25a3452 100644
+--- a/pam_oath/pam_oath.c
++++ b/pam_oath/pam_oath.c
+@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
+     }
+   DBG (("get user returned: %s", user));
+ 
++  // quick check to skip unconfigured users before prompting for password
++  {
++    time_t last_otp;
++    otp[0] = '\0';
++    rc = oath_authenticate_usersfile (cfg.usersfile,
++                                      user,
++                                      otp, cfg.window, onlypasswd, &last_otp);
++
++    DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
++          oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
++          oath_strerror (rc), ctime (&last_otp)));
++    if (rc == OATH_UNKNOWN_USER)
++      {
++        return PAM_USER_UNKNOWN;
++      }
++  }
++
+   if (cfg.try_first_pass || cfg.use_first_pass)
+     {
+       retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
+-- 
+2.1.4
+
diff -Nru oath-toolkit-2.6.1/debian/patches/series oath-toolkit-2.6.1/debian/patches/series
--- oath-toolkit-2.6.1/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ oath-toolkit-2.6.1/debian/patches/series	2016-08-20 09:53:10.000000000 -0400
@@ -0,0 +1 @@
+0001-fail-gracefully-for-missing-users.patch

[Message part 3 (text/plain, inline)]

thanks

-- 
To be naive and easily deceived is impermissible, today more than
ever, when the prevailing untruths may lead to a catastrophe because
they blind people to real dangers and real possibilities.
                        - Erich Fromm

Message #49 received at 807990@bugs.debian.org (full text, mbox, reply):

From: anarcat <anarcat@debian.org>

To: 807990@bugs.debian.org

Subject: oath-toolkit: diff for NMU version 2.6.1-1.4

Date: Fri, 13 Mar 2020 20:29:38 -0400

[Message part 1 (text/plain, inline)]

Control: tags 807990 + pending

Dear maintainer,

I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.

[oath-toolkit-2.6.1-1.4-nmu.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #56 received at 807990@bugs.debian.org (full text, mbox, reply):

From: anarcat <anarcat@debian.org>

To: 807990@bugs.debian.org

Subject: oath-toolkit: diff for NMU version 2.6.1-1.4

Date: Fri, 13 Mar 2020 21:44:48 -0400

[Message part 1 (text/plain, inline)]

[this is a resend: the prevous version had the wrong date in
debian/changelog]

Dear maintainer,

I've prepared an NMU for oath-toolkit (versioned as 2.6.1-1.4) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards.


-- 

[oath-toolkit-2.6.1-1.4-nmu.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #61 received at 807990-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 807990-close@bugs.debian.org

Subject: Bug#807990: fixed in oath-toolkit 2.6.1-1.4

Date: Tue, 24 Mar 2020 02:58:12 +0000

Source: oath-toolkit
Source-Version: 2.6.1-1.4
Done: =?utf-8?q?Antoine_Beaupr=C3=A9?= <anarcat@debian.org>

We believe that the bug you reported is fixed in the latest version of
oath-toolkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated oath-toolkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Mar 2020 20:30:26 -0400
Source: oath-toolkit
Architecture: source
Version: 2.6.1-1.4
Distribution: unstable
Urgency: medium
Maintainer: OATH Toolkit Team <oath-toolkit-help@nongnu.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Closes: 807990
Changes:
 oath-toolkit (2.6.1-1.4) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * patch: fail gracefully for missing users (Closes: #807990)
   * push to salsa
Checksums-Sha1:
 1882f71449d75aafc472fb4a52295a7d72b82bde 1893 oath-toolkit_2.6.1-1.4.dsc
 07c2e676de609666a0bb324c7f279965ec66c12c 21796 oath-toolkit_2.6.1-1.4.debian.tar.xz
 d70b6514f4dbcd021fca19d7be726869cf25b135 10664 oath-toolkit_2.6.1-1.4_amd64.buildinfo
Checksums-Sha256:
 163f17747428d4169d8657ef81b526bc0802d3555e2d110ab91569f017e02479 1893 oath-toolkit_2.6.1-1.4.dsc
 212d1f10fb2ca849295c1a2c0f449ead9da9169f74ad2fc52979c4bf4b7eb0b7 21796 oath-toolkit_2.6.1-1.4.debian.tar.xz
 5ddd1b0097ddccb8714ae544add772ef8652ab77a0735b35f6469fece25cc14a 10664 oath-toolkit_2.6.1-1.4_amd64.buildinfo
Files:
 a9a1aa53b16472c0fd74001da6ed966e 1893 devel optional oath-toolkit_2.6.1-1.4.dsc
 939bd854393fb40ab2c97a3a71b01de4 21796 devel optional oath-toolkit_2.6.1-1.4.debian.tar.xz
 a7dde57fb1f1b2de0017abedb26597b4 10664 devel optional oath-toolkit_2.6.1-1.4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAl5sNuMACgkQPqHd3bJh
2XtnZwf+PlwQTAmawVy8aLzApqunp0Z3Zkg0q0/zLs4XgHEiHS8cv/4XFHWywlmg
0cMZBHbzVUfBn8nN9V9P0KG+0JHYt5x8EeMtift/oSfpcDFCRqUBFFwAT8/Emcb8
3mWygpSPCuEphOgw3UPzW8WO65X6/kEbfnxweCJpMuLU6riEhKRhYQ6fd303N2Lm
yrLLgoKF4rIBmW6WFrNRIBigRSxo0lUFCFrutyH48Ddu5lDLjqXCWVWxaU3YxMBd
hBUKIjKJyE5iMVDBXB6ihGg0cSLMXGeGvA7tUzYqt5WfnH0V+u3N8QUxI7VF78ej
fjRJudPZM5xqj9l+F30Behd8zDuugQ==
=GamI
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.