168 Commits

Author SHA256 Message Date
Thorsten Kukuk
e352b2c661 - Update to version 1.6.0
  - Added support of configuration files with arbitrarily long lines.
  - build: fixed build outside of the source tree.
  - libpam: added use of getrandom(2) as a source of randomness if available.
  - libpam: fixed calculation of fail delay with very long delays.
  - libpam: fixed potential infinite recursion with includes.
  - libpam: implemented string to number conversions validation when parsing
    controls in configuration.
  - pam_access: added quiet_log option.
  - pam_access: fixed truncation of very long group names.
  - pam_canonicalize_user: new module to canonicalize user name.
  - pam_echo: fixed file handling to prevent overflows and short reads.
  - pam_env: added support of '\' character in environment variable values.
  - pam_exec: allowed expose_authtok for password PAM_TYPE.
  - pam_exec: fixed stack overflow with binary output of programs.
  - pam_faildelay: implemented parameter ranges validation.
  - pam_listfile: changed to treat \r and \n exactly the same in configuration.
  - pam_mkhomedir: hardened directory creation against timing attacks.
  - Please note that using *at functions leads to more open file handles
    during creation.
  - pam_namespace: fixed potential local DoS (CVE-2024-22365).
  - pam_nologin: fixed file handling to prevent short reads.
  - pam_pwhistory: helper binary is now built only if SELinux support is
    enabled.
  - pam_pwhistory: implemented reliable usernames handling when remembering
    passwords.
  - pam_shells: changed to allow shell entries with absolute paths only.
  - pam_succeed_if: fixed treating empty strings as numerical value 0.
  - pam_unix: added support of disabled password aging.
  - pam_unix: synchronized password aging with shadow.

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=280
2024-01-18 09:18:10 +00:00
Thorsten Kukuk
add873f61e Accepting request 1105450 from home:kukuk:no-utmp
- Fix building without SELinux

OBS-URL: https://build.opensuse.org/request/show/1105450
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=279
2023-08-23 09:38:24 +00:00
Thorsten Kukuk
8fc5e81cde - pam_access backports from upstream:
  - pam_access-doc-IPv6-link-local.patch:
    Document only partially supported IPv6 link local addresses
  - pam_access-hostname-debug.patch:
    Don't print error if we cannot resolve a hostname, does not
    need to be a hostname
  - pam_shells-fix-econf-memory-leak.patch:
    Free econf keys variable
  - disable-examples.patch:
    Don't build examples

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=278
2023-08-07 10:24:04 +00:00
341833cbf9 Accepting request 1085746 from home:kukuk:cleanup
- Update to final 1.5.3 release:
  - configure: added --enable-logind option to use logind instead of utmp
    in pam_issue and pam_timestamp.
  - pam_modutil_getlogin: changed to use getlogin() from libc instead of
    parsing utmp.
  - Added libeconf support to pam_env and pam_shells.
  - Added vendor directory support to pam_access, pam_env, pam_group,
    pam_faillock, pam_limits, pam_namespace, pam_pwhistory, pam_sepermit,
    pam_shells, and pam_time.
  - pam_limits: changed to not fail on missing config files.
  - pam_pwhistory: added conf= option to specify config file location.
  - pam_pwhistory: added file= option to specify password history file
    location.
  - pam_shells: added shells.d support when libeconf and vendordir are enabled.
  - Deprecated pam_lastlog: this module is no longer built by default because
    it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe,
    even on 64bit architectures.
    pam_lastlog will be removed in one of the next releases, consider using
    pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or
    pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
  - Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply()
    macros provided by _pam_macros.h; the memory override performed by these
    macros can be optimized out by the compiler and therefore can no longer
    be relied upon.

OBS-URL: https://build.opensuse.org/request/show/1085746
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=277
2023-05-09 16:04:51 +00:00
Thorsten Kukuk
81568528fd Accepting request 1080765 from home:kukuk:cleanup
- pam-extra: add split provide

OBS-URL: https://build.opensuse.org/request/show/1080765
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=276
2023-04-20 10:12:45 +00:00
Thorsten Kukuk
e1066a3a40 Accepting request 1078636 from home:kukuk:cleanup
- pam-userdb: add split provide

OBS-URL: https://build.opensuse.org/request/show/1078636
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=275
2023-04-12 11:48:48 +00:00
Thorsten Kukuk
f6b50ba88e Accepting request 1078360 from home:kukuk:cleanup
- Drop pam-xauth_ownership.patch, got fixed in sudo itself
- Drop pam-bsc1177858-dont-free-environment-string.patch, was a 
  fix for above patch

- Use bcond selinux to disable SELinux
- Remove old pam_unix_* compat symlinks
- Move pam_userdb to own pam-userdb sub-package
- pam-extra contains now modules having extended dependencies like
  libsystemd
- Update to 1.5.3.90 git snapshot
- Drop merged patches:
  - pam-git.diff
  - docbook5.patch
  - pam_pwhistory-docu.patch
  - pam_xauth_data.3.xml.patch
- Drop Linux-PAM-1.5.2.90.tar.xz as we have to rebuild all
  documentation anyways and don't use the prebuild versions
- Move all devel manual pages to pam-manpages, too. Fixes the
  problem that adjusted defaults are not shown correctly.

  docbook5
- For buggy bot: Makefile-pam_unix-nis.diff belonged to the other
- add macros.pam to abstract directory for pam modules
- pam-limit-nproc.patch: increased process limit to help
  Chrome/Chromium users with really lots of tabs. New limit gets
- Update to current git (Linux-PAM-git-20140127.diff), which
- Explicitly add pam_systemd.so to list of modules in
- Remove pam_unix-login.defs.diff, not needed anymore
- Added libtool as BuildRequire, and autoreconf -i option to fix
  * manpage is left intact, as it was

OBS-URL: https://build.opensuse.org/request/show/1078360
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=274
2023-04-11 08:24:03 +00:00
Thorsten Kukuk
d8677436cd - Add common-session-nonlogin and postlogin-* pam.d config files
  for https://github.com/SUSE/pam-config/pull/16, pam_lastlog2
  and upcoming pam_wtmpdb.

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=273
2023-03-20 10:36:11 +00:00
b0799e0d72 Accepting request 1070768 from home:gbelinassi
- Enable livepatching support on x86_64.

OBS-URL: https://build.opensuse.org/request/show/1070768
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=272
2023-03-15 09:05:09 +00:00
7d61bc6b2a Accepting request 1060632 from home:schubi2
OBS-URL: https://build.opensuse.org/request/show/1060632
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=271
2023-01-25 10:56:16 +00:00
Dominique Leuenberger
a19e1ad91c - Also obsolete pam_unix-32bit to have clean upgrade path.
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=270
2022-12-24 13:32:42 +00:00
Thorsten Kukuk
0d564d8dbe Accepting request 1043306 from home:kukuk:tiu
- Merge pam_unix back into pam, separate package not needed anymore

- Update pam-git.diff to current upstream
  - pam_env: Use vendor specific pam_env.conf and environment as fallback
  - pam_shells: Use the vendor directory
  obsoletes pam_env_econf.patch
- Refresh docbook5.patch

OBS-URL: https://build.opensuse.org/request/show/1043306
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=268
2022-12-16 09:50:49 +00:00
Thorsten Kukuk
5aa4f5ad81 Accepting request 1041655 from home:kukuk:tiu
- pam_pwhistory-docu.patch, docbook5.patch: convert docu to
  docbook5 
- pam-git.diff: update to current git
  - obsoletes pam-hostnames-in-access_conf.patch
  - obsoletes tst-pam_env-retval.c
- pam_env_econf.patch refresh

OBS-URL: https://build.opensuse.org/request/show/1041655
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=267
2022-12-08 14:52:25 +00:00
Thorsten Kukuk
f8d6ec4fd6 Accepting request 1037574 from home:kukuk:tiu
- Move pam_env config files below /usr/etc

OBS-URL: https://build.opensuse.org/request/show/1037574
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=266
2022-11-23 12:21:53 +00:00
Thorsten Kukuk
7c469f81fb Accepting request 1010229 from home:schubi2
- pam_env: Using libeconf for reading configuration and environment
  files. (Patch: pam_env_econf.patch; Testcase: tst-pam_env-retval.c)

OBS-URL: https://build.opensuse.org/request/show/1010229
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=265
2022-10-13 11:58:41 +00:00
Thorsten Kukuk
a7257563cb Accepting request 1010118 from home:schubi2
- pam_env: Using libeconf for reading configuration and environment
  files.

OBS-URL: https://build.opensuse.org/request/show/1010118
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=264
2022-10-12 09:48:57 +00:00
Thorsten Kukuk
99fd8d508e Accepting request 983463 from home:kukuk:tiu
- Keep old directory in filelist for migration

OBS-URL: https://build.opensuse.org/request/show/983463
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=263
2022-06-17 15:30:56 +00:00
Thorsten Kukuk
d59ee3f1e1 - Move PAM config files from /usr/etc/pam.d to /usr/lib/pam.d
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=260
2022-06-01 11:43:49 +00:00
Thorsten Kukuk
656f9b5474 Accepting request 961064 from home:kukuk:tiu
- pam-hostnames-in-access_conf.patch: update with upstream
  submission. Fixes several bugs including memory leaks.
- Move group.conf and faillock.conf to /usr/etc/security
- Update to current git for enhanced vendordir support (pam-git.diff)
  Obsoletes:
  - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
  - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
  - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch

OBS-URL: https://build.opensuse.org/request/show/961064
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=259
2022-03-11 11:29:42 +00:00
Thorsten Kukuk
945f25a7ae Accepting request 940243 from home:kukuk:tiu
- Drop pam_umask-usergroups-login_defs.patch, does more harm
  than helps. If not explicitly specified as module option, we
  use UMASK from login.defs unmodified.

OBS-URL: https://build.opensuse.org/request/show/940243
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=258
2021-12-13 13:17:12 +00:00
Thorsten Kukuk
4b7b9d93e4 Accepting request 934493 from home:kukuk:tiu
- Don't define doc/manpages packages in main build

OBS-URL: https://build.opensuse.org/request/show/934493
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=257
2021-11-29 09:46:08 +00:00
Thorsten Kukuk
16f5bfc375 Accepting request 933489 from home:kukuk:tiu
- Add missing recommends and split provides
- Use multibuild to build docu with correct paths and available
  features.
- common-session: move pam_systemd to first position as if the
  file would have been generated with pam-config
- Add vendordir fixes and enhancements from upstream:
  - pam_xauth_data.3.xml.patch
  - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
  - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
  - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
- For buggy bot: Makefile-pam_unix-nis.diff belonged to the other 
  spec file.
- Update pam-login_defs-check.sh regexp and
  login_defs-support-for-pam symbol to version 1.5.2
  (new variable HMAC_CRYPTO_ALGO).
- Add /run/pam_timestamp to pam.tmpfiles
- Corrected macro definition of %_pam_moduledir:
  %_pam_moduledir %{_libdir}/security
  [macros.pam]
- Prepend a slash to the expansion of %{_lib} in macros.pam as
  these are defined without a leading slash!
- Rename motd.tmpfiles to pam.tmpfiles
  - Add /run/faillock directory
- pam-login_defs-check.sh: adjust for new login.defs variable usages
- Update to 1.5.2
  Noteworthy changes in Linux-PAM 1.5.2:
  * pam_exec: implemented quiet_log option.
  * pam_mkhomedir: added support of HOME_MODE and UMASK from
    /etc/login.defs.
  * pam_timestamp: changed hmac algorithm to call openssl instead
    of the bundled sha1 implementation if selected, added option
    to select the hash algorithm to use with HMAC.
  * Added pkgconfig files for provided libraries.
  * Added --with-systemdunitdir configure option to specify systemd
    unit directory.
  * Added --with-misc-conv-bufsize configure option to specify the
    buffer size in libpam_misc's misc_conv() function, raised the
    default value for this parameter from 512 to 4096.
  * Multiple minor bug fixes, portability fixes, documentation
    improvements, and translation updates.
  pam_tally2 has been removed upstream, remove pam_tally2-removal.patch
  pam_cracklib has been removed from the upstream sources. This
  obsoletes pam-pam_cracklib-add-usersubstr.patch and
  pam_cracklib-removal.patch.
  The following patches have been accepted upstream and, so,
  are obsolete:
  - pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
  - pam_securetty-don-t-complain-about-missing-config.patch
  - bsc1184358-prevent-LOCAL-from-being-resolved.patch
  - revert-check_shadow_expiry.diff
  [Linux-PAM-1.5.2-docs.tar.xz, Linux-PAM-1.5.2-docs.tar.xz.asc,
   Linux-PAM-1.5.2.tar.xz, Linux-PAM-1.5.2.tar.xz.asc,
   pam-pam_cracklib-add-usersubstr.patch, pam_cracklib-removal.patch,
   pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch,
   pam_securetty-don-t-complain-about-missing-config.patch,
   bsc1184358-prevent-LOCAL-from-being-resolved.patch,
   revert-check_shadow_expiry.diff]
- pam_umask-usergroups-login_defs.patch: Deprecate pam_umask
  explicit "usergroups" option and instead read it from login.def's
  "USERGROUP_ENAB" option if umask is only defined there.
  [bsc#1189139]
- package man5/motd.5 as a man-pages link to man8/pam_motd.8
  [bsc#1188724]
- revert-check_shadow_expiry.diff: revert wrong
  CRYPT_SALT_METHOD_LEGACY check.
- Create /run/motd.d
- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff)
- Backport patch to not install /usr/etc/securetty (boo#1033626) ie
  no distro defaults and don't complain about it missing
  (pam_securetty-don-t-complain-about-missing-config.patch)
- add debug bcond to be able to build pam with debug output easily
- add macros file to allow other packages to stop hardcoding
  directory names. Compatible with Fedora.
- In the 32-bit compatibility package for 64-bit architectures,
  require "systemd-32bit" to be also installed as it contains
  pam_systemd.so for 32 bit applications.
  [bsc#1185562, baselibs.conf]
- If "LOCAL" is configured in access.conf, and a login attempt from
  a remote host is made, pam_access tries to resolve "LOCAL" as
  a hostname and logs a failure.
  Checking explicitly for "LOCAL" and rejecting access in this case
  resolves this issue.
  [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch]
- pam_limits: "unlimited" is not a legitimate value for "nofile"
  (see setrlimit(2)). So, when "nofile" is set to one of the
  "unlimited" values, it is set to the contents of
  "/proc/sys/fs/nr_open" instead.
  Also changed the manpage of pam_limits to express this.
  [bsc#1181443, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch]
- Add missing conflicts for pam_unix-nis
- Split out pam_unix module and build without NIS support
- Update to 1.5.1
  - pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
    doesn't exist and root password is blank [bsc#1179166]
  - pam_faillock: added nodelay option to not set pam_fail_delay
  - pam_wheel: use pam_modutil_user_in_group to check for the group membership
    with getgrouplist where it is available
- add macros.pam to abstract directory for pam modules 
- Update to 1.5.0
  - obsoletes pam-bsc1178727-initialize-daysleft.patch
  - Multiple minor bug fixes, portability fixes, and documentation improvements.
  - Extended libpam API with pam_modutil_check_user_in_passwd function.
  - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
  - pam_motd: read motd files with target user credentials skipping unreadable ones.
  - pam_pwhistory: added a SELinux helper executable.
  - pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
  - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
  - pam_env: Reading of the user environment is deprecated and will be removed
             at some point in the future.
  - libpam: pam_modutil_drop_priv() now correctly sets the target user's
    supplementary groups, allowing pam_motd to filter messages accordingly
- Refresh pam-xauth_ownership.patch
- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package
- pam_cracklib: added code to check whether the password contains
  a substring of the user's name of at least <N> characters length
  in some form.
  This is enabled by the new parameter "usersubstr=<N>"
  See bfef79dbe6
  [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch]
- pam_xauth.c: do not free() a string which has been (successfully)
  passed to putenv().
  [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch]
- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft"
  to avoid spurious (and misleading)
      Warning: your password will expire in ... days.
  fixed upstream with commit db6b293046a
  [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch]
- Enable pam_faillock [bnc#1171562]
- prepare usrmerge (boo#1029961, pam-usrmerge.diff)
- /usr/bin/xauth chokes on the old user's $HOME being on an NFS
  file system. Run /usr/bin/xauth using the old user's uid/gid
  Patch courtesy of Dr. Werner Fink.
  [bsc#1174593, pam-xauth_ownership.patch]
- pam-login_defs-check.sh: Fix the regexp to get a real variable
  list (boo#1164274).
- Revert the previous change [SR#815713].
  The group is not necessary for PAM functionality but used only
  during testing. The test system should therefore create this group.
  [bsc#1171016, pam.spec]
- Add requirement for group "wheel" to spec file.
  [bsc#1171016, pam.spec]
- Update to final 1.4.0 release
  - includes pam-check-user-home-dir.patch
  - obsoletes fix-man-links.dif
- common-password: remove pam_cracklib, as that is deprecated.
- pam_setquota.so:
  When setting quota, don't apply any quota if the user's $HOME is
  a mountpoint (ie the user has a partition of his/her own).
  [bsc#1171721, pam-check-user-home-dir.patch]
- Update to current Linux-PAM snapshot
  - pam_tally* and pam_cracklib got deprecated
- Disable pam_faillock and pam_setquota until they are whitelisted
- Adapted patch pam-hostnames-in-access_conf.patch for new version
  New version obsoleted patch use-correct-IP-address.patch
  [pam-hostnames-in-access_conf.patch,
   use-correct-IP-address.patch]
- Update to current Linux-PAM snapshot
  - Obsoletes pam_namespace-systemd.diff
- Update to current Linux-PAM snapshot
  - Add pam_faillock
  - Multiple minor bug fixes and documentation improvements
  - Fixed grammar of messages printed via pam_prompt
  - Added support for a vendor directory and libeconf
  - configure: Allowed disabling documentation through --disable-doc
  - pam_get_authtok_verify: Avoid duplicate password verification
  - pam_env: Changed the default to not read the user .pam_environment file
  - pam_group, pam_time: Fixed logical error with multiple ! operators
  - pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
  - pam_lastlog: Do not log info about failed login if the session was opened
                 with PAM_SILENT flag
  - pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
  - pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
                 limit
  - pam_motd: Export MOTD_SHOWN=pam after showing MOTD
  - pam_motd: Support multiple motd paths specified, with filename overrides
  - pam_namespace: Added a systemd service, which creates the namespaced
                   instance parent directories during boot
  - pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
  - pam_shells: Recognize /bin/sh as the default shell
  - pam_succeed_if: Support lists in group membership checks
  - pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
  - pam_umask: Added new 'nousergroups' module argument and allowed specifying
               the default for usergroups at build-time
  - pam_unix: Added 'nullresetok' option to allow resetting blank passwords
  - pam_unix: Report unusable hashes found by checksalt to syslog
  - pam_unix: Support for (gost-)yescrypt hashing methods
  - pam_unix: Use bcrypt b-variant when bcrypt is chosen
  - pam_usertype: New module to tell if uid is in login.defs ranges
  - Added new API call pam_start_confdir() for special applications that
    cannot use the system-default PAM configuration paths and need to
    explicitly specify another path
- pam_namespace-systemd.diff: fix path of pam_namespace.services
- own /usr/lib/motd.d/ so other packages can add files there
- Listed all manual pages separately as pam_userdb.8 has been moved
  to pam-extra.
  Also %exclude %{_defaultdocdir}/pam as the docs are in a separate
  package.
  [pam.spec]
- pam_userdb moved to a new package pam-extra as pam-modules
  is obsolete and not part of SLE.
  [bsc#1166510, pam.spec]
- Removed pam_userdb from this package and moved to pam-modules.
  This removed the requirement for libdb.
  Also made "xz" required for all releases.
  Remove limits for nproc from /etc/security/limits.conf
  [bsc#1164562, bsc#1166510, bsc#1110700, pam.spec]
- Recommend login.defs only (no hard requirement)
- Update to version 1.3.1+git20190923.ea78d67:
  * Fixed missing quotes in configure script
  * Add support for a vendor directory and libeconf (#136)
  * pam_lastlog: document the 'unlimited' option
  * pam_lastlog: prevent crash due to reduced 'fsize' limit
  * pam_unix_sess.c add uid for opening session
  * Fix the man page for "pam_fail_delay()"
  * Fix a typo
  * Update a function comment
- drop usr-etc-support.patch (accepted upstream)
- Add migration support from /etc to /usr/etc during upgrade
- Update to version 1.3.1+git20190902.9de67ee:
  * pwhistory: fix read of uninitialized data and memory leak when modifying opasswd
- Update to version 1.3.1+git20190826.1b087ed:
  * libpam/pam_modutil_sanitize.c: optimize the way to close fds
- Replace old $RPM_* shell vars by macros.
- Avoid unnecessary invocation of subshells.
- Shorten recipe for constructing securetty contents on s390.
- usr-etc-support.patch: Add support for /usr/etc/pam.d
- encryption_method_nis.diff: obsolete, NIS clients shouldn't
  require DES anymore.
- etc.environment: removed, the sources contain the same
- Update to version 1.3.1+git20190807.e31dd6c:
  * pam_tty_audit: Manual page clarification about password logging
  * pam_get_authtok_verify: Avoid duplicate password verification
  * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
  * pam_unix: Correct MAXPASS define name in the previous two commits.
  * Restrict password length when changing password
  * Trim password at PAM_MAX_RESP_SIZE chars
  * pam_succeed_if: Request user data only when needed
  * pam_tally2: Remove unnecessary fsync()
  * Fixed a grammer mistake
  * Fix documentation for pam_wheel
  * Fix a typo in the documentation
  * pam_lastlog: Improve silent option documentation
  * pam_lastlog: Respect PAM_SILENT flag
  * Fix regressions from the last commits.
  * Replace strndupa with strncpy
  * build: ignore pam_lastlog when logwtmp is not available.
  * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
  * pam_motd: Cleanup the code and avoid unnecessary logging
  * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
  * Move the duplicated search_key function to pam_modutil.
  * pam_unix: Use pam_syslog instead of helper_log_err.
  * pam_unix: Report unusable hashes found by checksalt to syslog.
  * Revert "pam_unix: Add crypt_default method, if supported."
  * pam_unix: Add crypt_default method, if supported.
  * Revert part of the commit 4da9febc
  * pam_unix: Add support for (gost-)yescrypt hashing methods.
  * pam_unix: Fix closing curly brace. (#77)
  * pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
  * pam_unix: Prefer a gensalt function, that supports auto entropy.
  * pam_motd: Fix segmentation fault when no motd_dir specified (#76)
  * pam_motd: Support multiple motd paths specified, with filename overrides (#69)
  * pam_unix: Use bcrypt b-variant for computing new hashes.
  * pam_tally, pam_tally2: fix grammar and spelling (#54)
  * Fix grammar of messages printed via pam_prompt
  * pam_stress: do not mark messages for translation
  * pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
  * pam_unix: remove obsolete _unix_read_password prototype
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check pam-login_defs-check.sh
  (bsc#1121197).
- When comparing an incoming IP address with an entry in
  access.conf that only specified a single host (ie no netmask),
  the incoming IP address was used rather than the IP address from
  access.conf, effectively comparing the incoming address with
  itself.  (Also fixed a small typo while I was at it)
  [bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953]
- Upgrade to 1.3.1
  * pam_motd: add support for a motd.d directory
  * pam_umask: Fix documentation to align with order of loading umask
  * pam_get_user.3: Fix missing word in documentation
  * pam_tally2 --reset: avoid creating a missing tallylog file
  * pam_mkhomedir: Allow creating parent of homedir under /
  * access.conf.5: Add note about spaces around ':'
  * pam.8: Workaround formatting problem
  * pam_unix: Check return value of malloc used for setcred data
  * pam_cracklib: Drop unused prompt macros
  * pam_tty_audit: Support matching users by uid range
  * pam_access: support parsing files in /etc/security/access.d/*.conf
  * pam_localuser: Correct documentation
  * pam_issue: Fix no prompting in parse escape codes mode
  * Unification and cleanup of syslog log levels
  Also: removed nproc limit, referred to systemd instead.
  Patch5 (pam-fix-config-order-in-manpage.patch) not needed any more.
  [bsc#1112508, pam-fix-config-order-in-manpage.patch]
- Add libdb as build-time dependency to enable pam_userdb module.
  This module is useful for implementing virtual user support for
  vsftpd and possibly other daemons, too. [bsc#929711, fate#322538]
- Install empty directory /etc/security/namespace.d for
  pam_namespace.so iscript.
- pam_umask.8 needed to be patched as well.
  [bsc#1089884, pam-fix-config-order-in-manpage.patch]
- Changed order of configuration files to reflect actual code.
  [bsc#1089884, pam-fix-config-order-in-manpage.patch]
- Use %license (boo#1082318)
- Prerequire group(shadow), user(root)
- Allow symbolic hostnames in access.conf file.
  [pam-hostnames-in-access_conf.patch, boo#1019866]
- Increased nproc limits for non-privileged users to 4069/16384.
  Removed limits for "root".
  [pam-limit-nproc.patch, bsc#1012494, bsc#1013706]
- pam-limit-nproc.patch: increased process limit to help 
  Chrome/Chromium users with really lots of tabs. New limit gets
  closer to UserTasksMax parameter in logind.conf
- Add doc directory to filelist.
- Remove obsolete README.pam_tally [bsc#977973]
- Update Linux-PAM to version 1.3.0
- Rediff encryption_method_nis.diff
- Link pam_unix against libtirpc and external libnsl to enable
  IPv6 support.
- Add /sbin/unix2_chkpwd (moved from pam-modules)
- Remove (since accepted upstream):
  - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
  - 0002-Remove-enable-static-modules-option-and-support-from.patch
  - 0003-fix-nis-checks.patch
  - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
  - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
- Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
  - Replace IPv4 only functions
- Fix typo in common-account.pamd [bnc#959439]
- Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
  - readd PAM_EXTERN for external PAM modules
- Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
- Add 0002-Remove-enable-static-modules-option-and-support-from.patch
- Add 0003-fix-nis-checks.patch
- Add folder /etc/security/limits.d as mentioned in 'man pam_limits'
- Update to version 1.2.1
  - security update for CVE-2015-3238
- Update to version 1.2.0
  - obsoletes Linux-PAM-git-20150109.diff
- Re-add lost patch encryption_method_nis.diff [bnc#906660]
- Update to current git:
  - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff
  - obsoletes pam_loginuid-log_write_errors.diff
  - obsoletes pam_xauth-sigpipe.diff
  - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch
- increase process limit to 1200 to help chromium users with many tabs
- limit number of processes to 700 to harden against fork-bombs
  Add pam-limit-nproc.patch
- Fix CVE-2014-2583: pam_timestamp path injection (bnc#870433)
  bug-870433_pam_timestamp-fix-directory-traversal.patch
- adding sclp_line0/ttysclp0 to /etc/securetty on s390 (bnc#869664)
- Add pam_loginuid-log_write_errors.diff: log significant loginuid
  write errors
- pam_xauth-sigpipe.diff: avoid potential SIGPIPE when writing to
  xauth process
- Update to current git (Linux-PAM-git-20140127.diff), which 
  obsoletes pam_loginuid-part1.diff, pam_loginuid-part2.diff and
  Linux-PAM-git-20140109.diff.
  - Fix gratuitous use of strdup and x_strdup
  - pam_xauth: log fatal errors preventing xauth process execution
  - pam_loginuid: cleanup loginuid buffer initialization
  - libpam_misc: fix an inconsistency in handling memory allocation errors
  - pam_limits: fix utmp->ut_user handling
  - pam_mkhomedir: check and create home directory for the same user
  - pam_limits: detect and ignore stale utmp entries
- Disable pam_userdb (remove db-devel from build requires)
- Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid
- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc
- Update to current git (Linux-PAM-git-20140109.diff, which
  replaces pam_unix.diff and encryption_method_nis.diff)
  - pam_access: fix debug level logging
  - pam_warn: log flags passed to the module
  - pam_securetty: check return value of fgets
  - pam_lastlog: fix format string
  - pam_loginuid: If the correct loginuid is already set, skip writing it
- common-session.pamd: add missing newline
- Remove libtrpc support to solve dependency/build cycles, plain
  glibc is enough for now.
- Add encryption_method_nis.diff:
  - implement pam_unix2 functionality to use another hash for
    NIS passwords.
- Add pam_unix.diff:
  - fix if /etc/login.defs uses DES
  - ask always for old password if a NIS password will be changed
- fix manpages links (bnc#842872) [fix-man-links.dif]
- Explicitly add pam_systemd.so to list of modules in 
  common-session.pamd (bnc#812462)
- Update to official release 1.1.8 (1.1.7 + git-20130916.diff)
- Remove needless pam_tally-deprecated.diff patch
- Replace fix-compiler-warnings.diff with current git snapshot
  (git-20130916.diff) for pam_unix.so:
  - fix glibc warnings
  - fix syntax error in SELinux code
  - fix crash at login
- Remove pam_unix-login.defs.diff, not needed anymore 
- Update to version 1.1.7 (bugfix release)
  - Drop missing-DESTDIR.diff and pam-fix-includes.patch
  - fix-compiler-warnings.diff: fix unchecked setuid return code
- adding hvc0-hvc7 to /etc/securetty on s390 (bnc#718516)
- Fix typo in common-password [bnc#821526]
- Added libtool as BuildRequire, and autoreconf -i option to fix 
  build with new automake
- Update pam_unix-login.defs.diff patch to the final upstream
  version.
- Adjust URL
- Add set_permission macro and PreReq
- Read default encryption method from /etc/login.defs
  (pam_unix-login.defs.diff)
- Remove deprecated pam_tally.so module, it's too buggy and can
  destroy config and log files.
- Sync common-*.pamd config with pam-config (use pam_unix.so as
  default).
- Fix building in Factory (add patch missing-DESTDIR.diff)
- Update to Linux-PAM 1.1.6
  - Update translations
  - pam_cracklib: Add more checks for weak passwords
  - pam_lastlog: Never lock out root
  - Lot of bug fixes and smaller enhancements
- Include correct headers for getrlimit (add patch pam-fix-includes.patch).
- Update homepage URL in specfile
- Update to new upstream release 1.1.5
* pam_env: Fix CVE-2011-3148: correctly count leading whitespace
  when parsing environment file in pam_env
* Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in
  pam_env
* pam_access: Add hostname resolution cache
- pam_tally2: remove invalid options from manpage (bnc#726071)
- fix possible overflow and DOS in pam_env (bnc#724480)
  CVE-2011-3148, CVE-2011-3149
- Update to version 1.1.4
  * pam_securetty: Honour console= kernel option, add noconsole option
  * pam_limits: Add %group syntax, drop change_uid option, add set_all option
  * Lot of small bug fixes
  * Add support for libtirpc
- Build against libtirpc
- license update: GPL-2.0+ or BSD-3-Clause
  Updating to spdx.org/licenses syntax as legal-auto for some reason did
  not accept the previous spec file license
- Remove libxcrypt-devel from BuildRequires
- bnc#673826 rework
  * manpage is left intact, as it was 
  * correct parsing of "quiet" option
- fix for bnc#673826 (pam_listfile)
  * removed unnecessary logging when listfile is missing and quiet
    option is specified
  * manpage is also updated, to reflect that all options
    require values
- Update to Linux-PAM 1.1.3
  - fixes CVE-2010-3853, CVE-2010-3431, CVE-2010-3430
  - pam_unix: Add minlen option, change default from 6 to 0
- Update to Linux-PAM 1.1.2
- use %_smp_mflags
- Update to current CVS version (pam_rootok: Add support for 
  chauthtok and acct_mgmt, [bnc#533249])
- Install correct documentation
- Update to Linux-PAM 1.1.1 (bug fix release)
- add baselibs.conf as a source
- enable parallel building
- Add fixes from CVS
- Update to final version 1.1.0 (spelling fixes)
- Update to version 1.0.92:
  * Update translations
  * pam_succeed_if: Use provided username
  * pam_mkhomedir: Fix handling of options
- Remove cracklib-dict-full and pwdutils BuildRequires again.
- Update to version 1.0.91 aka 1.1 Beta2:
  * Changes in the behavior of the password stack. Results of 
    PRELIM_CHECK are not used for the final run.
  * Redefine LOCAL keyword of pam_access configuration file
  * Add support for try_first_pass and use_first_pass to 
    pam_cracklib
  * New password quality tests in pam_cracklib
  * Add support for passing PAM_AUTHTOK to stdin of helpers from 
    pam_exec
  * New options for pam_lastlog to show last failed login attempt and
    to disable lastlog update
  * New pam_pwhistory module to store last used passwords
  * New pam_tally2 module similar to pam_tally with wordsize independent
    tally data format, obsoletes pam_tally
  * Make libpam not log missing module if its type is prepended with '-'
  * New pam_timestamp module for authentication based on recent successful
    login.
  * Add blowfish support to pam_unix.
  * Add support for user specific environment file to pam_env.
  * Add pam_get_authtok to libpam as Linux-PAM extension.
- use sr@latin instead of sr@Latn
- Log failures of setrlimit in pam_limits [bnc#448314]
- Fix using of requisite in password stack [bnc#470337]
- Regenerate documentation [bnc#448314]
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
  (bnc#437293)
- obsolete old -XXbit packages (bnc#437293)
- enhance the man page for limits.conf (bnc#448314) 
- pam_time: fix parsing if '|' is used [bdo#326407]
- pam_xauth: update last patch
- pam_pwhistory: add missing type option
- pam_xauth: put XAUTHLOCALHOSTNAME into new environment
  (bnc#441314) 
- Add pam_tally2
- Regenerate Documentation
- Enhance pam_lastlog with status output
- Add pam_pwhistory as tech preview
- pam_tally: fix fd leak
- pam_mail: fix "quiet" option
- Update to version 1.0.2 (fix SELinux regression)
- enhance pam_tally [FATE#303753]
- Backport fixes from CVS
- enabled SELinux support [Fate#303662]
- Update to version 1.0.1:
  - Fixes regression in pam_set_item().
- added baselibs.conf file to build xxbit packages
  for multilib support
- Remove devfs lines from securetty [bnc#372241]
- Update to version 1.0.0:
  - Official first "stable" release
  - bug fixes
  - translation updates
- Update to version 0.99.10.0:
  - New substack directive in config file syntax
  - New module pam_tty_audit.so for enabling and disabling tty
    auditing
  - New PAM items PAM_XDISPLAY and PAM_XAUTHDATA
  - Improved functionality of pam_namespace.so module (method flags,
    namespace.d configuration directory, new options).
  - Finally removed deprecated pam_rhosts_auth module.
- Update to version 0.99.9.0:
  - misc_conv no longer blocks SIGINT; applications that don't want
    user-interruptible prompts should block SIGINT themselves
  - Merge fixes from Debian
  - Fix parser for pam_group and pam_time
- Update to version 0.99.8.1:
  - Fix regression in pam_audit
- Update to version 0.99.8.0:
  - Add translations for ar, ca, da, ru, sv and zu.
  - Update Hungarian translation.
  - Add support for limits.d directory to pam_limits.
  - Add minclass option to pam_cracklib
  - Add new group syntax to pam_access
- move the documentation into a separate package (pam-doc)
  [partly fixes Bug #265733]
- add flex and bison BuildRequires
- add %verify_permissions for /sbin/unix_chkpwd
  [#237625] 
- Update to Version 0.99.7.1 (security fix)
- Update to Version 0.99.7.0
  * Add manual page for pam_unix.so.
  * Add pam_faildelay module to set pam_fail_delay() value.
  * Fix possible seg.fault in libpam/pam_set_data().
  * Cleanup of configure options.
  * Update Hungarian translation, fix German translation.
- install unix_chkpwd setuid root instead of setgid shadow (#216816)
- pam_unix.so/unix_chkpwd: teach about blowfish [#213929]
- pam_namespace.so: Fix two possible buffer overflow
- link against libxcrypt
- Update Hungarian translation [#210091]
- Don't remove pam_unix.so
- Use cracklib again (got lost with one of the last cleanups)
- Add pam_umask.so to common-session [Fate#3621]
- Update to Linux-PAM 0.99.6.3 (merges all patches)
- Update to Linux-PAM 0.99.6.2 (incorporate last change)
- Add pam_loginuid and fixes from CVS [Fate#300486]
- Fix seg.fault in pam_cracklib if retyped password is empty
- Remove use_first_pass from pam_unix2.so in password section
- Update to Linux-PAM 0.99.6.1 (big documentation update)
- Add missing namespace.init script
- Reenable audit subsystem [Fate#300486]
- Update to Linux-PAM 0.99.5.0 (more manual pages, three new PAM
  modules: pam_keyinit, pam_namespace, pam_rhosts)
- Update to current CVS (lot of new manual pages and docu)
- Update to Linux-PAM 0.99.4.0 (merge all patches and translations)
- Fix problems found by Coverity
- Don't strip binaries.
- Fix pam_tally LFS support [#172492]
- Update fr.po and pl.po
- Update km.po
- Remove obsolete pam-laus from the system
- Update translations for pt, pl, fr, fi and cs
- Add translation for uk
- Update hu.po
- Add translation for tr
- Fix order of NULL checks in pam_get_user
- Fix comment in pam_lastlog for translators to be visible in
  pot file
- Docu update, remove pam_selinux docu
- Update km translation
- pam_lastlog: 
  - Initialize correct struct member [SF#1427401]
  - Mark strftime fmt string for translation [SF#1428269]
- Update more manual pages
- really disable audit if header file not present 
- Update fi.po
- Add km.po 
- Update pl.po
- Update with better manual pages
- Add translation for nl, update pt translation
- Move devel manual pages to -devel package
- Mark PAM config files as noreplace
- Mark /etc/securetty as noreplace
- Run ldconfig
- Fix libdb/ndbm compat detection with gdbm
- Adjust german translation
- Add all services to pam_listfile
- converted neededforbuild to BuildRequires
- Update to Linux-PAM 0.99.3.0 release candidate tarballs
  (new translations)
- Fix NULL handling for LSB-pam test suite [#141240]
- Fix usage of PAM_AUTHTOK_RECOVER_ERR vs. PAM_AUTHTOK_RECOVERY_ERR
- NULL is allowed as third argument for pam_get_item [#141240]
- Add fixes from CVS
- Fix pam_lastlog: don't report error on first login
- Update to 0.99.2.1
- Add /etc/environment to avoid warnings in syslog
- disable SELinux
- Update getlogin() fix to final one
- Fix PAM getlogin() implementation
- Update to official 0.99.2.0 release
- Update to new snapshot
- Enable original pam_wheel module
- Update to current CVS
- Compile libpam_misc with -fno-strict-aliasing
- Update to current CVS
- Fix compiling of pammodutil with -fPIC
- Update to current CVS
- Update to new snapshot (Major version is back to 0)
- Update to Linux-PAM 0.99.0.3 snapshot
- Add pam_umask
- Update to current CVS snapshot
- Update to current CVS snapshot
- Add pam_loginuid
- Update to current CVS snapshot
- Don't reset priority [#81690]
- Fix creating of symlinks
- Update to current CVS snapshot
- Real fix for [#82687] (don't include kernel header files)
- Bug 82687 - pam_client.h redefines __u8 and __u32 
- Apply lot of fixes from CVS (including SELinux support)
- Update to final 0.79 release
- Apply patch for pam_xauth to preserve DISPLAY variable [#66885]
- Compile with large file support
- Made patch of latest CVS tree
- Removed patch pam_handler.diff ( included in CVS now ) 
- moved Linux-PAM-0.78.dif to pam_group_time.diff
- Fix seg.fault, if a PAM config line is incomplete
- Update to final 0.78
- Add pam_env.so to common-auth
- Add pam_limit.so to common-session
- Update to 0.78-Beta1
- Create pam.d/common-{auth,account,password,session} and include
  them in pam.d/other
- Update to current CVS version of upcoming 0.78 release
- Update "code cleanup" patch
- Disable reading of /etc/environment in pam_env.so per default
- Reenable a "fixed" version of "code cleanup" patch
- Use pam_wheel from pam-modules package
- Disable "code cleanup" patch (no more comments about security
  fixes)
- Apply big "code cleanup" patch [Bug #39673]
- pam_wheel: Use original getlogin again, PAM internal does not
  work without application help [Bug #35682]
- We no longer have pam in the buildsystem, so we 
  need some buildroot magic flags for the dlopen tests.
- Cleanup neededforbuild
- Add manual pages from SLES8
- Fix installing manual pages of modules
- Remove pthread check (db is now linked against pthread)
- Merge with current CVS
- Apply bug fixes from bugtracking system
- Build as normal user
- Compile with noexecstack
- Fix pam_securetty CVS patch
- Sync with current CVS version
- Add patch to implement "include" statement in pamd files
- added ttyS1 (VT220) to securetty on s390* (bug #29239)
- Apply lot of fixes for various problems
- Fix getlogin handling in pam_wheel.so
- added cracklib-devel to neededforbuild 
- Update pam_localuser and pam_xauth.
- Update to Linux-PAM 0.77 (minor bug fixes and enhancements)
- changed neededforbuild <sp> to <opensp>
- changed securetty / use extra file 
- 390: standard console (4,64)/ttyS0 ->only ttyS0 in /etc/securetty
- Call password checking helper from pam_unix.so whenever the
  passwd field is invalid.
- Don't build ps and pdf documentation
- pam-devel requires pam [Bug #17543]
- Remove explicit requires
- Update to Linux-PAM 0.76
- Remove reentrant patch for original PAM modules (needs to be
  rewritten for new PAM version)
- Add docu in PDF format
- Fix build on different partitions
- Fix to not own /usr/shar/man/man3
- Add /usr/include/security to pam-devel filelist
- tar option for bz2 is "j" 
- Fix last pam_securetty patch
- Use reentrant getpwnam functions for most modules
- Fix unresolved symbols in pam_access and pam_userdb
- libpam_misc: Don't handle Ctrl-D as error.
- Remove SuSEconfig.pam
- Update pam_localuser and pam_xauth
- Add new READMEs about blowfish and cracklib
- Remove pam_unix.so (is part of pam-modules)
- Move extra PAM modules to separate package
- Require pam-modules package
- Move susehelp config file to susehelp package
- changed neededforbuild <sp_libs> to <sp-devel>
- Fixes wrong symlink handling of pam_homecheck [Bug #3905]
- Sync pam_homecheck and pam_unix2 fixes from 7.2
- Always ask for the old password if it is expired
- Cleanup Patches, make tar archive from extra pam modules
- Use LOG_NOTICE for trace option [Bug #7673]
- Linux-PAM: link pam_access against libnsl
- Add pam.conf for susehelp/pam html docu
- Linux-PAM: Update to version 0.75
- Linux-PAM: link libpam_misc against libpam [Bug #6890]
- Linux-PAM: Fix manual pages (.so reference)
- pam_pwcheck: fix Makefile
- Update for Linux-PAM 0.74
- Drop pwdb subpackage
- pam_unix2: Create temp files with permission 0600
- pam_issue.c: include time.h to make it compile 
- Don't print error message about failed initialization from
  pam_limits with kernel 2.2 [Bug #5198]
- Adjust docu for pam_limits
- Adjust docu for pam_pwcheck
- Add fix for pam_limits from 0.73
- Add db-devel to need for build
- Don't link PAM modules against old libpam library 
- Create new "devel" subpackage 
- Add SuSEconfig.pam
- Fix problems with new gcc and glibc 2.2 header files 
- Fix problem with passwords longer than PASS_MAX_LEN
- Add missing PAM modules to filelist
- Fix seg.fault in pam_pwcheck [BUG #3894]
- Clean spec file
- Lot of bug fixes in pam_unix2 and pam_pwcheck
- compress postscript docu
- Move docu to /usr/share/doc/pam
- Fix some bugs in pam_unix2 and pam_pwcheck
- Add pam_homecheck Module
- Add devfs devices to /etc/securetty
- Fix handling of changing passwords to empty one
- Set correct attr for unix_chkpwd and pwdb_chkpwd
- Update pam_pwcheck
- Update pam_unix2
- pwdb: Update to 0.61 
- Add config files and README for md5 passwords
- Update pam_pwcheck
- Update pam_unix2
- Update pam_unix2
- New: pam_pwcheck
- Update to Linux-PAM 0.72
- pam_pwdb: Add security fixes from RedHat 
- Update to Linux-PAM 0.70
- Update to pwdb-0.60
- Fix more pam_unix2 shadow bugs
- Add more PAM fixes
- Implement Password changing request (sp_lstchg == 0)
- ran old prepare_spec on spec file to switch to new prepare_spec.
- Add pam_wheel to file list
- pam_wheel: Minor fixes 
- pam_unix2: root is allowed to change passwords with wrong
             password aging information
- pam_unix2: Fix typo 
- Linux-PAM: Update to version 0.69
- pam_unix2: Root is allowed to use the old password again.
- pam_unix2: Allow root to set an empty password.
- Add HP-UX password aging to pam_unix2. 
- Don't install .cvsignore files
- Make sure, /etc/shadow has the correct rights
- Update to Linux-PAM 0.68
- pam_unix2: more bug fixes
- pam_unix2: Fix "inactive" password
- pam_warn: Add missing functions 
- other.pamd: Update
- Add more doku
- Add securetty config file
- Fix Debian pam_env patch
- Update to Linux-PAM 0.67
- Add Debian pam_env patch 
- pam_ftp malloc (core dump) fix 
- pam_unix2 fixes 
- First PAM package: pam 0.66, pwdb 0.57 and pam_unix2

OBS-URL: https://build.opensuse.org/request/show/933489
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=256
2021-11-24 15:07:30 +00:00
Thorsten Kukuk
3139982e02 Accepting request 933454 from home:kukuk:tiu
- Add missing recommends and split provides

OBS-URL: https://build.opensuse.org/request/show/933454
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=255
2021-11-24 14:34:36 +00:00
Thorsten Kukuk
30c0969bef Accepting request 933444 from home:kukuk:tiu
- Use multibuild to build docu with correct paths and available
  features.
- common-session: move pam_systemd to first position as if the
  file would have been generated with pam-config
- Add vendordir fixes and enhancements from upstream:
  - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
  - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
  - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch

OBS-URL: https://build.opensuse.org/request/show/933444
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=254
2021-11-24 13:43:37 +00:00
Thorsten Kukuk
343fbe4278 Accepting request 931923 from home:sbrabec:branches:Base:System
- Update pam-login_defs-check.sh regexp and
  login_defs-support-for-pam symbol to version 1.5.2
  (new variable HMAC_CRYPTO_ALGO).

OBS-URL: https://build.opensuse.org/request/show/931923
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=253
2021-11-18 14:13:26 +00:00
Josef Möllers
b73acde402 Accepting request 928857 from home:gmbr3:Active
- Add /run/pam_timestamp to pam.tmpfiles

OBS-URL: https://build.opensuse.org/request/show/928857
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=252
2021-11-03 07:33:24 +00:00
Josef Möllers
6f28f708b6 Accepting request 924878 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/924878
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=251
2021-10-18 07:41:15 +00:00
Josef Möllers
ab36e21a01 Accepting request 923464 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/923464
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=250
2021-10-11 06:28:05 +00:00
Thorsten Kukuk
bdff5d34ca - Rename motd.tmpfiles to pam.tmpfiles
- Add /run/faillock directory

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=249
2021-09-15 13:55:27 +00:00
Thorsten Kukuk
3aaba5773b - pam-login_defs-check.sh: adjust for new login.defs variable usages
pam_tally2 has been removed upstream, remove pam_tally2-removal.patch

- Update to version 1.5.2

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=247
2021-09-10 10:28:05 +00:00
Thorsten Kukuk
dc65a6a40a Accepting request 917897 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/917897
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=246
2021-09-10 09:48:01 +00:00
Thorsten Kukuk
c6cae773e2 - pam_umask-usergroups-login_defs.patch: Deprecate pam_umask
explicit "usergroups" option and instead read it from login.def's
  "USERGROUP_ENAB" option if umask is only defined there.
  [bsc#1189139]

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=245
2021-08-12 14:45:10 +00:00
Thorsten Kukuk
39b8fe8e87 Accepting request 909931 from home:pgajdos
- package man5/motd.5 as a man-pages link to man8/pam_motd.8
  [bsc#1188724]

OBS-URL: https://build.opensuse.org/request/show/909931
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=244
2021-08-09 08:32:39 +00:00
Thorsten Kukuk
0fc7ab76cc - revert-check_shadow_expiry.diff: revert wrong
CRYPT_SALT_METHOD_LEGACY check.


OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=242
2021-07-13 13:43:07 +00:00
Thorsten Kukuk
089ed3e485 Accepting request 903070 from home:lnussel:usrmove
- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff)
- Backport patch to not install /usr/etc/securetty (boo#1033626) ie
  no distro defaults and don't complain about it missing
  (pam_securetty-don-t-complain-about-missing-config.patch)
- add debug bcond to be able to build pam with debug output easily
- add macros file to allow other packages to stop hardcoding
  directory names. Compatible with Fedora.

- Remove usrmerged conditional as it's now the default

OBS-URL: https://build.opensuse.org/request/show/903070
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=241
2021-07-09 12:12:20 +00:00
Josef Möllers
dd0389449b Accepting request 902295 from home:gmbr3:Active
- Create /run/motd.d

OBS-URL: https://build.opensuse.org/request/show/902295
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=240
2021-06-25 09:44:49 +00:00
Josef Möllers
55bb007d97 Accepting request 892225 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/892225
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=237
2021-05-17 06:51:34 +00:00
Thorsten Kukuk
24e9b7b6ee Accepting request 883597 from home:jmoellers:branches:Linux-PAM
bsc1184358

OBS-URL: https://build.opensuse.org/request/show/883597
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=236
2021-04-07 13:01:25 +00:00
Josef Möllers
9080c178e7 Accepting request 882509 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/882509
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=235
2021-04-01 08:02:50 +00:00
Thorsten Kukuk
fadf030a46 - Add missing conflicts for pam_unix-nis
- Add missing conflicts for pam_unix

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=234
2021-02-18 22:17:30 +00:00
Thorsten Kukuk
5e8c266a79 Accepting request 872794 from home:kukuk:etc
- Split out pam_unix module and build without NIS support


- Fix split provides and BuildRequires 

- standalone pam_unix with NIS support

OBS-URL: https://build.opensuse.org/request/show/872794
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=232
2021-02-16 10:28:19 +00:00
Thorsten Kukuk
070ad9f4c2 Accepting request 851800 from home:lnussel:usrmove
- add macros.pam to abstract directory for pam modules 

- prepare usrmerge (boo#1029961, pam-usrmerge.diff)

OBS-URL: https://build.opensuse.org/request/show/851800
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=230
2020-12-03 13:58:29 +00:00
Thorsten Kukuk
34431add7d - Update to 1.5.1
- pam_unix: fixed CVE-2020-27780 - authentication bypass when a user
    doesn't exist and root password is blank [bsc#1179166]
  - pam_faillock: added nodelay option to not set pam_fail_delay
  - pam_wheel: use pam_modutil_user_in_group to check for the group membership
    with getgrouplist where it is available

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=229
2020-11-27 09:37:31 +00:00
Thorsten Kukuk
c4daf63ae5 - Update to 1.5.0
- obsoletes pam-bsc1178727-initialize-daysleft.patch
  - Multiple minor bug fixes, portability fixes, and documentation improvements.
  - Extended libpam API with pam_modutil_check_user_in_passwd function.
  - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
  - pam_motd: read motd files with target user credentials skipping unreadable ones.
  - pam_pwhistory: added a SELinux helper executable.
  - pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
  - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
  - pam_env: Reading of the user environment is deprecated and will be removed
             at some point in the future.
  - libpam: pam_modutil_drop_priv() now correctly sets the target user's
    supplementary groups, allowing pam_motd to filter messages accordingly
- Refresh pam-xauth_ownership.patch
- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=228
2020-11-19 15:52:27 +00:00
Josef Möllers
94ef2ca6a9 Accepting request 849367 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/849367
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=226
2020-11-19 11:13:17 +00:00
Josef Möllers
e0f485fa5c Accepting request 848315 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/848315
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=225
2020-11-16 14:19:30 +00:00
Thorsten Kukuk
f65a31291f - Enable pam_faillock [bnc#1171562]
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=224
2020-11-10 12:23:49 +00:00
Josef Möllers
51190216f3 Accepting request 840209 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/840209
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=221
2020-10-08 09:10:15 +00:00
Josef Möllers
ca72e1f704 Accepting request 840140 from home:sbrabec:branches:util-linux-multibuild
- pam-login_defs-check.sh: Fix the regexp to get a real variable
  list (boo#1164274).

OBS-URL: https://build.opensuse.org/request/show/840140
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=220
2020-10-08 08:51:25 +00:00
Thorsten Kukuk
daeda00e6c Accepting request 817074 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/817074
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=219
2020-06-29 14:11:14 +00:00