rpm/pam
SHA256
1
0
Fork 0
forked from pool/pam
Code Pull Requests Activity

Accepting request 724569 from home:kukuk:branches:Linux-PAM

Browse Source 
- encryption_method_nis.diff: obsolete, NIS clients shouldn't
  require DES anymore.
- etc.environment: removed, the sources contain the same

- Update to version 1.3.1+git20190807.e31dd6c:
  * pam_tty_audit: Manual page clarification about password logging
  * pam_get_authtok_verify: Avoid duplicate password verification
  * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
  * pam_unix: Correct MAXPASS define name in the previous two commits.
  * Restrict password length when changing password
  * Trim password at PAM_MAX_RESP_SIZE chars
  * pam_succeed_if: Request user data only when needed
  * pam_tally2: Remove unnecessary fsync()
  * Fixed a grammer mistake
  * Fix documentation for pam_wheel
  * Fix a typo in the documentation
  * pam_lastlog: Improve silent option documentation
  * pam_lastlog: Respect PAM_SILENT flag
  * Fix regressions from the last commits.
  * Replace strndupa with strncpy
  * build: ignore pam_lastlog when logwtmp is not available.
  * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
  * pam_motd: Cleanup the code and avoid unnecessary logging
  * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
  * Move the duplicated search_key function to pam_modutil.
  * pam_unix: Use pam_syslog instead of helper_log_err.
  * pam_unix: Report unusable hashes found by checksalt to syslog.
  * Revert "pam_unix: Add crypt_default method, if supported."
  * pam_unix: Add crypt_default method, if supported.
  * Revert part of the commit 4da9febc

OBS-URL: https://build.opensuse.org/request/show/724569
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=191
This commit is contained in:
Josef Möllers 2019-08-19 12:43:33 +00:00 committed by Git OBS Bridge
parent bf578882d8
commit 78441ed37b
10 changed files with 86 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Linux-PAM-1.3.1.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db
size 912332

14
_service Normal file
View File

@ -0,0 +1,14 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="version">1.3.1</param>
<param name="versionformat">1.3.1+git%cd.%h</param>
<param name="url">git://github.com/linux-pam/linux-pam.git</param>
<param name="scm">git</param>
<param name="changesgenerate">enable</param>
</service>
<service name="recompress" mode="disabled">
<param name="compression">xz</param>
<param name="file">*.tar</param>
</service>
<service name="set_version" mode="disabled"/>
</services>

6
_servicedata Normal file
View File

@ -0,0 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">git://github.com/linux-pam/linux-pam.git</param>
<param name="changesrevision">e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15</param>
</service>
</servicedata>

71
encryption_method_nis.diff
View File

@ -1,71 +0,0 @@
--- modules/pam_unix/pam_unix_passwd.c
+++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32
@@ -840,6 +840,29 @@
* rebuild the password database file.
*/
+
+ /* if it is a NIS account, check for special hash algo */
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+ /* preset encryption method with value from /etc/login.defs */
+ int j;
+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+ }
+ }
+
/*
* First we encrypt the new password.
*/
--- modules/pam_unix/support.c
+++ modules/pam_unix/support.c 2016/04/11 13:49:32
@@ -31,8 +31,8 @@
#include "support.h"
#include "passverify.h"
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
{
FILE *fp;
char *buf = NULL;
@@ -153,7 +153,7 @@
}
/* preset encryption method with value from /etc/login.defs */
- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -171,7 +171,7 @@
/* read number of rounds for crypt algo */
if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
if (val) {
*rounds = strtol(val, NULL, 10);
--- modules/pam_unix/support.h
+++ modules/pam_unix/support.h 2016/04/11 13:49:32
@@ -174,4 +174,5 @@
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
#endif /* _PAM_UNIX_SUPPORT_H */

5
etc.environment
View File

@ -1,5 +0,0 @@
#
# This file is parsed by pam_env module
#
# Syntax: simple "KEY=VAL" pairs on seperate lines
#

3
linux-pam-1.3.1+git20190807.e31dd6c.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5203477a4c8ea91e038e08f18efeb3836aa7b395de8b518f405eb3f43ea7fdbf
size 530264

3
linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:89397d7cb52e6a331b766d6219c6aaf3e3cc57c384ef8223f10c1f0ff4217bac
size 64012

2
pam-login_defs-check.sh
View File

@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
echo "does not match!" >&2 echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

49
pam.changes
View File

@ -1,3 +1,52 @@
-------------------------------------------------------------------
Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
- encryption_method_nis.diff: obsolete, NIS clients shouldn't
require DES anymore.
- etc.environment: removed, the sources contain the same
-------------------------------------------------------------------
Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com
- Update to version 1.3.1+git20190807.e31dd6c:
* pam_tty_audit: Manual page clarification about password logging
* pam_get_authtok_verify: Avoid duplicate password verification
* Mention that ./autogen.sh is needeed to be run if you check out the sources from git
* pam_unix: Correct MAXPASS define name in the previous two commits.
* Restrict password length when changing password
* Trim password at PAM_MAX_RESP_SIZE chars
* pam_succeed_if: Request user data only when needed
* pam_tally2: Remove unnecessary fsync()
* Fixed a grammer mistake
* Fix documentation for pam_wheel
* Fix a typo in the documentation
* pam_lastlog: Improve silent option documentation
* pam_lastlog: Respect PAM_SILENT flag
* Fix regressions from the last commits.
* Replace strndupa with strncpy
* build: ignore pam_lastlog when logwtmp is not available.
* build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
* pam_motd: Cleanup the code and avoid unnecessary logging
* pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
* Move the duplicated search_key function to pam_modutil.
* pam_unix: Use pam_syslog instead of helper_log_err.
* pam_unix: Report unusable hashes found by checksalt to syslog.
* Revert "pam_unix: Add crypt_default method, if supported."
* pam_unix: Add crypt_default method, if supported.
* Revert part of the commit 4da9febc
* pam_unix: Add support for (gost-)yescrypt hashing methods.
* pam_unix: Fix closing curly brace. (#77)
* pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
* pam_unix: Prefer a gensalt function, that supports auto entropy.
* pam_motd: Fix segmentation fault when no motd_dir specified (#76)
* pam_motd: Support multiple motd paths specified, with filename overrides (#69)
* pam_unix: Use bcrypt b-variant for computing new hashes.
* pam_tally, pam_tally2: fix grammar and spelling (#54)
* Fix grammar of messages printed via pam_prompt
* pam_stress: do not mark messages for translation
* pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
* pam_unix: remove obsolete _unix_read_password prototype
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com

23
pam.spec
View File

@ -38,7 +38,7 @@ BuildRequires: libselinux-devel
%define libpam_misc_so_version 0.82.1 %define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1 %define libpamc_so_version 0.82.1
# #
Version: 1.3.1 Version: 1.3.1+git20190807.e31dd6c
Release: 0 Release: 0
Summary: A Security Tool that Provides Authentication for Applications Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause License: GPL-2.0-or-later OR BSD-3-Clause
@ -55,22 +55,21 @@ Requires(pre): user(root)
Requires: login_defs-support-for-pam >= 1.3.1 Requires: login_defs-support-for-pam >= 1.3.1
#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/ #DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/
Source: Linux-PAM-%{version}.tar.xz Source: linux-pam-%{version}.tar.xz
Source1: Linux-PAM-%{version}-docs.tar.xz Source1: Linux-PAM-1.3.1-docs.tar.xz
Source2: securetty Source2: linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
Source3: other.pamd Source3: other.pamd
Source4: common-auth.pamd Source4: common-auth.pamd
Source5: common-account.pamd Source5: common-account.pamd
Source6: common-password.pamd Source6: common-password.pamd
Source7: common-session.pamd Source7: common-session.pamd
Source8: etc.environment Source8: securetty
Source9: baselibs.conf Source9: baselibs.conf
Source10: unix2_chkpwd.c Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8 Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh Source12: pam-login_defs-check.sh
Patch0: fix-man-links.dif Patch0: fix-man-links.dif
Patch2: pam-limit-nproc.patch Patch2: pam-limit-nproc.patch
Patch3: encryption_method_nis.diff
Patch4: pam-hostnames-in-access_conf.patch Patch4: pam-hostnames-in-access_conf.patch
Patch5: use-correct-IP-address.patch Patch5: use-correct-IP-address.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -120,17 +119,17 @@ building both PAM-aware applications and modules for use with PAM.
%prep %prep
%setup -q -n Linux-PAM-%{version} -b 1 %setup -q -n linux-pam-%{version} -b 1 -a 2
cp -av ../Linux-PAM-1.3.1/* .
cp -a %{S:12} . cp -a %{S:12} .
%patch0 -p1 %patch0 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p0
%patch4 -p0 %patch4 -p0
%patch5 -p1 %patch5 -p1
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
autoreconf -fiv ./autogen.sh
export CFLAGS="%optflags -DNDEBUG" export CFLAGS="%optflags -DNDEBUG"
%configure \ %configure \
--sbindir=/sbin \ --sbindir=/sbin \
@ -142,7 +141,7 @@ export CFLAGS="%optflags -DNDEBUG"
--enable-isadir=../../%{_lib}/security \ --enable-isadir=../../%{_lib}/security \
--enable-securedir=/%{_lib}/security --enable-securedir=/%{_lib}/security
make %{?_smp_mflags} make %{?_smp_mflags}
%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam %__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam
%check %check
make %{?_smp_mflags} check make %{?_smp_mflags} check
@ -157,10 +156,8 @@ make DESTDIR=$RPM_BUILD_ROOT install
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
# Install documentation # Install documentation
make -C doc install DESTDIR=$RPM_BUILD_ROOT make -C doc install DESTDIR=$RPM_BUILD_ROOT
# install /etc/environment
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment
# install securetty # install securetty
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
%ifarch s390 s390x %ifarch s390 s390x
echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty
echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty