Date: Wednesday, August 12, 2020 @ 21:16:25 Author: heftig Revision: 393574
3.36.3-5: Match new pambase Added: gdm/trunk/0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch Modified: gdm/trunk/PKGBUILD Deleted: gdm/trunk/0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch ----------------------------------------------------------+ 0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch | 33 -- 0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch | 200 +++++++++++++ PKGBUILD | 8 3 files changed, 204 insertions(+), 37 deletions(-) Deleted: 0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch =================================================================== --- 0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch 2020-08-12 19:45:01 UTC (rev 393573) +++ 0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch 2020-08-12 21:16:25 UTC (rev 393574) @@ -1,33 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <[email protected]> -Date: Sun, 9 Aug 2020 00:34:37 +0000 -Subject: [PATCH] pam-arch: Replace pam_tally with pam_faillock - -pam 1.4.0 removed the former and replaces it with the latter. - -https://bugs.archlinux.org/task/67485 ---- - data/pam-arch/gdm-fingerprint.pam | 2 +- - data/pam-arch/gdm-smartcard.pam | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam -index a4808617..57d57925 100644 ---- a/data/pam-arch/gdm-fingerprint.pam -+++ b/data/pam-arch/gdm-fingerprint.pam -@@ -1,4 +1,4 @@ --auth required pam_tally.so onerr=succeed file=/var/log/faillog -+auth required pam_faillock.so onerr=succeed file=/var/log/tallylog - auth required pam_shells.so - auth requisite pam_nologin.so - auth required pam_env.so -diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam -index ec6f75d5..0852476a 100644 ---- a/data/pam-arch/gdm-smartcard.pam -+++ b/data/pam-arch/gdm-smartcard.pam -@@ -1,4 +1,4 @@ --auth required pam_tally.so onerr=succeed file=/var/log/faillog -+auth required pam_faillock.so onerr=succeed file=/var/log/tallylog - auth required pam_shells.so - auth requisite pam_nologin.so - auth required pam_env.so Added: 0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch =================================================================== --- 0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch (rev 0) +++ 0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch 2020-08-12 21:16:25 UTC (rev 393574) @@ -0,0 +1,200 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <[email protected]> +Date: Sun, 9 Aug 2020 00:34:37 +0000 +Subject: [PATCH] pam-arch: Update to match pambase 20200721.1-2 + +https://bugs.archlinux.org/task/67485 +--- + data/pam-arch/gdm-autologin.pam | 22 +++++++++-------- + data/pam-arch/gdm-fingerprint.pam | 31 +++++++++++++++--------- + data/pam-arch/gdm-launch-environment.pam | 24 ++++++++++-------- + data/pam-arch/gdm-password.pam | 17 +++++++------ + data/pam-arch/gdm-pin.pam | 13 ---------- + data/pam-arch/gdm-smartcard.pam | 31 +++++++++++++++--------- + 6 files changed, 75 insertions(+), 63 deletions(-) + delete mode 100644 data/pam-arch/gdm-pin.pam + +diff --git a/data/pam-arch/gdm-autologin.pam b/data/pam-arch/gdm-autologin.pam +index 99b14209..30bdf529 100644 +--- a/data/pam-arch/gdm-autologin.pam ++++ b/data/pam-arch/gdm-autologin.pam +@@ -1,13 +1,15 @@ +-auth requisite pam_nologin.so +-auth required pam_env.so +-auth optional pam_gdm.so +-auth optional pam_gnome_keyring.so +-auth optional pam_permit.so ++#%PAM-1.0 + +-account include system-local-login ++auth required pam_shells.so ++auth requisite pam_nologin.so ++auth optional pam_permit.so ++auth required pam_env.so ++auth [success=ok default=1] pam_gdm.so ++auth optional pam_gnome_keyring.so + +-password include system-local-login ++account include system-local-login + +-session optional pam_keyinit.so force revoke +-session include system-local-login +-session optional pam_gnome_keyring.so auto_start ++password required pam_deny.so ++ ++session include system-local-login ++session optional pam_gnome_keyring.so auto_start +diff --git a/data/pam-arch/gdm-fingerprint.pam b/data/pam-arch/gdm-fingerprint.pam +index a4808617..cc660d9a 100644 +--- a/data/pam-arch/gdm-fingerprint.pam ++++ b/data/pam-arch/gdm-fingerprint.pam +@@ -1,14 +1,23 @@ +-auth required pam_tally.so onerr=succeed file=/var/log/faillog +-auth required pam_shells.so +-auth requisite pam_nologin.so +-auth required pam_env.so +-auth required pam_fprintd.so +-auth optional pam_permit.so ++#%PAM-1.0 + +-account include system-local-login ++auth required pam_shells.so ++auth requisite pam_nologin.so ++auth required pam_faillock.so preauth ++# Optionally use requisite above if you do not want to prompt for the fingerprint ++# on locked accounts. ++auth [success=1 default=ignore] pam_fprintd.so ++auth [default=die] pam_faillock.so authfail ++auth optional pam_permit.so ++auth required pam_env.so ++auth required pam_faillock.so authsucc ++# If you drop the above call to pam_faillock.so the lock will be done also ++# on non-consecutive authentication failures. ++auth [success=ok default=1] pam_gdm.so ++auth optional pam_gnome_keyring.so + +-password required pam_fprintd.so +-password optional pam_permit.so ++account include system-local-login + +-session optional pam_keyinit.so force revoke +-session include system-local-login ++password required pam_deny.so ++ ++session include system-local-login ++session optional pam_gnome_keyring.so auto_start +diff --git a/data/pam-arch/gdm-launch-environment.pam b/data/pam-arch/gdm-launch-environment.pam +index d59c9cb9..3db24bb1 100644 +--- a/data/pam-arch/gdm-launch-environment.pam ++++ b/data/pam-arch/gdm-launch-environment.pam +@@ -1,13 +1,17 @@ +-auth required pam_env.so +-auth required pam_succeed_if.so audit quiet_success user = gdm +-auth optional pam_permit.so ++#%PAM-1.0 + +-account required pam_succeed_if.so audit quiet_success user = gdm +-account optional pam_permit.so ++auth required pam_succeed_if.so audit quiet_success user=gdm ++auth optional pam_permit.so ++auth required pam_env.so + +-password required pam_deny.so ++account required pam_succeed_if.so audit quiet_success user=gdm ++account optional pam_permit.so + +-session optional pam_keyinit.so force revoke +-session required pam_succeed_if.so audit quiet_success user = gdm +-session required pam_systemd.so +-session optional pam_permit.so ++password required pam_deny.so ++ ++session optional pam_loginuid.so ++session optional pam_keyinit.so force revoke ++session required pam_succeed_if.so audit quiet_success user=gdm ++session optional pam_permit.so ++-session optional pam_systemd.so ++session required pam_env.so user_readenv=1 +diff --git a/data/pam-arch/gdm-password.pam b/data/pam-arch/gdm-password.pam +index 8d34794e..137242a6 100644 +--- a/data/pam-arch/gdm-password.pam ++++ b/data/pam-arch/gdm-password.pam +@@ -1,11 +1,12 @@ +-auth include system-local-login +-auth optional pam_gnome_keyring.so ++#%PAM-1.0 + +-account include system-local-login ++auth include system-local-login ++auth optional pam_gnome_keyring.so + +-password include system-local-login +-password optional pam_gnome_keyring.so use_authtok ++account include system-local-login + +-session optional pam_keyinit.so force revoke +-session include system-local-login +-session optional pam_gnome_keyring.so auto_start ++password include system-local-login ++password optional pam_gnome_keyring.so use_authtok ++ ++session include system-local-login ++session optional pam_gnome_keyring.so auto_start +diff --git a/data/pam-arch/gdm-pin.pam b/data/pam-arch/gdm-pin.pam +deleted file mode 100644 +index 135e205e..00000000 +--- a/data/pam-arch/gdm-pin.pam ++++ /dev/null +@@ -1,13 +0,0 @@ +-auth requisite pam_pin.so +-auth include system-local-login +-auth optional pam_gnome_keyring.so +- +-account include system-local-login +- +-password include system-local-login +-password optional pam_pin.so +-password optional pam_gnome_keyring.so use_authtok +- +-session optional pam_keyinit.so force revoke +-session include system-local-login +-session optional pam_gnome_keyring.so auto_start +diff --git a/data/pam-arch/gdm-smartcard.pam b/data/pam-arch/gdm-smartcard.pam +index ec6f75d5..e6ec1299 100644 +--- a/data/pam-arch/gdm-smartcard.pam ++++ b/data/pam-arch/gdm-smartcard.pam +@@ -1,14 +1,23 @@ +-auth required pam_tally.so onerr=succeed file=/var/log/faillog +-auth required pam_shells.so +-auth requisite pam_nologin.so +-auth required pam_env.so +-auth required pam_pkcs11.so wait_for_card card_only +-auth optional pam_permit.so ++#%PAM-1.0 + +-account include system-local-login ++auth required pam_shells.so ++auth requisite pam_nologin.so ++auth required pam_faillock.so preauth ++# Optionally use requisite above if you do not want to prompt for the smartcard ++# on locked accounts. ++auth [success=1 default=ignore] pam_pkcs11.so wait_for_card card_only ++auth [default=die] pam_faillock.so authfail ++auth optional pam_permit.so ++auth required pam_env.so ++auth required pam_faillock.so authsucc ++# If you drop the above call to pam_faillock.so the lock will be done also ++# on non-consecutive authentication failures. ++auth [success=ok default=1] pam_gdm.so ++auth optional pam_gnome_keyring.so + +-password required pam_pkcs11.so +-password optional pam_permit.so ++account include system-local-login + +-session optional pam_keyinit.so force revoke +-session include system-local-login ++password required pam_deny.so ++ ++session include system-local-login ++session optional pam_gnome_keyring.so auto_start Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-08-12 19:45:01 UTC (rev 393573) +++ PKGBUILD 2020-08-12 21:16:25 UTC (rev 393574) @@ -4,7 +4,7 @@ pkgbase=gdm pkgname=(gdm libgdm) pkgver=3.36.3 -pkgrel=4 +pkgrel=5 pkgdesc="Display manager and login screen" url="https://wiki.gnome.org/Projects/GDM"; arch=(x86_64) @@ -17,12 +17,12 @@ 0001-Xsession-Don-t-start-ssh-agent-by-default.patch 0002-pam-arch-Don-t-check-greeter-account-for-expiry.patch 0003-pam-arch-Restrict-greeter-service-to-the-gdm-user.patch - 0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch) + 0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch) sha256sums=('SKIP' 'b9ead66d2b6207335f0bd982a835647536998e7c7c6b5248838e5d53132ca21a' 'd89a3a852c9656a61a3d418817c883f7a607a0e65aa0eaf9904738c0299f006d' 'c18dc79bdd3207c66b6f66a41a51dd069442d2e9053055147c2f90e39f0c4a7d' - '091fe36855c39c7e900ba971795c48d155269be470a6ff3e5494b438de7aa3d9') + '7d1e293de59e08e750a42dc01c35170c9d8f1d9a71ff6ca168efd1c4f9bb6812') pkgver() { cd gdm @@ -39,7 +39,7 @@ patch -Np1 -i ../0003-pam-arch-Restrict-greeter-service-to-the-gdm-user.patch # https://bugs.archlinux.org/task/67485 - patch -Np1 -i ../0004-pam-arch-Replace-pam_tally-with-pam_faillock.patch + patch -Np1 -i ../0004-pam-arch-Update-to-match-pambase-20200721.1-2.patch NOCONFIGURE=1 ./autogen.sh }
