Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pam_mount for openSUSE:Factory checked in at 2023-08-21 11:45:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_mount (Old) and /work/SRC/openSUSE:Factory/.pam_mount.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_mount" Mon Aug 21 11:45:39 2023 rev:78 rq:1104916 version:2.20 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_mount/pam_mount.changes 2023-01-04 17:53:20.466442736 +0100 +++ /work/SRC/openSUSE:Factory/.pam_mount.new.1766/pam_mount.changes 2023-08-21 11:45:50.267718294 +0200 @@ -1,0 +2,8 @@ +Thu Aug 17 14:04:07 UTC 2023 - Jan Engelhardt <jeng...@inai.de> + +- Update to release 2.20 + * Tokenization support for user principal names + (usernames in the form of f...@bar.de) + * Added a volume option to control empty password behavior + +------------------------------------------------------------------- Old: ---- pam_mount-2.19.tar.asc pam_mount-2.19.tar.xz New: ---- pam_mount-2.20.tar.asc pam_mount-2.20.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_mount.spec ++++++ --- /var/tmp/diff_new_pack.jN2VcB/_old 2023-08-21 11:45:51.335720340 +0200 +++ /var/tmp/diff_new_pack.jN2VcB/_new 2023-08-21 11:45:51.339720348 +0200 @@ -1,7 +1,7 @@ # # spec file for package pam_mount # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ Name: pam_mount %define lname libcryptmount0 -Version: 2.19 +Version: 2.20 Release: 0 Summary: A PAM Module that can Mount Volumes for a User Session License: GPL-2.0-or-later AND LGPL-2.1-or-later @@ -113,7 +113,7 @@ rm -f $b%{_pam_moduledir}/*.{a,la} "$b/%_libdir"/*.la #install the docs mkdir -p "$b/%_docdir/%name/examples" -cp -a doc/bugs.txt doc/news.rst LICENSE* doc/faq.txt doc/todo.txt doc/options.txt "$b/%_docdir/%name/" +cp -a doc/bugs.rst doc/news.rst LICENSE* doc/faq.txt doc/todo.txt doc/options.txt "$b/%_docdir/%name/" install -m 755 %SOURCE1 "$b/%_docdir/%name/examples/" install -m 755 %SOURCE2 "$b/%_docdir/%name/examples/" %if 0%{?suse_version} < 1550 
@@ -150,7 +150,7 @@ %files %_docdir/%name -%{_pam_moduledir}/pam_mount*.so +%_pam_moduledir/pam_mount*.so %_tmpfilesdir/%name.conf %_sbindir/mount.* %_sbindir/umount.* ++++++ pam_mount-2.19.tar.xz -> pam_mount-2.20.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/config/pam_mount.conf.xml.dtd new/pam_mount-2.20/config/pam_mount.conf.xml.dtd --- old/pam_mount-2.19/config/pam_mount.conf.xml.dtd 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/config/pam_mount.conf.xml.dtd 2023-08-17 15:58:38.000000000 +0200 @@ -77,6 +77,7 @@ path CDATA #REQUIRED mountpoint CDATA #REQUIRED ssh (0|1|yes|no|true|false) "no" + empty_pass (0|1|yes|no|true|false) "yes" options CDATA #IMPLIED cipher CDATA #IMPLIED fskeycipher CDATA #IMPLIED diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/configure new/pam_mount-2.20/configure --- old/pam_mount-2.19/configure 2022-07-06 03:10:30.054208668 +0200 +++ new/pam_mount-2.20/configure 2023-08-17 15:59:24.325803101 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for pam_mount 2.19. +# Generated by GNU Autoconf 2.71 for pam_mount 2.20. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='pam_mount' PACKAGE_TARNAME='pam_mount' -PACKAGE_VERSION='2.19' -PACKAGE_STRING='pam_mount 2.19' +PACKAGE_VERSION='2.20' +PACKAGE_STRING='pam_mount 2.20' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1409,7 +1409,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pam_mount 2.19 to adapt to many kinds of systems. +\`configure' configures pam_mount 2.20 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1480,7 +1480,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pam_mount 2.19:";; + short | recursive ) echo "Configuration of pam_mount 2.20:";; esac cat <<\_ACEOF @@ -1625,7 +1625,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pam_mount configure 2.19 +pam_mount configure 2.20 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -1903,7 +1903,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pam_mount $as_me 2.19, which was +It was created by pam_mount $as_me 2.20, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2658,7 +2658,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu -PACKAGE_RELDATE="2022-07-06" +PACKAGE_RELDATE="2023-08-17" ac_config_headers="$ac_config_headers config.h" @@ -3178,7 +3178,7 @@ # Define the identity of the package. PACKAGE='pam_mount' - VERSION='2.19' + VERSION='2.20' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -14552,7 +14552,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pam_mount $as_me 2.19, which was +This file was extended by pam_mount $as_me 2.20, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -14620,7 +14620,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -pam_mount config.status 2.19 +pam_mount config.status 2.20 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/configure.ac new/pam_mount-2.20/configure.ac --- old/pam_mount-2.19/configure.ac 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/configure.ac 2023-08-17 15:58:38.000000000 +0200 @@ -7,8 +7,8 @@ # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # -AC_INIT([pam_mount], [2.19]) -PACKAGE_RELDATE="2022-07-06" +AC_INIT([pam_mount], [2.20]) +PACKAGE_RELDATE="2023-08-17" AC_PREREQ([2.59]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/bugs.rst new/pam_mount-2.20/doc/bugs.rst --- old/pam_mount-2.19/doc/bugs.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_mount-2.20/doc/bugs.rst 2023-08-17 15:58:38.000000000 +0200 
@@ -0,0 +1,142 @@ + +Known Issues with other programs + + +cryptsetup: awkward input processing +==================================== + +Some people create their crypto partition using a command like + +.. code-block:: sh + + openssl ... | cryptsetup create ... + +Without any extra arguments, input is processed as if it were +interactive, that is, everything starting from the first newline is +ignored. This is standard behavior for stdin. Other truncations to +binary characters may happen. + +pam_mount's mount.crypt makes sure that libcryptsetup uses the entire +key material, including newlines, NUL bytes or other characters. +However, since you created your crypto volume with a truncated key +that is different from the real one, mounting may fail unexpectedly. + + +cryptsetup: key truncation +========================== + +cryptsetup implicitly assumes ``-s 256``, which either pads or truncates +the key material after it has gone through cryptsetup's hashing (``-h``), +if any. This means that + +.. code-block:: sh + + cryptsetup create -h sha512 ... + +will hash the input with SHA-512, then truncate it down to 256 bits, +unless ``-s 512`` was explicitly specified. + +pam_mount won't do this sort of key weakening when a key file is used. +Remember that a key file is supposed to already contain the *final* key +used for the filesystem, i.e. no extra hashing. (This is why pam_mount +also passes ``-h plain`` to cryptsetup by default.) Thus, pam_mount defaults +to using the key file's length (when decrypted) as the cipher size. + + +shell: key expansion +==================== + +Some HOWTOs suggest manual key generation for encrypted volumes, however +they fail to guard against shell semantics, such as: + +.. code-block:: sh + + KEY=$(head -c79 /dev/urandom) + +At least bash strips all ``\x00`` bytes from the input. There might be worse +behavior. Furthermore, + +.. code-block:: sh + + echo $KEY | openssl ... 
+ +implicitly adds a newline into the stream, which is unwanted for +key generation. Please use the pmt-ehd tool to create PLAIN-type +encrypted volumes. + + +gksu & kdesu +============ + +gksu interprets any output on stderr as an error. pam_mount writes +debug output to stderr, so this combination will only work if debugging +is disabled in pam_mount, or gksu gets fixed. + + +sshd: various +============= + +The ``UsePAM`` configuration option is required to be enabled to make +sshd go through the PAM stacks. + +When ``PrivilegeSeparation`` is enabled in OpenSSH versions before 4.9, +ssh will not run correctly through the PAM stacks. In 4.9 and later, +this is fixed. + +When public key authentication is used, the PAM auth stage is entirely +skipped. The same goes for Challenge Response Authentication. + +So pam_mount would normally ask for a password in the session stage, +but in any OpenSSH to date, PAM modules do not seem to be able to ask +for a password in the session stage, "conversation" always fails: +https://bugzilla.mindrot.org/show_bug.cgi?id=926#c35 +https://bugzilla.mindrot.org/show_bug.cgi?id=688 + +``UseLogin yes`` may be used to enable pam_mount â irrespective of +public key authentification, privilege separation or ``UsePAM=no``. sshd +itself will not do anything useful w.r.t. pam_mount, but it will call +``/bin/login`` which will then run through the PAM session stage, where +pam_mount can ask your for a password. Read the sshd documentation +about possible pitfalls involved using UseLogin. + + +su, probably others: privilege drop +=================================== + +The project has sometimes received reports about unmount +failing because of insufficient +privileges. Some programs and/or distributions and/or pam +configurations seem to drop the root privileges after successful +authentification. This goes counter to pam_mount which needs these +privileges for umount. (May not apply for FUSE mounts.) 
+ +Known constellations include + +* su from coreutils, on some distros +* GDM on Ubuntu + + +sudo +==== + +sudo has an internal bug (def_prompt is NULL) that leads to a crash +when a PAM module tries to invoke the conversation function. + +Seen with at least sudo-1.6.9p17. +Reference: http://bugs.debian.org/492333 + + +truecrypt +========= + +The scriptable interface of Truecrypt 5 and upwards is broken and +cannot be used by pam_mount. + + +vsftpd: not using PAM +===================== + +vsftpd does not run through the PAM session code, hence will never +call pam_mount's mounting functions. +It also appears to drop privileges so that there would be a +unmounting problems. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/bugs.txt new/pam_mount-2.20/doc/bugs.txt --- old/pam_mount-2.19/doc/bugs.txt 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/doc/bugs.txt 1970-01-01 01:00:00.000000000 +0100 
@@ -1,127 +0,0 @@ - -Known Issues with other programs - - -== cryptsetup â awkward input processing == - -Some people create their crypto partition using a command like - - openssl ... | cryptsetup create ... - -Without any extra arguments, input is processed as if it were -interactive, that is, everything starting from the first newline is -ignored. This is standard behavior for stdin. Other truncations to -binary characters may happen. - -pam_mount's mount.crypt makes sure that libcryptsetup uses the entire -key material, including newlines, NUL bytes or other characters. -However, since you created your crypto volume with a truncated key -that is different from the real one, mounting may fail unexpectedly. - - -== cryptsetup â key truncation == - -cryptsetup implicitly assumes -s 256, which either pads or truncates -the key material after it has gone through cryptsetup's hashing (-h), -if any. This means that - - cryptsetup create -h sha512 ... - -will hash the input with SHA-512, then truncate it down to 256 bits, -unless -s 512 was explicitly specified. - -pam_mount won't do this sort of key weakening when a key file is used. -Remember that a key file is supposed to already contain the _final_ key -used for the filesystem, i.e. no extra hashing. (This is why pam_mount -also passes -h plain to cryptsetup by default.) Thus, pam_mount defaults -to using the key file's length (when decrypted) as the cipher size. - - -== shell â key expansion == - -Some HOWTOs suggest manual key generation for encrypted volumes, however -they fail to guard against shell semantics, such as: - - KEY=$(head -c79 /dev/urandom) - -At least bash strips all \x00 bytes from the input. There might be worse -behavior. Furthermore, - - echo $KEY | openssl ... - -implicitly adds a newline into the stream, which is unwanted for -key generation. Please use the pmt-ehd tool to create PLAIN-type -encrypted volumes. - - -== gksu & kdesu == - -gksu interprets any output on stderr as an error. 
pam_mount writes -debug output to stderr, so this combination will only work if debugging -is disabled in pam_mount, or gksu gets fixed. - - -== sshd â various == - -The "UsePAM" configuration option is required to be enabled to make -sshd go through the PAM stacks. - -When "PrivilegeSeparation" is enabled in OpenSSH versions before 4.9, -ssh will not run correctly through the PAM stacks. In 4.9 and later, -this is fixed. - -When public key authentication is used, the PAM auth stage is entirely -skipped. The same goes for Challenge Response Authentication. - -So pam_mount would normally ask for a password in the session stage, -but in any OpenSSH to date, PAM modules do not seem to be able to ask -for a password in the session stage, "conversation" always fails: -https://bugzilla.mindrot.org/show_bug.cgi?id=926#c35 -https://bugzilla.mindrot.org/show_bug.cgi?id=688 - -"UseLogin yes" may be used to enable pam_mount -- irrespective of -public key authentification, privilege separation or UsePAM=no. sshd -itself will not do anything useful w.r.t. pam_mount, but it will call -/bin/login which will then run through the PAM session stage, where -pam_mount can ask your for a password. Read the sshd documentation -about possible pitfalls involved using UseLogin. - - -== su, probably others â privilege drop == - -I sometimes get reports about unmount failing because of insufficient -privileges. Some programs and/or distributions and/or pam -configurations seem to drop the root privileges after successful -authentification. This goes counter to pam_mount which needs these -privileges for umount. (May not apply for FUSE mounts.) - -Known constellations include - - * su from coreutils, on some distros - * GDM on Ubuntu - - -== sudo == - -sudo has an internal bug (def_prompt is NULL) that leads to a crash -when a PAM module tries to invoke the conversation function. - -Seen with at least 1.6.9p17. 
-Reference: http://bugs.debian.org/492333 - - -== truecrypt == - -The scriptable interface of Truecrypt 5 and upwards is broken and -cannot be used by pam_mount. - - -== vsftpd â not using PAM == - -vsftpd does not run through the PAM session code, hence will never -call pam_mount's mounting functions. -It also appears to drop privileges so that there would be a -unmounting problems. - - -# right-margin: 72 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/faq.txt new/pam_mount-2.20/doc/faq.txt --- old/pam_mount-2.19/doc/faq.txt 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/doc/faq.txt 2023-08-17 15:58:38.000000000 +0200 @@ -80,22 +80,6 @@ ======================================================================= -Q. Why are my smbmounts hanging when using Red Hat Linux 9? - -A. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103200. - - Try creating /sbin/mount.smbfs_no_nptl with this content: - - #!/bin/sh - export LD_ASSUME_KERNEL=2.4.1 - exec smbmount "$@" - - Then configure pam_mount with the following in pam_mount.conf.xml: - - <smbmount>/bin/mount -t smbfs_no_nptl</smbmount> - -======================================================================= - Q. Will pam_mount work with my ftpd? A. I do not know. I know that vsftpd works fine with pam_mount. You 
@@ -179,29 +163,6 @@ ======================================================================= -Q. I want to use an NCP share as my home directory but X does not seem - to like this. Why? - -A. The X authentication utility xauth uses file system facilities not - supported by the Linux ncpfs driver. In order to work around this, - try adding something like the following to your shell's - configuration file: - - export XAUTHORITY=/tmp/.Xauthority - export ICEAUTHORITY=/tmp/.ICEauthority - - If you use gdm then you may want to modify gdm.conf's UserAuthDir - instead of setting XAUTHORITY. - - If you also wish to allow OpenSSH to tunnel X out of the same - computer, then ensure /etc/ssh/sshd_config is configured with - PermitUserEnvironment enabled and add the following to - ~/.ssh/environment: - - XAUTHORITY=/tmp/.Xauthority - -======================================================================= - Q. Can I use pam_mount on an SELinux-enabled system? A. I would not recommend it right now on a production system. However, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/install.rst new/pam_mount-2.20/doc/install.rst --- old/pam_mount-2.19/doc/install.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_mount-2.20/doc/install.rst 2023-08-17 15:58:38.000000000 +0200 
@@ -0,0 +1,73 @@ + +Required packages for building +============================== + +Minimum required packages for building pam_mount from a tarball release: + +* libHX 3.12.1 or up +* libmount 2.20 or up +* libpcre 7.0 or up +* libxml 2.6.x or up +* pkg-config 0.19 or up +* choose one of: + * Linux-PAM 0.99.x or up + * SUN-PAM [untested and the last attempt, though successful, is years old] + * BSD PAM [untested and probably not working right now] + +Additional required packages for building from (Git) snapshot: + +* autoconf 2.59 or up +* automake 1.10 or up +* libtool 1.5.22 or up (older ones might work) + +Then, optional packages for building: + +* openssl 0.9.8 or up +* libcryptsetup 1.1.2 or up â block-level encryption + +Required packages for runtime +----------------------------- + +* util-linux 2.20 or up + +Suggested packages for runtime +------------------------------ + +* hxtools + * fd0ssh: to support passing passwords to SSH + * ofl: to support kill-on-logout + +Suggested packages for local volumes +------------------------------------ + +* encfs 1.4 or up â file-level encryption + +Suggested packages for remote targets +------------------------------------- + +* sshfs â SFTP-over-SSH +* cifs-mount â for CIFS and SMB shares + +For configuration validation +---------------------------- + +* xmllint (libxml2) + + +Notes for configure +=================== + +OpenSSL and/or libcryptsetup are optional, to build without them however +you need to explicitly specify ``--without-crypto`` and/or +``--without-libcryptsetup``, respectively. + +DTD installation usage +---------------------- + +Configure pam_mount with ``--with-dtd``. + +To validate (assuming the installation prefix was /usr): + +.. 
code-block:: sh + + xmllint --nonet --noout --loaddtd --valid --path /usr/share/xml/pam_mount/dtd/pam_mount.conf.xml.dtd /etc/security/pam_mount.conf.xml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/install.txt new/pam_mount-2.20/doc/install.txt --- old/pam_mount-2.19/doc/install.txt 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/doc/install.txt 1970-01-01 01:00:00.000000000 +0100 
@@ -1,59 +0,0 @@ - -Minimum required packages for building pam_mount from a tarball release: - - * libHX 3.12.1 or up - * libmount 2.20 or up - * libpcre 7.0 or up - * libxml 2.6.x or up - * pkg-config 0.19 or up - * Linux-PAM 0.99.x or up - SUN-PAM (compiled-tested only with 5.11-Beta Build 85) - BSD PAM is untested and probably not working right now. - -Additional required packages for building from (Git) snapshot: - - * autoconf 2.59 or up - * automake 1.10 or up - * libtool 1.5.22 or up (older ones might work) - -Then, optional packages for building: - - * openssl 0.9.8 or up - * libcryptsetup 1.1.2 or up -- block-level encryption - -Required packages for runtime: - - * util-linux 2.20 or up - -Suggested packages for runtime: - - * hxtools - - fd0ssh: to support passing passwords to SSH - - ofl: to support kill-on-logout - - local targets: - * encfs 1.4 or up -- file-level encryption - - remote targets: - * sshfs -- SFTP-over-SSH - * ccgfs -- ccgfs-over-SSH (full operation support; mknod, acl, xattrs) - * cifs-mount -- for CIFS and SMB shares - - configuration validation: - * xmllint (libxml2) - -Notes for configure: - -OpenSSL and/or libcryptsetup are optional, to build without them however -you need to explicitly specify --without-crypto and/or ---without-libcryptsetup, respectively. - -DTD installation usage: - - Configure pam_mount with: - --with-dtd - - To validate (assuming the installation prefix was /usr): - xmllint --nonet --noout --loaddtd --valid - --path /usr/share/xml/pam_mount/dtd/pam_mount.conf.xml.dtd - /etc/security/pam_mount.conf.xml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/news.rst new/pam_mount-2.20/doc/news.rst --- old/pam_mount-2.19/doc/news.rst 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/doc/news.rst 2023-08-17 15:58:38.000000000 +0200 
@@ -1,3 +1,18 @@ +v2.20 (2023-08-17) +================== + +Enhancements: + +* Tokenization support for user principal names + (usernames in the form of ``f...@bar.de``) + + Such usernames will now be accordingly split at the @ to populate the + ``%(DOMAIN_NAME)`` and ``%(DOMAIN_USER)`` variables. + +* Added a volume option to control empty password behavior + (to mount or not to mount a volume that requires a password) + + v2.19 (2022-07-06) ================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/doc/pam_mount.conf.5.in new/pam_mount-2.20/doc/pam_mount.conf.5.in --- old/pam_mount-2.19/doc/pam_mount.conf.5.in 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/doc/pam_mount.conf.5.in 2023-08-17 15:58:38.000000000 +0200 @@ -112,6 +112,13 @@ binary, e.g. ccgfs or sshfs. Do \fInot\fP enable it for anything else or the login will most likely hang. .TP +\fBempty_pass="0"\fP or \fBempty_pass="1"\fP +The \fBempty_pass\fP option controls behavior when an empty password is supplied +or a password is unavailable. The default value of \fBtrue\fP will try to +unlock a volume with an empty string key if no password is available. When +\fBempty_pass\fP is \fBfalse\fP, pam_mount will not attempt to mount the volume +unless a non-empty password is available. +.TP \fBcipher="\fP\fIcipher\fP\fB"\fP Cryptsetup cipher name for the volume. To be used with the \fBcrypt\fP fstype. .TP 
@@ -383,14 +390,10 @@ .SS NFS mounts .PP <volume fstype="nfs" server="fileserver" path="/home/%(USER)" mountpoint="~" /> -.SS CIFS/SMB mounts +.SS CIFS mounts .PP -<volume user="user" fstype="smbfs" server="krueger" path="public" +<volume user="user" fstype="cifs" server="krueger" path="public" mountpoint="/home/user/krueger" /> -.SS NCP mounts -.PP -<volume user="user" fstype="ncpfs" server="krueger" path="public" -mountpoint="/home/user/krueger" options="username=user.context" /> .SS Bind mounts .PP This may come useful in conjunction with pam_chroot: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/src/misc.c new/pam_mount-2.20/src/misc.c --- old/pam_mount-2.19/src/misc.c 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/src/misc.c 2023-08-17 15:58:38.000000000 +0200 
@@ -205,32 +205,34 @@ * @user: username to add * * Splits up @user into domain and user parts (if applicable) and adds - * %(DOMAIN_NAME) and %(DOMAIN_USER) to @v. If @user is not of the form - * "domain\user", %(DOMAIN_NAME) will be added as an empty tag, and - * %(DOMAIN_USER) will be the same as @v. It is assumed that @user is also - * part of @v, and hence, will not go out of scope as long as %(DOMAIN_*) is - * in @v. + * %(DOMAIN_NAME) and %(DOMAIN_USER) to @v. If @user is neither of the form + * "domain\user" nor "user@domain", %(DOMAIN_NAME) will be added as an empty + * tag, and %(DOMAIN_USER) will be the same as @v. It is assumed that @user + * is also part of @v, and hence, will not go out of scope as long as + * %(DOMAIN_*) is in @v. */ void misc_add_ntdom(struct HXformat_map *v, const char *user) { char *ptr, *tmp; - if ((ptr = strchr(user, '\\')) == NULL) { - format_add(v, "DOMAIN_NAME", NULL); - format_add(v, "DOMAIN_USER", user); - return; - } - if ((tmp = HX_strdup(user)) == NULL) { perror("HX_strdup"); return; } - ptr = strchr(tmp, '\\'); - assert(ptr != NULL); - *ptr++ = '\0'; - format_add(v, "DOMAIN_NAME", tmp); - format_add(v, "DOMAIN_USER", ptr); + if ((ptr = strchr(tmp, '\\')) != NULL) { + *ptr++ = '\0'; + format_add(v, "DOMAIN_NAME", tmp); + format_add(v, "DOMAIN_USER", ptr); + } else if ((ptr = strchr(tmp, '@')) != NULL) { + *ptr++ = '\0'; + format_add(v, "DOMAIN_NAME", ptr); + format_add(v, "DOMAIN_USER", tmp); + } else { + format_add(v, "DOMAIN_NAME", NULL); + format_add(v, "DOMAIN_USER", tmp); + } + free(tmp); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/src/mount.c new/pam_mount-2.20/src/mount.c --- old/pam_mount-2.19/src/mount.c 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/src/mount.c 2023-08-17 15:58:38.000000000 +0200 
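Review bot: The new `'@'` branch in `misc_add_ntdom` also splits names whose user or domain part is empty (`@realm`, `user@`), so `%(DOMAIN_USER)` or `%(DOMAIN_NAME)` can expand to an empty string wherever a volume definition references them; the existing backslash branch behaves the same way. As the name presumably comes straight from the login, I would split only when both sides are non-empty, e.g. `} else if ((ptr = strchr(tmp, '@')) != NULL && ptr != tmp && ptr[1] != '\0') {`, and let everything else fall through to the final branch. A login of the form `user@domain` used to yield `%(DOMAIN_USER)` equal to the whole name, so existing configurations that expand it now resolve to a different value, which deserves a line in the header comment. The header's sentence about `@user` staying in scope looks stale now that every value is taken from the `tmp` copy and `tmp` is freed at the end; this presumes `format_add` copies its argument, which the hunk does not show.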
@@ -645,6 +645,11 @@ return 0; } } + if (password == NULL && !vpt->empty_pass) { + l0g("skipping volume %s because of empty password\n", + vpt->volume); + return 0; + } if (config->command[vpt->type]->items == 0) { l0g("proper mount command not defined in " diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/src/pam_mount.h new/pam_mount-2.20/src/pam_mount.h --- old/pam_mount-2.19/src/pam_mount.h 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/src/pam_mount.h 2023-08-17 15:58:38.000000000 +0200 @@ -86,6 +86,8 @@ bool use_fstab; bool uses_ssh; bool noroot; + /* try mount even when password is empty */ + bool empty_pass; }; /** diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/src/pmvarrun.c new/pam_mount-2.20/src/pmvarrun.c --- old/pam_mount-2.19/src/pmvarrun.c 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/src/pmvarrun.c 2023-08-17 15:58:38.000000000 +0200 @@ -124,7 +124,7 @@ valid = (*n >= 'A' && *n <= 'Z') || (*n >= 'a' && *n <= 'z') || (*n >= '0' && *n <= '9') || *n == '_' || *n == '.' || - *n == '-' || *n == ' ' || *n == '\\'; + *n == '-' || *n == ' ' || *n == '\\' || *n == '@'; if (!valid) return false; ++n; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pam_mount-2.19/src/rdconf1.c new/pam_mount-2.20/src/rdconf1.c --- old/pam_mount-2.19/src/rdconf1.c 2022-07-06 03:10:17.000000000 +0200 +++ new/pam_mount-2.20/src/rdconf1.c 2023-08-17 15:58:38.000000000 +0200 
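Review bot: The added guard in the src/mount.c hunk tests only `password == NULL`, while its log text and the man page entry added in this same update both speak of an empty password. A zero-length string would therefore still be passed on to the mount step when `empty_pass` is off. If a `""` password can reach this point (the code that obtains it is outside the hunk), the check should cover it: `if ((password == NULL || *password == '\0') && !vpt->empty_pass) {`. If the NULL-only test is intended, the message would be more accurate as "no password available", and the man page wording should be narrowed to match. The enclosing function starts and ends outside the hunk.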
@@ -1359,6 +1359,12 @@ /* Figure out whether we want to act as user. */ vpt->noroot = strcmp(vpt->fstype, "fuse") == 0; + /* Empty password behavior. Default to trying empty passwords */ + if ((tmp = xml_getprop(node, "empty_pass")) != NULL) + vpt->empty_pass = parse_bool_f(tmp); + else + vpt->empty_pass = true; + /* Source location */ if ((tmp = xml_getprop(node, "server")) != NULL) { free(vpt->server); ++++++ pam_mount.keyring ++++++ --- /var/tmp/diff_new_pack.jN2VcB/_old 2023-08-21 11:45:51.607720861 +0200 +++ /var/tmp/diff_new_pack.jN2VcB/_new 2023-08-21 11:45:51.611720869 +0200 
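Review bot: Nothing in the new `empty_pass` block says how a value outside the DTD's `(0|1|yes|no|true|false)` list is handled. DTD validation appears to be a separate, manual step (the install notes run `xmllint` by hand), so the parser can receive any string here. What `parse_bool_f` returns for an unrecognised word decides whether a password-protected volume is still tried with an empty key, and that is not visible in the hunk. I would extend the comment to state it, along the lines of `/* Default: try empty passwords (pre-2.20 behaviour); unrecognised values are treated as <true|false> */`, with the placeholder filled in from `parse_bool_f`. The enclosing function starts and ends outside the hunk.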
@@ -4,11 +4,23 @@ Nq/LtMO0IEphbiBFbmdlbGhhcmR0IDxqZW5nZWxoQGluYWkuZGU+iJUEExYKAD0W IQS8oMXDCcrFaedKkhz3bv5dDCI6jwUCYdM5wgIbAwUJCWYBgAQLCQgHBRUKCQgL BRYCAwEAAh4FAheAAAoJEPdu/l0MIjqPriUBAPLcct0ekiHZHS/mPDaS0I0mh5zy -zaZFuB5FaMpQQgQ5AP45H+SqGxP7BRlsEDajDmcEyM+IPvn22lOGKyR5OKQxDrg4 -BGHTOcISCisGAQQBl1UBBQEBB0CqY3sTu9nzOBVHK04dq+jAssZgBdAgVKZ00HiJ -OZ1WdgMBCAeIfgQYFgoAJhYhBLygxcMJysVp50qSHPdu/l0MIjqPBQJh0znCAhsM -BQkJZgGAAAoJEPdu/l0MIjqP7DoA/Rjo5o9m5WRrUeWrbX2OOv/QfWwZG/JA1uyw -AitNO2GVAQCa/CQnyFBQX5uW/3r/NK7HAFEqeLk5+Gf1ussEeUkyBw== -=7MhT +zaZFuB5FaMpQQgQ5AP45H+SqGxP7BRlsEDajDmcEyM+IPvn22lOGKyR5OKQxDokC +MwQQAQoAHRYhBCNobBCkVpG+ekJRCdY4gYHzWgk4BQJh0zqPAAoJENY4gYHzWgk4 +F7EP/3ZG6rs4l24k/GOvO1CNPM0rHaOccbB3E8BXzTJ6BsKIG1T3X4cokLHAkhmO +8ffw9NYV/HJ1AJyirvHfYFd6nn55aMakbyjo7RmDpmMmpJH5UpbhtqlJkeRQdMni +3bx+9i9E8QFJG6eFaGz8UhCCyzQvuLhawNcA6mPDumQkIri73NnA9vegw8yyDqpr +14fm4Eh+uERzXQ6JkNTqaZuKfyryb4MSluJ6LEUqNv1vqJeCHoE5iQc0WaDPamiP +Dnd3G/k2KHIFTlYdFVKnow0MYo+kyRKxUUL38x/tZ/WEhSv9oiNUOqTZJhkPOHOv +VaHfRdxOGV3845bWngegkXD6KGQvWT1vlfGa9XbNqxWQFqi59malm/jShnd8XJAK +gZuU9pB70lFwCglc+NQLPPrY16cYwFv1L2xU3owhtdiMydTI38Cw7hPteYPkASpa +/1EHf0pPxRhv01RtrPEsGhroXennooFTHe6U0Ay3Z0yBZbRJhoDv8PvBZ4RatdNR +p05qu2SBUWC+neecIHvbguI9x5G8egJ8WsGgDAuMcvWsW95H9oj/aONAgtL6LcsT +KHaPI9senfBTYI+ak+E9sHi/kaQIl5umvf8+B2CAh4QPhmkYvGtINH+HCZI6WdyE +tIsg+JklBgFwSBus9zHHUwwBfio2PgIlocRL6SL5Q2amcALPuDgEYdM5whIKKwYB +BAGXVQEFAQEHQKpjexO72fM4FUcrTh2r6MCyxmAF0CBUpnTQeIk5nVZ2AwEIB4h+ +BBgWCgAmFiEEvKDFwwnKxWnnSpIc927+XQwiOo8FAmHTOcICGwwFCQlmAYAACgkQ +927+XQwiOo/sOgD9GOjmj2blZGtR5attfY46/9B9bBkb8kDW7LACK007YZUBAJr8 +JCfIUFBfm5b/ev80rscAUSp4uTn4Z/W6ywR5STIH +=NTtt -----END PGP PUBLIC KEY BLOCK-----