Author: glen Date: Sat Mar 31 21:25:02 2012 GMT Module: packages Tag: HEAD ---- Log message: - new, based on fedora package
---- Files affected: packages/pam-pam_google-authenticator: 0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch (NONE -> 1.1) (NEW), 0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch (NONE -> 1.1) (NEW), pam-pam_google-authenticator.spec (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch
diff -u /dev/null packages/pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch:1.1
--- /dev/null Sat Mar 31 23:25:02 2012
+++ packages/pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch Sat Mar 31 23:24:57 2012
@@ -0,0 +1,47 @@
+From b9dba3310e01a378014520d23e05ed432d0f8266 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <david.woodho...@intel.com>
+Date: Sun, 11 Sep 2011 23:10:16 +0100
+Subject: [PATCH] Add no-drop-privs option to manage secret files as root
+
+---
+ libpam/pam_google_authenticator.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libpam/pam_google_authenticator.c b/libpam/pam_google_authenticator.c
+index c6b8e58..1b83c38 100644
+--- a/libpam/pam_google_authenticator.c
++++ b/libpam/pam_google_authenticator.c
+@@ -60,6 +60,7 @@ typedef struct Params {
+ const char *secret_filename_spec;
+ int noskewadj;
+ int echocode;
++ int no_drop_privs;
+ } Params;
+
+ static char oom;
+@@ -1083,6 +1084,8 @@ static int parse_args(pam_handle_t *pamh, int argc, const char **argv,
+ params->noskewadj = 1;
+ } else if (!strcmp(argv[i], "echo-verification-code")) {
+ params->echocode = PAM_PROMPT_ECHO_ON;
++ } else if (!strcmp(argv[i], "no-drop-privs")) {
++ params->no_drop_privs = 1;
+ } else {
+ log_message(LOG_ERR, pamh, "Unrecognized option \"%s\"", argv[i]);
+ return -1;
+@@ -1118,9 +1121,10 @@ static int google_authenticator(pam_handle_t *pamh, int flags,
+ int updated = 0;
+ if ((username = get_user_name(pamh)) &&
+ (secret_filename = get_secret_filename(pamh, ¶ms, username, &uid)) &&
+- (old_uid = drop_privileges(pamh, username, uid)) >= 0 &&
+- (fd = open_secret_file(pamh, secret_filename, username, uid,
+- &filesize, &mtime)) >= 0 &&
++ (params.no_drop_privs ||
++ (old_uid = drop_privileges(pamh, username, uid))) >= 0 &&
++ (fd = open_secret_file(pamh, secret_filename, params.no_drop_privs?"root":username,
++ params.no_drop_privs?0:uid, &filesize, &mtime)) >= 0 &&
+ (buf = read_file_contents(pamh, secret_filename, &fd, filesize)) &&
+ (secret = get_shared_secret(pamh, secret_filename, buf, &secretLen)) &&
+ (rate_limit(pamh, secret_filename, &updated, &buf) >= 0) &&
+--
+1.7.6
+
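Review bot: The rewritten condition in google_authenticator() applies `>= 0` to the result of the `||` rather than to drop_privileges(): `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid))) >= 0` evaluates to 0 or 1 and is therefore always true, so a failing drop_privileges() (negative return, which the removed line rejected) no longer aborts, and the secret file is opened without privileges having been dropped. Move the comparison inside the parenthesis: `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid)) >= 0) &&`. When `no-drop-privs` is set old_uid is never assigned; whatever later restores privileges from it lies outside this hunk and should be confirmed to tolerate that. The option also makes open_secret_file() validate the file against `"root"`/uid 0, which looks like the intent for a root-managed secret directory, but nothing in the hunk says so; a comment on the new `else if` branch such as `/* no-drop-privs: stay root; secret files must be root-owned */` would help.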
================================================================
Index: packages/pam-pam_google-authenticator/0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch
diff -u /dev/null packages/pam-pam_google-authenticator/0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch:1.1
--- /dev/null Sat Mar 31 23:25:02 2012
+++ packages/pam-pam_google-authenticator/0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch Sat Mar 31 23:24:57 2012
@@ -0,0 +1,62 @@
+From 82eae28e2fd4f7ddfcbc185c7478db5806b4b4ea Mon Sep 17 00:00:00 2001
+From: David Woodhouse <david.woodho...@intel.com>
+Date: Mon, 26 Sep 2011 23:55:55 +0100
+Subject: [PATCH 2/2] Allow expansion of PAM environment variables in secret
+ file name
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=983#c43 makes OpenSSH set
+a PAM environment variable indicating which SSH public key was used to
+authenticate. This lets Google Authenticator use that information (or
+anything else in PAM environment variables) to select an appropriate
+secret file.
+---
+ libpam/Makefile | 4 ++--
+ libpam/pam_google_authenticator.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libpam/Makefile b/libpam/Makefile
+index 9137d68..fbe93a8 100644
+--- a/libpam/Makefile
++++ b/libpam/Makefile
+@@ -60,7 +60,7 @@ google-authenticator: google-authenticator.o base32.o hmac.o sha1.o
+ echo " -ldl") -o $@ $+
+
+ demo: demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o
+- $(CC) -g $(DEF_LDFLAGS) -rdynamic \
++ $(CC) -g $(DEF_LDFLAGS) -rdynamic -lpam \
+ $(shell [ -f /usr/lib/libdl.so ] && echo " -ldl") -o $@ $+
+
+ pam_google_authenticator_unittest: pam_google_authenticator_unittest.o \
+@@ -92,4 +92,4 @@ sha1.o: sha1.c sha1.h
+ .c.o:
+ $(CC) --std=gnu99 -Wall -O2 -g -fPIC -c $(DEF_CFLAGS) -o $@ $<
+ .o.so:
+- $(CC) -shared -g $(DEF_LDFLAGS) -o $@ $+
++ $(CC) -shared -g $(DEF_LDFLAGS) -lpam -o $@ $+
+diff --git a/libpam/pam_google_authenticator.c b/libpam/pam_google_authenticator.c
+index 1b83c38..4708c1e 100644
+--- a/libpam/pam_google_authenticator.c
++++ b/libpam/pam_google_authenticator.c
+@@ -170,7 +170,18 @@ static char *get_secret_filename(pam_handle_t *pamh, const Params *params,
+ subst = pw->pw_dir;
+ var = cur;
+ } else if (secret_filename[offset] == '$') {
+- if (!memcmp(cur, "${HOME}", 7)) {
++ if (!memcmp(cur, "${PAM:", 6)) {
++ char *cls = strchr(cur + 6, '}');
++ if (cls) {
++ char *envname = strndup(cur + 6, cls -
cur - 6);
++ subst = pam_getenv(pamh, envname);
++ if (!subst)
++ subst = "";
++ free (envname);
++ var = cur;
++ var_len = cls - cur + 1;
++ }
++ } else if (!memcmp(cur, "${HOME}", 7)) {
+ var_len = 7;
+ subst = pw->pw_dir;
+ var = cur;
+--
+1.7.6.2
+
================================================================
Index: packages/pam-pam_google-authenticator/pam-pam_google-authenticator.spec
diff -u /dev/null packages/pam-pam_google-authenticator/pam-pam_google-authenticator.spec:1.1
--- /dev/null Sat Mar 31 23:25:02 2012
+++ packages/pam-pam_google-authenticator/pam-pam_google-authenticator.spec Sat Mar 31 23:24:57 2012
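Review bot: The value pam_getenv() returns for `${PAM:name}` is spliced into the secret-file path verbatim, so a PAM environment value containing `/` or `..` changes which file get_secret_filename() selects (and, with Patch1's no-drop-privs option, which file is opened as root); if the SSH key the commit message refers to is exported in standard base64, that alphabet itself includes `/`. Either reject such values, `if (!subst || strchr(subst, '/') || strstr(subst, "..")) subst = "";`, or add a comment stating that only trusted modules may set the variable and that its value must be path-safe. The strndup() result is also used unchecked: on allocation failure `envname` is NULL, pam_getenv() is called with a NULL name and the expansion most likely becomes an empty string silently, whereas this file appears to have an `oom` sentinel convention (visible in Patch1's context) that the failure should follow — get_secret_filename() begins and ends outside the hunk. Minor: `-lpam` is placed before the object files in both Makefile link lines, which a linker running with `--as-needed` may drop; appending it after `$+` is the safer order.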
@@ -0,0 +1,77 @@
+# $Revision$, $Date$
+#
+# Conditional build:
+%bcond_with tests # build with tests
+
+%define snapshot d525a9bab875
+%define snapdate 20110830
+Summary: PAM module for One-time passcode support using open standards
+Name: pam-pam_google-authenticator
+Version: 0
+Release: 0.3.%{snapdate}.hg%{snapshot}
+License: ASL 2.0
+URL: http://code.google.com/p/google-authenticator/
+# hg archive -r ${snapshot} %{name}-0.%{snapdate}.hg%{snapshot}.tar.gz
+#Source0: %{name}-0.%{snapdate}.hg%{snapshot}.tar.gz
+Group: Libraries
+Source0: http://pkgs.fedoraproject.org/repo/pkgs/google-authenticator/google-authenticator-0.20110830.hgd525a9bab875.tar.gz/82b01c66812d1a2ceef51c0e375c18f3/google-authenticator-0.20110830.hgd525a9bab875.tar.gz
+# Source0-md5: 82b01c66812d1a2ceef51c0e375c18f3
+Patch1: 0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch
+Patch2: 0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch
+BuildRequires: pam-devel
+BuildRequires: qrencode-devel
+BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+The Google Authenticator package contains a pluggable authentication
+module (PAM) which allows login using one-time passcodes conforming to
+the open standards developed by the Initiative for Open Authentication
+(OATH) (which is unrelated to OAuth).
+
+Passcode generators are available (separately) for several mobile
+platforms.
+
+These implementations support the HMAC-Based One-time Password (HOTP)
+algorithm specified in RFC 4226 and the Time-based One-time Password
+(TOTP) algorithm currently in draft.
+
+%prep
+%setup -q -n google-authenticator-%{version}.%{snapdate}.hg%{snapshot}
+%patch1 -p1
+%patch2 -p1
+
+%build
+%{__make} -C libpam \
+ CC="%{__cc}" \
+ CFLAGS="%{rpmcflags}" \
+ LDFLAGS="-ldl"
+
+%if %{with tests}
+cd libpam
+./pam_google_authenticator_unittest
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{/%{_lib}/security,%{_bindir}}
+cd libpam
+install -p pam_google_authenticator.so $RPM_BUILD_ROOT/%{_lib}/security
+install -p google-authenticator $RPM_BUILD_ROOT%{_bindir}/google-authenticator
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc libpam/FILEFORMAT libpam/README libpam/totp.html
+%attr(755,root,root) /%{_lib}/security/pam_google_authenticator.so
+%attr(755,root,root) %{_bindir}/google-authenticator
+
+%define date %(echo `LC_ALL="C" date +"%a %b %d %Y"`)
+%changelog
+* %{date} PLD Team <feedb...@pld-linux.org>
+All persons listed below can be reached at <cvs_login>@pld-linux.org
+
+$Log$
+Revision 1.1 2012/03/31 21:24:57 glen
+- new, based on fedora package
================================================================
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
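Review bot: The `%build` step passes the Makefile `CFLAGS="%{rpmcflags}"` and `LDFLAGS="-ldl"`, but the link rules visible in Patch2 use `$(DEF_LDFLAGS)` and the `.c.o` rule uses `$(DEF_CFLAGS)`; unless those are derived from CFLAGS/LDFLAGS elsewhere in libpam/Makefile (not shown here), the distribution's hardening flags never reach the PAM module and the `-ldl` is inert. Verify against the Makefile, or pass the variables the rules actually read, e.g. `DEF_CFLAGS="%{rpmcflags}" DEF_LDFLAGS="%{rpmldflags}"`. Separately, the two patches add a `no-drop-privs` PAM option and `${PAM:var}` expansion in the secret path, while the only documentation packaged (`%doc libpam/README`) is upstream's and is not touched by either patch; a short note in the spec or a packaged doc snippet describing both options would save administrators from reading the patch to learn they exist.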