Date: Wednesday, August 12, 2020 @ 19:34:22 Author: tpowa Revision: 393562
Remove options not supported by faillock, Drop sha512 option to pam_unix, Fix pam_faillock support, Pass option user_readenv=1 to pam_env at end of session in system-login Modified: pambase/trunk/PKGBUILD pambase/trunk/system-auth pambase/trunk/system-login --------------+ PKGBUILD | 6 +++--- system-auth | 32 +++++++++++++++++++++----------- system-login | 4 +--- 3 files changed, 25 insertions(+), 17 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-08-12 19:33:15 UTC (rev 393561) +++ PKGBUILD 2020-08-12 19:34:22 UTC (rev 393562) @@ -2,7 +2,7 @@ pkgname=pambase pkgver=20200721.1 -pkgrel=1 +pkgrel=2 pkgdesc="Base PAM configuration for services" arch=('any') url="https://www.archlinux.org" @@ -19,9 +19,9 @@ 'etc/pam.d/system-remote-login' 'etc/pam.d/system-services' 'etc/pam.d/other') -sha256sums=('3eb67872e436817ec97c4f3795adba2cf1d3829ea4e107ef5747569e4eeb5746' +sha256sums=('89d62406b2d623a76d53c33aca98ce8ee124ed4a450ff6c8a44cfccca78baa2f' '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9' - '7ed354fca93af277cb139a7b98be985d573c6a5e5585528b0e76b9a401e59749' + '2ed270c2789526336cc6479e63f6263b5c6f41cfc829a17a449a38621b6bf020' '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9' '6eb1acdd3fa9f71a7f93fbd529be57ea65bcafc6e3a98a06af4d88013fc6a567' 'd5ed59ec2157c19c87964a162f7ca84d53c19fb2bd68d3fbc1671ba8d906346f') Modified: system-auth =================================================================== --- system-auth 2020-08-12 19:33:15 UTC (rev 393561) +++ system-auth 2020-08-12 19:34:22 UTC (rev 393562) @@ -1,16 +1,26 @@ #%PAM-1.0 -auth required pam_unix.so try_first_pass nullok -auth optional pam_permit.so -auth required pam_env.so +auth required pam_faillock.so preauth +# Optionally use requisite above if you do not want to prompt for the password +# on locked accounts. +auth [success=2 default=ignore] pam_unix.so try_first_pass nullok +-auth [success=1 default=ignore] pam_systemd_home.so +auth [default=die] pam_faillock.so authfail +auth optional pam_permit.so +auth required pam_env.so +auth required pam_faillock.so authsucc +# If you drop the above call to pam_faillock.so the lock will be done also +# on non-consecutive authentication failures. -account required pam_unix.so -account optional pam_permit.so -account required pam_time.so +-account [success=1 default=ignore] pam_systemd_home.so +account required pam_unix.so +account optional pam_permit.so +account required pam_time.so -password required pam_unix.so try_first_pass nullok sha512 shadow -password optional pam_permit.so +-password [success=1 default=ignore] pam_systemd_home.so +password required pam_unix.so try_first_pass nullok shadow +password optional pam_permit.so -session required pam_limits.so -session required pam_unix.so -session optional pam_permit.so +session required pam_limits.so +session required pam_unix.so +session optional pam_permit.so Modified: system-login =================================================================== --- system-login 2020-08-12 19:33:15 UTC (rev 393561) +++ system-login 2020-08-12 19:34:22 UTC (rev 393562) @@ -1,11 +1,9 @@ #%PAM-1.0 -auth required pam_faillock.so onerr=succeed file=/var/log/tallylog auth required pam_shells.so auth requisite pam_nologin.so auth include system-auth -account required pam_faillock.so account required pam_access.so account required pam_nologin.so account include system-auth @@ -18,4 +16,4 @@ session optional pam_motd.so motd=/etc/motd session optional pam_mail.so dir=/var/spool/mail standard quiet -session optional pam_systemd.so -session required pam_env.so +session required pam_env.so user_readenv=1