Date: Wednesday, August 12, 2020 @ 19:34:22
  Author: tpowa
Revision: 393562

Remove options not supported by faillock, Drop sha512 option to pam_unix, Fix 
pam_faillock support, Pass option user_readenv=1 to pam_env at end of session 
in system-login

Modified:
  pambase/trunk/PKGBUILD
  pambase/trunk/system-auth
  pambase/trunk/system-login

--------------+
 PKGBUILD     |    6 +++---
 system-auth  |   32 +++++++++++++++++++++-----------
 system-login |    4 +---
 3 files changed, 25 insertions(+), 17 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2020-08-12 19:33:15 UTC (rev 393561)
+++ PKGBUILD    2020-08-12 19:34:22 UTC (rev 393562)
@@ -2,7 +2,7 @@
 
 pkgname=pambase
 pkgver=20200721.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Base PAM configuration for services"
 arch=('any')
 url="https://www.archlinux.org";
@@ -19,9 +19,9 @@
         'etc/pam.d/system-remote-login'
         'etc/pam.d/system-services'
         'etc/pam.d/other')
-sha256sums=('3eb67872e436817ec97c4f3795adba2cf1d3829ea4e107ef5747569e4eeb5746'
+sha256sums=('89d62406b2d623a76d53c33aca98ce8ee124ed4a450ff6c8a44cfccca78baa2f'
             '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9'
-            '7ed354fca93af277cb139a7b98be985d573c6a5e5585528b0e76b9a401e59749'
+            '2ed270c2789526336cc6479e63f6263b5c6f41cfc829a17a449a38621b6bf020'
             '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9'
             '6eb1acdd3fa9f71a7f93fbd529be57ea65bcafc6e3a98a06af4d88013fc6a567'
             'd5ed59ec2157c19c87964a162f7ca84d53c19fb2bd68d3fbc1671ba8d906346f')

Modified: system-auth
===================================================================
--- system-auth 2020-08-12 19:33:15 UTC (rev 393561)
+++ system-auth 2020-08-12 19:34:22 UTC (rev 393562)
@@ -1,16 +1,26 @@
 #%PAM-1.0
 
-auth      required  pam_unix.so     try_first_pass nullok
-auth      optional  pam_permit.so
-auth      required  pam_env.so
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+auth       [success=2 default=ignore]  pam_unix.so          try_first_pass 
nullok
+-auth      [success=1 default=ignore]  pam_systemd_home.so
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
 
-account   required  pam_unix.so
-account   optional  pam_permit.so
-account   required  pam_time.so
+-account   [success=1 default=ignore]  pam_systemd_home.so
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
 
-password  required  pam_unix.so     try_first_pass nullok sha512 shadow
-password  optional  pam_permit.so
+-password  [success=1 default=ignore]  pam_systemd_home.so
+password   required                    pam_unix.so          try_first_pass 
nullok shadow
+password   optional                    pam_permit.so
 
-session   required  pam_limits.so
-session   required  pam_unix.so
-session   optional  pam_permit.so
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so
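Review bot: The `success=2` on the pam_unix auth line and the `success=1` on the pam_systemd_home line are positional skip counts that have to land on `pam_permit.so`, and nothing in the file says so. A local edit that adds or removes an auth line between them and `pam_faillock.so authfail` would silently change which module a successful login reaches, for example counting a correct password as a failure or bypassing the failure counter. I would add a comment above the pam_unix line such as `# success=N skips the next N lines so a successful module jumps past pam_faillock authfail; adjust the counts if auth lines are added or removed here`. Separately, with `sha512` dropped from the password line the hash algorithm is no longer pinned in this file. As far as I can tell pam_unix then takes it from ENCRYPT_METHOD in /etc/login.defs, which deserves a one-line comment so a weak or missing setting there is not overlooked.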

Modified: system-login
===================================================================
--- system-login        2020-08-12 19:33:15 UTC (rev 393561)
+++ system-login        2020-08-12 19:34:22 UTC (rev 393562)
@@ -1,11 +1,9 @@
 #%PAM-1.0
 
-auth       required   pam_faillock.so        onerr=succeed 
file=/var/log/tallylog
 auth       required   pam_shells.so
 auth       requisite  pam_nologin.so
 auth       include    system-auth
 
-account    required   pam_faillock.so 
 account    required   pam_access.so
 account    required   pam_nologin.so
 account    include    system-auth
@@ -18,4 +16,4 @@
 session    optional   pam_motd.so          motd=/etc/motd
 session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
 -session   optional   pam_systemd.so
-session    required   pam_env.so
+session    required   pam_env.so           user_readenv=1
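Review bot: `user_readenv=1` makes pam_env read the user's own `~/.pam_environment`, so every service whose PAM file includes system-login now starts sessions with user-controlled variables, and the line has no comment saying so. Being the last session module limits what those variables can influence inside the stack. Accounts that are meant to be confined (restricted shell, forced command) may still be able to set variables such as PATH for the process that follows. I would document this in place, e.g. `# user_readenv=1 reads ~/.pam_environment (user-controlled); keep this as the last session line`.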
