[gentoo-commits] proj/pambase:master commit in: templates/

2024-01-28 Thread Sam James
commit: f6e52e5b96c20426687bc8041b171c9b788d7910
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 28 08:14:35 2024 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 28 08:14:35 2024 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f6e52e5b

system-auth.tpl: fix sssd's pam_deny

Closes: https://bugs.gentoo.org/922918
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 4065e89..9a274a4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -31,7 +31,7 @@ auth  sufficient  pam_sss.so forward_pass {{ 
debug|default('', true) }}
 auth   optionalpam_cap.so
 {% endif %}
 {% if sssd %}
-auth   sufficient  pam_deny.so
+auth   requiredpam_deny.so
 {% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
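Review bot: Nothing on the new side pins this control flag, so the regression it fixes could come back unnoticed. The rendered fixtures visible elsewhere on this page cover only the custom, default and minimal stacks, none with sssd enabled. libpam ignores the failure of a `sufficient` module, which is why the old line could never deny anything; `required` makes pam_deny.so an actual terminal failure. Consider adding a rendered sssd fixture and a template comment above the line, for example `{# terminal deny: must be required, a failing sufficient entry is ignored #}`. The rest of the sssd auth stack lies outside this hunk.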



[gentoo-commits] proj/pambase:master commit in: templates/, /

2024-01-18 Thread Sam James
commit: c2060f499d483e11ba4524283c2d95a6a8beb8dc
Author: Christopher Byrne  gmail  com>
AuthorDate: Sun Sep  3 16:32:19 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Fri Jan 19 05:31:42 2024 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c2060f49

Add sssd support

Bug: https://bugs.gentoo.org/726050
Closes: https://github.com/gentoo/pambase/issues/1
Signed-off-by: Christopher Byrne  gmail.com>
Closes: https://github.com/gentoo/pambase/pull/17
Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  7 ++-
 templates/system-auth.tpl| 38 --
 templates/system-session.tpl |  4 
 3 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/pambase.py b/pambase.py
index 3875e89..ceec8cb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -19,6 +19,7 @@ def main():
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
 parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
+parser.add_argument('--sssd', action="store_true", help='enable sssd.so 
module')
 parser.add_argument('--yescrypt', action="store_true", help='enable 
yescrypt option for pam_unix.so module')
 parser.add_argument('--sha512', action="store_true", help='enable sha512 
option for pam_unix.so module')
 parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
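Review bot: The help string on the added `--sssd` option names `sssd.so`, but the template lines this flag enables load `pam_sss.so` (together with pam_usertype.so and pam_localuser.so), and every neighbouring option names the actual module file. Suggest `help='enable pam_sss.so module (SSSD)'` so that `--help` matches what ends up in the rendered stack. main() starts and ends outside this hunk.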
@@ -41,7 +42,8 @@ def process_args(args):
 "unix_authtok",
 "unix_extended_encryption",
 "likeauth",
-"nullok"
+"nullok",
+"local_users_only"
 ]
 
 # create a blank dictionary
@@ -62,6 +64,9 @@ def process_args(args):
 if args.krb5:
 output["krb5_params"] = "{0} ignore_root 
try_first_pass".format("debug").strip()
 
+if args.sssd:
+output["local_users_only"] = "local_users_only"
+
 if args.yescrypt:
 output["unix_extended_encryption"] = "yescrypt shadow"
 elif args.sha512:
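Review bot: The context line just above the new `if args.sssd:` block builds `krb5_params` with `.format("debug")`, a constant, so the rendered pam_krb5.so lines always carry `debug` and the trailing `.strip()` never has anything to strip. That looks unintended: the templates take `debug` for the other modules from a variable that defaults to empty, and always-on debug output from an authentication module adds noise to the auth log. If the script has a debug setting (not visible in this hunk), format with that value instead, `.format(<debug-option-or-empty-string>)`. process_args() starts and ends outside this hunk.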

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 9b078f3..4065e89 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -7,34 +7,55 @@ auth  sufficient  pam_ssh.so
 auth   [success={{ 4 if homed else 3 }} default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if sssd %}
+auth   [default=1 ignore=ignore success=ok]pam_usertype.so 
isregular
+auth   [default=3 ignore=ignore success=ok]pam_localuser.so
+{% endif %}
+
 auth   requisite   pam_faillock.so preauth
+
 {% if homed %}
 auth[success=2 default=ignore]  pam_systemd_home.so
 {% endif %}
+
+{% if sssd %}
+authsufficientpam_unix.so {{ nullok|default('', true) }} {{ 
debug|default('', true) }}
+{% else %}
 auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad]  
pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} 
try_first_pass
+{% endif %}
 auth   [default=die]   pam_faillock.so authfail
-
+{% if sssd %}
+auth   sufficient  pam_sss.so forward_pass {{ debug|default('', 
true) }}
+{% endif %}
 {% if caps %}
 auth   optionalpam_cap.so
 {% endif %}
-
+{% if sssd %}
+auth   sufficient  pam_deny.so
+{% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 {% if homed %}
-account [success=1 default=ignore]  pam_systemd_home.so
+account [success={{ 2 if sssd else 1 }} default=ignore]  
pam_systemd_home.so
 {% endif %}
 
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
+{% if sssd %}
+accountsufficient  pam_localuser.so
+accountsufficient  pam_usertype.so issystem
+account[default=bad success=ok user_unknown=ignore] pam_sss.so 
{{ debug|default('', true) }}
+accountrequiredpam_permit.so
+{% endif %}
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
 {% endif %}
 
 {% if pwquality %}
-passwordrequiredpam_pwquality.so
+passwordrequiredpam_pwquality.so {{ 
local_users_only|default('', true ) }}
 {% endif %}
 
 {% if pwhistory %}
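Review bot: The numeric jumps on the new side do not account for the other optional lines in the auth stack. `pam_localuser.so` uses a fixed `default=3`, which lands on pam_sss.so only when `homed` is off; with `homed` on there is one more auth line (pam_systemd_home.so) in between, so the jump would land on `pam_faillock.so authfail` with `[default=die]` instead. The existing krb5 line has the mirror problem: its `success={{ 4 if homed else 3 }}` was counted before the two sssd lines were inserted after it. If these flags can be combined (any packaging-side constraint is not visible here), make the counts conditional, e.g. `[default={{ 4 if homed else 3 }} ignore=ignore success=ok]` for pam_localuser.so, and add a rendered fixture for each combination.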
@@ -50,9 +71,14 @@ password[success=1 default=ignore]  
pam_systemd_home.so
 {% endif %}
 
 {% if passwdqc or pwquality %}
-password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+password   {{ 'sufficient' if sssd else 'required' }}  pam_unix.so 
try_first_pass {{ unix_authtok|default('', true) }} 

[gentoo-commits] proj/pambase:master commit in: tests/rendered/custom/, templates/, tests/rendered/minimal/, ...

2023-12-17 Thread Sam James
commit: a125db180b5f9325cdabd90d17477090fbba95e5
Author: Daniel Harding  living180  net>
AuthorDate: Fri May 13 11:25:02 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Dec 17 12:45:22 2023 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=a125db18

Honor pam_unix.so return value

Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value
of pam_authenticate() for the case when the user enters an incorrect
password.  Prior to that change pam_authenticate() would return
PAM_AUTH_ERR for an incorrect password, while after it would return
PAM_PERM_DENIED.

The root cause is that after that change, nothing in the stack before
the final pam_faillock.so auth entry is setting `impression` in
_pam_dispatch_aux().  If the user has not reached the maximum number of
tries, pam_faillock.so returns PAM_IGNORE [1] and thus
_pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is
defined to be PAM_PERM_DENIED [3].  This ends up being the return value
for pam_authenticate().

This commit addresses the problem by changing the `default` control
action for the pam_unix.so auth entry from `ignore` to `bad` (the same
as when its control value was `required`).  Thus when processing the
pam_unix.so entry, _pam_dispatch_aux() will set `impression` to
_PAM_NEGATIVE and `status` to the return value of pam_unix.so,
PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final
pam_faillock.so auth entry.  Because `impression` is now _PAM_NEGATIVE,
_pam_dispatch_aux() will not change the value of `status` and the return
value of pam_authenticate() is PAM_AUTH_ERR as desired.

Also ensure that `new_authtok_reqd` is handled correctly when returned
from pam_unix.so.

[1] 
https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712

[2] 
https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244

[3] 
https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17

[4] 
https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246

Signed-off-by: Daniel Harding  living180.net>
Closes: https://github.com/gentoo/pambase/pull/10
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 2 +-
 tests/rendered/custom/system-auth  | 2 +-
 tests/rendered/default/system-auth | 2 +-
 tests/rendered/minimal/system-auth | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 9739b6f..9b078f3 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -11,7 +11,7 @@ auth  requisite   pam_faillock.so preauth
 {% if homed %}
 auth[success=2 default=ignore]  pam_systemd_home.so
 {% endif %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad]  
pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} 
try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
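Review bot: The reasoning for this control string lives only in the commit message. The template line itself gives no hint that `default=bad` is what makes pam_authenticate() return PAM_AUTH_ERR, or that the `=1` jumps exist to step over the following `pam_faillock.so authfail` entry. A later edit that simplifies it back to `default=ignore`, or inserts a line between the two entries, would silently reintroduce the problem. Suggest a template comment above it, for example `{# default=bad keeps PAM_AUTH_ERR as the stack result; success/new_authtok_reqd jump over authfail #}`, assuming the Jinja environment is configured so that comments do not leak into the rendered files.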

diff --git a/tests/rendered/custom/system-auth 
b/tests/rendered/custom/system-auth
index a84a45a..aae3914 100644
--- a/tests/rendered/custom/system-auth
+++ b/tests/rendered/custom/system-auth
@@ -1,6 +1,6 @@
 auth   requiredpam_env.so
 auth   requisite   pam_faillock.so preauth
-auth[success=1 default=ignore]  pam_unix.so nullok  
try_first_pass
+auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad]  
pam_unix.so nullok  try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 accountrequiredpam_unix.so
 account requiredpam_faillock.so

diff --git a/tests/rendered/default/system-auth 
b/tests/rendered/default/system-auth
index d84e030..4c069c3 100644
--- a/tests/rendered/default/system-auth
+++ b/tests/rendered/default/system-auth
@@ -1,6 +1,6 @@
 auth   requiredpam_env.so
 auth   requisite   pam_faillock.so preauth
-auth[success=1 default=ignore]  pam_unix.so   try_first_pass
+auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad]  
pam_unix.so   try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 accountrequiredpam_unix.so
 account requiredpam_faillock.so

diff --git a/tests/rendered/minimal/system-auth 
b/tests/rendered/minimal/system-auth
index d84e030..4c069c3 100644
--- a/tests/rendered/minimal/system-auth
+++ b/tests/rendered/minimal/system-auth
@@ -1,6 +1,6 @@
 auth   requiredpam_env.so
 auth   requisite   pam_faillock.so preauth
-auth[success=1 default=ignore]  

[gentoo-commits] proj/pambase:master commit in: /, .github/workflows/

2023-11-12 Thread Sam James
commit: 6b3b62b5777677930b3ff9e00835f6b1c1e914aa
Author: Aliaksei Urbanski  gmail  com>
AuthorDate: Wed Nov  8 15:01:37 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov 13 06:20:51 2023 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=6b3b62b5

Add a GitHub Actions workflow for tests

These changes enable tests on the GitHub side.
The implementation relies on Official Gentoo Docker images,
since I believe it's a better way to test Gentoo-specific packages.

Useful links:
  * https://www.gentoo.org/news/2020/07/04/official-docker.html
  * https://github.com/gentoo/gentoo-docker-images
  * https://github.com/docker/build-push-action
  * https://docs.docker.com/build/ci/github-actions/cache/

Signed-off-by: Sam James  gentoo.org>

 .dockerignore   |  6 ++
 .github/workflows/tests.yml | 26 ++
 Dockerfile  | 14 ++
 3 files changed, 46 insertions(+)

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000..f502e63
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.git/
+.github/
+stack/
+.dockerignore
+.gitignore
+Dockerfile

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000..652d733
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,26 @@
+name: Tests
+
+on:
+  push:
+  pull_request:
+branches:
+  - master
+
+jobs:
+  tests:
+runs-on: ubuntu-latest
+steps:
+  - name: Checkout
+uses: actions/checkout@v4
+  - name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+  - name: Build the Docker image
+uses: docker/build-push-action@v5
+with:
+  context: .
+  cache-from: type=gha
+  cache-to: type=gha,mode=max
+  load: true
+  tags: pambase
+  - name: Run tox
+run: docker run pambase
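Review bot: The workflow declares no `permissions:` block and references actions by mutable tag (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`), while it runs on `pull_request` and builds the Dockerfile from the checked-out tree. A top-level `permissions:` with `contents: read` limits what the job token can do (verify the `type=gha` cache still works with it). Pinning each `uses:` to a full commit SHA, for example `actions/checkout@<full-commit-sha> # v4`, keeps a retagged release from changing what runs. Separately, `push:` has no branch filter, so a branch with an open pull request against master runs the job twice. The indentation is flattened in this archive copy, so check in the real file that `branches:` sits under `pull_request:` as intended.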

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000..1d3d150
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+# based on https://github.com/gentoo/gentoo-docker-images
+
+FROM gentoo/portage:latest as portage
+FROM gentoo/stage3:latest
+
+COPY --from=portage /var/db/repos/gentoo /var/db/repos/gentoo
+
+ENV ACCEPT_KEYWORDS="~amd64"
+RUN emerge -qvu python:3.{10..12} dev-python/tox
+
+COPY . /usr/src/pambase
+WORKDIR /usr/src/pambase
+
+CMD tox --colored yes
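Review bot: Both base images are taken by the mutable `latest` tag (`gentoo/portage:latest`, `gentoo/stage3:latest`), so every CI run can build on different, unreviewed content and a failure cannot be reproduced later. Pin them to a dated tag or a digest, e.g. `FROM gentoo/stage3@sha256:<digest>`, and bump the pin deliberately. The `RUN emerge -qvu python:3.{10..12}` line also depends on brace expansion, which works only where the image's `/bin/sh` is bash; spelling out `python:3.10 python:3.11 python:3.12` avoids that assumption.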



[gentoo-commits] proj/pambase:master commit in: /

2023-11-12 Thread Sam James
commit: b599daf14eda0a238265f11d239c4c772c345fbd
Author: Aliaksei Urbanski  gmail  com>
AuthorDate: Wed Nov  8 15:08:15 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov 13 06:20:51 2023 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b599daf1

Add README.md

Closes: https://github.com/gentoo/pambase/pull/18
Signed-off-by: Sam James  gentoo.org>

 README.md | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/README.md b/README.md
new file mode 100644
index 000..59f4ecd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,18 @@
+# pambase
+
+[PAM](https://wiki.gentoo.org/wiki/PAM) base configuration files.
+
+This repository contains a small [Python](https://wiki.gentoo.org/wiki/Python) 
script that renders `PAM` configuration templates for [Gentoo 
Linux](https://www.gentoo.org).
+
+## Dependencies
+
+`pambase` depends on 
[jinja](https://packages.gentoo.org/packages/dev-python/jinja).
+
+## Testing
+
+In order to perform tests, run 
[tox](https://packages.gentoo.org/packages/dev-python/tox).
+
+Alternatively, you can run tests with 
[Docker](https://wiki.gentoo.org/wiki/Docker):
+```sh
+docker run --rm -it $(docker build -q .)
+```



[gentoo-commits] proj/pambase:master commit in: tests/rendered/default/, tests/rendered/minimal/, tests/rendered/custom/, /

2023-11-12 Thread Sam James
commit: 93731d4ad939156665887e430086f6853653bc41
Author: Aliaksei Urbanski  gmail  com>
AuthorDate: Tue Nov  7 00:55:56 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov 13 06:20:50 2023 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93731d4a

Add basic rendering tests with tox

Signed-off-by: Aliaksei Urbanski  gmail.com>
Signed-off-by: Sam James  gentoo.org>

 .gitignore |  1 +
 tests/rendered/custom/login|  5 +
 tests/rendered/custom/other|  4 
 tests/rendered/custom/passwd   |  4 
 tests/rendered/custom/su   |  8 
 tests/rendered/custom/system-auth  | 11 +++
 tests/rendered/custom/system-local-login   |  4 
 tests/rendered/custom/system-login | 15 +++
 tests/rendered/custom/system-remote-login  |  4 
 tests/rendered/custom/system-services  |  6 ++
 tests/rendered/default/login   |  5 +
 tests/rendered/default/other   |  4 
 tests/rendered/default/passwd  |  4 
 tests/rendered/default/su  |  8 
 tests/rendered/default/system-auth | 10 ++
 tests/rendered/default/system-local-login  |  4 
 tests/rendered/default/system-login| 14 ++
 tests/rendered/default/system-remote-login |  4 
 tests/rendered/default/system-services |  6 ++
 tests/rendered/minimal/login   |  5 +
 tests/rendered/minimal/other   |  4 
 tests/rendered/minimal/passwd  |  4 
 tests/rendered/minimal/su  |  8 
 tests/rendered/minimal/system-auth | 10 ++
 tests/rendered/minimal/system-local-login  |  4 
 tests/rendered/minimal/system-login| 11 +++
 tests/rendered/minimal/system-remote-login |  4 
 tests/rendered/minimal/system-services |  6 ++
 tox.ini| 18 ++
 29 files changed, 195 insertions(+)

diff --git a/.gitignore b/.gitignore
index 844c82f..73c8fab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 stack/
 .idea/
+.tox/

diff --git a/tests/rendered/custom/login b/tests/rendered/custom/login
new file mode 100644
index 000..e5a66f2
--- /dev/null
+++ b/tests/rendered/custom/login
@@ -0,0 +1,5 @@
+auth   include system-local-login
+accountinclude system-local-login
+password   include system-local-login
+sessionoptionalpam_lastlog.so
+sessioninclude system-local-login

diff --git a/tests/rendered/custom/other b/tests/rendered/custom/other
new file mode 100644
index 000..9544f8e
--- /dev/null
+++ b/tests/rendered/custom/other
@@ -0,0 +1,4 @@
+auth   requiredpam_deny.so
+accountrequiredpam_deny.so
+password   requiredpam_deny.so
+sessionrequiredpam_deny.so

diff --git a/tests/rendered/custom/passwd b/tests/rendered/custom/passwd
new file mode 100644
index 000..0bde2a3
--- /dev/null
+++ b/tests/rendered/custom/passwd
@@ -0,0 +1,4 @@
+auth   sufficient  pam_rootok.so
+auth   include system-auth
+accountinclude system-auth
+password   include system-auth

diff --git a/tests/rendered/custom/su b/tests/rendered/custom/su
new file mode 100644
index 000..a36b633
--- /dev/null
+++ b/tests/rendered/custom/su
@@ -0,0 +1,8 @@
+auth   sufficient  pam_rootok.so
+auth   requiredpam_wheel.so use_uid
+auth   include system-auth
+accountinclude system-auth
+password   include system-auth
+sessioninclude system-auth
+sessionrequiredpam_env.so
+sessionoptionalpam_xauth.so

diff --git a/tests/rendered/custom/system-auth 
b/tests/rendered/custom/system-auth
new file mode 100644
index 000..a84a45a
--- /dev/null
+++ b/tests/rendered/custom/system-auth
@@ -0,0 +1,11 @@
+auth   requiredpam_env.so
+auth   requisite   pam_faillock.so preauth
+auth[success=1 default=ignore]  pam_unix.so nullok  
try_first_pass
+auth   [default=die]   pam_faillock.so authfail
+accountrequiredpam_unix.so
+account requiredpam_faillock.so
+password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
+password   requiredpam_unix.so try_first_pass use_authtok nullok 
sha512 shadow
+sessionrequiredpam_limits.so
+sessionrequiredpam_env.so
+sessionrequiredpam_unix.so

diff --git a/tests/rendered/custom/system-local-login 
b/tests/rendered/custom/system-local-login
new file mode 

[gentoo-commits] proj/pambase:master commit in: templates/

2022-08-13 Thread Sam James
commit: ce3e0c4f0648ce44cb239be043a85468b29c4b13
Author: Michael Jones  users  noreply  github  
com>
AuthorDate: Sat Aug  6 05:41:29 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Aug 13 18:28:30 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ce3e0c4f

other.tpl: Fix whitespace

Closes: https://github.com/gentoo/pambase/pull/14
Signed-off-by: Sam James  gentoo.org>

 templates/other.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/other.tpl b/templates/other.tpl
index f3b7198..9544f8e 100644
--- a/templates/other.tpl
+++ b/templates/other.tpl
@@ -1,4 +1,4 @@
 auth   requiredpam_deny.so
 accountrequiredpam_deny.so
-password   requiredpam_deny.so
-sessionrequiredpam_deny.so
+password   requiredpam_deny.so
+sessionrequiredpam_deny.so



[gentoo-commits] proj/pambase:master commit in: templates/

2022-08-13 Thread Sam James
commit: f039f4766ce2b7cfc0ddec806805a4144534c99b
Author: Michael Jones  jonesmz  com>
AuthorDate: Sat Aug  6 06:06:06 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Aug 13 18:28:46 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f039f476

system-login.tpl: Fix whitespace

Closes: https://github.com/gentoo/pambase/pull/16
Signed-off-by: Sam James  gentoo.org>

 templates/system-login.tpl | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index b4b74cf..0269296 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -4,11 +4,11 @@ auth  include system-auth
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
-account requiredpam_time.so
+accountrequiredpam_time.so
 accountinclude system-auth
 
 password   include system-auth
-session optionalpam_loginuid.so
+sessionoptionalpam_loginuid.so
 {% if selinux %}
 sessionrequiredpam_selinux.so close
 {% endif %}
@@ -32,9 +32,9 @@ session   optionalpam_mail.so
 {% endif %}
 
 {% if systemd %}
--sessionoptionalpam_systemd.so
+-session   optionalpam_systemd.so
 {% endif %}
 
 {% if elogind %}
--sessionoptionalpam_elogind.so
+-session   optionalpam_elogind.so
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2022-08-13 Thread Sam James
commit: 2bb5c1846ca7a3222b8ff071d4bc3e63da68d3f1
Author: Michael Jones  users  noreply  github  
com>
AuthorDate: Sat Aug  6 05:40:20 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Sat Aug 13 18:28:11 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2bb5c184

login.tpl: Fix unnecessary space character

Closes: https://github.com/gentoo/pambase/pull/13
Signed-off-by: Sam James  gentoo.org>

 templates/login.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/login.tpl b/templates/login.tpl
index 23e262a..cb85249 100644
--- a/templates/login.tpl
+++ b/templates/login.tpl
@@ -5,5 +5,5 @@ authrequiredpam_securetty.so
 auth   include system-local-login
 accountinclude system-local-login
 password   include system-local-login
-sessionoptionalpam_lastlog.so {{ debug|default('', 
true) }}
+sessionoptionalpam_lastlog.so {{ debug|default('', 
true) }}
 sessioninclude system-local-login



[gentoo-commits] proj/pambase:master commit in: templates/

2022-02-14 Thread Sam James
commit: dacde6da43a9c87f896b842946b514cd49db5dd3
Author: Alexandra Parker  gmail  com>
AuthorDate: Sat Feb 12 21:30:29 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Feb 14 16:51:51 2022 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dacde6da

homed: add before pam_unix

- --homed inserts pam_systemd_home before pam_unix

- --homed --krb5 does that and adjusts krb5's jump to 4 modules

Signed-off-by: Alexandra Parker  gmail.com>
Closes: https://bugs.gentoo.org/808993
Closes: https://github.com/gentoo/pambase/pull/9
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 62344ff..9739b6f 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,16 +4,14 @@ auth  sufficient  pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
+auth   [success={{ 4 if homed else 3 }} default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
 {% if homed %}
-auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
-auth[success=1 default=ignore]  pam_systemd_home.so
-{% else %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=2 default=ignore]  pam_systemd_home.so
 {% endif %}
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
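Review bot: The jump counts on the new side (`success={{ 4 if homed else 3 }}` for pam_krb5.so, `success=2` for pam_systemd_home.so, `success=1` for pam_unix.so) are hand-counted distances to the line after `pam_faillock.so authfail`, and nothing in the template says so. Anyone adding or removing an auth line between pam_krb5.so and authfail has to adjust all of them, and a miscount sends a successful module into the wrong entry rather than failing loudly. Suggest a template comment ahead of the krb5 line such as `{# success=N jumps must land just past pam_faillock.so authfail; recount when adding auth lines #}`.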



[gentoo-commits] proj/pambase:master commit in: /

2021-11-14 Thread Mikle Kolyada
commit: 3b89ab7e52aba0bbb23af40e420d2daf4e07cb84
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sun Nov 14 11:54:54 2021 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sun Nov 14 11:54:54 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3b89ab7e

Add yescrypt support

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pambase.py b/pambase.py
index c078156..3875e89 100755
--- a/pambase.py
+++ b/pambase.py
@@ -19,6 +19,7 @@ def main():
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
 parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
+parser.add_argument('--yescrypt', action="store_true", help='enable 
yescrypt option for pam_unix.so module')
 parser.add_argument('--sha512', action="store_true", help='enable sha512 
option for pam_unix.so module')
 parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
 parser.add_argument('--minimal', action="store_true", help='install 
minimalistic PAM stack')
@@ -61,7 +62,9 @@ def process_args(args):
 if args.krb5:
 output["krb5_params"] = "{0} ignore_root 
try_first_pass".format("debug").strip()
 
-if args.sha512:
+if args.yescrypt:
+output["unix_extended_encryption"] = "yescrypt shadow"
+elif args.sha512:
 output["unix_extended_encryption"] = "sha512 shadow"
 else:
 output["unix_extended_encryption"] = "md5 shadow"
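Review bot: The final `else` still renders `md5 shadow`, so any caller that passes neither `--yescrypt` nor `--sha512` gets MD5-crypt password hashes from pam_unix.so. If the packaging always passes one of the two flags this branch is dead, but as a default it is weaker than either option; consider falling back to `sha512 shadow` or refusing to render without an explicit choice. Passing both flags silently prefers yescrypt; `parser.add_mutually_exclusive_group()` in main() would turn that into an argument error. process_args() starts and ends outside this hunk.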



[gentoo-commits] proj/pambase:master commit in: templates/

2021-02-02 Thread Sam James
commit: c3471f99454e8d086e133beaaf28b129fb22fc40
Author: Sam James  gentoo  org>
AuthorDate: Tue Feb  2 15:50:25 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Feb  2 15:50:25 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c3471f99

templates/system-auth.tpl: fix try_first_pass typo

Closes: https://github.com/gentoo/pambase/issues/6
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 1adee05..62344ff 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -12,7 +12,7 @@ auth  requisite   pam_faillock.so preauth
 auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth[success=1 default=ignore]  pam_systemd_home.so
 {% else %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 {% endif %}
 auth   [default=die]   pam_faillock.so authfail
 



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: fbbc2d49c860857b2fe4b2a6cdb967b0867261c9
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sat Jan 30 19:50:12 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:37:17 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=fbbc2d49

systemd-auth: add systemd-homed support

Signed-off-by: Mikle KOlyada  gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  1 +
 templates/system-auth.tpl| 18 --
 templates/system-session.tpl |  4 
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index 278d578..c078156 100755
--- a/pambase.py
+++ b/pambase.py
@@ -14,6 +14,7 @@ def main():
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
+parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_home.so module')
 parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 01a29db..1adee05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -8,16 +8,26 @@ auth  [success=3 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
-auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=1 default=ignore]  pam_systemd_home.so
+{% else %}
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
--auth  optionalpam_cap.so
+auth   optionalpam_cap.so
 {% endif %}
 
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
+
+{% if homed %}
+account [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
 
@@ -37,6 +47,10 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if homed %}
+password[success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 {% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 2a7024b..536db49 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -8,4 +8,8 @@ session optionalpam_mktemp.so
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
+{% if homed %}
+session [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: 93165fa671e7c6fe41a09302f3c00a140dd6ec9b
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 31 21:36:48 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:37:12 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93165fa6

Revert "systemd-auth: add systemd-homed support"

This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f.
Auto-merged on a reverted commit.

Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  1 -
 templates/system-auth.tpl| 18 ++
 templates/system-session.tpl |  4 
 3 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/pambase.py b/pambase.py
index c078156..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -14,7 +14,6 @@ def main():
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
-parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_home.so module')
 parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 1adee05..01a29db 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -8,26 +8,16 @@ auth  [success=3 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
-{% if homed %}
-auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
-auth[success=1 default=ignore]  pam_systemd_home.so
-{% else %}
-auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
-{% endif %}
+auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
-auth   optionalpam_cap.so
+-auth  optionalpam_cap.so
 {% endif %}
 
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
-
-{% if homed %}
-account [success=1 default=ignore]  pam_systemd_home.so
-{% endif %}
-
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
 
@@ -47,10 +37,6 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-{% if homed %}
-password[success=1 default=ignore]  pam_systemd_home.so
-{% endif %}
-
 {% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 536db49..2a7024b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -8,8 +8,4 @@ session optionalpam_mktemp.so
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
-{% if homed %}
-session [success=1 default=ignore]  pam_systemd_home.so
-{% endif %}
-
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: 2c873cb38ef20d7eb83b5e4aee723c34d64bde3d
Author: Sam James  gentoo  org>
AuthorDate: Sun Jan 31 21:36:41 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:37:04 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2c873cb3

Revert "Add systemd-homed support"

This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a.
Unintentionally had this staged still.

Signed-off-by: Sam James  gentoo.org>

 pambase.py   | 1 -
 templates/system-auth.tpl| 6 --
 templates/system-session.tpl | 4 
 3 files changed, 11 deletions(-)

diff --git a/pambase.py b/pambase.py
index b306ca4..c078156 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,7 +9,6 @@ def main():
 parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
 parser.add_argument('--caps', action="store_true", help='enable pam_cap.so 
module')
-parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_homed.so module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
 parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 174aacf..1adee05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -2,9 +2,6 @@ authrequiredpam_env.so {{ debug|default('', 
true) }}
 {% if pam_ssh %}
 auth   sufficient  pam_ssh.so
 {% endif %}
-{% if homed %}
--auth  sufficient  pam_systemd_home.so
-{% endif %}
 
 {% if krb5 %}
 auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
@@ -23,9 +20,6 @@ auth  [default=die]   pam_faillock.so authfail
 auth   optionalpam_cap.so
 {% endif %}
 
-{% if homed %}
--account   sufficient  pam_systemd_home.so
-{% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 48653d4..536db49 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -4,10 +4,6 @@ sessionrequiredpam_env.so {{ 
debug|default('', true) }}
 sessionoptionalpam_mktemp.so
 {% endif %}
 
-{% if homed %}
--session   optionalpam_systemd_home.so
-{% endif %}
-
 {%if krb5 %}
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: /, templates/

2021-01-31 Thread Sam James
commit: 5a545eb14a1220af1ba8031f3669471e77edbc2f
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sat Jan 30 19:50:12 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Jan 31 21:36:01 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=5a545eb1

systemd-auth: add systemd-homed support

Signed-off-by: Mikle KOlyada  gentoo.org>
Closes: https://github.com/gentoo/pambase/pull/5
Signed-off-by: Sam James  gentoo.org>

 pambase.py   |  1 +
 templates/system-auth.tpl| 18 --
 templates/system-session.tpl |  4 
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index eb3d4fe..b306ca4 100755
--- a/pambase.py
+++ b/pambase.py
@@ -15,6 +15,7 @@ def main():
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
+parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_home.so module')
 parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
 parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
 parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 53557dc..174aacf 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -11,11 +11,16 @@ auth[success=3 default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
-auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+{% if homed %}
+auth   [success=2 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
+auth[success=1 default=ignore]  pam_systemd_home.so
+{% else %}
+auth[success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas
+{% endif %}
 auth   [default=die]   pam_faillock.so authfail
 
 {% if caps %}
--auth  optionalpam_cap.so
+auth   optionalpam_cap.so
 {% endif %}
 
 {% if homed %}
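Review bot: The `{% else %}` branch ends its pam_unix line with `try_first_pas`, one character short of the `try_first_pass` on the removed line and in the homed branch, so without `--homed` pam_unix is handed an option it does not recognise and will not reuse a password collected earlier in the stack; the line should end in `try_first_pass`. The same hunk turns `-auth optional pam_cap.so` into `auth optional pam_cap.so`, losing the leading `-` that keeps PAM quiet when the module is not installed, and nothing in the commit message says that was intended. With krb5 and homed both rendered, the `[success=3 default=ignore]` jump shown in the hunk header now skips faillock preauth, pam_unix and pam_systemd_home and lands on `pam_faillock.so authfail`, which looks like it would record a failure for a successful Kerberos login. The account hunk below has the same problem: the `[success=2 default=ignore]` on pam_krb5 now skips the new homed line and pam_unix and stops on `account required pam_faillock.so`. The krb5 auth line is outside this hunk, so confirm the count there, and consider a template comment above each jump such as `{# success=N must equal the number of lines rendered below, homed included #}`.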
@@ -24,6 +29,11 @@ auth [default=die]   pam_faillock.so authfail
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
+
+{% if homed %}
+account [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
 
@@ -43,6 +53,10 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if homed %}
+password[success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 {% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 {% else %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 3dd1d70..48653d4 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -12,4 +12,8 @@ session   optionalpam_mktemp.so
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
+{% if homed %}
+session [success=1 default=ignore]  pam_systemd_home.so
+{% endif %}
+
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}



[gentoo-commits] proj/pambase:master commit in: templates/, /

2021-01-31 Thread Sam James
commit: 639b45ccb986de7314372a4a841e6f04c536c49a
Author: Sam James  gentoo  org>
AuthorDate: Fri Jan 29 03:46:42 2021 +
Commit: Sam James  gentoo  org>
CommitDate: Fri Jan 29 03:46:42 2021 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=639b45cc

Add systemd-homed support

Bug: https://bugs.gentoo.org/767784
Signed-off-by: Sam James  gentoo.org>

 pambase.py   | 1 +
 templates/system-auth.tpl| 6 ++
 templates/system-session.tpl | 4 
 3 files changed, 11 insertions(+)

diff --git a/pambase.py b/pambase.py
index 278d578..eb3d4fe 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,6 +9,7 @@ def main():
 parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
 parser.add_argument('--caps', action="store_true", help='enable pam_cap.so 
module')
+parser.add_argument('--homed', action="store_true", help='enable 
pam_systemd_homed.so module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
 parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
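Review bot: The help string for the new `--homed` flag names `pam_systemd_homed.so`, while the template lines added in the same commit load `pam_systemd_home.so`. The help text should read `help='enable pam_systemd_home.so module'` so that `--help` matches what is written into the stack. main() starts and ends outside this hunk.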

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 01a29db..53557dc 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -2,6 +2,9 @@ authrequiredpam_env.so {{ debug|default('', 
true) }}
 {% if pam_ssh %}
 auth   sufficient  pam_ssh.so
 {% endif %}
+{% if homed %}
+-auth  sufficient  pam_systemd_home.so
+{% endif %}
 
 {% if krb5 %}
 auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
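Review bot: `-auth sufficient pam_systemd_home.so` is placed ahead of the krb5 block and, judging by the next hunk's header, ahead of the pam_faillock lines, so a success here ends the auth stack before `pam_faillock.so preauth` is consulted and an account locked by faillock could still authenticate through homed. The `-account sufficient pam_systemd_home.so` added in the second hunk has the same shape: a success returns before the account checks that follow the krb5 block. If this is intended because homed applies its own checks, a template comment should say so, for example `{# homed answers for its own users; the faillock lines below do not apply to them #}`. Otherwise the line belongs below the preauth line, with the jump counts adjusted. The faillock lines themselves are outside this hunk.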
@@ -15,6 +18,9 @@ auth  [default=die]   pam_faillock.so authfail
 -auth  optionalpam_cap.so
 {% endif %}
 
+{% if homed %}
+-account   sufficient  pam_systemd_home.so
+{% endif %}
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 2a7024b..3dd1d70 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -4,6 +4,10 @@ sessionrequiredpam_env.so {{ 
debug|default('', true) }}
 sessionoptionalpam_mktemp.so
 {% endif %}
 
+{% if homed %}
+-session   optionalpam_systemd_home.so
+{% endif %}
+
 {%if krb5 %}
 session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-12-20 Thread Mikle Kolyada
commit: ee4f6b1a6b402ebdf3c5763d934f1aaa6b32e633
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sun Dec 20 17:52:38 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sun Dec 20 17:52:38 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ee4f6b1a

system-login: add pam_time.so

Signed-off-by: Mikle KOlyada  gentoo.org>

 templates/system-login.tpl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 0c60bb6..b4b74cf 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -4,6 +4,7 @@ authinclude system-auth
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
+account requiredpam_time.so
 accountinclude system-auth
 
 password   include system-auth



[gentoo-commits] proj/pambase:master commit in: templates/

2020-12-19 Thread Mikle Kolyada
commit: b725e39af14b57b69a256818bc1c98f98122c6a1
Author: Mikle KOlyada  gentoo  org>
AuthorDate: Sat Dec 19 22:30:15 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sat Dec 19 22:30:15 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b725e39a

strip pam_permit.so from system-auth

Signed-off-by: Mikle KOlyada  gentoo.org>

 templates/system-auth.tpl| 4 
 templates/system-session.tpl | 2 --
 2 files changed, 6 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 19e08fa..01a29db 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -10,7 +10,6 @@ auth  [success=3 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 auth   requisite   pam_faillock.so preauth
 auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
-auth   optionalpam_permit.so
 
 {% if caps %}
 -auth  optionalpam_cap.so
@@ -21,7 +20,6 @@ account   [success=2 default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 account requiredpam_faillock.so
-account optionalpam_permit.so
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
@@ -45,8 +43,6 @@ password  requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }
 passwordrequiredpam_unix.so try_first_pass {{ 
nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ 
debug|default('', true) }}
 {% endif %}
 
-password   optionalpam_permit.so
-
 {% if pam_ssh %}
 sessionoptionalpam_ssh.so
 {% endif %}

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index ce3afa5..2a7024b 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -9,5 +9,3 @@ session [success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}
-
-sessionoptionalpam_permit.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-11-02 Thread Sam James
commit: 3f36e2c3de28b3cde25a27d05e49d354e098c368
Author: Sam James  gentoo  org>
AuthorDate: Tue Nov  3 07:19:16 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Nov  3 07:19:16 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3f36e2c3

templates/system-auth.tpl: shift cap to be with other auth

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 4ff78e4..19e08fa 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -12,6 +12,10 @@ auth [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ d
 auth   [default=die]   pam_faillock.so authfail
 auth   optionalpam_permit.so
 
+{% if caps %}
+-auth  optionalpam_cap.so
+{% endif %}
+
 {% if krb5 %}
 account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
@@ -47,8 +51,4 @@ password  optionalpam_permit.so
 sessionoptionalpam_ssh.so
 {% endif %}
 
-{% if caps %}
--auth  optionalpam_cap.so
-{% endif %}
-
 {% include "templates/system-session.tpl" %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-11-02 Thread Sam James
commit: daeb59effa26ace52bf699229a1bc22afe8808fd
Author: Sam James  gentoo  org>
AuthorDate: Mon Nov  2 23:38:12 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov  2 23:39:38 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=daeb59ef

templates/system-auth.tpl: fix pam_cap realm

This fixes the pam_cap realm which can only
be auth. This is a regression from old pre-rewrite
pambase.

It was however exposed by the fixing of an incorrect
module name (pam_libcap -> pam_cap) not long ago.

Bug: https://bugs.gentoo.org/751946
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 6964e05..2f2fe76 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -48,7 +48,7 @@ session   optionalpam_ssh.so
 {% endif %}
 
 {% if libcap %}
--sessionoptionalpam_cap.so
+-auth  optionalpam_cap.so
 {% endif %}
 
 {% include "templates/system-session.tpl" %}



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-11-02 Thread Sam James
commit: 94a9b5f76fc8fa1a3c6c34c5baa3fb25825e1dc2
Author: Sam James  gentoo  org>
AuthorDate: Mon Nov  2 23:40:50 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Nov  2 23:40:50 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=94a9b5f7

pambase.py: rename --libcap -> --caps

Signed-off-by: Sam James  gentoo.org>

 pambase.py| 2 +-
 templates/system-auth.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pambase.py b/pambase.py
index de5dddb..278d578 100755
--- a/pambase.py
+++ b/pambase.py
@@ -8,7 +8,7 @@ import pathlib
 def main():
 parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
-parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
+parser.add_argument('--caps', action="store_true", help='enable pam_cap.so 
module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
 parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 2f2fe76..4ff78e4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -47,7 +47,7 @@ password  optionalpam_permit.so
 sessionoptionalpam_ssh.so
 {% endif %}
 
-{% if libcap %}
+{% if caps %}
 -auth  optionalpam_cap.so
 {% endif %}
 



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-28 Thread Mikle Kolyada
commit: de5f97873c345b69c44df5a9d06fcd69ee6c5ccf
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Oct 28 19:24:04 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Oct 28 19:24:04 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=de5f9787

fix number of jumps when pam_krb5 used

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl  | 2 +-
 templates/system-login.tpl | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 6edba8d..6964e05 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,7 +4,7 @@ authsufficient  pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth   [success=4 default=ignore]  pam_krb5.so {{ krb5_params }}
+auth   [success=3 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
 auth   requisite   pam_faillock.so preauth
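Review bot: The corrected `success=3` is still a bare number whose target cannot be checked from this part of the template; only `pam_faillock.so preauth` is visible below it and the other skipped lines are outside the hunk. Going by the earlier commit on this page, the three skipped lines are faillock preauth, pam_unix and faillock authfail. A Jinja comment above the krb5 line would let the next editor verify that, for example `{# success=3 skips faillock preauth, pam_unix and faillock authfail; update when auth lines are added or removed #}`.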

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 6a0d544..0c60bb6 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -5,7 +5,6 @@ authinclude system-auth
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth
-account requiredpam_faillock.so
 
 password   include system-auth
 session optionalpam_loginuid.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-28 Thread Mikle Kolyada
commit: 74b99b4462138ed6b496725b2499fb5d17ad9371
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Oct 28 16:07:21 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Oct 28 16:13:35 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=74b99b44

Do not use use_authtok if no passwd module was stacked

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl | 5 +
 1 file changed, 5 insertions(+)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 2ffd7ea..6edba8d 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -35,7 +35,12 @@ passwordrequiredpam_pwhistory.so use_authtok 
remember=5 retry=3
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
+{% if passwdqc or pwquality %}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
+{% else %}
+passwordrequiredpam_unix.so try_first_pass {{ 
nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ 
debug|default('', true) }}
+{% endif %}
+
 password   optionalpam_permit.so
 
 {% if pam_ssh %}
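Review bot: The new guard tests only `passwdqc or pwquality`, yet the hunk header shows `pam_pwhistory.so use_authtok` directly above, so with pwhistory enabled and neither quality module stacked pam_pwhistory would still be told to reuse a token that no earlier module has set. Whether that combination can render depends on the guard around the pwhistory line, which is outside this hunk. The two pam_unix lines also differ only in `{{ unix_authtok|default('', true) }}`; keeping one line and wrapping just that argument, `{% if passwdqc or pwquality %}{{ unix_authtok|default('', true) }}{% endif %}`, stops the copies drifting apart.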



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-26 Thread Sam James
commit: 99919c4b2b59af27e7ad1daa6fbe8c614a8463c0
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 26 08:32:29 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 26 22:48:06 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=99919c4b

templates/system-auth.tpl: skip pam_unix with krb5

Before this change, success on pam_krb5 would result in jumping
one line (over pam_permit) back into pam_unix.

Incidentally, we did the later stanza correctly. This was a regression
from old pambase.

Bug: https://bugs.gentoo.org/748405
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 8b61701..668303f 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -4,20 +4,20 @@ auth  sufficient  pam_ssh.so
 {% endif %}
 
 {% if krb5 %}
-auth[success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
+auth   [success=4 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-auth   optionalpam_permit.so
 auth   requisite   pam_faillock.so preauth
 auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
+auth   optionalpam_permit.so
 
 {% if krb5 %}
-account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
+account[success=2 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
-accountoptionalpam_permit.so
 account requiredpam_faillock.so
+account optionalpam_permit.so
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
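Review bot: `[success=4 default=ignore]` on the pam_krb5 auth line counts one line too many: the four auth lines that follow in this hunk are faillock preauth, pam_unix, faillock authfail and pam_permit, so a Kerberos success jumps past `pam_permit.so` as well instead of landing on it. `[success=3 default=ignore]` would stop on pam_permit, matching the account stanza below, where `success=2` skips pam_unix and pam_faillock and lands on pam_permit. Whatever follows pam_permit in the auth stack is outside this hunk, so the effect of the overshoot depends on that.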



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-26 Thread Sam James
commit: 473b931a56c9387cc6a1e1eddef2260fc9f3896f
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 26 08:33:23 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 26 21:14:00 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=473b931a

templates/system-login.tpl: always need faillock

Fixes: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 2 --
 templates/system-login.tpl | 2 --
 2 files changed, 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index faf18ee..8b61701 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -17,9 +17,7 @@ account   [success=1 default=ignore]  
pam_krb5.so {{ krb5_params }}
 {% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 accountoptionalpam_permit.so
-{% if not minimal %}
 account requiredpam_faillock.so
-{% endif %}
 
 {% if passwdqc %}
 password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 889c2d7..6a0d544 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -5,9 +5,7 @@ authinclude system-auth
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth
-{% if not minimal %}
 account requiredpam_faillock.so
-{% endif %}
 
 password   include system-auth
 session optionalpam_loginuid.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-26 Thread Sam James
commit: 47a7d6f7477ac279b271babd970d2b4b6839fdb5
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 26 21:15:18 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 26 22:48:39 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=47a7d6f7

templates/system-auth.tpl: fix libcap module name

Bug: https://bugs.gentoo.org/750524
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 668303f..2ffd7ea 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -43,7 +43,7 @@ session   optionalpam_ssh.so
 {% endif %}
 
 {% if libcap %}
--sessionoptionalpam_libcap.so
+-sessionoptionalpam_cap.so
 {% endif %}
 
 {% include "templates/system-session.tpl" %}
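Review bot: The renamed module is still stacked as `-session`, and a later commit message on this page states that pam_cap can only be used in the auth realm, so with the name corrected PAM will now find the module but not a session hook in it. The line should read `-auth optional pam_cap.so`. As far as I know the leading `-` only suppresses the log entry for a missing module file, so it would not hide this failure.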



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-19 Thread Sam James
commit: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c
Author: Sam James  gentoo  org>
AuthorDate: Tue Oct 20 02:32:28 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Oct 20 02:38:20 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=eb138196

templates/system-auth.tpl: use faillock in minimal case

Bug: https://bugs.gentoo.org/748405
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index bc28468..faf18ee 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -7,13 +7,10 @@ auth  sufficient  pam_ssh.so
 auth[success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
 
-auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
-{% if not minimal %}
-auth   requiredpam_faillock.so preauth
-auth   sufficient  pam_unix.so nullok try_first_pass
+auth   requisite   pam_faillock.so preauth
+auth   [success=1 default=ignore]  pam_unix.so {{ 
nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass
 auth   [default=die]   pam_faillock.so authfail
-{% endif %}
 
 {% if krb5 %}
 account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
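Review bot: With krb5 enabled, the `[success=1 default=ignore]` jump on the pam_krb5 line at the top of the hunk skips only `auth optional pam_permit.so` and lands on the new `pam_faillock.so preauth` and pam_unix lines, so a user who has just passed Kerberos is sent through pam_unix and, on failure there, into `[default=die]`. Moving `auth optional pam_permit.so` below the `pam_faillock.so authfail` line and changing the krb5 jump to `[success=3 default=ignore]` would give the jump a target after the local-password block. The `{% if krb5 %}` opening of that block is outside this hunk.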



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: e0835e729bcf04f501d4610cf3925ec41b37c5f5
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 12 17:30:18 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 17:30:18 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e0835e72

templates/system-auth.tpl: drop superfluous conf param on faillock

pam_faillock defaults to /etc/security/faillock.conf anyway.

Closes: https://bugs.gentoo.org/747967
Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 557da9b..bc28468 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -10,7 +10,7 @@ auth[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
 {% if not minimal %}
-auth   requiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
+auth   requiredpam_faillock.so preauth
 auth   sufficient  pam_unix.so nullok try_first_pass
 auth   [default=die]   pam_faillock.so authfail
 {% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: abca630446236ddf83c7686ca8742b305bf8a050
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 12 15:30:28 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 15:30:28 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=abca6304

templates/system-login.tpl: remove duplicate block already in system-auth

Do it right this time!

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 5 +
 templates/system-login.tpl | 6 --
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 11319d6..557da9b 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -9,6 +9,11 @@ auth[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
+{% if not minimal %}
+auth   requiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
+auth   sufficient  pam_unix.so nullok try_first_pass
+auth   [default=die]   pam_faillock.so authfail
+{% endif %}
 
 {% if krb5 %}
 account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
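Review bot: The relocated block hard-codes `nullok` in `auth sufficient pam_unix.so nullok try_first_pass`, while the `auth required pam_unix.so` line directly above the block takes it from `{{ nullok|default('', true) }}`; the second pam_unix call should use the same expression so both calls agree on whether empty passwords are allowed. In this position `pam_faillock.so preauth` still runs after the required pam_unix line has already checked the password, so the lockout test does not precede the first password check. Placing the three faillock lines above `auth required pam_unix.so` would put preauth first.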

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 25843f5..889c2d7 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -2,12 +2,6 @@ auth   requiredpam_shells.so {{ 
debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
 
-{% if not minimal %}
-authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
-authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail
-{% endif %}
-
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth



[gentoo-commits] proj/pambase:master commit in: /

2020-10-12 Thread Sam James
commit: f28eb0e9d1f9d46d6d4d17164a1ed98461c2a377
Author: Sam James  gentoo  org>
AuthorDate: Mon Oct 12 15:25:20 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 15:27:54 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f28eb0e9

templates/system-login.tpl: remove duplicate block from system-auth (again)

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 5 -
 templates/system-login.tpl | 6 ++
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --cc templates/system-auth.tpl
index f8484f1,1bb53ae..11319d6
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@@ -9,11 -9,11 +9,6 @@@ auth[success=1 default=ignore
  
  auth  requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
  auth  optionalpam_permit.so
--{% if not minimal %}
- authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
 -authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
--authsufficient  pam_unix.so {{ nullok|default('', true) }} 
try_first_pass
- auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
 -auth[default=die]   pam_faillock.so authfail
--{% endif %}
  
  {% if krb5 %}
  account   [success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
diff --cc templates/system-login.tpl
index 889c2d7,bb4f093..25843f5
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@@ -1,7 -1,12 +1,13 @@@
  auth  requiredpam_shells.so {{ debug|default('', true) }}
  auth  requiredpam_nologin.so
  auth  include system-auth
 +
+ {% if not minimal %}
+ authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
+ authsufficient  pam_unix.so nullok try_first_pass
+ auth[default=die]   pam_faillock.so authfail
+ {% endif %}
+ 
  account   requiredpam_access.so {{ debug|default('', 
true) }}
  account   requiredpam_nologin.so
  account   include system-auth



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: 949722adbb7187b68f392164865a964610221604
Author: Sam James  gentoo  org>
AuthorDate: Sun Oct 11 20:48:41 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 14:32:12 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=949722ad

templates/system-session.tpl: include pam_krb5.so module name

Signed-off-by: Sam James  gentoo.org>

 templates/system-session.tpl | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/templates/system-session.tpl b/templates/system-session.tpl
index 1538429..ce3afa5 100644
--- a/templates/system-session.tpl
+++ b/templates/system-session.tpl
@@ -5,12 +5,9 @@ sessionoptionalpam_mktemp.so
 {% endif %}
 
 {%if krb5 %}
-session[success=1 default=ignore] {{ krb5_params }}
+session[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 {% endif %}
 
 sessionrequiredpam_unix.so {{ debug|default('', true) 
}}
-{%if krb5 %}
-session [success=1 default=ignore] {{ krb5_params }}
-{% endif %}
 
 sessionoptionalpam_permit.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: 37a3f41da6fa3136c46c9d76a18ad36f4f680303
Author: Sam James  gentoo  org>
AuthorDate: Sun Oct 11 20:57:19 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 14:32:12 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=37a3f41d

templates/system-login.tpl: move systemd, elogind blocks here

Signed-off-by: Sam James  gentoo.org>

 templates/system-auth.tpl  | 8 
 templates/system-login.tpl | 8 
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 46fc131..f8484f1 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -47,14 +47,6 @@ password optionalpam_permit.so
 sessionoptionalpam_ssh.so
 {% endif %}
 
-{% if systemd %}
--sessionoptionalpam_systemd.so
-{% endif %}
-
-{% if elogind %}
--sessionoptionalpam_elogind.so
-{% endif %}
-
 {% if libcap %}
 -sessionoptionalpam_libcap.so
 {% endif %}

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 99801a1..889c2d7 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -32,3 +32,11 @@ session  optionalpam_motd.so 
motd=/etc/motd
 {% if not minimal %}
 sessionoptionalpam_mail.so
 {% endif %}
+
+{% if systemd %}
+-sessionoptionalpam_systemd.so
+{% endif %}
+
+{% if elogind %}
+-sessionoptionalpam_elogind.so
+{% endif %}



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-12 Thread Sam James
commit: da499cca70c5e77c851c5f75440df188fe2eeabe
Author: Sam James  gentoo  org>
AuthorDate: Sun Oct 11 20:55:39 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Oct 12 14:32:12 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=da499cca

templates/system-login.tpl: remove duplicate block from system-auth

Bug: https://bugs.gentoo.org/747868
Signed-off-by: Sam James  gentoo.org>

 templates/system-login.tpl | 5 -
 1 file changed, 5 deletions(-)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index d51481b..99801a1 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -1,11 +1,6 @@
 auth   requiredpam_shells.so {{ debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
-{% if not minimal %}
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
-authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-{% endif %}
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so



[gentoo-commits] proj/pambase:master commit in: templates/

2020-10-10 Thread Mikle Kolyada
commit: b54edff3a6724bba19fd803042909cc448d169fd
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sat Oct 10 15:35:39 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sat Oct 10 15:37:14 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b54edff3

switch pam_faillock.so to its config file

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl  | 4 ++--
 templates/system-login.tpl | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 46fc131..1bb53ae 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -10,9 +10,9 @@ auth[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
 {% if not minimal %}
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
 authsufficient  pam_unix.so {{ nullok|default('', true) }} 
try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+auth[default=die]   pam_faillock.so authfail
 {% endif %}
 
 {% if krb5 %}
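Review bot: Moving the options into `/etc/security/faillock.conf` drops `silent` and `audit` from the `preauth` line and `audit deny=3 unlock_time=600` from the `authfail` line, and nothing in this commit ships or checks that file. `deny` and `unlock_time` have module defaults, but `silent` and `audit` are off unless the file sets them, so `preauth` may start printing lock-state messages to the user and attempts against unknown accounts are no longer logged. Only the `preauth` line passes `conf=`, while `authfail` relies on the default path; pass `conf=/etc/security/faillock.conf` on both lines or on neither, so they cannot drift apart. The system-login.tpl hunk of this commit has the same lines.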

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index d51481b..bb4f093 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -2,9 +2,9 @@ authrequiredpam_shells.so {{ 
debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
 {% if not minimal %}
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authrequiredpam_faillock.so preauth 
conf=/etc/security/faillock.conf
 authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+auth[default=die]   pam_faillock.so authfail
 {% endif %}
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-09-13 Thread Mikle Kolyada
commit: 46e6f29b1f9b7edd9541382fddd9b0837900e649
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sun Sep 13 09:59:15 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sun Sep 13 10:00:50 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=46e6f29b

system-auth: introduce pam_pwhistory

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py| 1 +
 templates/system-auth.tpl | 4 
 2 files changed, 5 insertions(+)

diff --git a/pambase.py b/pambase.py
index 83ee97c..de5dddb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -10,6 +10,7 @@ def main():
 parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
 parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
 parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
+parser.add_argument('--pwhistory', action="store_true", help='enable 
pam_pwhistory.so module')
 parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
 parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
 parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 0381e66..46fc131 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -32,6 +32,10 @@ password requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
 passwordrequiredpam_pwquality.so
 {% endif %}
 
+{% if pwhistory %}
+passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3
+{% endif %}
+
 {% if krb5 %}
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
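Review bot: `pam_pwhistory.so use_authtok` does not prompt for a password; it expects an earlier password module to have stored the new token, and the only candidates above it are the optional `passwdqc` and `pwquality` blocks. If pambase is run with `--pwhistory` alone, this `required` line presumably fails and password changes stop working, so either render the line without `use_authtok` when neither quality module is enabled or make `--pwhistory` depend on one of them. `enforce_for_root` is not set, so the history check is skipped when root changes a password; a template comment such as `{# history is not enforced for root #}` should say whether that is intended.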



[gentoo-commits] proj/pambase:master commit in: templates/

2020-09-09 Thread Mikle Kolyada
commit: 1b7c7f7678a6402a0b0aec80b3883fd98516be4e
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Sep  9 16:32:10 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Sep  9 16:32:10 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1b7c7f76

system-auth: switch password modules to configs

* pam_passwdqc.so can be managed by /etc/security/passwdqc.conf
* pam_pwquality.so can be managed by /etc/security/pwquality.conf

Both allow users to create their own password policies without touching
files in the /etc/pam.d directory

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 69cc472..0381e66 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -25,11 +25,11 @@ account requiredpam_faillock.so
 {% endif %}
 
 {% if passwdqc %}
-password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
+password   requiredpam_passwdqc.so 
config=/etc/security/passwdqc.conf
 {% endif %}
 
 {% if pwquality %}
-passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 
ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root
+passwordrequiredpam_pwquality.so
 {% endif %}
 
 {% if krb5 %}
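Review bot: Neither `/etc/security/passwdqc.conf` nor `/etc/security/pwquality.conf` is added or checked for by this commit, yet both password blocks now take their whole policy from those files. For pam_pwquality the removed `enforce_for_root`, `retry=3` and `difok=3` fall back to the module defaults when the file does not set them, which presumably weakens the policy. What `pam_passwdqc.so config=` does with a missing file should be verified, since a `required` module that errors out blocks every password change. A comment above each block, e.g. `{# policy is read from /etc/security/pwquality.conf; module defaults apply to anything it leaves unset #}`, would tell the admin where the policy now lives.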



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-08-17 Thread Mikle Kolyada
commit: ed4f15348fa950b02016154790bb6d180cccf5f9
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Mon Aug 17 07:30:39 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Mon Aug 17 07:30:39 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ed4f1534

make pam_gnome_keyring optional

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py   | 143 ++-
 templates/passwd.tpl |   5 +-
 2 files changed, 76 insertions(+), 72 deletions(-)

diff --git a/pambase.py b/pambase.py
index 07e458d..83ee97c 100755
--- a/pambase.py
+++ b/pambase.py
@@ -6,96 +6,97 @@ import pathlib
 
 
 def main():
-   parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
-   parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
-   parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
-   parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
-   parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
-   parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
-   parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
-   parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
-   parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
-   parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
-   parser.add_argument('--sha512', action="store_true", help='enable 
sha512 option for pam_unix.so module')
-   parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
-   parser.add_argument('--minimal', action="store_true", help='install 
minimalistic PAM stack')
-   parser.add_argument('--debug', action="store_true", help='enable debug 
for selected modules')
-   parser.add_argument('--nullok', action="store_true", help='enable 
nullok option for pam_unix.so module')
-
-   parsed_args = parser.parse_args()
-   processed = process_args(parsed_args)
-
-   parse_templates(processed)
+parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
+parser.add_argument('--gnome-keyring', action="store_true", help='enable 
pam_gnome_keyring.so module')
+parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
+parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
+parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
+parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
+parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
+parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')
+parser.add_argument('--mktemp', action="store_true", help='enable 
pam_mktemp.so module')
+parser.add_argument('--pam-ssh', action="store_true", help='enable 
pam_ssh.so module')
+parser.add_argument('--securetty', action="store_true", help='enable 
pam_securetty.so module')
+parser.add_argument('--sha512', action="store_true", help='enable sha512 
option for pam_unix.so module')
+parser.add_argument('--krb5', action="store_true", help='enable 
pam_krb5.so module')
+parser.add_argument('--minimal', action="store_true", help='install 
minimalistic PAM stack')
+parser.add_argument('--debug', action="store_true", help='enable debug for 
selected modules')
+parser.add_argument('--nullok', action="store_true", help='enable nullok 
option for pam_unix.so module')
+
+parsed_args = parser.parse_args()
+processed = process_args(parsed_args)
+
+parse_templates(processed)
 
 
 def process_args(args):
-   # make sure that output directory exists
-   pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
+# make sure that output directory exists
+pathlib.Path("stack").mkdir(parents=True, exist_ok=True)
 
-   blank_variables = [
-   "krb5_authtok",
-   "unix_authtok",
-   "unix_extended_encryption",
-   "likeauth",
-   "nullok"
-   ]
+blank_variables = [
+"krb5_authtok",
+"unix_authtok",
+"unix_extended_encryption",
+"likeauth",
+"nullok"
+]
 
-   # create a blank dictionary
-   # then add in our parsed args
-   output = dict.fromkeys(blank_variables, "")
-   output.update(vars(args))
+# create a blank dictionary
+# then add in our parsed args
+output = dict.fromkeys(blank_variables, "")
+output.update(vars(args))
 
-   # unconditional variables
- 

[gentoo-commits] proj/pambase:master commit in: templates/, /

2020-08-15 Thread Mikle Kolyada
commit: 1e2706575348150992737c5415df36f6517b20fe
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sat Aug 15 08:44:57 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sat Aug 15 08:50:19 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1e270657

Add pam_pwquality.so support

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase.py| 1 +
 templates/system-auth.tpl | 4 
 2 files changed, 5 insertions(+)

diff --git a/pambase.py b/pambase.py
index d021b81..07e458d 100755
--- a/pambase.py
+++ b/pambase.py
@@ -9,6 +9,7 @@ def main():
parser = argparse.ArgumentParser(description='basic Gentoo PAM 
configuration files')
parser.add_argument('--libcap', action="store_true", help='enable 
pam_caps.so module')
parser.add_argument('--passwdqc', action="store_true", help='enable 
pam_passwdqc.so module')
+   parser.add_argument('--pwquality', action="store_true", help='enable 
pam_pwquality.so module')
parser.add_argument('--elogind', action="store_true", help='enable 
pam_elogind.so module')
parser.add_argument('--systemd', action="store_true", help='enable 
pam_systemd.so module')
parser.add_argument('--selinux', action="store_true", help='enable 
pam_selinux.so module')

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 298e45c..69cc472 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -28,6 +28,10 @@ account requiredpam_faillock.so
 password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
 {% endif %}
 
+{% if pwquality %}
+passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 
ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root
+{% endif %}
+
 {% if krb5 %}
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
 {% endif %}
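Review bot: The positive credit values on the new `pam_pwquality.so` line work against the `minlen=8` next to them: `lcredit=2 ucredit=2 dcredit=2 ocredit=2` grants up to two length credits per character class, so a password that mixes classes is accepted with fewer than eight characters. If the intent was to require two characters of each class, the values have to be negative, `lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2`. As far as the argparse setup in the pambase.py hunk shows, nothing stops `--passwdqc` and `--pwquality` from being passed together, in which case both `required` blocks are rendered.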



[gentoo-commits] proj/pambase:master commit in: templates/, /

2020-08-06 Thread Sam James
commit: ca96d2bc6bbcf860d12b9d610509c155029fe3cc
Author: Sam James  gentoo  org>
AuthorDate: Thu Aug  6 22:46:40 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Thu Aug  6 22:46:40 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ca96d2bc

pambase.py: rename system-service -> system-services

Some of e.g. OpenRC's installed pam files assume 'system-services':
./supervise-daemon:2:session include system-services
./start-stop-daemon:2:session include system-services

Signed-off-by: Sam James  gentoo.org>

 pambase.py| 2 +-
 templates/{system-service.tpl => system-services.tpl} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/pambase.py b/pambase.py
index 8f04870..d021b81 100755
--- a/pambase.py
+++ b/pambase.py
@@ -78,7 +78,7 @@ def parse_templates(processed_args):
"su",
"system-auth",
"system-login",
-   "system-service"
+   "system-services"
]
 
for template_name in templates:

diff --git a/templates/system-service.tpl b/templates/system-services.tpl
similarity index 100%
rename from templates/system-service.tpl
rename to templates/system-services.tpl



[gentoo-commits] proj/pambase:master commit in: /

2020-08-05 Thread Sam James
commit: e879759fba8edeffa2492a0dfcbe9c48570a684b
Author: Sam James  gentoo  org>
AuthorDate: Wed Aug  5 06:12:09 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Aug  5 06:13:04 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e879759f

pambase.py: strip trailing whitespace in stack

Signed-off-by: Sam James  gentoo.org>

 pambase.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pambase.py b/pambase.py
index 9765778..8f04870 100755
--- a/pambase.py
+++ b/pambase.py
@@ -89,7 +89,7 @@ def parse_templates(processed_args):
 
# Strip all intermediate lines to not worry about 
appeasing Jinja
lines = rendered_template.split("\n")
-   lines = [line for line in lines if line]
+   lines = [line.strip() for line in lines if line]
rendered_template = "\n".join(lines)
 
if rendered_template:
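Review bot: The filter `if line` still tests the unstripped string, so a line holding only spaces or tabs passes the test and is written out as an empty line, which is what this loop is meant to remove. `strip()` also removes leading whitespace, while the commit title speaks of trailing whitespace only. Filtering on the stripped value covers both: `lines = [line.rstrip() for line in lines if line.strip()]`. The same `if line` test was introduced in the second pambase.py hunk of 732fb3bb; parse_templates starts and ends outside this hunk.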



[gentoo-commits] proj/pambase:master commit in: templates/

2020-08-05 Thread Sam James
commit: 4e5e41c2e5607a298f30f679aa7ba8c4994033e3
Author: Sam James  gentoo  org>
AuthorDate: Wed Aug  5 06:10:02 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Aug  5 06:10:16 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=4e5e41c2

templates/*: remove unnecessary strips

Now obsolete as of 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c.

Signed-off-by: Sam James  gentoo.org>

 templates/login.tpl  |  4 ++--
 templates/system-auth.tpl| 44 ++--
 templates/system-login.tpl   | 28 ++--
 templates/system-session.tpl | 12 ++--
 4 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/templates/login.tpl b/templates/login.tpl
index 7476cb7..23e262a 100644
--- a/templates/login.tpl
+++ b/templates/login.tpl
@@ -1,6 +1,6 @@
-{% if securetty -%}
+{% if securetty %}
 auth   requiredpam_securetty.so
-{% endif -%}
+{% endif %}
 
 auth   include system-local-login
 accountinclude system-local-login

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index e8a6d91..298e45c 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -1,54 +1,54 @@
 auth   requiredpam_env.so {{ debug|default('', true) }}
-{% if pam_ssh -%}
+{% if pam_ssh %}
 auth   sufficient  pam_ssh.so
-{% endif -%}
+{% endif %}
 
-{% if krb5 -%}
+{% if krb5 %}
 auth[success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
-{% endif -%}
+{% endif %}
 
 auth   requiredpam_unix.so try_first_pass {{ likeauth }} {{ 
nullok|default('', true) }} {{ debug|default('', true) }}
 auth   optionalpam_permit.so
-{% if not minimal -%}
+{% if not minimal %}
 authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
 authsufficient  pam_unix.so {{ nullok|default('', true) }} 
try_first_pass
 auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-{% endif -%}
+{% endif %}
 
-{% if krb5 -%}
+{% if krb5 %}
 account[success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
-{% endif -%}
+{% endif %}
 accountrequiredpam_unix.so {{ debug|default('', true) 
}}
 accountoptionalpam_permit.so
-{% if not minimal -%}
+{% if not minimal %}
 account requiredpam_faillock.so
-{% endif -%}
+{% endif %}
 
-{% if passwdqc -%}
+{% if passwdqc %}
 password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
-{% endif -%}
+{% endif %}
 
-{% if krb5 -%}
+{% if krb5 %}
 password   [success=1 default=ignore]  pam_krb5.so {{ krb5_params }}
-{% endif -%}
+{% endif %}
 
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 password   optionalpam_permit.so
 
-{%- if pam_ssh %}
+{% if pam_ssh %}
 sessionoptionalpam_ssh.so
-{% endif -%}
+{% endif %}
 
-{% if systemd -%}
+{% if systemd %}
 -sessionoptionalpam_systemd.so
-{% endif -%}
+{% endif %}
 
-{% if elogind -%}
+{% if elogind %}
 -sessionoptionalpam_elogind.so
-{% endif -%}
+{% endif %}
 
-{% if libcap -%}
+{% if libcap %}
 -sessionoptionalpam_libcap.so
-{% endif -%}
+{% endif %}
 
 {% include "templates/system-session.tpl" %}
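Review bot: The libcap block kept by this hunk loads `pam_libcap.so`, but the module that libcap installs is named `pam_cap.so`, and the `--libcap` help text in pambase.py calls it `pam_caps.so`. Because the line starts with `-`, PAM skips a module it cannot load without logging it, so with `--libcap` the capability setup is presumably never applied and nobody is told. Use one name in both places, `-session optional pam_cap.so`, and check that the module implements the session type, since it is normally configured as an `auth` module. The unchanged context of the system-auth.tpl hunk in 37a3f41d shows the same line.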

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index d8df530..d51481b 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -1,39 +1,39 @@
 auth   requiredpam_shells.so {{ debug|default('', true) }}
 auth   requiredpam_nologin.so
 auth   include system-auth
-{% if not minimal -%}
+{% if not minimal %}
 authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
 authsufficient  pam_unix.so nullok try_first_pass
 auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-{% endif -%}
+{% endif %}
 
 accountrequiredpam_access.so {{ debug|default('', 
true) }}
 accountrequiredpam_nologin.so
 accountinclude system-auth
-{% if not minimal -%}
+{% if not minimal %}
 account requiredpam_faillock.so
-{% endif -%}
+{% endif %}
 
 password   include system-auth
 session optionalpam_loginuid.so
-{% if selinux -%}
+{% if selinux %}
 sessionrequiredpam_selinux.so close
-{% endif -%}
+{% endif %}
 
 sessionrequiredpam_env.so envfile=/etc/profile.env {{ 
debug|default('', true) }}
-{% if not minimal -%}
+{% if not minimal %}
 sessionoptionalpam_lastlog.so silent {{ 

[gentoo-commits] proj/pambase:master commit in: /

2020-08-05 Thread Sam James
commit: 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c
Author: Sam James  gentoo  org>
AuthorDate: Wed Aug  5 06:02:52 2020 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Aug  5 06:03:49 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=732fb3bb

pambase.py: strip all blank lines

It's simpler to do this in pambase.py than with
Jinja 2, at least for now.

Signed-off-by: Sam James  gentoo.org>

 pambase.py | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pambase.py b/pambase.py
index 1ebafbe..9765778 100755
--- a/pambase.py
+++ b/pambase.py
@@ -67,7 +67,7 @@ def process_args(args):
 
 def parse_templates(processed_args):
load = FileSystemLoader('')
-   env = Environment(loader=load)
+   env = Environment(loader=load, trim_blocks=True, lstrip_blocks=True, 
keep_trailing_newline=True)
 
templates = [
"login",
@@ -87,6 +87,11 @@ def parse_templates(processed_args):
with open('stack/{0}'.format(template_name), "w+") as output:
rendered_template = template.render(processed_args)
 
+   # Strip all intermediate lines to not worry about 
appeasing Jinja
+   lines = rendered_template.split("\n")
+   lines = [line for line in lines if line]
+   rendered_template = "\n".join(lines)
+
if rendered_template:
output.write(rendered_template + "\n")
 



[gentoo-commits] proj/pambase:master commit in: templates/

2020-08-04 Thread Mikle Kolyada
commit: acd1f9046c8d79ba5e232043131f6c9842d357e7
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Aug  4 13:35:41 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Aug  4 13:35:41 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=acd1f904

fix pam_ssh formatting

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-auth.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 13f5c0d..e8a6d91 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -35,7 +35,7 @@ password  [success=1 default=ignore]  pam_krb5.so {{ 
krb5_params }}
 password   requiredpam_unix.so try_first_pass {{ 
unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ 
unix_extended_encryption|default('', true) }} {{ debug|default('', true) }}
 password   optionalpam_permit.so
 
-{%- if pam_ssh -%}
+{%- if pam_ssh %}
 sessionoptionalpam_ssh.so
 {% endif -%}
 



[gentoo-commits] proj/pambase:master commit in: templates/

2020-08-04 Thread Mikle Kolyada
commit: 7f7b677eca0487d304e114714890feadae06b9a2
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Aug  4 12:41:04 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Aug  4 12:41:04 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7f7b677e

fix a typo in logic

Signed-off-by: Mikle Kolyada  gentoo.org>

 templates/system-login.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/system-login.tpl b/templates/system-login.tpl
index 2f404bc..d8df530 100644
--- a/templates/system-login.tpl
+++ b/templates/system-login.tpl
@@ -21,7 +21,7 @@ session   requiredpam_selinux.so close
 {% endif -%}
 
 sessionrequiredpam_env.so envfile=/etc/profile.env {{ 
debug|default('', true) }}
-{% if not miniaml -%}
+{% if not minimal -%}
 sessionoptionalpam_lastlog.so silent {{ 
debug|default('', true) }}
 {% endif -%}
 sessioninclude system-auth
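Review bot: The misspelt `miniaml` went unreported because Jinja's default undefined type evaluates to false, so `not miniaml` was always true and the `pam_lastlog.so` line was rendered even with `--minimal`. The spelling fix leaves that failure mode in place for every other variable in the templates. Creating the environment in pambase.py with `undefined=StrictUndefined` would turn such a typo into a render error instead of a silently different PAM stack. The `|default('', true)` filters used in the templates should keep working with it.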



[gentoo-commits] proj/pambase:master commit in: /, templates/

2020-08-04 Thread Mikle Kolyada
commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Aug  4 11:20:43 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Aug  4 11:20:43 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4

New pambase era

pambase was simplified and rewritten in python

Signed-off-by: Mikle Kolyada  gentoo.org>

 .gitignore | 12 +--
 LICENSE| 23 ++
 Makefile   | 96 --
 README |  8 --
 basic-conf | 52 
 linux-pam-conf | 26 --
 login.in   | 10 ---
 other.in   |  4 -
 pambase.py | 95 +
 su.in  | 11 ---
 system-auth.in | 57 -
 system-login.in| 58 -
 system-session.inc | 25 --
 templates/login.tpl|  9 ++
 templates/other.tpl|  4 +
 passwd.in => templates/passwd.tpl  |  4 +-
 templates/su.tpl   |  8 ++
 templates/system-auth.tpl  | 54 
 .../system-local-login.tpl |  0
 templates/system-login.tpl | 39 +
 .../system-remote-login.tpl|  0
 system-services.in => templates/system-service.tpl |  6 +-
 templates/system-session.tpl   | 16 
 23 files changed, 252 insertions(+), 365 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2c63905..844c82f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-login
-passwd
-su
-system-auth
-system-login
-system-local-login
-system-remote-login
-system-services
-other
-pambase-*.tar.bz2
+stack/
+.idea/

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000..6e891ee
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2020 Mikhail Koliada
+Copyright (c) 2020 Sam James
+Copyright (c) 2020 Gentoo Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

diff --git a/Makefile b/Makefile
deleted file mode 100644
index 941edfb..000
--- a/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
-# properly.
-CPP=cpp
-
-# The pam.d file to create
-PAMD=login passwd su system-auth system-login system-local-login 
system-remote-login system-services other
-
-# command for git (the DVCS); set this to "true" to ignore GIT support
-# (i.e.: in the ebuild)
-GIT=git
-
-PAMFLAGS = -include linux-pam-conf -include basic-conf 
-DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
-
-ifeq "$(PASSWDQC)" "yes"
-PAMFLAGS += -DHAVE_PASSWDQC=1
-endif
-
-ifeq "$(CONSOLEKIT)" "yes"
-PAMFLAGS += -DHAVE_CONSOLEKIT=1
-endif
-
-ifeq "$(SYSTEMD)" "yes"
-PAMFLAGS += -DHAVE_SYSTEMD=1
-endif
-
-ifeq "$(ELOGIND)" "yes"
-PAMFLAGS += -DHAVE_ELOGIND=1
-endif
-
-ifeq "$(GNOME_KEYRING)" "yes"
-PAMFLAGS += -DHAVE_GNOME_KEYRING=1
-endif
-
-ifeq "$(SECURETTY)" "yes"
-PAMFLAGS += -DHAVE_SECURETTY=1
-endif
-
-ifeq "$(SELINUX)" "yes"
-PAMFLAGS += -DHAVE_SELINUX=1
-endif
-
-ifeq "$(MKTEMP)" "yes"
-PAMFLAGS += -DHAVE_MKTEMP=1
-endif
-
-ifeq "$(PAM_SSH)" "yes"
-PAMFLAGS += -DHAVE_PAM_SSH=1
-endif
-
-ifeq "$(KRB5)" "yes"
-PAMFLAGS += -DHAVE_KRB5=1
-endif
-
-ifeq "$(NULLOK)" "yes"
-PAMFLAGS += -DWANT_NULLOK=1
-endif
-
-ifeq "$(SHA512)" "yes"
-PAMFLAGS += -DWANT_SHA512=1
-endif
-
-ifeq "$(DEBUG)" "yes"
-PAMFLAGS += -DDEBUG=debug
-endif
-
-ifeq "$(MINIMAL)" "yes"
-PAMFLAGS += -DMINIMAL
-endif
-
-ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += 

[gentoo-commits] proj/pambase:master commit in: /

2020-06-18 Thread Mikle Kolyada
commit: 75cd44e94032b13bba41539737d6ac63623217e1
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Thu Jun 18 10:02:10 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Thu Jun 18 10:08:38 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=75cd44e9

move faillock last in auth

Signed-off-by: Mikle Kolyada  gentoo.org>

 system-auth.in  | 12 ++--
 system-login.in | 11 ++-
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/system-auth.in b/system-auth.in
index 6eea7bc..9ae09e4 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -2,12 +2,6 @@
 auth   requiredpam_env.so DEBUG
 #endif
 
-#if HAVE_FAILLOCK
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
-authsufficient  pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-#endif
-
 #if HAVE_PAM_SSH
 auth   sufficient  pam_ssh.so
 #endif
@@ -18,6 +12,12 @@ auth requiredpam_unix.so try_first_pass 
LIKEAUTH NULLOK DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 auth   optionalpam_permit.so
 
+#if HAVE_FAILLOCK
+authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authsufficient  pam_unix.so nullok try_first_pass
+auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+#endif
+
 #if HAVE_KRB5
 accountKRB5_CONTROLpam_krb5.so KRB5_PARAMS
 #endif
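Review bot: With the block moved here, `pam_faillock.so preauth` runs after `auth required pam_unix.so try_first_pass`, so the password is verified before the lock state is consulted and then a second time by the `sufficient` pam_unix line. pam_faillock's documented layout puts `preauth` in front of the module that checks the password and `authfail` directly behind it, and the commit message gives no reason for departing from that. Unless the new order is deliberate, keep the block above the first pam_unix line and add `/* keep preauth before, and authfail right after, the pam_unix line they guard */`. The system-login.in hunks of this commit make the same move, placing the block after `auth include system-auth`.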

diff --git a/system-login.in b/system-login.in
index 9e82d60..ee03613 100644
--- a/system-login.in
+++ b/system-login.in
@@ -1,8 +1,3 @@
-#if HAVE_FAILLOCK
-authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
-authsufficient pam_unix.so nullok try_first_pass
-auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
-#endif
 
 #if HAVE_SHELLS
 auth   requiredpam_shells.so DEBUG
@@ -12,6 +7,12 @@ auth  requiredpam_nologin.so DEBUG_NOLOGIN
 #endif
 auth   include system-auth
 
+#if HAVE_FAILLOCK
+authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authsufficient  pam_unix.so nullok try_first_pass
+auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+#endif
+
 #if HAVE_ACCESS
 accountrequiredpam_access.so DEBUG
 #endif



[gentoo-commits] proj/pambase:master commit in: /

2020-06-17 Thread Mikle Kolyada
commit: 01ba73d907c3644f9c47179c5407bb7674644e3b
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Jun 17 18:28:53 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Jun 17 18:28:53 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=01ba73d9

fix a typo

Signed-off-by: Mikle Kolyada  gentoo.org>

 system-auth.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system-auth.in b/system-auth.in
index 6067ea1..6eea7bc 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -2,7 +2,7 @@
 auth   requiredpam_env.so DEBUG
 #endif
 
-#if HAVE_FAILOCK
+#if HAVE_FAILLOCK
 authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
 authsufficient  pam_unix.so nullok try_first_pass
 auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600



[gentoo-commits] proj/pambase:master commit in: /

2020-06-16 Thread Mikle Kolyada
commit: 3a158ca2ba9220bc82ac2d76f3dd6aff50511ab1
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Jun 16 16:25:38 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Jun 16 16:25:38 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3a158ca2

iprove faillock support

Signed-off-by: Mikle Kolyada  gentoo.org>

 system-auth.in  | 11 +++
 system-login.in |  8 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/system-auth.in b/system-auth.in
index dbb6971..6067ea1 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -1,6 +1,13 @@
 #if HAVE_ENV
 auth   requiredpam_env.so DEBUG
 #endif
+
+#if HAVE_FAILOCK
+authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authsufficient  pam_unix.so nullok try_first_pass
+auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
+#endif
+
 #if HAVE_PAM_SSH
 auth   sufficient  pam_ssh.so
 #endif
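Review bot: The guard is spelled `HAVE_FAILOCK`, while linux-pam-conf defines `HAVE_FAILLOCK` and the account hunk below tests `HAVE_FAILLOCK`. As a result cpp drops these three auth lines and emits only `account required pam_faillock.so`; the guard should read `#if HAVE_FAILLOCK`. Once the block is active, `auth [default=die] pam_faillock.so authfail` ends the stack on a pam_unix failure before the `pam_ssh.so` line that follows (and, it seems, the `pam_krb5.so` line), so the block probably belongs after them; this is worth checking on a krb5 build. `nullok` is written literally here; the `NULLOK` macro from basic-conf would keep the build option in effect.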
@@ -18,6 +25,10 @@ account  requiredpam_unix.so DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 accountoptionalpam_permit.so
 
+#if HAVE_FAILLOCK
+account requiredpam_faillock.so
+#endif
+
 #if HAVE_PASSWDQC
 password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
 #endif

diff --git a/system-login.in b/system-login.in
index d93d926..9e82d60 100644
--- a/system-login.in
+++ b/system-login.in
@@ -1,6 +1,9 @@
 #if HAVE_FAILLOCK
-auth   requiredpam_faillock.so dir=/var/log deny=3
+authrequiredpam_faillock.so preauth silent audit deny=3 
unlock_time=600
+authsufficient pam_unix.so nullok try_first_pass
+auth[default=die]   pam_faillock.so authfail audit deny=3 
unlock_time=600
 #endif
+
 #if HAVE_SHELLS
 auth   requiredpam_shells.so DEBUG
 #endif
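Review bot: `auth sufficient pam_unix.so` is placed above `auth required pam_shells.so` and the nologin check that follows it in this file. A `sufficient` module that succeeds returns at once, so a correct password skips those checks and the `auth include system-auth` line. Moving the three faillock lines below the `required` checks keeps them in force. system-auth.in gains the same three lines in this commit, so a login would go through the tally twice; one copy should be enough.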
@@ -19,8 +22,9 @@ account   requiredpam_login_access.so
 accountrequiredpam_nologin.so DEBUG_NOLOGIN
 #endif
 accountinclude system-auth
+
 #if HAVE_FAILLOCK
-accountrequiredpam_faillock.so dir=/var/log deny=3
+account requiredpam_faillock.so
 #endif
 
 password   include system-auth



[gentoo-commits] proj/pambase:master commit in: /

2020-06-10 Thread Mikle Kolyada
commit: 7348fa57c7ada42820773f8c8b6f06f7181169ee
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Jun 10 11:32:46 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Jun 10 11:32:46 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7348fa57

New release

- disable cracklib in favor of passwdqc
- disable tally{,2} in favor of faillock

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile| 4 
 basic-conf  | 4 ++--
 linux-pam-conf  | 7 +--
 system-auth.in  | 3 ---
 system-login.in | 8 
 5 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/Makefile b/Makefile
index 9afc842..f7e7653 100644
--- a/Makefile
+++ b/Makefile
@@ -11,10 +11,6 @@ GIT=git
 
 PAMFLAGS = -include linux-pam-conf -include basic-conf 
-DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
 
-ifeq "$(CRACKLIB)" "yes"
-PAMFLAGS += -DHAVE_CRACKLIB=1
-endif
-
 ifeq "$(PASSWDQC)" "yes"
 PAMFLAGS += -DHAVE_PASSWDQC=1
 endif

diff --git a/basic-conf b/basic-conf
index 5ab72c0..7b1bf00 100644
--- a/basic-conf
+++ b/basic-conf
@@ -1,8 +1,8 @@
-// Only use_authtok (authentication token) when using cracklib or some other 
module
+// Only use_authtok (authentication token) when using passwdqc or some other 
module
 // that checks for passwords, or pam_krb5
 #define AUTHTOK use_authtok
 
-#if HAVE_CRACKLIB || HAVE_PASSWDQC
+#if HAVE_PASSWDQC
 # define PASSWORD_STRENGTH 1
 #endif
 

diff --git a/linux-pam-conf b/linux-pam-conf
index ecd5697..962b2eb 100644
--- a/linux-pam-conf
+++ b/linux-pam-conf
@@ -12,12 +12,7 @@
 # define HAVE_MOTD 1
 # define HAVE_MAIL 1
 # define HAVE_LASTLOG   1
-
-# if LINUX_PAM_VERSION > 0x010100 /* 1.1.0 */
-#  define TALLY_MODULE pam_tally2.so
-# else
-#  define TALLY_MODULE pam_tally.so
-# endif
+# define HAVE_FAILLOCK 1
 
 #endif
 

diff --git a/system-auth.in b/system-auth.in
index e65e4c2..dbb6971 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -18,9 +18,6 @@ account   requiredpam_unix.so DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 accountoptionalpam_permit.so
 
-#if HAVE_CRACKLIB
-password   requiredpam_cracklib.so difok=2 minlen=8 dcredit=2 
ocredit=2 retry=3 DEBUG
-#endif
 #if HAVE_PASSWDQC
 password   requiredpam_passwdqc.so min=8,8,8,8,8 retry=3
 #endif

diff --git a/system-login.in b/system-login.in
index f159f10..d93d926 100644
--- a/system-login.in
+++ b/system-login.in
@@ -1,5 +1,5 @@
-#if defined(TALLY_MODULE)
-auth   requiredTALLY_MODULE onerr=succeed
+#if HAVE_FAILLOCK
+auth   requiredpam_faillock.so dir=/var/log deny=3
 #endif
 #if HAVE_SHELLS
 auth   requiredpam_shells.so DEBUG
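Review bot: `pam_faillock.so dir=/var/log deny=3` is added to the auth stack without a mode argument, and nothing visible calls the module with `authfail`, so failed attempts are apparently never recorded and `deny=3` cannot trigger. The module's documented setup brackets the authenticating module with a `preauth` line before it and an `authfail` line after it. `dir=/var/log` also puts the per-user tally files among the system logs rather than in a directory of their own. The removed `onerr=succeed` has no counterpart on the new line, so check how the stack behaves when the tally directory is unusable; the account hunk below has the same gap.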
@@ -19,8 +19,8 @@ account   requiredpam_login_access.so
 accountrequiredpam_nologin.so DEBUG_NOLOGIN
 #endif
 accountinclude system-auth
-#if defined(TALLY_MODULE)
-accountrequiredTALLY_MODULE onerr=succeed DEBUG
+#if HAVE_FAILLOCK
+accountrequiredpam_faillock.so dir=/var/log deny=3
 #endif
 
 password   include system-auth



[gentoo-commits] proj/pambase:master commit in: /

2020-06-10 Thread Mikle Kolyada
commit: 59107e0a4fd0c266417d2c8f3082b4abb7b9c6ff
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Jun 10 11:48:30 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Jun 10 11:48:30 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=59107e0a

Revert "allow clang-cpp"

This reverts commit 4a97472903679c7d85ca391aeedaea3ce7797acf.

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index f7e7653..941edfb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
 # properly.
-CPP?=cpp
+CPP=cpp
 
 # The pam.d file to create
 PAMD=login passwd su system-auth system-login system-local-login 
system-remote-login system-services other



[gentoo-commits] proj/pambase:master commit in: /

2020-04-29 Thread Mikle Kolyada
commit: 4a97472903679c7d85ca391aeedaea3ce7797acf
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Apr 29 21:37:16 2020 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Apr 29 21:37:16 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=4a974729

allow clang-cpp

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 39f0082..9afc842 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # Reset this to 'cpp' so it gets traditional syntax; cc -E will not work
 # properly.
-CPP=cpp
+CPP?=cpp
 
 # The pam.d file to create
 PAMD=login passwd su system-auth system-login system-local-login 
system-remote-login system-services other



[gentoo-commits] proj/pambase:master commit in: /

2020-03-04 Thread David Seifert
commit: 7eaf47da1d6cd18a8253c25213c34b16ae08e87f
Author: David Seifert  gentoo  org>
AuthorDate: Wed Mar  4 17:32:01 2020 +
Commit: David Seifert  gentoo  org>
CommitDate: Wed Mar  4 17:32:01 2020 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7eaf47da

Run pam_env.so after pam_systemd.so for better socket support

* Running pam_systemd.so before setting user environment
  variables makes it possible for the user to use variables
  such as `XDG_RUNTIME_DIR` in their own definitions.

Bug: https://bugs.gentoo.org/711450
Signed-off-by: David Seifert  gentoo.org>

 system-auth.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system-auth.in b/system-auth.in
index 02d0e50..e65e4c2 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -34,7 +34,6 @@ password  optionalpam_permit.so
 #if HAVE_PAM_SSH
 sessionoptionalpam_ssh.so
 #endif
-#include "system-session.inc"
 
 #if HAVE_SYSTEMD
 -sessionoptionalpam_systemd.so
@@ -47,3 +46,4 @@ session   optionalpam_ssh.so
 #if HAVE_LIBCAP
 auth   optionalpam_cap.so
 #endif
+#include "system-session.inc"
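Review bot: Nothing in the file records why `system-session.inc` has to come last, so a later tidy-up could move the include back above the `pam_systemd.so` line. A comment above the include would hold the ordering, for example `/* keep after pam_systemd.so and pam_elogind.so so pam_env sees XDG_RUNTIME_DIR (bug 711450) */`; that the include is what runs pam_env is taken from the commit message. The include also now follows the `auth optional pam_cap.so` line. That is harmless to PAM, but moving the libcap block up beside the other `auth` lines would keep the session part of the file together.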



[gentoo-commits] proj/pambase:master commit in: /

2019-11-28 Thread Mikle Kolyada
commit: b5eab4d5d631f6a7ccf311d751df4ca1aa68c0ba
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Thu Nov 28 18:20:35 2019 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Thu Nov 28 18:20:35 2019 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b5eab4d5

handle envfile with pam_env.so

Signed-off-by: Mikle Kolyada  gentoo.org>

 pambase-20191115.tar.xz | Bin 3240 -> 0 bytes
 system-login.in |   2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/pambase-20191115.tar.xz b/pambase-20191115.tar.xz
deleted file mode 100644
index 0b4f92e..000
Binary files a/pambase-20191115.tar.xz and /dev/null differ

diff --git a/system-login.in b/system-login.in
index 064c687..f159f10 100644
--- a/system-login.in
+++ b/system-login.in
@@ -32,7 +32,7 @@ session optionalpam_loginuid.so
 sessionrequiredpam_selinux.so close
 #endif
 #if HAVE_ENV
-sessionrequiredpam_env.so DEBUG
+sessionrequiredpam_env.so envfile=/etc/profile.env 
DEBUG
 #endif
 #if HAVE_LASTLOG
 sessionoptionalpam_lastlog.so silent DEBUG



[gentoo-commits] proj/pambase:master commit in: /

2019-11-27 Thread Mikle Kolyada
commit: d7bd5491a053af71349e5ede6a45ff5d34a48c91
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Wed Nov 27 09:26:56 2019 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Wed Nov 27 09:26:56 2019 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=d7bd5491

fix libcap function call

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 94cc831..39f0082 100644
--- a/Makefile
+++ b/Makefile
@@ -72,7 +72,7 @@ PAMFLAGS += -DMINIMAL
 endif
 
 ifeq "$(LIBCAP)" "yes"
-PAMFLAGS += -DLIBCAP
+PAMFLAGS += -DHAVE_LIBCAP=1
 endif
 
 all: $(PAMD)



[gentoo-commits] proj/pambase:master commit in: /

2019-11-24 Thread Mikle Kolyada
commit: dd74d9d2f442163353e56f4bd3cf4d0f24f6f1e4
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Sun Nov 24 14:35:41 2019 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Sun Nov 24 14:35:41 2019 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dd74d9d2

integrate libcap support

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile|   4 
 pambase-20191115.tar.xz | Bin 0 -> 3240 bytes
 system-auth.in  |   4 
 3 files changed, 8 insertions(+)

diff --git a/Makefile b/Makefile
index d036d84..94cc831 100644
--- a/Makefile
+++ b/Makefile
@@ -71,6 +71,10 @@ ifeq "$(MINIMAL)" "yes"
 PAMFLAGS += -DMINIMAL
 endif
 
+ifeq "$(LIBCAP)" "yes"
+PAMFLAGS += -DLIBCAP
+endif
+
 all: $(PAMD)
 
 install: $(PAMD)
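Review bot: The Makefile passes `-DLIBCAP`, but the system-auth.in hunk in this commit tests `#if HAVE_LIBCAP`, so the `pam_cap.so` line is never emitted with LIBCAP=yes. The flag should match the other options: `PAMFLAGS += -DHAVE_LIBCAP=1`. The commit also adds `pambase-20191115.tar.xz`, which looks like a dist artefact rather than source and probably should not be tracked.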

diff --git a/pambase-20191115.tar.xz b/pambase-20191115.tar.xz
new file mode 100644
index 000..0b4f92e
Binary files /dev/null and b/pambase-20191115.tar.xz differ

diff --git a/system-auth.in b/system-auth.in
index 4d588fb..02d0e50 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -43,3 +43,7 @@ session   optionalpam_ssh.so
 #if HAVE_ELOGIND
 -sessionoptionalpam_elogind.so
 #endif
+
+#if HAVE_LIBCAP
+auth   optionalpam_cap.so
+#endif



[gentoo-commits] proj/pambase:master commit in: /

2019-11-15 Thread Mikle Kolyada
commit: 306b4622648909158bac6ff5e315794fd8d5bd09
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Fri Nov 15 18:08:50 2019 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Fri Nov 15 18:08:50 2019 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=306b4622

remove openpam support

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile |  7 +--
 openpam-conf | 24 
 2 files changed, 1 insertion(+), 30 deletions(-)

diff --git a/Makefile b/Makefile
index abd7008..d036d84 100644
--- a/Makefile
+++ b/Makefile
@@ -9,12 +9,7 @@ PAMD=login passwd su system-auth system-login 
system-local-login system-remote-l
 # (i.e.: in the ebuild)
 GIT=git
 
-# Get this by default, even if I'd like avoid it...
-ifeq "$(IMPLEMENTATION)" ""
-IMPLEMENTATION=linux-pam
-endif
-
-PAMFLAGS = -include $(IMPLEMENTATION)-conf -include basic-conf 
-DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
+PAMFLAGS = -include linux-pam-conf -include basic-conf 
-DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION)
 
 ifeq "$(CRACKLIB)" "yes"
 PAMFLAGS += -DHAVE_CRACKLIB=1

diff --git a/openpam-conf b/openpam-conf
deleted file mode 100644
index e38107c..000
--- a/openpam-conf
+++ /dev/null
@@ -1,24 +0,0 @@
-#if HAVE_CRACKLIB
-# error "pam_cracklib is only supported with Linux-PAM"
-#endif
-
-// OpenPAM only provides basic modules, it's FreeBSD that provides the
-// extended modules, so check for FreeBSD building first.
-#ifdef __FreeBSD__
-# define HAVE_LOGIN_ACCESS 1
-# define SUPPORT_UNIX_SESSION  0
-
-# if defined(DEBUG)
-#  define DEBUG_NOLOGIN DEBUG
-# else
-#  define DEBUG_NOLOGIN
-# endif
-
-# define SUPPORT_NOLOGIN_ACCOUNT   1
-# define SUPPORT_NOLOGIN_AUTH  0
-
-# if defined(WANT_SHA512)
-#  error "SHA512 support is not present for FreeBSD!"
-# endif
-
-#endif /* __FreeBSD__ */



[gentoo-commits] proj/pambase:master commit in: /

2019-04-02 Thread Mikle Kolyada
commit: e10d88d10cfc7da664e66cf8c5a7bf297ea4b8f7
Author: Mikle Kolyada  gentoo  org>
AuthorDate: Tue Apr  2 13:08:25 2019 +
Commit: Mikle Kolyada  gentoo  org>
CommitDate: Tue Apr  2 13:08:25 2019 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e10d88d1

add vital patches into the sources

Signed-off-by: Mikle Kolyada  gentoo.org>

 Makefile| 4 
 passwd.in   | 9 +
 system-auth.in  | 4 
 system-login.in | 9 -
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/Makefile b/Makefile
index a459fd0..abd7008 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,10 @@ ifeq "$(SYSTEMD)" "yes"
 PAMFLAGS += -DHAVE_SYSTEMD=1
 endif
 
+ifeq "$(ELOGIND)" "yes"
+PAMFLAGS += -DHAVE_ELOGIND=1
+endif
+
 ifeq "$(GNOME_KEYRING)" "yes"
 PAMFLAGS += -DHAVE_GNOME_KEYRING=1
 endif

diff --git a/passwd.in b/passwd.in
index 7eabf3d..248bb7c 100644
--- a/passwd.in
+++ b/passwd.in
@@ -1,6 +1,7 @@
-auth   sufficient   pam_rootok.so
-auth   include system-auth
+auth   sufficient  pam_rootok.so
+auth   include system-auth
 
-accountinclude system-auth
+accountinclude system-auth
 
-password   include system-auth
+password   include system-auth
+-password  optionalpam_gnome_keyring.so UNIX_AUTHTOK
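Review bot: The new `-password optional pam_gnome_keyring.so UNIX_AUTHTOK` line is emitted unconditionally, whereas the lines this commit removes from system-login.in were wrapped in `#if HAVE_GNOME_KEYRING`, a macro the Makefile still sets. The leading `-` only silences the log entry when the module is missing; it does not make the line follow the build option. Wrapping it in `#if HAVE_GNOME_KEYRING` and `#endif` would keep the module out of GNOME_KEYRING=no builds. The keyring `auth` and `session ... auto_start` lines are dropped with no replacement in the visible hunks, so confirm they are provided elsewhere.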

diff --git a/system-auth.in b/system-auth.in
index c729004..4d588fb 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -39,3 +39,7 @@ session   optionalpam_ssh.so
 #if HAVE_SYSTEMD
 -sessionoptionalpam_systemd.so
 #endif
+
+#if HAVE_ELOGIND
+-sessionoptionalpam_elogind.so
+#endif

diff --git a/system-login.in b/system-login.in
index 137c40c..064c687 100644
--- a/system-login.in
+++ b/system-login.in
@@ -8,9 +8,6 @@ authrequiredpam_shells.so DEBUG
 auth   requiredpam_nologin.so DEBUG_NOLOGIN
 #endif
 auth   include system-auth
-#if HAVE_GNOME_KEYRING
-auth   optionalpam_gnome_keyring.so
-#endif
 
 #if HAVE_ACCESS
 accountrequiredpam_access.so DEBUG
@@ -27,9 +24,6 @@ account   requiredTALLY_MODULE 
onerr=succeed DEBUG
 #endif
 
 password   include system-auth
-#if HAVE_GNOME_KEYRING
-password   optionalpam_gnome_keyring.so
-#endif
 
 #if HAVE_LOGINUID
 session optionalpam_loginuid.so
@@ -51,9 +45,6 @@ session   optionalpam_ck_connector.so 
nox11
  # Note: modules that run in the user's context must come after this line.
 sessionrequiredpam_selinux.so multiple open
 #endif
-#if HAVE_GNOME_KEYRING
-sessionoptionalpam_gnome_keyring.so auto_start
-#endif
 #if HAVE_MOTD
 sessionoptionalpam_motd.so motd=/etc/motd
 #endif



[gentoo-commits] proj/pambase:master commit in: /

2015-05-16 Thread Mike Frysinger
commit: abf9fef20f1da54ca161616c059afd10449baced
Author: Sven Vermeulen swift AT gentoo DOT org
AuthorDate: Sun May 17 05:22:20 2015 +
Commit: Mike Frysinger vapier AT gentoo DOT org
CommitDate: Sun May 17 05:22:20 2015 +
URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=abf9fef2

system-login: fix nested selinux comment

URL: https://bugs.gentoo.org/540096

 system-login.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system-login.in b/system-login.in
index e630918..137c40c 100644
--- a/system-login.in
+++ b/system-login.in
@@ -48,7 +48,7 @@ session   include system-auth
 sessionoptionalpam_ck_connector.so nox11
 #endif
 #if HAVE_SELINUX
-# Note: modules that run in the user's context must come after this line.
+ # Note: modules that run in the user's context must come after this line.
 sessionrequiredpam_selinux.so multiple open
 #endif
 #if HAVE_GNOME_KEYRING



[gentoo-commits] proj/pambase:master commit in: /

2015-02-14 Thread Mike Frysinger
commit: 3013c8e7ab5aee1fa45a0fa6d662b37d08698530
Author: Mike Frysinger vapier AT gentoo DOT org
AuthorDate: Sat Feb 14 03:26:41 2015 +
Commit: Mike Frysinger vapier AT gentoo DOT org
CommitDate: Sat Feb 14 03:26:41 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=3013c8e7

make securetty optional

URL: https://bugs.gentoo.org/539508

---
 Makefile | 4 
 login.in | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/Makefile b/Makefile
index 574d0d1..339de62 100644
--- a/Makefile
+++ b/Makefile
@@ -36,6 +36,10 @@ ifeq $(GNOME_KEYRING) yes
 PAMFLAGS += -DHAVE_GNOME_KEYRING=1
 endif
 
+ifeq $(SECURETTY) yes
+PAMFLAGS += -DHAVE_SECURETTY=1
+endif
+
 ifeq $(SELINUX) yes
 PAMFLAGS += -DHAVE_SELINUX=1
 endif

diff --git a/login.in b/login.in
index 14165a2..5067bc7 100644
--- a/login.in
+++ b/login.in
@@ -1,4 +1,6 @@
+#if HAVE_SECURETTY
 auth   requiredpam_securetty.so
+#endif
 auth   include system-local-login
 
 accountinclude system-local-login
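Review bot: `pam_securetty.so` changes from always-on to opt-in, so any build that does not pass SECURETTY=yes loses the root-terminal restriction without notice. If the restriction is meant to remain the default, the Makefile could set `SECURETTY ?= yes` so that only an explicit override removes it; the packaging default is not visible here. A one-line `/* ... */` comment above the guard in login.in, saying what it controls, would also help the next reader.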



[gentoo-commits] proj/pambase:master commit in: /

2015-02-14 Thread Mike Frysinger
commit: e8d14735cdcb7a7614eacc2d719737bf5144631c
Author: Mike Frysinger vapier AT gentoo DOT org
AuthorDate: Sat Feb 14 03:54:32 2015 +
Commit: Mike Frysinger vapier AT gentoo DOT org
CommitDate: Sat Feb 14 03:54:32 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=e8d14735

trim trailing whitespace

---
 su.in   | 1 -
 system-auth.in  | 6 +++---
 system-login.in | 7 +++
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/su.in b/su.in
index 121bb9a..889ecfe 100644
--- a/su.in
+++ b/su.in
@@ -9,4 +9,3 @@ password   include  system-auth
 sessioninclude system-auth
 sessionrequired pam_env.so
 sessionoptionalpam_xauth.so
-

diff --git a/system-auth.in b/system-auth.in
index 1f7ffbd..c729004 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -10,14 +10,14 @@ authKRB5_CONTROLpam_krb5.so KRB5_PARAMS
 auth   requiredpam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 auth   optionalpam_permit.so
- 
+
 #if HAVE_KRB5
 accountKRB5_CONTROLpam_krb5.so KRB5_PARAMS
 #endif
 accountrequiredpam_unix.so DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 accountoptionalpam_permit.so
- 
+
 #if HAVE_CRACKLIB
 password   requiredpam_cracklib.so difok=2 minlen=8 dcredit=2 
ocredit=2 retry=3 DEBUG
 #endif
@@ -30,7 +30,7 @@ password  KRB5_CONTROLpam_krb5.so KRB5_PARAMS
 password   requiredpam_unix.so try_first_pass UNIX_AUTHTOK NULLOK 
UNIX_EXTENDED_ENCRYPTION DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 password   optionalpam_permit.so
- 
+
 #if HAVE_PAM_SSH
 sessionoptionalpam_ssh.so
 #endif

diff --git a/system-login.in b/system-login.in
index 11ac032..d12dcd3 100644
--- a/system-login.in
+++ b/system-login.in
@@ -11,7 +11,7 @@ auth  include system-auth
 #if HAVE_GNOME_KEYRING
 auth   optionalpam_gnome_keyring.so
 #endif
-   
+
 #if HAVE_ACCESS
 accountrequiredpam_access.so DEBUG
 #endif
@@ -25,12 +25,12 @@ account include system-auth
 #if defined(TALLY_MODULE)
 accountrequiredTALLY_MODULE onerr=succeed DEBUG
 #endif
- 
+
 password   include system-auth
 #if HAVE_GNOME_KEYRING
 password   optionalpam_gnome_keyring.so
 #endif
- 
+
 #if HAVE_LOGINUID
 session optionalpam_loginuid.so
 #endif
@@ -59,4 +59,3 @@ session   optionalpam_motd.so 
motd=/etc/motd
 #if HAVE_MAIL
 sessionoptionalpam_mail.so
 #endif
-  



[gentoo-commits] proj/pambase:master commit in: /

2015-02-14 Thread Mike Frysinger
commit: cb1915bf4f80282177ccb440e886943394803cb5
Author: Mike Frysinger vapier AT gentoo DOT org
AuthorDate: Sat Feb 14 03:57:45 2015 +
Commit: Mike Frysinger vapier AT gentoo DOT org
CommitDate: Sat Feb 14 03:57:45 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=cb1915bf

system-login: move pam_gnome_keyring after pam_selinux

URL: https://bugs.gentoo.org/511600

---
 system-login.in | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/system-login.in b/system-login.in
index d12dcd3..e630918 100644
--- a/system-login.in
+++ b/system-login.in
@@ -47,12 +47,13 @@ session include system-auth
 #if HAVE_CONSOLEKIT
 sessionoptionalpam_ck_connector.so nox11
 #endif
-#if HAVE_GNOME_KEYRING
-sessionoptionalpam_gnome_keyring.so auto_start
-#endif
 #if HAVE_SELINUX
+# Note: modules that run in the user's context must come after this line.
 sessionrequiredpam_selinux.so multiple open
 #endif
+#if HAVE_GNOME_KEYRING
+sessionoptionalpam_gnome_keyring.so auto_start
+#endif
 #if HAVE_MOTD
 sessionoptionalpam_motd.so motd=/etc/motd
 #endif
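Review bot: The added `# Note: ...` line starts with `#` in column 0, and these templates are run through `$(CPP) -traditional-cpp -P`, so the preprocessor reads it as a directive instead of passing it through. The apostrophe in `user's` may also be taken as an unterminated character constant. system-auth.in already uses `/* ... */` for template comments, so `/* Modules that run in the user context must come after this line. */` would be safe, at the cost of the note not appearing in the generated file.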



[gentoo-commits] proj/pambase:master commit in: /

2015-02-14 Thread Mike Frysinger
commit: adef1185caa1f372420d6dd71d4968115ae0e3bf
Author: Mike Frysinger vapier AT gentoo DOT org
AuthorDate: Sat Feb 14 03:34:50 2015 +
Commit: Mike Frysinger vapier AT gentoo DOT org
CommitDate: Sat Feb 14 03:34:50 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=adef1185

make nullok into a build time option

---
 Makefile   | 4 
 basic-conf | 6 ++
 system-auth.in | 4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 339de62..a459fd0 100644
--- a/Makefile
+++ b/Makefile
@@ -56,6 +56,10 @@ ifeq $(KRB5) yes
 PAMFLAGS += -DHAVE_KRB5=1
 endif
 
+ifeq $(NULLOK) yes
+PAMFLAGS += -DWANT_NULLOK=1
+endif
+
 ifeq $(SHA512) yes
 PAMFLAGS += -DWANT_SHA512=1
 endif

diff --git a/basic-conf b/basic-conf
index eaa1cb0..5ab72c0 100644
--- a/basic-conf
+++ b/basic-conf
@@ -29,6 +29,12 @@
 #define LIKEAUTH
 #endif
 
+#if WANT_NULLOK
+#define NULLOK nullok
+#else
+#define NULLOK
+#endif
+
 #define KRB5_PARAMS DEBUG ignore_root try_first_pass
 
 /* By using the extended Linux-PAM syntax for this, it is possible to
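Review bot: The new `NULLOK` macro has no comment, and the change flips a default without saying so. `nullok` used to be passed to `pam_unix.so` unconditionally and is now absent unless NULLOK=yes is set, so accounts with an empty password stop authenticating after an upgrade. A comment above the block would record the intent, for example `/* nullok lets pam_unix accept accounts with an empty password; off unless NULLOK=yes */`. The packaging side should tell users about the change as well.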

diff --git a/system-auth.in b/system-auth.in
index 43df701..1f7ffbd 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -7,7 +7,7 @@ authsufficient  pam_ssh.so
 #if HAVE_KRB5
 auth   KRB5_CONTROLpam_krb5.so KRB5_PARAMS
 #endif
-auth   requiredpam_unix.so try_first_pass LIKEAUTH nullok DEBUG
+auth   requiredpam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 auth   optionalpam_permit.so
  
@@ -27,7 +27,7 @@ password  requiredpam_passwdqc.so min=8,8,8,8,8 
retry=3
 #if HAVE_KRB5
 password   KRB5_CONTROLpam_krb5.so KRB5_PARAMS
 #endif
-password   requiredpam_unix.so try_first_pass UNIX_AUTHTOK nullok 
UNIX_EXTENDED_ENCRYPTION DEBUG
+password   requiredpam_unix.so try_first_pass UNIX_AUTHTOK NULLOK 
UNIX_EXTENDED_ENCRYPTION DEBUG
 /* This is needed to make sure that the Kerberos skip-on-success won't cause a 
bad jump. */
 password   optionalpam_permit.so
  



[gentoo-commits] proj/pambase:master commit in: /

2014-03-13 Thread Samuli Suominen
commit: c1058bd8ccde0c56454a48339e9afb7a6e7fa80f
Author: Samuli Suominen ssuominen AT gentoo DOT org
AuthorDate: Thu Mar 13 13:52:27 2014 +
Commit: Samuli Suominen ssuominen AT gentoo DOT org
CommitDate: Thu Mar 13 13:52:27 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=c1058bd8

Import -systemd.patch and -systemd-auth.patch from gentoo-x86, see both bugs 
#372229 and #485470

---
 Makefile   | 4 
 system-auth.in | 4 
 2 files changed, 8 insertions(+)

diff --git a/Makefile b/Makefile
index 7d3e22a..ec5d240 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,10 @@ ifeq $(CONSOLEKIT) yes
 PAMFLAGS += -DHAVE_CONSOLEKIT=1
 endif
 
+ifeq $(SYSTEMD) yes
+PAMFLAGS += -DHAVE_SYSTEMD=1
+endif
+
 ifeq $(GNOME_KEYRING) yes
 PAMFLAGS += -DHAVE_GNOME_KEYRING=1
 endif

diff --git a/system-auth.in b/system-auth.in
index a80d653..43df701 100644
--- a/system-auth.in
+++ b/system-auth.in
@@ -35,3 +35,7 @@ password  optionalpam_permit.so
 sessionoptionalpam_ssh.so
 #endif
 #include system-session.inc
+
+#if HAVE_SYSTEMD
+-sessionoptionalpam_systemd.so
+#endif



[gentoo-commits] proj/pambase:master commit in: /

2014-03-13 Thread Samuli Suominen
commit: ae72ea9e54b7f5035fb6b3120c0e75e79860e819
Author: Samuli Suominen ssuominen AT gentoo DOT org
AuthorDate: Thu Mar 13 14:13:15 2014 +
Commit: Samuli Suominen ssuominen AT gentoo DOT org
CommitDate: Thu Mar 13 14:13:15 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=ae72ea9e

Import -lastlog-silent.patch from gentoo-x86, see bug #468798

---
 login.in| 2 ++
 system-login.in | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/login.in b/login.in
index 13abd27..14165a2 100644
--- a/login.in
+++ b/login.in
@@ -3,4 +3,6 @@ auth   include  system-local-login
 
 accountinclude system-local-login
 password   include system-local-login
+
+sessionoptional pam_lastlog.so DEBUG
 sessioninclude system-local-login
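Review bot: The added `session optional pam_lastlog.so DEBUG` in login.in is not wrapped in `#if HAVE_LASTLOG`, unlike the line in system-login.in, so it is emitted even where the implementation config does not define that macro. With both lines active the module also runs twice per console login, once here and once with `silent` through system-local-login (assuming that file includes system-login). A short comment saying that the first call prints the last-login message and the second only records the login would make the intent clear.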

diff --git a/system-login.in b/system-login.in
index 0c3b5c8..11ac032 100644
--- a/system-login.in
+++ b/system-login.in
@@ -41,7 +41,7 @@ session   requiredpam_selinux.so close
 sessionrequiredpam_env.so DEBUG
 #endif
 #if HAVE_LASTLOG
-sessionoptionalpam_lastlog.so DEBUG
+sessionoptionalpam_lastlog.so silent DEBUG
 #endif
 sessioninclude system-auth
 #if HAVE_CONSOLEKIT



[gentoo-commits] proj/pambase:master commit in: /

2014-03-13 Thread Samuli Suominen
commit: bec2aa7cdde64d59cf4fdb5de661188da7cc6e59
Author: Samuli Suominen ssuominen AT gentoo DOT org
AuthorDate: Thu Mar 13 14:36:19 2014 +
Commit: Samuli Suominen ssuominen AT gentoo DOT org
CommitDate: Thu Mar 13 14:36:19 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=bec2aa7c

Use xz instead of bzip2 for dist.

---
 Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index ec5d240..574d0d1 100644
--- a/Makefile
+++ b/Makefile
@@ -75,11 +75,11 @@ ifeq $(VERSION) 
 VERSION = $(shell date +%Y%m%d)
 endif
 
-dist: $(PACKAGE)-$(VERSION).tar.bz2
+dist: $(PACKAGE)-$(VERSION).tar.xz
 
-$(PACKAGE)-$(VERSION).tar.bz2: $(shell $(GIT) ls-files)
+$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files)
$(GIT) tag $(PACKAGE)-$(VERSION)
-   $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | 
bzip2  $@
+   $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz  
$@
 
 $(PAMD): %: %.in
$(CPP) -traditional-cpp -P $(PAMFLAGS) $ -o $@