[gentoo-commits] proj/pambase:master commit in: templates/
commit: f6e52e5b96c20426687bc8041b171c9b788d7910 Author: Sam James gentoo org> AuthorDate: Sun Jan 28 08:14:35 2024 + Commit: Sam James gentoo org> CommitDate: Sun Jan 28 08:14:35 2024 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f6e52e5b system-auth.tpl: fix sssd's pam_deny Closes: https://bugs.gentoo.org/922918 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 4065e89..9a274a4 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -31,7 +31,7 @@ auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }}
 auth optionalpam_cap.so
 {% endif %}
 {% if sssd %}
-auth sufficient pam_deny.so
+auth requiredpam_deny.so
 {% endif %}
 {% if krb5 %}
 account[success=2 default=ignore] pam_krb5.so {{ krb5_params }}
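Review bot: Nothing in this commit pins the corrected control value with a test: the only file touched is `templates/system-auth.tpl`, and the diffstat of the commit that introduced the `{% if sssd %}` blocks (c2060f49) lists no `tests/rendered/` fixture either. As `sufficient`, the failure returned by `pam_deny.so` was ignored, so the last auth line had no effect on the result of the stack; `required` makes it the fail-closed terminator it was presumably meant to be. A rendered fixture generated with `--sssd`, next to the existing `custom`, `default` and `minimal` ones, would catch a regression of this line.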
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: c2060f499d483e11ba4524283c2d95a6a8beb8dc Author: Christopher Byrne gmail com> AuthorDate: Sun Sep 3 16:32:19 2023 + Commit: Sam James gentoo org> CommitDate: Fri Jan 19 05:31:42 2024 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c2060f49 Add sssd support Bug: https://bugs.gentoo.org/726050 Closes: https://github.com/gentoo/pambase/issues/1 Signed-off-by: Christopher Byrne gmail.com> Closes: https://github.com/gentoo/pambase/pull/17 Signed-off-by: Sam James gentoo.org> pambase.py | 7 ++- templates/system-auth.tpl| 38 -- templates/system-session.tpl | 4 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/pambase.py b/pambase.py index 3875e89..ceec8cb 100755 --- a/pambase.py +++ b/pambase.py @@ -19,6 +19,7 @@ def main(): parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') +parser.add_argument('--sssd', action="store_true", help='enable sssd.so module') parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module') parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') @@ -41,7 +42,8 @@ def process_args(args): "unix_authtok", "unix_extended_encryption", "likeauth", -"nullok" +"nullok", +"local_users_only" ] # create a blank dictionary @@ -62,6 +64,9 @@ def process_args(args): if args.krb5: output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip() +if args.sssd: +output["local_users_only"] = "local_users_only" + if args.yescrypt: output["unix_extended_encryption"] = "yescrypt shadow" elif args.sha512: diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 9b078f3..4065e89 100644 
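Review bot: The help text on the new `--sssd` option names a module the templates never load: the auth and account lines this same commit adds to `templates/system-auth.tpl` use `pam_sss.so`, not `sssd.so`. The neighbouring options all name the real module file, so I would write `help='enable pam_sss.so module'`. `main()` and `process_args()` both continue outside these hunks.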
--- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -7,34 +7,55 @@ auth sufficient pam_ssh.so auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if sssd %} +auth [default=1 ignore=ignore success=ok]pam_usertype.so isregular +auth [default=3 ignore=ignore success=ok]pam_localuser.so +{% endif %} + auth requisite pam_faillock.so preauth + {% if homed %} auth[success=2 default=ignore] pam_systemd_home.so {% endif %} + +{% if sssd %} +authsufficientpam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} +{% else %} auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% endif %} auth [default=die] pam_faillock.so authfail - +{% if sssd %} +auth sufficient pam_sss.so forward_pass {{ debug|default('', true) }} +{% endif %} {% if caps %} auth optionalpam_cap.so {% endif %} - +{% if sssd %} +auth sufficient pam_deny.so +{% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} {% if homed %} -account [success=1 default=ignore] pam_systemd_home.so +account [success={{ 2 if sssd else 1 }} default=ignore] pam_systemd_home.so {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so +{% if sssd %} +accountsufficient pam_localuser.so +accountsufficient pam_usertype.so issystem +account[default=bad success=ok user_unknown=ignore] pam_sss.so {{ debug|default('', true) }} +accountrequiredpam_permit.so +{% endif %} {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf {% endif %} {% if pwquality %} -passwordrequiredpam_pwquality.so +passwordrequiredpam_pwquality.so {{ local_users_only|default('', true ) }} {% endif %} {% if pwhistory %} 
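Review bot: The literal jump counts on the new auth lines only hold when no other optional module is enabled. `[default=3 ignore=ignore success=ok]` on `pam_localuser.so` is sized to skip `pam_faillock.so preauth`, `pam_unix.so` and `pam_faillock.so authfail` and land on `pam_sss.so`, but with `homed` the extra `pam_systemd_home.so` line makes it land on `pam_faillock.so authfail`, which is `[default=die]`, so a non-local user would apparently be failed there before `pam_sss.so` is consulted. I would compute the count the way the krb5 line already does, `[default={{ 4 if homed else 3 }} ignore=ignore success=ok]`. The unchanged `success={{ 4 if homed else 3 }}` on `pam_krb5.so` has the mirror problem, since it does not count the two lines inserted after it and with `sssd` lands on `pam_unix.so`; whether `pambase.py` rejects these flag combinations is not visible here.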
@@ -50,9 +71,14 @@ password[success=1 default=ignore] pam_systemd_home.so {% endif %} {% if passwdqc or pwquality %} -password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ unix_authtok|default('', true) }}
[gentoo-commits] proj/pambase:master commit in: tests/rendered/custom/, templates/, tests/rendered/minimal/, ...
commit: a125db180b5f9325cdabd90d17477090fbba95e5 Author: Daniel Harding living180 net> AuthorDate: Fri May 13 11:25:02 2022 + Commit: Sam James gentoo org> CommitDate: Sun Dec 17 12:45:22 2023 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=a125db18 Honor pam_unix.so return value Commit eb138196aa2d3cb860d5eb5ab1d05985df34ad2c changed the return value of pam_authenticate() for the case when the user enters an incorrect password. Prior to that change pam_authenticate() would return PAM_AUTH_ERR for an incorrect password, while after it would return PAM_PERM_DENIED. The root cause is that after that change, nothing in the stack before the final pam_faillock.so auth entry is setting `impression` in _pam_dispatch_aux(). If the user has not reached the maximum number of tries, pam_faillock.so returns PAM_IGNORE [1] and thus _pam_dispatch_aux() sets `status` to PAM_MUST_FAIL_CODE [2], which is defined to be PAM_PERM_DENIED [3]. This ends up being the return value for pam_authenticate(). This commit addresses the problem by changing the `default` control action for the pam_unix.so auth entry from `ignore` to `bad` (the same as when its control value was `required`). Thus when processing the pam_unix.so entry, _pam_dispatch_aux() will set `impression` to _PAM_NEGATIVE and `status` to the return value of pam_unix.so, PAM_AUTH_ERR [4]. _pam_dispatch_aux() will then continue to the final pam_faillock.so auth entry. Because `impression` is now _PAM_NEGATIVE, _pam_dispatch_aux() will not change the value of `status` and the return value of pam_authenticate() is PAM_AUTH_ERR as desired. Also ensure that `new_authtok_reqd` is handled correctly when returned from pam_unix.so. 
[1] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/modules/pam_faillock/pam_faillock.c#L712 [2] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L244 [3] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L17 [4] https://github.com/linux-pam/linux-pam/blob/d3b73b6cd818f4fd9c923822592eccbe8ecdd121/libpam/pam_dispatch.c#L246 Signed-off-by: Daniel Harding living180.net> Closes: https://github.com/gentoo/pambase/pull/10 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- tests/rendered/custom/system-auth | 2 +- tests/rendered/default/system-auth | 2 +- tests/rendered/minimal/system-auth | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 9739b6f..9b078f3 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -11,7 +11,7 @@ auth requisite pam_faillock.so preauth {% if homed %} auth[success=2 default=ignore] pam_systemd_home.so {% endif %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail {% if caps %} diff --git a/tests/rendered/custom/system-auth b/tests/rendered/custom/system-auth index a84a45a..aae3914 100644 --- a/tests/rendered/custom/system-auth +++ b/tests/rendered/custom/system-auth @@ -1,6 +1,6 @@ auth requiredpam_env.so auth requisite pam_faillock.so preauth -auth[success=1 default=ignore] pam_unix.so nullok try_first_pass +auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail accountrequiredpam_unix.so account requiredpam_faillock.so 
diff --git a/tests/rendered/default/system-auth b/tests/rendered/default/system-auth index d84e030..4c069c3 100644 --- a/tests/rendered/default/system-auth +++ b/tests/rendered/default/system-auth @@ -1,6 +1,6 @@ auth requiredpam_env.so auth requisite pam_faillock.so preauth -auth[success=1 default=ignore] pam_unix.so try_first_pass +auth[success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so try_first_pass auth [default=die] pam_faillock.so authfail accountrequiredpam_unix.so account requiredpam_faillock.so diff --git a/tests/rendered/minimal/system-auth b/tests/rendered/minimal/system-auth index d84e030..4c069c3 100644 --- a/tests/rendered/minimal/system-auth +++ b/tests/rendered/minimal/system-auth @@ -1,6 +1,6 @@ auth requiredpam_env.so auth requisite pam_faillock.so preauth -auth[success=1 default=ignore]
[gentoo-commits] proj/pambase:master commit in: /, .github/workflows/
commit: 6b3b62b5777677930b3ff9e00835f6b1c1e914aa Author: Aliaksei Urbanski gmail com> AuthorDate: Wed Nov 8 15:01:37 2023 + Commit: Sam James gentoo org> CommitDate: Mon Nov 13 06:20:51 2023 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=6b3b62b5 Add a GitHub Actions workflow for tests These changes enable tests on the GitHub side. The implementation relies on Official Gentoo Docker images, since I believe it's a better way to test Gentoo-specific packages. Useful links: * https://www.gentoo.org/news/2020/07/04/official-docker.html * https://github.com/gentoo/gentoo-docker-images * https://github.com/docker/build-push-action * https://docs.docker.com/build/ci/github-actions/cache/ Signed-off-by: Sam James gentoo.org> .dockerignore | 6 ++ .github/workflows/tests.yml | 26 ++ Dockerfile | 14 ++ 3 files changed, 46 insertions(+)
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000..f502e63
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.git/
+.github/
+stack/
+.dockerignore
+.gitignore
+Dockerfile
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000..652d733
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,26 @@
+name: Tests
+
+on:
+ push:
+ pull_request:
+branches:
+ - master
+
+jobs:
+ tests:
+runs-on: ubuntu-latest
+steps:
+ - name: Checkout
+uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+ - name: Build the Docker image
+uses: docker/build-push-action@v5
+with:
+ context: .
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ load: true
+ tags: pambase
+ - name: Run tox
+run: docker run pambase
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000..1d3d150
--- /dev/null
+++ b/Dockerfile
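Review bot: The new `.github/workflows/tests.yml` declares no `permissions:` block, so the `tests` job runs with the repository's default `GITHUB_TOKEN` scope although it only checks out the tree and builds an image; a top-level `permissions:` with `contents: read` would state the least privilege it needs. The three `uses:` lines reference mutable tags (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`); pinning each to a full commit SHA, with the tag kept as a trailing comment, keeps a retagged release from changing what runs on `push` and `pull_request`. The job builds and runs code from pull requests, so both points matter more here than in a push-only workflow.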
@@ -0,0 +1,14 @@
+# based on https://github.com/gentoo/gentoo-docker-images
+
+FROM gentoo/portage:latest as portage
+FROM gentoo/stage3:latest
+
+COPY --from=portage /var/db/repos/gentoo /var/db/repos/gentoo
+
+ENV ACCEPT_KEYWORDS="~amd64"
+RUN emerge -qvu python:3.{10..12} dev-python/tox
+
+COPY . /usr/src/pambase
+WORKDIR /usr/src/pambase
+
+CMD tox --colored yes
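Review bot: Both base images are pulled by the floating `latest` tag (`gentoo/portage:latest`, `gentoo/stage3:latest`), so the test environment is whatever the registry serves at build time and a CI failure cannot be tied to the change under test. Pinning them by digest, for example `FROM gentoo/stage3@sha256:<digest>` with the digest bumped on a schedule, makes the build reproducible and limits exposure to a replaced image. A one-line comment above `ENV ACCEPT_KEYWORDS="~amd64"` saying why testing keywords are accepted would also help the next reader.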
[gentoo-commits] proj/pambase:master commit in: /
commit: b599daf14eda0a238265f11d239c4c772c345fbd Author: Aliaksei Urbanski gmail com> AuthorDate: Wed Nov 8 15:08:15 2023 + Commit: Sam James gentoo org> CommitDate: Mon Nov 13 06:20:51 2023 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b599daf1 Add README.md Closes: https://github.com/gentoo/pambase/pull/18 Signed-off-by: Sam James gentoo.org> README.md | 18 ++ 1 file changed, 18 insertions(+)
diff --git a/README.md b/README.md
new file mode 100644
index 000..59f4ecd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,18 @@
+# pambase
+
+[PAM](https://wiki.gentoo.org/wiki/PAM) base configuration files.
+
+This repository contains a small [Python](https://wiki.gentoo.org/wiki/Python) script that renders `PAM` configuration templates for [Gentoo Linux](https://www.gentoo.org).
+
+## Dependencies
+
+`pambase` depends on [jinja](https://packages.gentoo.org/packages/dev-python/jinja).
+
+## Testing
+
+In order to perform tests, run [tox](https://packages.gentoo.org/packages/dev-python/tox).
+
+Alternatively, you can run tests with [Docker](https://wiki.gentoo.org/wiki/Docker):
+```sh
+docker run --rm -it $(docker build -q .)
+```
[gentoo-commits] proj/pambase:master commit in: tests/rendered/default/, tests/rendered/minimal/, tests/rendered/custom/, /
commit: 93731d4ad939156665887e430086f6853653bc41 Author: Aliaksei Urbanski gmail com> AuthorDate: Tue Nov 7 00:55:56 2023 + Commit: Sam James gentoo org> CommitDate: Mon Nov 13 06:20:50 2023 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93731d4a Add basic rendering tests with tox Signed-off-by: Aliaksei Urbanski gmail.com> Signed-off-by: Sam James gentoo.org> .gitignore | 1 + tests/rendered/custom/login| 5 + tests/rendered/custom/other| 4 tests/rendered/custom/passwd | 4 tests/rendered/custom/su | 8 tests/rendered/custom/system-auth | 11 +++ tests/rendered/custom/system-local-login | 4 tests/rendered/custom/system-login | 15 +++ tests/rendered/custom/system-remote-login | 4 tests/rendered/custom/system-services | 6 ++ tests/rendered/default/login | 5 + tests/rendered/default/other | 4 tests/rendered/default/passwd | 4 tests/rendered/default/su | 8 tests/rendered/default/system-auth | 10 ++ tests/rendered/default/system-local-login | 4 tests/rendered/default/system-login| 14 ++ tests/rendered/default/system-remote-login | 4 tests/rendered/default/system-services | 6 ++ tests/rendered/minimal/login | 5 + tests/rendered/minimal/other | 4 tests/rendered/minimal/passwd | 4 tests/rendered/minimal/su | 8 tests/rendered/minimal/system-auth | 10 ++ tests/rendered/minimal/system-local-login | 4 tests/rendered/minimal/system-login| 11 +++ tests/rendered/minimal/system-remote-login | 4 tests/rendered/minimal/system-services | 6 ++ tox.ini| 18 ++ 29 files changed, 195 insertions(+) diff --git a/.gitignore b/.gitignore index 844c82f..73c8fab 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ stack/ .idea/ +.tox/ diff --git a/tests/rendered/custom/login b/tests/rendered/custom/login new file mode 100644 index 000..e5a66f2 --- /dev/null +++ b/tests/rendered/custom/login @@ -0,0 +1,5 @@ +auth include system-local-login +accountinclude system-local-login +password include system-local-login +sessionoptionalpam_lastlog.so +sessioninclude system-local-login 
diff --git a/tests/rendered/custom/other b/tests/rendered/custom/other new file mode 100644 index 000..9544f8e --- /dev/null +++ b/tests/rendered/custom/other @@ -0,0 +1,4 @@ +auth requiredpam_deny.so +accountrequiredpam_deny.so +password requiredpam_deny.so +sessionrequiredpam_deny.so diff --git a/tests/rendered/custom/passwd b/tests/rendered/custom/passwd new file mode 100644 index 000..0bde2a3 --- /dev/null +++ b/tests/rendered/custom/passwd @@ -0,0 +1,4 @@ +auth sufficient pam_rootok.so +auth include system-auth +accountinclude system-auth +password include system-auth diff --git a/tests/rendered/custom/su b/tests/rendered/custom/su new file mode 100644 index 000..a36b633 --- /dev/null +++ b/tests/rendered/custom/su @@ -0,0 +1,8 @@ +auth sufficient pam_rootok.so +auth requiredpam_wheel.so use_uid +auth include system-auth +accountinclude system-auth +password include system-auth +sessioninclude system-auth +sessionrequiredpam_env.so +sessionoptionalpam_xauth.so diff --git a/tests/rendered/custom/system-auth b/tests/rendered/custom/system-auth new file mode 100644 index 000..a84a45a --- /dev/null +++ b/tests/rendered/custom/system-auth @@ -0,0 +1,11 @@ +auth requiredpam_env.so +auth requisite pam_faillock.so preauth +auth[success=1 default=ignore] pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail +accountrequiredpam_unix.so +account requiredpam_faillock.so +password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf +password requiredpam_unix.so try_first_pass use_authtok nullok sha512 shadow +sessionrequiredpam_limits.so +sessionrequiredpam_env.so +sessionrequiredpam_unix.so diff --git a/tests/rendered/custom/system-local-login b/tests/rendered/custom/system-local-login new file mode
[gentoo-commits] proj/pambase:master commit in: templates/
commit: ce3e0c4f0648ce44cb239be043a85468b29c4b13 Author: Michael Jones users noreply github com> AuthorDate: Sat Aug 6 05:41:29 2022 + Commit: Sam James gentoo org> CommitDate: Sat Aug 13 18:28:30 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ce3e0c4f other.tpl: Fix whitespace Closes: https://github.com/gentoo/pambase/pull/14 Signed-off-by: Sam James gentoo.org> templates/other.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/other.tpl b/templates/other.tpl
index f3b7198..9544f8e 100644
--- a/templates/other.tpl
+++ b/templates/other.tpl
@@ -1,4 +1,4 @@
 auth requiredpam_deny.so
 accountrequiredpam_deny.so
-password requiredpam_deny.so
-sessionrequiredpam_deny.so
+password requiredpam_deny.so
+sessionrequiredpam_deny.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: f039f4766ce2b7cfc0ddec806805a4144534c99b Author: Michael Jones jonesmz com> AuthorDate: Sat Aug 6 06:06:06 2022 + Commit: Sam James gentoo org> CommitDate: Sat Aug 13 18:28:46 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f039f476 system-login.tpl: Fix whitespace Closes: https://github.com/gentoo/pambase/pull/16 Signed-off-by: Sam James gentoo.org> templates/system-login.tpl | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index b4b74cf..0269296 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -4,11 +4,11 @@ auth include system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so -account requiredpam_time.so +accountrequiredpam_time.so accountinclude system-auth password include system-auth -session optionalpam_loginuid.so +sessionoptionalpam_loginuid.so {% if selinux %} sessionrequiredpam_selinux.so close {% endif %} @@ -32,9 +32,9 @@ session optionalpam_mail.so {% endif %} {% if systemd %} --sessionoptionalpam_systemd.so +-session optionalpam_systemd.so {% endif %} {% if elogind %} --sessionoptionalpam_elogind.so +-session optionalpam_elogind.so {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 2bb5c1846ca7a3222b8ff071d4bc3e63da68d3f1 Author: Michael Jones users noreply github com> AuthorDate: Sat Aug 6 05:40:20 2022 + Commit: Sam James gentoo org> CommitDate: Sat Aug 13 18:28:11 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2bb5c184 login.tpl: Fix unnecessary space character Closes: https://github.com/gentoo/pambase/pull/13 Signed-off-by: Sam James gentoo.org> templates/login.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/login.tpl b/templates/login.tpl
index 23e262a..cb85249 100644
--- a/templates/login.tpl
+++ b/templates/login.tpl
@@ -5,5 +5,5 @@ authrequiredpam_securetty.so
 auth include system-local-login
 accountinclude system-local-login
 password include system-local-login
-sessionoptionalpam_lastlog.so {{ debug|default('', true) }}
+sessionoptionalpam_lastlog.so {{ debug|default('', true) }}
 sessioninclude system-local-login
[gentoo-commits] proj/pambase:master commit in: templates/
commit: dacde6da43a9c87f896b842946b514cd49db5dd3 Author: Alexandra Parker gmail com> AuthorDate: Sat Feb 12 21:30:29 2022 + Commit: Sam James gentoo org> CommitDate: Mon Feb 14 16:51:51 2022 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dacde6da homed: add before pam_unix - --homed inserts pam_systemd_home before pam_unix - --homed --krb5 does that and adjusts krb5's jump to 4 modules Signed-off-by: Alexandra Parker gmail.com> Closes: https://bugs.gentoo.org/808993 Closes: https://github.com/gentoo/pambase/pull/9 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 62344ff..9739b6f 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -4,16 +4,14 @@ auth sufficient pam_ssh.so {% endif %} {% if krb5 %} -auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} +auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth {% if homed %} -auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass -auth[success=1 default=ignore] pam_systemd_home.so -{% else %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=2 default=ignore] pam_systemd_home.so {% endif %} +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail {% if caps %}
[gentoo-commits] proj/pambase:master commit in: /
commit: 3b89ab7e52aba0bbb23af40e420d2daf4e07cb84 Author: Mikle Kolyada gentoo org> AuthorDate: Sun Nov 14 11:54:54 2021 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Nov 14 11:54:54 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3b89ab7e Add yescrypt support Signed-off-by: Mikle Kolyada gentoo.org> pambase.py | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pambase.py b/pambase.py index c078156..3875e89 100755 --- a/pambase.py +++ b/pambase.py @@ -19,6 +19,7 @@ def main(): parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') +parser.add_argument('--yescrypt', action="store_true", help='enable yescrypt option for pam_unix.so module') parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack') @@ -61,7 +62,9 @@ def process_args(args): if args.krb5: output["krb5_params"] = "{0} ignore_root try_first_pass".format("debug").strip() -if args.sha512: +if args.yescrypt: +output["unix_extended_encryption"] = "yescrypt shadow" +elif args.sha512: output["unix_extended_encryption"] = "sha512 shadow" else: output["unix_extended_encryption"] = "md5 shadow"
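Review bot: The `else` branch that the second hunk leaves in place still selects `md5 shadow` when neither `--yescrypt` nor `--sha512` is passed, so the weakest scheme remains the default of the chain the new option was added to. If callers are expected always to pass one of the two flags, a comment on the `else` saying so would help; otherwise I would make the fallback `output["unix_extended_encryption"] = "sha512 shadow"` or at least warn when it is taken. Passing both flags silently prefers yescrypt, which an `argparse` mutually exclusive group in `main()` would make explicit. Both `main()` and `process_args()` continue outside the hunks.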
[gentoo-commits] proj/pambase:master commit in: templates/
commit: c3471f99454e8d086e133beaaf28b129fb22fc40 Author: Sam James gentoo org> AuthorDate: Tue Feb 2 15:50:25 2021 + Commit: Sam James gentoo org> CommitDate: Tue Feb 2 15:50:25 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=c3471f99 templates/system-auth.tpl: fix try_first_pass typo Closes: https://github.com/gentoo/pambase/issues/6 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 1adee05..62344ff 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -12,7 +12,7 @@ auth requisite pam_faillock.so preauth auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth[success=1 default=ignore] pam_systemd_home.so {% else %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass {% endif %} auth [default=die] pam_faillock.so authfail
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: fbbc2d49c860857b2fe4b2a6cdb967b0867261c9 Author: Mikle KOlyada gentoo org> AuthorDate: Sat Jan 30 19:50:12 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:37:17 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=fbbc2d49 systemd-auth: add systemd-homed support Signed-off-by: Mikle KOlyada gentoo.org> Closes: https://github.com/gentoo/pambase/pull/5 Signed-off-by: Sam James gentoo.org> pambase.py | 1 + templates/system-auth.tpl| 18 -- templates/system-session.tpl | 4 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/pambase.py b/pambase.py index 278d578..c078156 100755 --- a/pambase.py +++ b/pambase.py @@ -14,6 +14,7 @@ def main(): parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') +parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 01a29db..1adee05 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -8,16 +8,26 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth -auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% if homed %} +auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=1 default=ignore] pam_systemd_home.so +{% else %} +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas +{% endif %} auth [default=die] pam_faillock.so authfail {% if caps %} --auth optionalpam_cap.so +auth optionalpam_cap.so {% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} + +{% if homed %} +account [success=1 default=ignore] pam_systemd_home.so +{% endif %} + accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so @@ -37,6 +47,10 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +password[success=1 default=ignore] pam_systemd_home.so +{% endif %} + {% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 2a7024b..536db49 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -8,4 +8,8 @@ session optionalpam_mktemp.so session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +session [success=1 default=ignore] pam_systemd_home.so +{% endif %} + sessionrequiredpam_unix.so {{ debug|default('', true) }}
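Review bot: The `{% else %}` branch added in the first hunk passes `try_first_pas` to `pam_unix.so`; the option is misspelled, and this is the branch every build without `--homed` renders, so the line should end in `try_first_pass` as the removed line did. The same hunk also drops the leading `-` from the `pam_cap.so` entry, which is unrelated to homed support; the prefix tells PAM not to log an error when the module is missing, so the change deserves its own commit or a line in the description. The new `pam_systemd_home.so` entries here, in the second hunk and in `templates/system-session.tpl` are written without that prefix as well, which is worth a deliberate decision for systems where the module may not be installed.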
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 93165fa671e7c6fe41a09302f3c00a140dd6ec9b Author: Sam James gentoo org> AuthorDate: Sun Jan 31 21:36:48 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:37:12 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=93165fa6 Revert "systemd-auth: add systemd-homed support" This reverts commit 5a545eb14a1220af1ba8031f3669471e77edbc2f. Auto-merged on a reverted commit. Signed-off-by: Sam James gentoo.org> pambase.py | 1 - templates/system-auth.tpl| 18 ++ templates/system-session.tpl | 4 3 files changed, 2 insertions(+), 21 deletions(-) diff --git a/pambase.py b/pambase.py index c078156..278d578 100755 --- a/pambase.py +++ b/pambase.py @@ -14,7 +14,6 @@ def main(): parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') -parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 1adee05..01a29db 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -8,26 +8,16 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth -{% if homed %} -auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass -auth[success=1 default=ignore] pam_systemd_home.so -{% else %} -auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas -{% endif %} +auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail {% if caps %} -auth optionalpam_cap.so +-auth optionalpam_cap.so {% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} - -{% if homed %} -account [success=1 default=ignore] pam_systemd_home.so -{% endif %} - accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so @@ -47,10 +37,6 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -{% if homed %} -password[success=1 default=ignore] pam_systemd_home.so -{% endif %} - {% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 536db49..2a7024b 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -8,8 +8,4 @@ session optionalpam_mktemp.so session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -{% if homed %} -session [success=1 default=ignore] pam_systemd_home.so -{% endif %} - sessionrequiredpam_unix.so {{ debug|default('', true) }}
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 2c873cb38ef20d7eb83b5e4aee723c34d64bde3d Author: Sam James gentoo org> AuthorDate: Sun Jan 31 21:36:41 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:37:04 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=2c873cb3 Revert "Add systemd-homed support" This reverts commit 639b45ccb986de7314372a4a841e6f04c536c49a. Unintentionally had this staged still. Signed-off-by: Sam James gentoo.org> pambase.py | 1 - templates/system-auth.tpl| 6 -- templates/system-session.tpl | 4 3 files changed, 11 deletions(-) diff --git a/pambase.py b/pambase.py index b306ca4..c078156 100755 --- a/pambase.py +++ b/pambase.py @@ -9,7 +9,6 @@ def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module') -parser.add_argument('--homed', action="store_true", help='enable pam_systemd_homed.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 174aacf..1adee05 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -2,9 +2,6 @@ authrequiredpam_env.so {{ debug|default('', true) }} {% if pam_ssh %} auth sufficient pam_ssh.so {% endif %} -{% if homed %} --auth sufficient pam_systemd_home.so -{% endif %} {% if krb5 %} auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} 
@@ -23,9 +20,6 @@ auth [default=die] pam_faillock.so authfail auth optionalpam_cap.so {% endif %} -{% if homed %} --account sufficient pam_systemd_home.so -{% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 48653d4..536db49 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -4,10 +4,6 @@ sessionrequiredpam_env.so {{ debug|default('', true) }} sessionoptionalpam_mktemp.so {% endif %} -{% if homed %} --session optionalpam_systemd_home.so -{% endif %} - {%if krb5 %} session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 5a545eb14a1220af1ba8031f3669471e77edbc2f Author: Mikle KOlyada gentoo org> AuthorDate: Sat Jan 30 19:50:12 2021 + Commit: Sam James gentoo org> CommitDate: Sun Jan 31 21:36:01 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=5a545eb1 systemd-auth: add systemd-homed support Signed-off-by: Mikle KOlyada gentoo.org> Closes: https://github.com/gentoo/pambase/pull/5 Signed-off-by: Sam James gentoo.org> pambase.py | 1 + templates/system-auth.tpl| 18 -- templates/system-session.tpl | 4 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/pambase.py b/pambase.py index eb3d4fe..b306ca4 100755 --- a/pambase.py +++ b/pambase.py @@ -15,6 +15,7 @@ def main(): parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') +parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 53557dc..174aacf 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -11,11 +11,16 @@ auth[success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth -auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +{% if homed %} +auth [success=2 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass +auth[success=1 default=ignore] pam_systemd_home.so +{% else %} +auth[success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pas +{% endif %} auth [default=die] pam_faillock.so authfail {% if caps %} --auth optionalpam_cap.so +auth optionalpam_cap.so {% endif %} {% if homed %} @@ -24,6 +29,11 @@ auth [default=die] pam_faillock.so authfail {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} + +{% if homed %} +account [success=1 default=ignore] pam_systemd_home.so +{% endif %} + accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so @@ -43,6 +53,10 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +password[success=1 default=ignore] pam_systemd_home.so +{% endif %} + {% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% else %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 3dd1d70..48653d4 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -12,4 +12,8 @@ session optionalpam_mktemp.so session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if homed %} +session [success=1 default=ignore] pam_systemd_home.so +{% endif %} + sessionrequiredpam_unix.so {{ debug|default('', true) }}
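Review bot: The `pam_krb5.so` jump offsets stay as they were while a `pam_systemd_home.so` line is inserted into each stack, so with both `krb5` and `homed` enabled every krb5 jump lands one module short. In the auth hunk, `success=3` now skips `pam_faillock.so preauth`, `pam_unix.so` and `pam_systemd_home.so` and ends on `pam_faillock.so authfail` with `[default=die]`, which would presumably record a failure and reject a successful Kerberos login. The account, password and session hunks have the same off-by-one, since the homed line sits between `pam_krb5.so` and the module its jump was counted for. The offset needs to follow the flag, for example `auth [success={{ 4 if homed else 3 }} default=ignore] pam_krb5.so {{ krb5_params }}`, and likewise in the other three stacks. Separately, the `{% else %}` branch of the auth hunk spells the option `try_first_pas`, which should be `try_first_pass`.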
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 639b45ccb986de7314372a4a841e6f04c536c49a Author: Sam James gentoo org> AuthorDate: Fri Jan 29 03:46:42 2021 + Commit: Sam James gentoo org> CommitDate: Fri Jan 29 03:46:42 2021 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=639b45cc Add systemd-homed support Bug: https://bugs.gentoo.org/767784 Signed-off-by: Sam James gentoo.org> pambase.py | 1 + templates/system-auth.tpl| 6 ++ templates/system-session.tpl | 4 3 files changed, 11 insertions(+) diff --git a/pambase.py b/pambase.py index 278d578..eb3d4fe 100755 --- a/pambase.py +++ b/pambase.py @@ -9,6 +9,7 @@ def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module') +parser.add_argument('--homed', action="store_true", help='enable pam_systemd_homed.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 01a29db..53557dc 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -2,6 +2,9 @@ authrequiredpam_env.so {{ debug|default('', true) }} {% if pam_ssh %} auth sufficient pam_ssh.so {% endif %} +{% if homed %} +-auth sufficient pam_systemd_home.so +{% endif %} {% if krb5 %} auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} @@ -15,6 +18,9 @@ auth [default=die] pam_faillock.so authfail -auth optionalpam_cap.so {% endif %} +{% if homed %} +-account sufficient pam_systemd_home.so +{% endif %} {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} 
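Review bot: The help string for `--homed` names `pam_systemd_homed.so`, but the templates changed in this same commit load `pam_systemd_home.so`. The argument line should read `parser.add_argument('--homed', action="store_true", help='enable pam_systemd_home.so module')`. The body of main() continues outside the hunk.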
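Review bot: `-auth sufficient pam_systemd_home.so` is inserted ahead of the `pam_krb5.so` block, and therefore, judging by the other hunks on this page, ahead of `pam_faillock.so preauth`, so a successful homed authentication ends the auth stack before the lockout check is consulted. If that ordering is deliberate because systemd-homed applies its own rate limiting, the template should say so, e.g. `{# pam_systemd_home runs before pam_faillock on purpose; homed enforces its own rate limit #}`. Otherwise the homed line belongs after `pam_faillock.so preauth`, inside the same jump group as `pam_unix.so`. The rest of the auth stack is outside this hunk.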
diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 2a7024b..3dd1d70 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -4,6 +4,10 @@ sessionrequiredpam_env.so {{ debug|default('', true) }} sessionoptionalpam_mktemp.so {% endif %} +{% if homed %} +-session optionalpam_systemd_home.so +{% endif %} + {%if krb5 %} session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: ee4f6b1a6b402ebdf3c5763d934f1aaa6b32e633 Author: Mikle KOlyada gentoo org> AuthorDate: Sun Dec 20 17:52:38 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Dec 20 17:52:38 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ee4f6b1a system-login: add pam_time.so Signed-off-by: Mikle KOlyada gentoo.org> templates/system-login.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 0c60bb6..b4b74cf 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -4,6 +4,7 @@ authinclude system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so +account requiredpam_time.so accountinclude system-auth password include system-auth
[gentoo-commits] proj/pambase:master commit in: templates/
commit: b725e39af14b57b69a256818bc1c98f98122c6a1 Author: Mikle KOlyada gentoo org> AuthorDate: Sat Dec 19 22:30:15 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sat Dec 19 22:30:15 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b725e39a strip pam_permit.so from system-auth Signed-off-by: Mikle KOlyada gentoo.org> templates/system-auth.tpl| 4 templates/system-session.tpl | 2 -- 2 files changed, 6 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 19e08fa..01a29db 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -10,7 +10,6 @@ auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} auth requisite pam_faillock.so preauth auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail -auth optionalpam_permit.so {% if caps %} -auth optionalpam_cap.so @@ -21,7 +20,6 @@ account [success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} account requiredpam_faillock.so -account optionalpam_permit.so {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf @@ -45,8 +43,6 @@ password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) } passwordrequiredpam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} {% endif %} -password optionalpam_permit.so - {% if pam_ssh %} sessionoptionalpam_ssh.so {% endif %} diff --git a/templates/system-session.tpl b/templates/system-session.tpl index ce3afa5..2a7024b 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -9,5 +9,3 @@ session [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} sessionrequiredpam_unix.so {{ debug|default('', true) }} - -sessionoptionalpam_permit.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 3f36e2c3de28b3cde25a27d05e49d354e098c368 Author: Sam James gentoo org> AuthorDate: Tue Nov 3 07:19:16 2020 + Commit: Sam James gentoo org> CommitDate: Tue Nov 3 07:19:16 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3f36e2c3 templates/system-auth.tpl: shift cap to be with other auth Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 4ff78e4..19e08fa 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -12,6 +12,10 @@ auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ d auth [default=die] pam_faillock.so authfail auth optionalpam_permit.so +{% if caps %} +-auth optionalpam_cap.so +{% endif %} + {% if krb5 %} account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} @@ -47,8 +51,4 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so {% endif %} -{% if caps %} --auth optionalpam_cap.so -{% endif %} - {% include "templates/system-session.tpl" %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: daeb59effa26ace52bf699229a1bc22afe8808fd Author: Sam James gentoo org> AuthorDate: Mon Nov 2 23:38:12 2020 + Commit: Sam James gentoo org> CommitDate: Mon Nov 2 23:39:38 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=daeb59ef templates/system-auth.tpl: fix pam_cap realm This fixes the pam_cap realm which can only be auth. This is a regression from old pre-rewrite pambase. It was however exposed by the fixing of an incorrect module name (pam_libcap -> pam_cap) not long ago. Bug: https://bugs.gentoo.org/751946 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 6964e05..2f2fe76 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -48,7 +48,7 @@ session optionalpam_ssh.so {% endif %} {% if libcap %} --sessionoptionalpam_cap.so +-auth optionalpam_cap.so {% endif %} {% include "templates/system-session.tpl" %}
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 94a9b5f76fc8fa1a3c6c34c5baa3fb25825e1dc2 Author: Sam James gentoo org> AuthorDate: Mon Nov 2 23:40:50 2020 + Commit: Sam James gentoo org> CommitDate: Mon Nov 2 23:40:50 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=94a9b5f7 pambase.py: rename --libcap -> --caps Signed-off-by: Sam James gentoo.org> pambase.py| 2 +- templates/system-auth.tpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pambase.py b/pambase.py index de5dddb..278d578 100755 --- a/pambase.py +++ b/pambase.py @@ -8,7 +8,7 @@ import pathlib def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') -parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') +parser.add_argument('--caps', action="store_true", help='enable pam_cap.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 2f2fe76..4ff78e4 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -47,7 +47,7 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so {% endif %} -{% if libcap %} +{% if caps %} -auth optionalpam_cap.so {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: de5f97873c345b69c44df5a9d06fcd69ee6c5ccf Author: Mikle Kolyada gentoo org> AuthorDate: Wed Oct 28 19:24:04 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Oct 28 19:24:04 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=de5f9787 fix number of jumps when pam_krb5 used Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 2 +- templates/system-login.tpl | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 6edba8d..6964e05 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -4,7 +4,7 @@ authsufficient pam_ssh.so {% endif %} {% if krb5 %} -auth [success=4 default=ignore] pam_krb5.so {{ krb5_params }} +auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} auth requisite pam_faillock.so preauth diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 6a0d544..0c60bb6 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -5,7 +5,6 @@ authinclude system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth -account requiredpam_faillock.so password include system-auth session optionalpam_loginuid.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 74b99b4462138ed6b496725b2499fb5d17ad9371 Author: Mikle Kolyada gentoo org> AuthorDate: Wed Oct 28 16:07:21 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Oct 28 16:13:35 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=74b99b44 Do not use use_authtok if no passwd module was stacked Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 5 + 1 file changed, 5 insertions(+) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 2ffd7ea..6edba8d 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -35,7 +35,12 @@ passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} +{% if passwdqc or pwquality %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +{% else %} +passwordrequiredpam_unix.so try_first_pass {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} +{% endif %} + password optionalpam_permit.so {% if pam_ssh %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 99919c4b2b59af27e7ad1daa6fbe8c614a8463c0 Author: Sam James gentoo org> AuthorDate: Mon Oct 26 08:32:29 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 26 22:48:06 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=99919c4b templates/system-auth.tpl: skip pam_unix with krb5 Before this change, success on pam_krb5 would result in jumping one line (over pam_permit) back into pam_unix. Incidentally, we did the later stanza correctly. This was a regression from old pambase. Bug: https://bugs.gentoo.org/748405 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 8b61701..668303f 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -4,20 +4,20 @@ auth sufficient pam_ssh.so {% endif %} {% if krb5 %} -auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} +auth [success=4 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -auth optionalpam_permit.so auth requisite pam_faillock.so preauth auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail +auth optionalpam_permit.so {% if krb5 %} -account[success=1 default=ignore] pam_krb5.so {{ krb5_params }} +account[success=2 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} -accountoptionalpam_permit.so account requiredpam_faillock.so +account optionalpam_permit.so {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf
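Review bot: `success=4` on the `pam_krb5.so` auth line skips all four modules that follow it in the new layout (`pam_faillock.so preauth`, `pam_unix.so`, `pam_faillock.so authfail` and the relocated `pam_permit.so`), so the jump runs past the `pam_permit.so` line it appears meant to land on. The account stanza in the same hunk gets this right: `success=2` skips `pam_unix.so` and `pam_faillock.so` and lands on `pam_permit.so`. For the auth stanza to behave the same way the line should read `auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}`. A one-line template comment next to each jump naming the modules it skips would make later reorderings less error-prone.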
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 473b931a56c9387cc6a1e1eddef2260fc9f3896f Author: Sam James gentoo org> AuthorDate: Mon Oct 26 08:33:23 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 26 21:14:00 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=473b931a templates/system-login.tpl: always need faillock Fixes: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 -- templates/system-login.tpl | 2 -- 2 files changed, 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index faf18ee..8b61701 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -17,9 +17,7 @@ account [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} accountoptionalpam_permit.so -{% if not minimal %} account requiredpam_faillock.so -{% endif %} {% if passwdqc %} password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 889c2d7..6a0d544 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -5,9 +5,7 @@ authinclude system-auth accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth -{% if not minimal %} account requiredpam_faillock.so -{% endif %} password include system-auth session optionalpam_loginuid.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 47a7d6f7477ac279b271babd970d2b4b6839fdb5 Author: Sam James gentoo org> AuthorDate: Mon Oct 26 21:15:18 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 26 22:48:39 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=47a7d6f7 templates/system-auth.tpl: fix libcap module name Bug: https://bugs.gentoo.org/750524 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 668303f..2ffd7ea 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -43,7 +43,7 @@ session optionalpam_ssh.so {% endif %} {% if libcap %} --sessionoptionalpam_libcap.so +-sessionoptionalpam_cap.so {% endif %} {% include "templates/system-session.tpl" %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: eb138196aa2d3cb860d5eb5ab1d05985df34ad2c Author: Sam James gentoo org> AuthorDate: Tue Oct 20 02:32:28 2020 + Commit: Sam James gentoo org> CommitDate: Tue Oct 20 02:38:20 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=eb138196 templates/system-auth.tpl: use faillock in minimal case Bug: https://bugs.gentoo.org/748405 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index bc28468..faf18ee 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -7,13 +7,10 @@ auth sufficient pam_ssh.so auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} -auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so -{% if not minimal %} -auth requiredpam_faillock.so preauth -auth sufficient pam_unix.so nullok try_first_pass +auth requisite pam_faillock.so preauth +auth [success=1 default=ignore] pam_unix.so {{ nullok|default('', true) }} {{ debug|default('', true) }} try_first_pass auth [default=die] pam_faillock.so authfail -{% endif %} {% if krb5 %} account[success=1 default=ignore] pam_krb5.so {{ krb5_params }}
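Review bot: The `pam_krb5.so` context line still uses `success=1`, and after this change the only module it skips is `auth optional pam_permit.so`, because the `required pam_unix.so` line it used to jump over is removed. A successful Kerberos login therefore continues into `pam_faillock.so preauth` and the new `[success=1 default=ignore] pam_unix.so` line, and if the local password check fails it reaches `pam_faillock.so authfail` with `[default=die]`. Moving `auth optional pam_permit.so` below the `authfail` line and changing the krb5 line to `auth [success=3 default=ignore] pam_krb5.so {{ krb5_params }}` would give both jumps a landing point after the faillock group.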
[gentoo-commits] proj/pambase:master commit in: templates/
commit: e0835e729bcf04f501d4610cf3925ec41b37c5f5 Author: Sam James gentoo org> AuthorDate: Mon Oct 12 17:30:18 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 17:30:18 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e0835e72 templates/system-auth.tpl: drop superfluous conf param on faillock pam_faillock defaults to /etc/security/faillock.conf anyway. Closes: https://bugs.gentoo.org/747967 Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 557da9b..bc28468 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -10,7 +10,7 @@ auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so {% if not minimal %} -auth requiredpam_faillock.so preauth conf=/etc/security/faillock.conf +auth requiredpam_faillock.so preauth auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail {% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: abca630446236ddf83c7686ca8742b305bf8a050 Author: Sam James gentoo org> AuthorDate: Mon Oct 12 15:30:28 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 15:30:28 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=abca6304 templates/system-login.tpl: remove duplicate block already in system-auth Do it right this time! Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 5 + templates/system-login.tpl | 6 -- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 11319d6..557da9b 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -9,6 +9,11 @@ auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so +{% if not minimal %} +auth requiredpam_faillock.so preauth conf=/etc/security/faillock.conf +auth sufficient pam_unix.so nullok try_first_pass +auth [default=die] pam_faillock.so authfail +{% endif %} {% if krb5 %} account[success=1 default=ignore] pam_krb5.so {{ krb5_params }} diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 25843f5..889c2d7 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -2,12 +2,6 @@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth -{% if not minimal %} -authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf -authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail -{% endif %} - accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth
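Review bot: The block added to system-auth.tpl hard-codes `nullok` on `auth sufficient pam_unix.so nullok try_first_pass`, while the `required pam_unix.so` line directly above takes it from `{{ nullok|default('', true) }}`. The `required` line still rejects empty passwords when `--nullok` is off, so this is probably not a bypass on its own, but the stack's empty-password behaviour should not depend on which of the two lines is read. The added line should read `auth sufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass`.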
[gentoo-commits] proj/pambase:master commit in: /
commit: f28eb0e9d1f9d46d6d4d17164a1ed98461c2a377 Author: Sam James gentoo org> AuthorDate: Mon Oct 12 15:25:20 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 15:27:54 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=f28eb0e9 templates/system-login.tpl: remove duplicate block from system-auth (again) Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 5 - templates/system-login.tpl | 6 ++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --cc templates/system-auth.tpl index f8484f1,1bb53ae..11319d6 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@@ -9,11 -9,11 +9,6 @@@ auth[success=1 default=ignore auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so --{% if not minimal %} - authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 -authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf --authsufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass - auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -auth[default=die] pam_faillock.so authfail --{% endif %} {% if krb5 %} account [success=1 default=ignore] pam_krb5.so {{ krb5_params }} diff --cc templates/system-login.tpl index 889c2d7,bb4f093..25843f5 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@@ -1,7 -1,12 +1,13 @@@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth + + {% if not minimal %} + authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf + authsufficient pam_unix.so nullok try_first_pass + auth[default=die] pam_faillock.so authfail + {% endif %} + account requiredpam_access.so {{ debug|default('', true) }} account requiredpam_nologin.so account include system-auth
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 949722adbb7187b68f392164865a964610221604 Author: Sam James gentoo org> AuthorDate: Sun Oct 11 20:48:41 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 14:32:12 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=949722ad templates/system-session.tpl: include pam_krb5.so module name Signed-off-by: Sam James gentoo.org> templates/system-session.tpl | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/system-session.tpl b/templates/system-session.tpl index 1538429..ce3afa5 100644 --- a/templates/system-session.tpl +++ b/templates/system-session.tpl @@ -5,12 +5,9 @@ sessionoptionalpam_mktemp.so {% endif %} {%if krb5 %} -session[success=1 default=ignore] {{ krb5_params }} +session[success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %} sessionrequiredpam_unix.so {{ debug|default('', true) }} -{%if krb5 %} -session [success=1 default=ignore] {{ krb5_params }} -{% endif %} sessionoptionalpam_permit.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 37a3f41da6fa3136c46c9d76a18ad36f4f680303 Author: Sam James gentoo org> AuthorDate: Sun Oct 11 20:57:19 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 14:32:12 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=37a3f41d templates/system-login.tpl: move systemd, elogind blocks here Signed-off-by: Sam James gentoo.org> templates/system-auth.tpl | 8 templates/system-login.tpl | 8 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 46fc131..f8484f1 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -47,14 +47,6 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so {% endif %} -{% if systemd %} --sessionoptionalpam_systemd.so -{% endif %} - -{% if elogind %} --sessionoptionalpam_elogind.so -{% endif %} - {% if libcap %} -sessionoptionalpam_libcap.so {% endif %} diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 99801a1..889c2d7 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -32,3 +32,11 @@ session optionalpam_motd.so motd=/etc/motd {% if not minimal %} sessionoptionalpam_mail.so {% endif %} + +{% if systemd %} +-sessionoptionalpam_systemd.so +{% endif %} + +{% if elogind %} +-sessionoptionalpam_elogind.so +{% endif %}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: da499cca70c5e77c851c5f75440df188fe2eeabe Author: Sam James gentoo org> AuthorDate: Sun Oct 11 20:55:39 2020 + Commit: Sam James gentoo org> CommitDate: Mon Oct 12 14:32:12 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=da499cca templates/system-login.tpl: remove duplicate block from system-auth Bug: https://bugs.gentoo.org/747868 Signed-off-by: Sam James gentoo.org> templates/system-login.tpl | 5 - 1 file changed, 5 deletions(-) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index d51481b..99801a1 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -1,11 +1,6 @@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth -{% if not minimal %} -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 -authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -{% endif %} accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so
[gentoo-commits] proj/pambase:master commit in: templates/
commit: b54edff3a6724bba19fd803042909cc448d169fd Author: Mikle Kolyada gentoo org> AuthorDate: Sat Oct 10 15:35:39 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sat Oct 10 15:37:14 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b54edff3 switch pam_faillock.so to its config file Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 4 ++-- templates/system-login.tpl | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 46fc131..1bb53ae 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -10,9 +10,9 @@ auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so {% if not minimal %} -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf authsufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +auth[default=die] pam_faillock.so authfail {% endif %} {% if krb5 %} diff --git a/templates/system-login.tpl b/templates/system-login.tpl index d51481b..bb4f093 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -2,9 +2,9 @@ authrequiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth {% if not minimal %} -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authrequiredpam_faillock.so preauth conf=/etc/security/faillock.conf authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +auth[default=die] pam_faillock.so authfail {% endif %} accountrequiredpam_access.so {{ debug|default('', true) }}
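Review bot: Dropping `silent audit deny=3 unlock_time=600` from the faillock lines in both templates moves the whole lockout policy into `/etc/security/faillock.conf`, a file this commit neither ships nor changes. `deny=3` and `unlock_time=600` match the module's documented defaults, but `silent` and `audit` are off unless the configuration file enables them, so after this change the preauth step may tell the user that an account is locked and attempts against unknown user names may no longer be logged. That should be confirmed against the faillock.conf that gets installed, and recorded in the template, e.g. `{# lockout policy (deny, unlock_time, silent, audit) is set in /etc/security/faillock.conf #}`.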
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 46e6f29b1f9b7edd9541382fddd9b0837900e649 Author: Mikle Kolyada gentoo org> AuthorDate: Sun Sep 13 09:59:15 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Sep 13 10:00:50 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=46e6f29b system-auth: introduce pam_pwhistory Signed-off-by: Mikle Kolyada gentoo.org> pambase.py| 1 + templates/system-auth.tpl | 4 2 files changed, 5 insertions(+) diff --git a/pambase.py b/pambase.py index 83ee97c..de5dddb 100755 --- a/pambase.py +++ b/pambase.py @@ -10,6 +10,7 @@ def main(): parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') +parser.add_argument('--pwhistory', action="store_true", help='enable pam_pwhistory.so module') parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 0381e66..46fc131 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -32,6 +32,10 @@ password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf passwordrequiredpam_pwquality.so {% endif %} +{% if pwhistory %} +passwordrequiredpam_pwhistory.so use_authtok remember=5 retry=3 +{% endif %} + {% if krb5 %} password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
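Review bot: `pam_pwhistory.so` is stacked with an unconditional `use_authtok`, which makes it rely on a new password set by an earlier module, yet the passwdqc and pwquality blocks above it are both optional. When `--pwhistory` is enabled without `--passwdqc` or `--pwquality`, nothing has set the token and password changes would presumably fail. The option should follow those flags, e.g. `password required pam_pwhistory.so {% if passwdqc or pwquality %}use_authtok{% endif %} remember=5 retry=3`.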
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 1b7c7f7678a6402a0b0aec80b3883fd98516be4e Author: Mikle Kolyada gentoo org> AuthorDate: Wed Sep 9 16:32:10 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Sep 9 16:32:10 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1b7c7f76 system-auth: switch password modules to configs * pam_passwdqc.so can by managed by the /etc/security/passwdqc.conf * pam_pwquality.so can be managed by the /etc/security/pwquality.conf Both allow users to create their own password polices without touching files in the /etc/pam.d directory Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 69cc472..0381e66 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -25,11 +25,11 @@ account requiredpam_faillock.so {% endif %} {% if passwdqc %} -password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 +password requiredpam_passwdqc.so config=/etc/security/passwdqc.conf {% endif %} {% if pwquality %} -passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root +passwordrequiredpam_pwquality.so {% endif %} {% if krb5 %}
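Review bot: Removing the inline arguments from `pam_passwdqc.so` and `pam_pwquality.so` means the password policy now comes entirely from `/etc/security/passwdqc.conf` and `/etc/security/pwquality.conf`, and this commit changes only the template. Unless those files carry equivalent settings, options such as `enforce_for_root`, `retry=3` and the credit requirements fall back to the modules' own defaults on upgrade. The behaviour when `config=/etc/security/passwdqc.conf` points at a missing file also needs checking. A template comment such as `{# policy is set in /etc/security/pwquality.conf; module defaults apply if it is absent #}` would make the dependency explicit.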
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: ed4f15348fa950b02016154790bb6d180cccf5f9 Author: Mikle Kolyada gentoo org> AuthorDate: Mon Aug 17 07:30:39 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Mon Aug 17 07:30:39 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ed4f1534 make pam_gnome_keyring optional Signed-off-by: Mikle Kolyada gentoo.org> pambase.py | 143 ++- templates/passwd.tpl | 5 +- 2 files changed, 76 insertions(+), 72 deletions(-) diff --git a/pambase.py b/pambase.py index 07e458d..83ee97c 100755 --- a/pambase.py +++ b/pambase.py 
@@ -6,96 +6,97 @@ import pathlib def main(): - parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') - parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') - parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') - parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') - parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') - parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') - parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') - parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') - parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') - parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') - parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') - parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') - parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack') - parser.add_argument('--debug', action="store_true", help='enable debug for selected modules') - parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module') - - parsed_args = parser.parse_args() - processed = process_args(parsed_args) - - parse_templates(processed) +parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') +parser.add_argument('--gnome-keyring', action="store_true", help='enable pam_gnome_keyring.so module') +parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') +parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') +parser.add_argument('--pwquality', action="store_true", 
help='enable pam_pwquality.so module') +parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') +parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') +parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') +parser.add_argument('--mktemp', action="store_true", help='enable pam_mktemp.so module') +parser.add_argument('--pam-ssh', action="store_true", help='enable pam_ssh.so module') +parser.add_argument('--securetty', action="store_true", help='enable pam_securetty.so module') +parser.add_argument('--sha512', action="store_true", help='enable sha512 option for pam_unix.so module') +parser.add_argument('--krb5', action="store_true", help='enable pam_krb5.so module') +parser.add_argument('--minimal', action="store_true", help='install minimalistic PAM stack') +parser.add_argument('--debug', action="store_true", help='enable debug for selected modules') +parser.add_argument('--nullok', action="store_true", help='enable nullok option for pam_unix.so module') + +parsed_args = parser.parse_args() +processed = process_args(parsed_args) + +parse_templates(processed) def process_args(args): - # make sure that output directory exists - pathlib.Path("stack").mkdir(parents=True, exist_ok=True) +# make sure that output directory exists +pathlib.Path("stack").mkdir(parents=True, exist_ok=True) - blank_variables = [ - "krb5_authtok", - "unix_authtok", - "unix_extended_encryption", - "likeauth", - "nullok" - ] +blank_variables = [ +"krb5_authtok", +"unix_authtok", +"unix_extended_encryption", +"likeauth", +"nullok" +] - # create a blank dictionary - # then add in our parsed args - output = dict.fromkeys(blank_variables, "") - output.update(vars(args)) +# create a blank dictionary +# then add in our parsed args +output = dict.fromkeys(blank_variables, "") +output.update(vars(args)) - # unconditional variables -
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: 1e2706575348150992737c5415df36f6517b20fe Author: Mikle Kolyada gentoo org> AuthorDate: Sat Aug 15 08:44:57 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Sat Aug 15 08:50:19 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=1e270657 Add pam_pwquality.so support Signed-off-by: Mikle Kolyada gentoo.org> pambase.py| 1 + templates/system-auth.tpl | 4 2 files changed, 5 insertions(+) diff --git a/pambase.py b/pambase.py index d021b81..07e458d 100755 --- a/pambase.py +++ b/pambase.py @@ -9,6 +9,7 @@ def main(): parser = argparse.ArgumentParser(description='basic Gentoo PAM configuration files') parser.add_argument('--libcap', action="store_true", help='enable pam_caps.so module') parser.add_argument('--passwdqc', action="store_true", help='enable pam_passwdqc.so module') + parser.add_argument('--pwquality', action="store_true", help='enable pam_pwquality.so module') parser.add_argument('--elogind', action="store_true", help='enable pam_elogind.so module') parser.add_argument('--systemd', action="store_true", help='enable pam_systemd.so module') parser.add_argument('--selinux', action="store_true", help='enable pam_selinux.so module') diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 298e45c..69cc472 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -28,6 +28,10 @@ account requiredpam_faillock.so password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 {% endif %} +{% if pwquality %} +passwordrequiredpam_pwquality.so retry=3 minlen=8 lcredit=2 ucredit=2 dcredit=2 ocredit=2 difok=3 enforce_for_root +{% endif %} + {% if krb5 %} password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} {% endif %}
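Review bot: In the templates/system-auth.tpl hunk, `lcredit=2 ucredit=2 dcredit=2 ocredit=2` are positive values, and in pam_pwquality a positive credit is a length bonus for that character class rather than a requirement, so these options let passwords shorter than `minlen=8` pass. If the intent is to require character classes the values need to be negative, e.g. `minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1`; if only a length floor is wanted, set the credits to `0`. The new block is also independent of the passwdqc block above it (whose opening `{% if %}` is outside the hunk), so passing both flags stacks two strength checkers; rejecting that combination in pambase.py would be cleaner.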
[gentoo-commits] proj/pambase:master commit in: templates/, /
commit: ca96d2bc6bbcf860d12b9d610509c155029fe3cc Author: Sam James gentoo org> AuthorDate: Thu Aug 6 22:46:40 2020 + Commit: Sam James gentoo org> CommitDate: Thu Aug 6 22:46:40 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=ca96d2bc pambase.py: rename system-service -> system-services Some of e.g. OpenRC's installed pam files assume 'system-services': ./supervise-daemon:2:session include system-services ./start-stop-daemon:2:session include system-services Signed-off-by: Sam James gentoo.org> pambase.py| 2 +- templates/{system-service.tpl => system-services.tpl} | 0 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/pambase.py b/pambase.py index 8f04870..d021b81 100755 --- a/pambase.py +++ b/pambase.py @@ -78,7 +78,7 @@ def parse_templates(processed_args): "su", "system-auth", "system-login", - "system-service" + "system-services" ] for template_name in templates: diff --git a/templates/system-service.tpl b/templates/system-services.tpl similarity index 100% rename from templates/system-service.tpl rename to templates/system-services.tpl
[gentoo-commits] proj/pambase:master commit in: /
commit: e879759fba8edeffa2492a0dfcbe9c48570a684b Author: Sam James gentoo org> AuthorDate: Wed Aug 5 06:12:09 2020 + Commit: Sam James gentoo org> CommitDate: Wed Aug 5 06:13:04 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e879759f pambase.py: strip trailing whitespace in stack Signed-off-by: Sam James gentoo.org> pambase.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pambase.py b/pambase.py index 9765778..8f04870 100755 --- a/pambase.py +++ b/pambase.py @@ -89,7 +89,7 @@ def parse_templates(processed_args): # Strip all intermediate lines to not worry about appeasing Jinja lines = rendered_template.split("\n") - lines = [line for line in lines if line] + lines = [line.strip() for line in lines if line] rendered_template = "\n".join(lines) if rendered_template:
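Review bot: The filter in parse_templates still tests the unstripped string, `if line`, so a line holding only spaces or tabs passes the filter and is then turned into an empty line by `.strip()`, which is what the blank-line removal was meant to prevent. `.strip()` also removes leading whitespace, while the commit title speaks of trailing whitespace only. Suggested: `lines = [line.rstrip() for line in lines if line.strip()]`. parse_templates starts and ends outside the hunk.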
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 4e5e41c2e5607a298f30f679aa7ba8c4994033e3 Author: Sam James gentoo org> AuthorDate: Wed Aug 5 06:10:02 2020 + Commit: Sam James gentoo org> CommitDate: Wed Aug 5 06:10:16 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=4e5e41c2 templates/*: remove unnecessary strips Now obsolete as of 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c. Signed-off-by: Sam James gentoo.org> templates/login.tpl | 4 ++-- templates/system-auth.tpl| 44 ++-- templates/system-login.tpl | 28 ++-- templates/system-session.tpl | 12 ++-- 4 files changed, 44 insertions(+), 44 deletions(-) diff --git a/templates/login.tpl b/templates/login.tpl index 7476cb7..23e262a 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -1,6 +1,6 @@ -{% if securetty -%} +{% if securetty %} auth requiredpam_securetty.so -{% endif -%} +{% endif %} auth include system-local-login accountinclude system-local-login diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index e8a6d91..298e45c 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl 
@@ -1,54 +1,54 @@ auth requiredpam_env.so {{ debug|default('', true) }} -{% if pam_ssh -%} +{% if pam_ssh %} auth sufficient pam_ssh.so -{% endif -%} +{% endif %} -{% if krb5 -%} +{% if krb5 %} auth[success=1 default=ignore] pam_krb5.so {{ krb5_params }} -{% endif -%} +{% endif %} auth requiredpam_unix.so try_first_pass {{ likeauth }} {{ nullok|default('', true) }} {{ debug|default('', true) }} auth optionalpam_permit.so -{% if not minimal -%} +{% if not minimal %} authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 authsufficient pam_unix.so {{ nullok|default('', true) }} try_first_pass auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -{% endif -%} +{% endif %} -{% if krb5 -%} +{% if krb5 %} account[success=1 default=ignore] pam_krb5.so {{ krb5_params }} -{% endif -%} +{% endif %} accountrequiredpam_unix.so {{ debug|default('', true) }} accountoptionalpam_permit.so -{% if not minimal -%} +{% if not minimal %} account requiredpam_faillock.so -{% endif -%} +{% endif %} -{% if passwdqc -%} +{% if passwdqc %} password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 -{% endif -%} +{% endif %} -{% if krb5 -%} +{% if krb5 %} password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} -{% endif -%} +{% endif %} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} password optionalpam_permit.so -{%- if pam_ssh %} +{% if pam_ssh %} sessionoptionalpam_ssh.so -{% endif -%} +{% endif %} -{% if systemd -%} +{% if systemd %} -sessionoptionalpam_systemd.so -{% endif -%} +{% endif %} -{% if elogind -%} +{% if elogind %} -sessionoptionalpam_elogind.so -{% endif -%} +{% endif %} -{% if libcap -%} +{% if libcap %} -sessionoptionalpam_libcap.so -{% endif -%} +{% endif %} {% include "templates/system-session.tpl" %} 
diff --git a/templates/system-login.tpl b/templates/system-login.tpl index d8df530..d51481b 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -1,39 +1,39 @@ auth requiredpam_shells.so {{ debug|default('', true) }} auth requiredpam_nologin.so auth include system-auth -{% if not minimal -%} +{% if not minimal %} authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 authsufficient pam_unix.so nullok try_first_pass auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -{% endif -%} +{% endif %} accountrequiredpam_access.so {{ debug|default('', true) }} accountrequiredpam_nologin.so accountinclude system-auth -{% if not minimal -%} +{% if not minimal %} account requiredpam_faillock.so -{% endif -%} +{% endif %} password include system-auth session optionalpam_loginuid.so -{% if selinux -%} +{% if selinux %} sessionrequiredpam_selinux.so close -{% endif -%} +{% endif %} sessionrequiredpam_env.so envfile=/etc/profile.env {{ debug|default('', true) }} -{% if not minimal -%} +{% if not minimal %} sessionoptionalpam_lastlog.so silent {{
[gentoo-commits] proj/pambase:master commit in: /
commit: 732fb3bbfd7d007fdca78dd4587f1a7bd34bfa6c Author: Sam James gentoo org> AuthorDate: Wed Aug 5 06:02:52 2020 + Commit: Sam James gentoo org> CommitDate: Wed Aug 5 06:03:49 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=732fb3bb pambase.py: strip all blank lines It's simpler to do this in pambase.py than with Jinja 2, at least for now. Signed-off-by: Sam James gentoo.org> pambase.py | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pambase.py b/pambase.py index 1ebafbe..9765778 100755 --- a/pambase.py +++ b/pambase.py @@ -67,7 +67,7 @@ def process_args(args): def parse_templates(processed_args): load = FileSystemLoader('') - env = Environment(loader=load) + env = Environment(loader=load, trim_blocks=True, lstrip_blocks=True, keep_trailing_newline=True) templates = [ "login", @@ -87,6 +87,11 @@ def parse_templates(processed_args): with open('stack/{0}'.format(template_name), "w+") as output: rendered_template = template.render(processed_args) + # Strip all intermediate lines to not worry about appeasing Jinja + lines = rendered_template.split("\n") + lines = [line for line in lines if line] + rendered_template = "\n".join(lines) + if rendered_template: output.write(rendered_template + "\n")
[gentoo-commits] proj/pambase:master commit in: templates/
commit: acd1f9046c8d79ba5e232043131f6c9842d357e7 Author: Mikle Kolyada gentoo org> AuthorDate: Tue Aug 4 13:35:41 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Aug 4 13:35:41 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=acd1f904 fix pam_ssh formatting Signed-off-by: Mikle Kolyada gentoo.org> templates/system-auth.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl index 13f5c0d..e8a6d91 100644 --- a/templates/system-auth.tpl +++ b/templates/system-auth.tpl @@ -35,7 +35,7 @@ password [success=1 default=ignore] pam_krb5.so {{ krb5_params }} password requiredpam_unix.so try_first_pass {{ unix_authtok|default('', true) }} {{ nullok|default('', true) }} {{ unix_extended_encryption|default('', true) }} {{ debug|default('', true) }} password optionalpam_permit.so -{%- if pam_ssh -%} +{%- if pam_ssh %} sessionoptionalpam_ssh.so {% endif -%}
[gentoo-commits] proj/pambase:master commit in: templates/
commit: 7f7b677eca0487d304e114714890feadae06b9a2 Author: Mikle Kolyada gentoo org> AuthorDate: Tue Aug 4 12:41:04 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Aug 4 12:41:04 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7f7b677e fix a typo in logic Signed-off-by: Mikle Kolyada gentoo.org> templates/system-login.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/system-login.tpl b/templates/system-login.tpl index 2f404bc..d8df530 100644 --- a/templates/system-login.tpl +++ b/templates/system-login.tpl @@ -21,7 +21,7 @@ session requiredpam_selinux.so close {% endif -%} sessionrequiredpam_env.so envfile=/etc/profile.env {{ debug|default('', true) }} -{% if not miniaml -%} +{% if not minimal -%} sessionoptionalpam_lastlog.so silent {{ debug|default('', true) }} {% endif -%} sessioninclude system-auth
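Review bot: The misspelt name `miniaml` in templates/system-login.tpl rendered without any error, presumably because Jinja's default undefined type evaluates as false, so `not miniaml` was always true and the `pam_lastlog.so` line was emitted even for `--minimal` builds. The fix is right, but nothing stops the next misspelt flag from silently enabling or disabling a PAM module. Consider constructing the environment in pambase.py with `undefined=StrictUndefined` so that an unknown template variable aborts generation; the `default('', true)` filters used in these templates keep working with it. That change belongs outside this hunk.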
[gentoo-commits] proj/pambase:master commit in: /, templates/
commit: 405452a4aa5a9ae06169b0aa1c394a4cae9c1c5c Author: Mikle Kolyada gentoo org> AuthorDate: Tue Aug 4 11:20:43 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Aug 4 11:20:43 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=405452a4 New pambase era pambase was simplified and rewritten in python Signed-off-by: Mikle Kolyada gentoo.org> .gitignore | 12 +-- LICENSE| 23 ++ Makefile | 96 -- README | 8 -- basic-conf | 52 linux-pam-conf | 26 -- login.in | 10 --- other.in | 4 - pambase.py | 95 + su.in | 11 --- system-auth.in | 57 - system-login.in| 58 - system-session.inc | 25 -- templates/login.tpl| 9 ++ templates/other.tpl| 4 + passwd.in => templates/passwd.tpl | 4 +- templates/su.tpl | 8 ++ templates/system-auth.tpl | 54 .../system-local-login.tpl | 0 templates/system-login.tpl | 39 + .../system-remote-login.tpl| 0 system-services.in => templates/system-service.tpl | 6 +- templates/system-session.tpl | 16 23 files changed, 252 insertions(+), 365 deletions(-) diff --git a/.gitignore b/.gitignore index 2c63905..844c82f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,10 +1,2 @@ -login -passwd -su -system-auth -system-login -system-local-login -system-remote-login -system-services -other -pambase-*.tar.bz2 +stack/ +.idea/ diff --git a/LICENSE b/LICENSE new file mode 100644 index 000..6e891ee --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,23 @@ +MIT License + +Copyright (c) 2020 Mikhail Koliada +Copyright (c) 2020 Sam James +Copyright (c) 2020 Gentoo Authors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/Makefile b/Makefile deleted file mode 100644 index 941edfb..000 --- a/Makefile +++ /dev/null 
@@ -1,96 +0,0 @@ -# Reset this to 'cpp' so it gets traditional syntax; cc -E will not work -# properly. -CPP=cpp - -# The pam.d file to create -PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other - -# command for git (the DVCS); set this to "true" to ignore GIT support -# (i.e.: in the ebuild) -GIT=git - -PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION) - -ifeq "$(PASSWDQC)" "yes" -PAMFLAGS += -DHAVE_PASSWDQC=1 -endif - -ifeq "$(CONSOLEKIT)" "yes" -PAMFLAGS += -DHAVE_CONSOLEKIT=1 -endif - -ifeq "$(SYSTEMD)" "yes" -PAMFLAGS += -DHAVE_SYSTEMD=1 -endif - -ifeq "$(ELOGIND)" "yes" -PAMFLAGS += -DHAVE_ELOGIND=1 -endif - -ifeq "$(GNOME_KEYRING)" "yes" -PAMFLAGS += -DHAVE_GNOME_KEYRING=1 -endif - -ifeq "$(SECURETTY)" "yes" -PAMFLAGS += -DHAVE_SECURETTY=1 -endif - -ifeq "$(SELINUX)" "yes" -PAMFLAGS += -DHAVE_SELINUX=1 -endif - -ifeq "$(MKTEMP)" "yes" -PAMFLAGS += -DHAVE_MKTEMP=1 -endif - -ifeq "$(PAM_SSH)" "yes" -PAMFLAGS += -DHAVE_PAM_SSH=1 -endif - -ifeq "$(KRB5)" "yes" -PAMFLAGS += -DHAVE_KRB5=1 -endif - -ifeq "$(NULLOK)" "yes" -PAMFLAGS += -DWANT_NULLOK=1 -endif - -ifeq "$(SHA512)" "yes" -PAMFLAGS += -DWANT_SHA512=1 -endif - -ifeq "$(DEBUG)" "yes" -PAMFLAGS += -DDEBUG=debug -endif - -ifeq "$(MINIMAL)" "yes" -PAMFLAGS += -DMINIMAL -endif - -ifeq "$(LIBCAP)" "yes" -PAMFLAGS +=
[gentoo-commits] proj/pambase:master commit in: /
commit: 75cd44e94032b13bba41539737d6ac63623217e1 Author: Mikle Kolyada gentoo org> AuthorDate: Thu Jun 18 10:02:10 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Thu Jun 18 10:08:38 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=75cd44e9 move faillock last in auth Signed-off-by: Mikle Kolyada gentoo.org> system-auth.in | 12 ++-- system-login.in | 11 ++- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/system-auth.in b/system-auth.in index 6eea7bc..9ae09e4 100644 --- a/system-auth.in +++ b/system-auth.in @@ -2,12 +2,6 @@ auth requiredpam_env.so DEBUG #endif -#if HAVE_FAILLOCK -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 -authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -#endif - #if HAVE_PAM_SSH auth sufficient pam_ssh.so #endif @@ -18,6 +12,12 @@ auth requiredpam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ auth optionalpam_permit.so +#if HAVE_FAILLOCK +authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authsufficient pam_unix.so nullok try_first_pass +auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +#endif + #if HAVE_KRB5 accountKRB5_CONTROLpam_krb5.so KRB5_PARAMS #endif diff --git a/system-login.in b/system-login.in index 9e82d60..ee03613 100644 --- a/system-login.in +++ b/system-login.in @@ -1,8 +1,3 @@ -#if HAVE_FAILLOCK -authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 -authsufficient pam_unix.so nullok try_first_pass -auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 -#endif #if HAVE_SHELLS auth requiredpam_shells.so DEBUG 
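Review bot: After this move the `pam_faillock.so preauth` line in system-auth.in runs after `auth required pam_unix.so`, whereas pam_faillock's documented layout puts `preauth` before the password module and only `authfail` after it; as written the password of a locked account is still evaluated first, and pam_unix is consulted twice per attempt. system-login.in (both hunks, the second one placed after `auth include system-auth`) repeats the same three lines that system-auth.in already contains, so a login may pass through the faillock block twice; confirm that one bad password is not counted twice against `deny=3`. The `sufficient` line still hard-codes `nullok` instead of the `NULLOK` macro used on the `required` pam_unix line, and the same applies to the 3a158ca2 hunks further down the page. I would keep `auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600` ahead of pam_unix, move only the `authfail` line down, and drop the duplicate block from system-login.in.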
@@ -12,6 +7,12 @@ auth requiredpam_nologin.so DEBUG_NOLOGIN #endif auth include system-auth +#if HAVE_FAILLOCK +authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authsufficient pam_unix.so nullok try_first_pass +auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +#endif + #if HAVE_ACCESS accountrequiredpam_access.so DEBUG #endif
[gentoo-commits] proj/pambase:master commit in: /
commit: 01ba73d907c3644f9c47179c5407bb7674644e3b Author: Mikle Kolyada gentoo org> AuthorDate: Wed Jun 17 18:28:53 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Jun 17 18:28:53 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=01ba73d9 fix a typo Signed-off-by: Mikle Kolyada gentoo.org> system-auth.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-auth.in b/system-auth.in index 6067ea1..6eea7bc 100644 --- a/system-auth.in +++ b/system-auth.in @@ -2,7 +2,7 @@ auth requiredpam_env.so DEBUG #endif -#if HAVE_FAILOCK +#if HAVE_FAILLOCK authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 authsufficient pam_unix.so nullok try_first_pass auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
[gentoo-commits] proj/pambase:master commit in: /
commit: 3a158ca2ba9220bc82ac2d76f3dd6aff50511ab1 Author: Mikle Kolyada gentoo org> AuthorDate: Tue Jun 16 16:25:38 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Jun 16 16:25:38 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=3a158ca2 iprove faillock support Signed-off-by: Mikle Kolyada gentoo.org> system-auth.in | 11 +++ system-login.in | 8 ++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/system-auth.in b/system-auth.in index dbb6971..6067ea1 100644 --- a/system-auth.in +++ b/system-auth.in @@ -1,6 +1,13 @@ #if HAVE_ENV auth requiredpam_env.so DEBUG #endif + +#if HAVE_FAILOCK +authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authsufficient pam_unix.so nullok try_first_pass +auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 +#endif + #if HAVE_PAM_SSH auth sufficient pam_ssh.so #endif @@ -18,6 +25,10 @@ account requiredpam_unix.so DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ accountoptionalpam_permit.so +#if HAVE_FAILLOCK +account requiredpam_faillock.so +#endif + #if HAVE_PASSWDQC password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 #endif diff --git a/system-login.in b/system-login.in index d93d926..9e82d60 100644 --- a/system-login.in +++ b/system-login.in @@ -1,6 +1,9 @@ #if HAVE_FAILLOCK -auth requiredpam_faillock.so dir=/var/log deny=3 +authrequiredpam_faillock.so preauth silent audit deny=3 unlock_time=600 +authsufficient pam_unix.so nullok try_first_pass +auth[default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 #endif + #if HAVE_SHELLS auth requiredpam_shells.so DEBUG #endif @@ -19,8 +22,9 @@ account requiredpam_login_access.so accountrequiredpam_nologin.so DEBUG_NOLOGIN #endif accountinclude system-auth + #if HAVE_FAILLOCK -accountrequiredpam_faillock.so dir=/var/log deny=3 +account requiredpam_faillock.so #endif password include system-auth
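Review bot: In the system-login.in hunk, `auth sufficient pam_unix.so nullok try_first_pass` now sits at the top of the auth stack, ahead of `pam_shells.so`, `pam_nologin.so` and `auth include system-auth`; a `sufficient` success with no earlier `required` failure ends the stack, so those later auth checks are skipped whenever pam_unix accepts the password. In system-auth.in the new auth block is guarded by `#if HAVE_FAILOCK` while the account block uses `#if HAVE_FAILLOCK`, so only the account half is rendered there. I would place the three faillock lines after `auth include system-auth` in system-login.in and correct the guard to `#if HAVE_FAILLOCK`.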
[gentoo-commits] proj/pambase:master commit in: /
commit: 7348fa57c7ada42820773f8c8b6f06f7181169ee Author: Mikle Kolyada gentoo org> AuthorDate: Wed Jun 10 11:32:46 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Jun 10 11:32:46 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7348fa57 New release - disable cracklib in favor of passwdqc - disable tally{,2} in favor of faillock Signed-off-by: Mikle Kolyada gentoo.org> Makefile| 4 basic-conf | 4 ++-- linux-pam-conf | 7 +-- system-auth.in | 3 --- system-login.in | 8 5 files changed, 7 insertions(+), 19 deletions(-) diff --git a/Makefile b/Makefile index 9afc842..f7e7653 100644 --- a/Makefile +++ b/Makefile @@ -11,10 +11,6 @@ GIT=git PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION) -ifeq "$(CRACKLIB)" "yes" -PAMFLAGS += -DHAVE_CRACKLIB=1 -endif - ifeq "$(PASSWDQC)" "yes" PAMFLAGS += -DHAVE_PASSWDQC=1 endif diff --git a/basic-conf b/basic-conf index 5ab72c0..7b1bf00 100644 --- a/basic-conf +++ b/basic-conf @@ -1,8 +1,8 @@ -// Only use_authtok (authentication token) when using cracklib or some other module +// Only use_authtok (authentication token) when using passwdqc or some other module // that checks for passwords, or pam_krb5 #define AUTHTOK use_authtok -#if HAVE_CRACKLIB || HAVE_PASSWDQC +#if HAVE_PASSWDQC # define PASSWORD_STRENGTH 1 #endif diff --git a/linux-pam-conf b/linux-pam-conf index ecd5697..962b2eb 100644 --- a/linux-pam-conf +++ b/linux-pam-conf @@ -12,12 +12,7 @@ # define HAVE_MOTD 1 # define HAVE_MAIL 1 # define HAVE_LASTLOG 1 - -# if LINUX_PAM_VERSION > 0x010100 /* 1.1.0 */ -# define TALLY_MODULE pam_tally2.so -# else -# define TALLY_MODULE pam_tally.so -# endif +# define HAVE_FAILLOCK 1 #endif diff --git a/system-auth.in b/system-auth.in index e65e4c2..dbb6971 100644 --- a/system-auth.in +++ b/system-auth.in 
@@ -18,9 +18,6 @@ account requiredpam_unix.so DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ accountoptionalpam_permit.so -#if HAVE_CRACKLIB -password requiredpam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 DEBUG -#endif #if HAVE_PASSWDQC password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 #endif diff --git a/system-login.in b/system-login.in index f159f10..d93d926 100644 --- a/system-login.in +++ b/system-login.in @@ -1,5 +1,5 @@ -#if defined(TALLY_MODULE) -auth requiredTALLY_MODULE onerr=succeed +#if HAVE_FAILLOCK +auth requiredpam_faillock.so dir=/var/log deny=3 #endif #if HAVE_SHELLS auth requiredpam_shells.so DEBUG @@ -19,8 +19,8 @@ account requiredpam_login_access.so accountrequiredpam_nologin.so DEBUG_NOLOGIN #endif accountinclude system-auth -#if defined(TALLY_MODULE) -accountrequiredTALLY_MODULE onerr=succeed DEBUG +#if HAVE_FAILLOCK +accountrequiredpam_faillock.so dir=/var/log deny=3 #endif password include system-auth
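Review bot: In the system-login.in hunks, `pam_faillock.so dir=/var/log deny=3` is used as a single `required` line in both the auth and the account stack with no `preauth`/`authfail`/`authsucc` mode, whereas pam_faillock's documentation describes the auth phase in terms of those modes; confirm that the module actually counts failures and locks in this form, otherwise replacing the tally module loses lockout altogether. `dir=/var/log` also puts the per-user tally files, which are named after the user, into the general log directory where they can collide with existing log files; the module's default directory is the safer choice. The removed lines carried `onerr=succeed`, so it is also worth checking how a tally-file error now affects logins.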
[gentoo-commits] proj/pambase:master commit in: /
commit: 59107e0a4fd0c266417d2c8f3082b4abb7b9c6ff Author: Mikle Kolyada gentoo org> AuthorDate: Wed Jun 10 11:48:30 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Jun 10 11:48:30 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=59107e0a Revert "allow clang-cpp" This reverts commit 4a97472903679c7d85ca391aeedaea3ce7797acf. Signed-off-by: Mikle Kolyada gentoo.org> Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f7e7653..941edfb 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # Reset this to 'cpp' so it gets traditional syntax; cc -E will not work # properly. -CPP?=cpp +CPP=cpp # The pam.d file to create PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
[gentoo-commits] proj/pambase:master commit in: /
commit: 4a97472903679c7d85ca391aeedaea3ce7797acf Author: Mikle Kolyada gentoo org> AuthorDate: Wed Apr 29 21:37:16 2020 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Apr 29 21:37:16 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=4a974729 allow clang-cpp Signed-off-by: Mikle Kolyada gentoo.org> Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 39f0082..9afc842 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ # Reset this to 'cpp' so it gets traditional syntax; cc -E will not work # properly. -CPP=cpp +CPP?=cpp # The pam.d file to create PAMD=login passwd su system-auth system-login system-local-login system-remote-login system-services other
[gentoo-commits] proj/pambase:master commit in: /
commit: 7eaf47da1d6cd18a8253c25213c34b16ae08e87f Author: David Seifert gentoo org> AuthorDate: Wed Mar 4 17:32:01 2020 + Commit: David Seifert gentoo org> CommitDate: Wed Mar 4 17:32:01 2020 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=7eaf47da Run pam_env.so after pam_systemd.so for better socket support * Running pam_systemd.so before setting user environment variables makes it possible for the user to use variables such as `XDG_RUNTIME_DIR` in their own definitions. Bug: https://bugs.gentoo.org/711450 Signed-off-by: David Seifert gentoo.org> system-auth.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-auth.in b/system-auth.in index 02d0e50..e65e4c2 100644 --- a/system-auth.in +++ b/system-auth.in @@ -34,7 +34,6 @@ password optionalpam_permit.so #if HAVE_PAM_SSH sessionoptionalpam_ssh.so #endif -#include "system-session.inc" #if HAVE_SYSTEMD -sessionoptionalpam_systemd.so @@ -47,3 +46,4 @@ session optionalpam_ssh.so #if HAVE_LIBCAP auth optionalpam_cap.so #endif +#include "system-session.inc"
[gentoo-commits] proj/pambase:master commit in: /
commit: b5eab4d5d631f6a7ccf311d751df4ca1aa68c0ba Author: Mikle Kolyada gentoo org> AuthorDate: Thu Nov 28 18:20:35 2019 + Commit: Mikle Kolyada gentoo org> CommitDate: Thu Nov 28 18:20:35 2019 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=b5eab4d5 handle envfile with pam_env.so Signed-off-by: Mikle Kolyada gentoo.org> pambase-20191115.tar.xz | Bin 3240 -> 0 bytes system-login.in | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/pambase-20191115.tar.xz b/pambase-20191115.tar.xz deleted file mode 100644 index 0b4f92e..000 Binary files a/pambase-20191115.tar.xz and /dev/null differ diff --git a/system-login.in b/system-login.in index 064c687..f159f10 100644 --- a/system-login.in +++ b/system-login.in @@ -32,7 +32,7 @@ session optionalpam_loginuid.so sessionrequiredpam_selinux.so close #endif #if HAVE_ENV -sessionrequiredpam_env.so DEBUG +sessionrequiredpam_env.so envfile=/etc/profile.env DEBUG #endif #if HAVE_LASTLOG sessionoptionalpam_lastlog.so silent DEBUG
[gentoo-commits] proj/pambase:master commit in: /
commit: d7bd5491a053af71349e5ede6a45ff5d34a48c91 Author: Mikle Kolyada gentoo org> AuthorDate: Wed Nov 27 09:26:56 2019 + Commit: Mikle Kolyada gentoo org> CommitDate: Wed Nov 27 09:26:56 2019 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=d7bd5491 fix libcap function call Signed-off-by: Mikle Kolyada gentoo.org> Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 94cc831..39f0082 100644 --- a/Makefile +++ b/Makefile @@ -72,7 +72,7 @@ PAMFLAGS += -DMINIMAL endif ifeq "$(LIBCAP)" "yes" -PAMFLAGS += -DLIBCAP +PAMFLAGS += -DHAVE_LIBCAP=1 endif all: $(PAMD)
[gentoo-commits] proj/pambase:master commit in: /
commit: dd74d9d2f442163353e56f4bd3cf4d0f24f6f1e4 Author: Mikle Kolyada gentoo org> AuthorDate: Sun Nov 24 14:35:41 2019 + Commit: Mikle Kolyada gentoo org> CommitDate: Sun Nov 24 14:35:41 2019 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=dd74d9d2 integrate libcap support Signed-off-by: Mikle Kolyada gentoo.org> Makefile| 4 pambase-20191115.tar.xz | Bin 0 -> 3240 bytes system-auth.in | 4 3 files changed, 8 insertions(+) diff --git a/Makefile b/Makefile index d036d84..94cc831 100644 --- a/Makefile +++ b/Makefile @@ -71,6 +71,10 @@ ifeq "$(MINIMAL)" "yes" PAMFLAGS += -DMINIMAL endif +ifeq "$(LIBCAP)" "yes" +PAMFLAGS += -DLIBCAP +endif + all: $(PAMD) install: $(PAMD) diff --git a/pambase-20191115.tar.xz b/pambase-20191115.tar.xz new file mode 100644 index 000..0b4f92e Binary files /dev/null and b/pambase-20191115.tar.xz differ diff --git a/system-auth.in b/system-auth.in index 4d588fb..02d0e50 100644 --- a/system-auth.in +++ b/system-auth.in @@ -43,3 +43,7 @@ session optionalpam_ssh.so #if HAVE_ELOGIND -sessionoptionalpam_elogind.so #endif + +#if HAVE_LIBCAP +auth optionalpam_cap.so +#endif
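Review bot: The Makefile hunk defines `-DLIBCAP`, but the new block in system-auth.in is guarded by `#if HAVE_LIBCAP`, so `LIBCAP=yes` never emits the `pam_cap.so` line; the flag should read `PAMFLAGS += -DHAVE_LIBCAP=1` like the other options. The `auth optional pam_cap.so` line is appended after the session entries at the end of system-auth.in, and its position relative to the earlier `sufficient` auth lines decides whether it runs at all, so it would be clearer to keep it with the other `auth` lines. The commit also adds the binary `pambase-20191115.tar.xz` to the tree, which looks unintended and cannot be reviewed as source.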
[gentoo-commits] proj/pambase:master commit in: /
commit: 306b4622648909158bac6ff5e315794fd8d5bd09 Author: Mikle Kolyada gentoo org> AuthorDate: Fri Nov 15 18:08:50 2019 + Commit: Mikle Kolyada gentoo org> CommitDate: Fri Nov 15 18:08:50 2019 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=306b4622 remove openpam support Signed-off-by: Mikle Kolyada gentoo.org> Makefile | 7 +-- openpam-conf | 24 2 files changed, 1 insertion(+), 30 deletions(-) diff --git a/Makefile b/Makefile index abd7008..d036d84 100644 --- a/Makefile +++ b/Makefile @@ -9,12 +9,7 @@ PAMD=login passwd su system-auth system-login system-local-login system-remote-l # (i.e.: in the ebuild) GIT=git -# Get this by default, even if I'd like avoid it... -ifeq "$(IMPLEMENTATION)" "" -IMPLEMENTATION=linux-pam -endif - -PAMFLAGS = -include $(IMPLEMENTATION)-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION) +PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION) ifeq "$(CRACKLIB)" "yes" PAMFLAGS += -DHAVE_CRACKLIB=1 diff --git a/openpam-conf b/openpam-conf deleted file mode 100644 index e38107c..000 --- a/openpam-conf +++ /dev/null @@ -1,24 +0,0 @@ -#if HAVE_CRACKLIB -# error "pam_cracklib is only supported with Linux-PAM" -#endif - -// OpenPAM only provides basic modules, it's FreeBSD that provides the -// extended modules, so check for FreeBSD building first. -#ifdef __FreeBSD__ -# define HAVE_LOGIN_ACCESS 1 -# define SUPPORT_UNIX_SESSION 0 - -# if defined(DEBUG) -# define DEBUG_NOLOGIN DEBUG -# else -# define DEBUG_NOLOGIN -# endif - -# define SUPPORT_NOLOGIN_ACCOUNT 1 -# define SUPPORT_NOLOGIN_AUTH 0 - -# if defined(WANT_SHA512) -# error "SHA512 support is not present for FreeBSD!" -# endif - -#endif /* __FreeBSD__ */
[gentoo-commits] proj/pambase:master commit in: /
commit: e10d88d10cfc7da664e66cf8c5a7bf297ea4b8f7 Author: Mikle Kolyada gentoo org> AuthorDate: Tue Apr 2 13:08:25 2019 + Commit: Mikle Kolyada gentoo org> CommitDate: Tue Apr 2 13:08:25 2019 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=e10d88d1 add vital patches into the sources Signed-off-by: Mikle Kolyada gentoo.org> Makefile| 4 passwd.in | 9 + system-auth.in | 4 system-login.in | 9 - 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index a459fd0..abd7008 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,10 @@ ifeq "$(SYSTEMD)" "yes" PAMFLAGS += -DHAVE_SYSTEMD=1 endif +ifeq "$(ELOGIND)" "yes" +PAMFLAGS += -DHAVE_ELOGIND=1 +endif + ifeq "$(GNOME_KEYRING)" "yes" PAMFLAGS += -DHAVE_GNOME_KEYRING=1 endif diff --git a/passwd.in b/passwd.in index 7eabf3d..248bb7c 100644 --- a/passwd.in +++ b/passwd.in @@ -1,6 +1,7 @@ -auth sufficient pam_rootok.so -auth include system-auth +auth sufficient pam_rootok.so +auth include system-auth -accountinclude system-auth +accountinclude system-auth -password include system-auth +password include system-auth +-password optionalpam_gnome_keyring.so UNIX_AUTHTOK diff --git a/system-auth.in b/system-auth.in index c729004..4d588fb 100644 --- a/system-auth.in +++ b/system-auth.in @@ -39,3 +39,7 @@ session optionalpam_ssh.so #if HAVE_SYSTEMD -sessionoptionalpam_systemd.so #endif + +#if HAVE_ELOGIND +-sessionoptionalpam_elogind.so +#endif diff --git a/system-login.in b/system-login.in index 137c40c..064c687 100644 --- a/system-login.in +++ b/system-login.in @@ -8,9 +8,6 @@ authrequiredpam_shells.so DEBUG auth requiredpam_nologin.so DEBUG_NOLOGIN #endif auth include system-auth -#if HAVE_GNOME_KEYRING -auth optionalpam_gnome_keyring.so -#endif #if HAVE_ACCESS accountrequiredpam_access.so DEBUG 
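Review bot: The added `-password optional pam_gnome_keyring.so UNIX_AUTHTOK` line in passwd.in is not wrapped in `#if HAVE_GNOME_KEYRING`, unlike the entries this commit removes from system-login.in. A build with GNOME_KEYRING unset therefore still hands the new password to that module whenever it happens to be installed, and the leading `-` only hides the case where it is missing. I would keep the guard, with `#if HAVE_GNOME_KEYRING` before the line and `#endif` after it, so the build option still decides which modules see the password. What `UNIX_AUTHTOK` expands to is defined outside this hunk.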
@@ -27,9 +24,6 @@ account requiredTALLY_MODULE onerr=succeed DEBUG #endif password include system-auth -#if HAVE_GNOME_KEYRING -password optionalpam_gnome_keyring.so -#endif #if HAVE_LOGINUID session optionalpam_loginuid.so @@ -51,9 +45,6 @@ session optionalpam_ck_connector.so nox11 # Note: modules that run in the user's context must come after this line. sessionrequiredpam_selinux.so multiple open #endif -#if HAVE_GNOME_KEYRING -sessionoptionalpam_gnome_keyring.so auto_start -#endif #if HAVE_MOTD sessionoptionalpam_motd.so motd=/etc/motd #endif
[gentoo-commits] proj/pambase:master commit in: /
commit: abf9fef20f1da54ca161616c059afd10449baced Author: Sven Vermeulen swift AT gentoo DOT org AuthorDate: Sun May 17 05:22:20 2015 + Commit: Mike Frysinger vapier AT gentoo DOT org CommitDate: Sun May 17 05:22:20 2015 + URL:https://gitweb.gentoo.org/proj/pambase.git/commit/?id=abf9fef2 system-login: fix nested selinux comment URL: https://bugs.gentoo.org/540096 system-login.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-login.in b/system-login.in index e630918..137c40c 100644 --- a/system-login.in +++ b/system-login.in @@ -48,7 +48,7 @@ session include system-auth sessionoptionalpam_ck_connector.so nox11 #endif #if HAVE_SELINUX -# Note: modules that run in the user's context must come after this line. + # Note: modules that run in the user's context must come after this line. sessionrequiredpam_selinux.so multiple open #endif #if HAVE_GNOME_KEYRING
[gentoo-commits] proj/pambase:master commit in: /
commit: 3013c8e7ab5aee1fa45a0fa6d662b37d08698530 Author: Mike Frysinger vapier AT gentoo DOT org AuthorDate: Sat Feb 14 03:26:41 2015 + Commit: Mike Frysinger vapier AT gentoo DOT org CommitDate: Sat Feb 14 03:26:41 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=3013c8e7 make securetty optional URL: https://bugs.gentoo.org/539508 --- Makefile | 4 login.in | 2 ++ 2 files changed, 6 insertions(+) diff --git a/Makefile b/Makefile index 574d0d1..339de62 100644 --- a/Makefile +++ b/Makefile @@ -36,6 +36,10 @@ ifeq $(GNOME_KEYRING) yes PAMFLAGS += -DHAVE_GNOME_KEYRING=1 endif +ifeq $(SECURETTY) yes +PAMFLAGS += -DHAVE_SECURETTY=1 +endif + ifeq $(SELINUX) yes PAMFLAGS += -DHAVE_SELINUX=1 endif diff --git a/login.in b/login.in index 14165a2..5067bc7 100644 --- a/login.in +++ b/login.in @@ -1,4 +1,6 @@ +#if HAVE_SECURETTY auth requiredpam_securetty.so +#endif auth include system-local-login accountinclude system-local-login
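Review bot: Guarding `pam_securetty.so` with `#if HAVE_SECURETTY` in login.in changes the default from on to off: a build that does not pass `SECURETTY=yes` now produces a login stack without the root-terminal restriction, and nothing in the generated file shows that it was left out. The Makefile test only matches the exact string `yes`, so a misspelled value has the same result. I would document the default next to the guard, e.g. `/* omitted unless built with SECURETTY=yes; without it root logins are not limited to /etc/securetty */`, and mention the changed default in the commit message.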
[gentoo-commits] proj/pambase:master commit in: /
commit: e8d14735cdcb7a7614eacc2d719737bf5144631c Author: Mike Frysinger vapier AT gentoo DOT org AuthorDate: Sat Feb 14 03:54:32 2015 + Commit: Mike Frysinger vapier AT gentoo DOT org CommitDate: Sat Feb 14 03:54:32 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=e8d14735 trim trailing whitespace --- su.in | 1 - system-auth.in | 6 +++--- system-login.in | 7 +++ 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/su.in b/su.in index 121bb9a..889ecfe 100644 --- a/su.in +++ b/su.in @@ -9,4 +9,3 @@ password include system-auth sessioninclude system-auth sessionrequired pam_env.so sessionoptionalpam_xauth.so - diff --git a/system-auth.in b/system-auth.in index 1f7ffbd..c729004 100644 --- a/system-auth.in +++ b/system-auth.in @@ -10,14 +10,14 @@ authKRB5_CONTROLpam_krb5.so KRB5_PARAMS auth requiredpam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ auth optionalpam_permit.so - + #if HAVE_KRB5 accountKRB5_CONTROLpam_krb5.so KRB5_PARAMS #endif accountrequiredpam_unix.so DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ accountoptionalpam_permit.so - + #if HAVE_CRACKLIB password requiredpam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 DEBUG #endif @@ -30,7 +30,7 @@ password KRB5_CONTROLpam_krb5.so KRB5_PARAMS password requiredpam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ password optionalpam_permit.so - + #if HAVE_PAM_SSH sessionoptionalpam_ssh.so #endif diff --git a/system-login.in b/system-login.in index 11ac032..d12dcd3 100644 --- a/system-login.in +++ b/system-login.in @@ -11,7 +11,7 @@ auth include system-auth #if HAVE_GNOME_KEYRING auth optionalpam_gnome_keyring.so #endif - + #if HAVE_ACCESS accountrequiredpam_access.so DEBUG #endif 
@@ -25,12 +25,12 @@ account include system-auth #if defined(TALLY_MODULE) accountrequiredTALLY_MODULE onerr=succeed DEBUG #endif - + password include system-auth #if HAVE_GNOME_KEYRING password optionalpam_gnome_keyring.so #endif - + #if HAVE_LOGINUID session optionalpam_loginuid.so #endif @@ -59,4 +59,3 @@ session optionalpam_motd.so motd=/etc/motd #if HAVE_MAIL sessionoptionalpam_mail.so #endif -
[gentoo-commits] proj/pambase:master commit in: /
commit: cb1915bf4f80282177ccb440e886943394803cb5 Author: Mike Frysinger vapier AT gentoo DOT org AuthorDate: Sat Feb 14 03:57:45 2015 + Commit: Mike Frysinger vapier AT gentoo DOT org CommitDate: Sat Feb 14 03:57:45 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=cb1915bf system-login: move pam_gnome_keyring after pam_selinux URL: https://bugs.gentoo.org/511600 --- system-login.in | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/system-login.in b/system-login.in index d12dcd3..e630918 100644 --- a/system-login.in +++ b/system-login.in @@ -47,12 +47,13 @@ session include system-auth #if HAVE_CONSOLEKIT sessionoptionalpam_ck_connector.so nox11 #endif -#if HAVE_GNOME_KEYRING -sessionoptionalpam_gnome_keyring.so auto_start -#endif #if HAVE_SELINUX +# Note: modules that run in the user's context must come after this line. sessionrequiredpam_selinux.so multiple open #endif +#if HAVE_GNOME_KEYRING +sessionoptionalpam_gnome_keyring.so auto_start +#endif #if HAVE_MOTD sessionoptionalpam_motd.so motd=/etc/motd #endif
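Review bot: The added `# Note: modules that run in the user's context must come after this line.` starts with `#` in column 1 inside a file that is run through cpp, so when `HAVE_SELINUX` is set the preprocessor will try to read it as a directive rather than pass it through. system-auth.in in this repository uses `/* ... */` for such remarks, which cpp removes cleanly; I would write `/* modules that run in the user's context must come after pam_selinux open */` instead. The ordering constraint itself is worth keeping visible, since it is the reason for the move.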
[gentoo-commits] proj/pambase:master commit in: /
commit: adef1185caa1f372420d6dd71d4968115ae0e3bf Author: Mike Frysinger vapier AT gentoo DOT org AuthorDate: Sat Feb 14 03:34:50 2015 + Commit: Mike Frysinger vapier AT gentoo DOT org CommitDate: Sat Feb 14 03:34:50 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=adef1185 make nullok into a build time option --- Makefile | 4 basic-conf | 6 ++ system-auth.in | 4 ++-- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 339de62..a459fd0 100644 --- a/Makefile +++ b/Makefile @@ -56,6 +56,10 @@ ifeq $(KRB5) yes PAMFLAGS += -DHAVE_KRB5=1 endif +ifeq $(NULLOK) yes +PAMFLAGS += -DWANT_NULLOK=1 +endif + ifeq $(SHA512) yes PAMFLAGS += -DWANT_SHA512=1 endif diff --git a/basic-conf b/basic-conf index eaa1cb0..5ab72c0 100644 --- a/basic-conf +++ b/basic-conf @@ -29,6 +29,12 @@ #define LIKEAUTH #endif +#if WANT_NULLOK +#define NULLOK nullok +#else +#define NULLOK +#endif + #define KRB5_PARAMS DEBUG ignore_root try_first_pass /* By using the extended Linux-PAM syntax for this, it is possible to diff --git a/system-auth.in b/system-auth.in index 43df701..1f7ffbd 100644 --- a/system-auth.in +++ b/system-auth.in @@ -7,7 +7,7 @@ authsufficient pam_ssh.so #if HAVE_KRB5 auth KRB5_CONTROLpam_krb5.so KRB5_PARAMS #endif -auth requiredpam_unix.so try_first_pass LIKEAUTH nullok DEBUG +auth requiredpam_unix.so try_first_pass LIKEAUTH NULLOK DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ auth optionalpam_permit.so @@ -27,7 +27,7 @@ password requiredpam_passwdqc.so min=8,8,8,8,8 retry=3 #if HAVE_KRB5 password KRB5_CONTROLpam_krb5.so KRB5_PARAMS #endif -password requiredpam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG +password requiredpam_unix.so try_first_pass UNIX_AUTHTOK NULLOK UNIX_EXTENDED_ENCRYPTION DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ password optionalpam_permit.so
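Review bot: The new `NULLOK` macro in basic-conf has no comment, although it decides whether pam_unix accepts accounts with an empty password field on both the `auth` and the `password` line of system-auth.in. I would add above the `#if WANT_NULLOK` block something like `/* nullok: allow accounts with an empty password; leave WANT_NULLOK unset unless such accounts are required */`. Since the option was previously hard-coded, builds that do not pass `NULLOK=yes` change behaviour for existing empty-password accounts, which deserves a line in the commit message.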
[gentoo-commits] proj/pambase:master commit in: /
commit: c1058bd8ccde0c56454a48339e9afb7a6e7fa80f Author: Samuli Suominen ssuominen AT gentoo DOT org AuthorDate: Thu Mar 13 13:52:27 2014 + Commit: Samuli Suominen ssuominen AT gentoo DOT org CommitDate: Thu Mar 13 13:52:27 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=c1058bd8 Import -systemd.patch and -systemd-auth.patch from gentoo-x86, see both bugs #372229 and #485470 --- Makefile | 4 system-auth.in | 4 2 files changed, 8 insertions(+) diff --git a/Makefile b/Makefile index 7d3e22a..ec5d240 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,10 @@ ifeq $(CONSOLEKIT) yes PAMFLAGS += -DHAVE_CONSOLEKIT=1 endif +ifeq $(SYSTEMD) yes +PAMFLAGS += -DHAVE_SYSTEMD=1 +endif + ifeq $(GNOME_KEYRING) yes PAMFLAGS += -DHAVE_GNOME_KEYRING=1 endif diff --git a/system-auth.in b/system-auth.in index a80d653..43df701 100644 --- a/system-auth.in +++ b/system-auth.in @@ -35,3 +35,7 @@ password optionalpam_permit.so sessionoptionalpam_ssh.so #endif #include system-session.inc + +#if HAVE_SYSTEMD +-sessionoptionalpam_systemd.so +#endif
[gentoo-commits] proj/pambase:master commit in: /
commit: ae72ea9e54b7f5035fb6b3120c0e75e79860e819 Author: Samuli Suominen ssuominen AT gentoo DOT org AuthorDate: Thu Mar 13 14:13:15 2014 + Commit: Samuli Suominen ssuominen AT gentoo DOT org CommitDate: Thu Mar 13 14:13:15 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=ae72ea9e Import -lastlog-silent.patch from gentoo-x86, see bug #468798 --- login.in| 2 ++ system-login.in | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/login.in b/login.in index 13abd27..14165a2 100644 --- a/login.in +++ b/login.in @@ -3,4 +3,6 @@ auth include system-local-login accountinclude system-local-login password include system-local-login + +sessionoptional pam_lastlog.so DEBUG sessioninclude system-local-login diff --git a/system-login.in b/system-login.in index 0c3b5c8..11ac032 100644 --- a/system-login.in +++ b/system-login.in @@ -41,7 +41,7 @@ session requiredpam_selinux.so close sessionrequiredpam_env.so DEBUG #endif #if HAVE_LASTLOG -sessionoptionalpam_lastlog.so DEBUG +sessionoptionalpam_lastlog.so silent DEBUG #endif sessioninclude system-auth #if HAVE_CONSOLEKIT
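Review bot: The `session optional pam_lastlog.so DEBUG` line added to login.in is unconditional, while the lastlog entry in system-login.in sits inside `#if HAVE_LASTLOG`. A build with that option off would still reference the module from login, and a build with it on presumably runs pam_lastlog twice for console logins (once here, once silently through the included stack; the include chain is outside this hunk). I would wrap the new line in `#if HAVE_LASTLOG` / `#endif` to keep the two files consistent.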
[gentoo-commits] proj/pambase:master commit in: /
commit: bec2aa7cdde64d59cf4fdb5de661188da7cc6e59 Author: Samuli Suominen ssuominen AT gentoo DOT org AuthorDate: Thu Mar 13 14:36:19 2014 + Commit: Samuli Suominen ssuominen AT gentoo DOT org CommitDate: Thu Mar 13 14:36:19 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/pambase.git;a=commit;h=bec2aa7c Use xz instead of bzip2 for dist. --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index ec5d240..574d0d1 100644 --- a/Makefile +++ b/Makefile @@ -75,11 +75,11 @@ ifeq $(VERSION) VERSION = $(shell date +%Y%m%d) endif -dist: $(PACKAGE)-$(VERSION).tar.bz2 +dist: $(PACKAGE)-$(VERSION).tar.xz -$(PACKAGE)-$(VERSION).tar.bz2: $(shell $(GIT) ls-files) +$(PACKAGE)-$(VERSION).tar.xz: $(shell $(GIT) ls-files) $(GIT) tag $(PACKAGE)-$(VERSION) - $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | bzip2 $@ + $(GIT) archive --format=tar --prefix=$(PACKAGE)-$(VERSION)/ HEAD | xz $@ $(PAMD): %: %.in $(CPP) -traditional-cpp -P $(PAMFLAGS) $ -o $@