From 072f95fb6991a1ef56182e4c7133dc15701ccceb Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Nov 2021 05:08:51 -0500
Subject: [PATCH] import authselect-1.2.2-3.el8
---
...st_pass-has-no-effect-on-pam_unix-an.patch | 246 ++++++++++++++++++
...02-cli-use-gettext-on-common-options.patch | 40 +++
...atch => 0003-po-update-translations.patch} | 0
SPECS/authselect.spec | 14 +-
4 files changed, 296 insertions(+), 4 deletions(-)
create mode 100644 SOURCES/0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
create mode 100644 SOURCES/0002-cli-use-gettext-on-common-options.patch
rename SOURCES/{0001-po-update-translations.patch => 0003-po-update-translations.patch} (100%)
diff --git a/SOURCES/0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch b/SOURCES/0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
new file mode 100644
index 0000000..ca72a32
--- /dev/null
+++ b/SOURCES/0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
@@ -0,0 +1,246 @@
+From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 13 May 2021 10:42:13 +0200
+Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
+ pam_pwquality
+
+Resolves:
+https://github.com/authselect/authselect/issues/247
+---
+ profiles/minimal/password-auth | 6 +++---
+ profiles/minimal/system-auth | 6 +++---
+ profiles/nis/password-auth | 6 +++---
+ profiles/nis/system-auth | 6 +++---
+ profiles/sssd/password-auth | 6 +++---
+ profiles/sssd/system-auth | 6 +++---
+ profiles/winbind/password-auth | 6 +++---
+ profiles/winbind/system-auth | 6 +++---
+ src/man/authselect-profiles.5.adoc | 6 +++---
+ 9 files changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
+index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
+--- a/profiles/minimal/password-auth
++++ b/profiles/minimal/password-auth
+@@ -1,7 +1,7 @@
+ auth required pam_env.so
+ auth required pam_faildelay.so delay=2000000
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+@@ -9,8 +9,8 @@ account required pam_access.so
+ account required pam_faillock.so {include if "with-faillock"}
+ account required pam_unix.so
+
+-password requisite pam_pwquality.so try_first_pass
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password requisite pam_pwquality.so
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
+index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
+--- a/profiles/minimal/system-auth
++++ b/profiles/minimal/system-auth
+@@ -1,7 +1,7 @@
+ auth required pam_env.so
+ auth required pam_faildelay.so delay=2000000
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+@@ -9,8 +9,8 @@ account required pam_access.so
+ account required pam_faillock.so {include if "with-faillock"}
+ account required pam_unix.so
+
+-password requisite pam_pwquality.so try_first_pass
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password requisite pam_pwquality.so
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
+index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
+--- a/profiles/nis/password-auth
++++ b/profiles/nis/password-auth
+@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+ auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+@@ -11,8 +11,8 @@ account required pam_access.so
+ account required pam_faillock.so {include if "with-faillock"}
+ account required pam_unix.so broken_shadow
+
+-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
++password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
+index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
+--- a/profiles/nis/system-auth
++++ b/profiles/nis/system-auth
+@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
+ auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+ auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+@@ -12,8 +12,8 @@ account required pam_access.so
+ account required pam_faillock.so {include if "with-faillock"}
+ account required pam_unix.so broken_shadow
+
+-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
++password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth [default=1 ignore=ignore success=ok] pam_localuser.so
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth sufficient pam_sss.so forward_pass
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+
+-password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password requisite pam_pwquality.so local_users_only
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ password sufficient pam_sss.so use_authtok
+ password required pam_deny.so
+
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
+ auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+ auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+ auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth sufficient pam_sss.so forward_pass
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
+ account [default=bad success=ok user_unknown=ignore] pam_sss.so
+ account required pam_permit.so
+
+-password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password requisite pam_pwquality.so local_users_only
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ password sufficient pam_sss.so use_authtok
+ password required pam_deny.so
+
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+ auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
+ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
+ account required pam_permit.so
+
+-password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password requisite pam_pwquality.so local_users_only
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
+ password required pam_deny.so
+
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
+ auth sufficient pam_fprintd.so {include if "with-fingerprint"}
+ auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
+ auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
+-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
+ auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
+ account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
+ account required pam_permit.so
+
+-password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password requisite pam_pwquality.so local_users_only
++password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
+ password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
+ password required pam_deny.so
+
+diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
+index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
+--- a/src/man/authselect-profiles.5.adoc
++++ b/src/man/authselect-profiles.5.adoc
+@@ -154,7 +154,7 @@ for pam_faillock.
+ auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+ auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+ auth [default=1 ignore=ignore success=ok] pam_localuser.so
+- auth sufficient pam_unix.so nullok try_first_pass
++ auth sufficient pam_unix.so nullok
+ auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+ auth sufficient pam_sss.so forward_pass
+ auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
+@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
+ auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+ auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
+ auth [default=1 ignore=ignore success=ok] pam_localuser.so
+- auth sufficient pam_unix.so nullok try_first_pass
++ auth sufficient pam_unix.so nullok
+ auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+ auth sufficient pam_sss.so forward_pass
+ auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
+@@ -193,7 +193,7 @@ previous example.
+ auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
+ auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
+ auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
+- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
++ auth sufficient pam_unix.so {if not "without-nullok":nullok}
+ auth requisite pam_succeed_if.so uid >= 1000 quiet_success
+ auth sufficient pam_sss.so forward_pass
+ auth required pam_deny.so
+--
+2.20.1
+
diff --git a/SOURCES/0002-cli-use-gettext-on-common-options.patch b/SOURCES/0002-cli-use-gettext-on-common-options.patch
new file mode 100644
index 0000000..dc3b898
--- /dev/null
+++ b/SOURCES/0002-cli-use-gettext-on-common-options.patch
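Review bot: The rewritten `pam_unix.so` and `pam_pwquality.so` lines in all eight profile files drop `try_first_pass` without recording why it is redundant; the subject only says it "has no effect", and the three man-page hunks change the examples with no explanatory sentence. Presumably both modules already reuse a cached authentication token before prompting (worth confirming against the PAM version shipped), so authselect-profiles.5.adoc should carry a line such as `pam_unix and pam_pwquality reuse a previously entered password by default, so try_first_pass is not needed.` The untouched `pam_winbind.so ... use_first_pass` and `use_authtok` lines still depend on the token an earlier module stores, so a login and a password change should be exercised on each profile after the update. Separately, every new `pam_unix.so` line still adds `nullok` unless `without-nullok` is selected, including in password-auth, so hosts that must reject empty passwords need that feature enabled.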
@@ -0,0 +1,40 @@
+From 3a3d9380eafcf4c53d3733b39dbb45b67dc3a566 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 29 Jun 2021 14:04:24 +0200
+Subject: [PATCH] cli: use gettext on common options
+
+Also make --debug description the same as in cli_tool_print_common_opts.
+
+These options are printed when a wrong argument is given on the command line. E.g.
+ authselect select --invalid-arg
+---
+ src/cli/cli_tool.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/cli/cli_tool.c b/src/cli/cli_tool.c
+index 3cc6b735eb45bc45afd21907a690b732f6844f3b..64807af3cb0c3aeb70ff652962dca62a3b99c431 100644
+--- a/src/cli/cli_tool.c
++++ b/src/cli/cli_tool.c
+@@ -87,12 +87,16 @@ static void cli_tool_print_common_opts(int min_len)
+ static struct poptOption *cli_tool_common_opts_table(void)
+ {
+ static struct poptOption options[] = {
+- {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', "Print more verbose debugging information", NULL },
+- {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', "Print trace messages", NULL },
+- {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', "Print warning messages", NULL },
++ {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', NULL, NULL },
++ {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', NULL, NULL },
++ {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', NULL, NULL },
+ POPT_TABLEEND
+ };
+
++ options[0].descrip = _("Print error messages");
++ options[1].descrip = _("Print trace messages");
++ options[2].descrip = _("Print warning messages");
++
+ return options;
+ }
+
+--
+2.20.1
+
diff --git a/SOURCES/0001-po-update-translations.patch b/SOURCES/0003-po-update-translations.patch
similarity index 100%
rename from SOURCES/0001-po-update-translations.patch
rename to SOURCES/0003-po-update-translations.patch
diff --git a/SPECS/authselect.spec b/SPECS/authselect.spec
index 87c9a78..46fab6c 100644
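Review bot: The three added `options[N].descrip = _(...)` assignments in `cli_tool_common_opts_table` tie each translated description to a numeric position in the `options[]` initializer, so inserting, removing or reordering an entry would silently attach the wrong help text or write into the `POPT_TABLEEND` slot. I would add a comment above them, `/* Descriptions are filled in at run time so they can be translated; the indices must follow the initializer order above. */`, or look the entries up by `longName` instead of by index. The function also rewrites the shared static table on every call, which looks harmless for this CLI but is worth stating in the same comment.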
--- a/SPECS/authselect.spec +++ b/SPECS/authselect.spec @@ -3,7 +3,7 @@ Name: authselect Version: 1.2.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/authselect/authselect @@ -12,7 +12,9 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz %global makedir %{_builddir}/%{name}-%{version} -Patch0001: 0001-po-update-translations.patch +Patch0001: 0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch +Patch0002: 0002-cli-use-gettext-on-common-options.patch +Patch0003: 0003-po-update-translations.patch # Downstream only Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch @@ -288,8 +290,12 @@ exit 0 exit 0 %changelog -* Fri Mar 12 2021 Pavel Březina - 1.2.2-2 -- Update translations (RHBZ #1899676) +* Wed Jul 14 2021 Pavel Březina - 1.2.2-3 +- Update translations (RHBZ #1961625) + +* Wed Jul 14 2021 Pavel Březina - 1.2.2-2 +- try_first_pass option no longer works on some PAM modules in RHEL8 (RHBZ #1949070) +- Need to localize the description of --debug option in authselect show (RHBZ #1970408) * Wed Nov 25 2020 Pavel Březina - 1.2.2-1 - Rebase to authselect-1.2.2 (RHBZ #1892761)