rpms/authselect
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Auto sync2gitlab import of authselect-1.2.2-3.el8.src.rpm

Browse Source
This commit is contained in:
James Antill 2022-05-26 00:53:38 -04:00
parent 2c7a70503d
commit 229052d667
10 changed files with 9132 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/authselect-1.2.2.tar.gz

246
0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch Normal file
View File

@ -0,0 +1,246 @@
From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 May 2021 10:42:13 +0200
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
pam_pwquality
Resolves:
https://github.com/authselect/authselect/issues/247
---
profiles/minimal/password-auth | 6 +++---
profiles/minimal/system-auth | 6 +++---
profiles/nis/password-auth | 6 +++---
profiles/nis/system-auth | 6 +++---
profiles/sssd/password-auth | 6 +++---
profiles/sssd/system-auth | 6 +++---
profiles/winbind/password-auth | 6 +++---
profiles/winbind/system-auth | 6 +++---
src/man/authselect-profiles.5.adoc | 6 +++---
9 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -9,8 +9,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -9,8 +9,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -11,8 +11,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so broken_shadow
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -12,8 +12,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so broken_shadow
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -154,7 +154,7 @@ for pam_faillock.
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -193,7 +193,7 @@ previous example.
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
--
2.20.1

40
0002-cli-use-gettext-on-common-options.patch Normal file
View File

@ -0,0 +1,40 @@
From 3a3d9380eafcf4c53d3733b39dbb45b67dc3a566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 29 Jun 2021 14:04:24 +0200
Subject: [PATCH] cli: use gettext on common options
Also make --debug description the same as in cli_tool_print_common_opts.
These options are printed when a wrong argument is given on the command line. E.g.
authselect select --invalid-arg
---
src/cli/cli_tool.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/cli/cli_tool.c b/src/cli/cli_tool.c
index 3cc6b735eb45bc45afd21907a690b732f6844f3b..64807af3cb0c3aeb70ff652962dca62a3b99c431 100644
--- a/src/cli/cli_tool.c
+++ b/src/cli/cli_tool.c
@@ -87,12 +87,16 @@ static void cli_tool_print_common_opts(int min_len)
static struct poptOption *cli_tool_common_opts_table(void)
{
static struct poptOption options[] = {
- {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', "Print more verbose debugging information", NULL },
- {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', "Print trace messages", NULL },
- {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', "Print warning messages", NULL },
+ {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', NULL, NULL },
+ {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', NULL, NULL },
+ {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', NULL, NULL },
POPT_TABLEEND
};
+ options[0].descrip = _("Print error messages");
+ options[1].descrip = _("Print trace messages");
+ options[2].descrip = _("Print warning messages");
+
return options;
}
--
2.20.1

8081
0003-po-update-translations.patch Normal file
View File

File diff suppressed because it is too large Load Diff

24
0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch Normal file
View File

@ -0,0 +1,24 @@
From 009be0fc33866a590de8720cb0f3dab811e10059 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH] rhel8: remove mention of Fedora Change page in compat tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 0be644222a44185cb08ff696afad5adf05995093..42cc6f3c0e38d8e14d62bd5acdc171176a6cb51f 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -469,7 +469,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
print(_("See man authselect-migration(7) to help you with migration to authselect"))
options = self.options.getSetButUnsupported()
--
2.17.2

283
0902-rhel8-remove-ecryptfs-support.patch Normal file
View File

@ -0,0 +1,283 @@
From 8f39d5ebcf18b9d987af5ad851fe1637ce1fce22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH] rhel8: remove ecryptfs support
---
profiles/nis/README | 3 ---
profiles/nis/fingerprint-auth | 1 -
profiles/nis/password-auth | 1 -
profiles/nis/postlogin | 4 ----
profiles/nis/system-auth | 1 -
profiles/sssd/README | 3 ---
profiles/sssd/fingerprint-auth | 1 -
profiles/sssd/password-auth | 1 -
profiles/sssd/postlogin | 4 ----
profiles/sssd/smartcard-auth | 1 -
profiles/sssd/system-auth | 1 -
profiles/winbind/README | 3 ---
profiles/winbind/fingerprint-auth | 1 -
profiles/winbind/password-auth | 1 -
profiles/winbind/postlogin | 4 ----
profiles/winbind/system-auth | 1 -
src/compat/authcompat.py.in.in | 1 -
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 5 ++---
19 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index b8453bd357a1cec0d3c1981257271170f029fe8c..8b2cc1baa8a3429039f5bbeb0778113238ef6633 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..8d6bc3fe8ada7305280503bfa350cd78723c988a 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -16,7 +16,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 2ce77fded674684987849b027debe2b17a7bac94..46786cc8c2c90a2be98d71684b9286c37ff5b678 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -21,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/nis/postlogin
+++ b/profiles/nis/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index d1f270a9e6f0ded1ff2d9c24fcd78c31e7a6debe..25148b060ecd0b52868386abf14ca5a9fd8fdfc3 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -22,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a2b52b7d4178bfaca260d31267dac396b514e656..b007621a4abd6423605507af5b03131c58a44f29 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -40,9 +40,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-smartcard::
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..b9bbc63d96e1d982a54b537402fed5e2201ce533 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index c61630d5a71772c61cbdcce00bb5b64a83e87d8e..fe2e3a4bf68fb53e46af56577c9d67c7eabf2fff 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/sssd/postlogin
+++ b/profiles/sssd/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index a47f44389d89797b2404ce44a78c2bc8a936225d..a15a033f58b766074ccc6a271f146341ff62f2e4 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,6 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 0c53fc0c326a6ab9b9720c3c0de4f7377431f689..788c92ba27f9b0febdbe00f265bc75e754aca8df 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index e711b546c51fbe1ccf30b203cb854398d5e95caa..72f55e640c04bd539bef979da71d6d9ee0a2fd72 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
-with-ecryptfs::
- Enable automatic per-user ecryptfs.
-
with-fingerprint::
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index 0beff74eba83f12c4ad5a6147a6194608cd047e3..cdc61a1e9ff2ff8d58b58a076f001933092d0a90 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 455add4c0c6aa2fecc850dc2b315998c6b4c4fb5..d60fb34c1c9a4f49f68b5c036a72127996bff9be 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -24,7 +24,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
--- a/profiles/winbind/postlogin
+++ b/profiles/winbind/postlogin
@@ -1,7 +1,3 @@
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 5b383f70df6f03f59c6ab3b1dd5686382745b978..c169d7f3b75893ba61d60e085ef86bb658debf5b 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -25,7 +25,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -520,7 +520,6 @@ class AuthCompat:
'smartcard' : 'with-smartcard',
'requiresmartcard' : 'with-smartcard-required',
'fingerprint' : 'with-fingerprint',
- 'ecryptfs' : 'with-ecryptfs',
'mkhomedir' : 'with-mkhomedir',
'faillock' : 'with-faillock',
'pamaccess' : 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued ("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued ("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedFeature("md5"),
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -80,7 +80,6 @@ configuration file for required services.
|*Authconfig options* |*Authselect profile feature*
|--enablesmartcard |with-smartcard
|--enablefingerprint |with-fingerprint
-|--enableecryptfs |with-ecryptfs
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
@@ -95,8 +94,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
-authconfig --enableecryptfs --enablepamaccess --updateall
-authselect select sssd with-ecryptfs with-pamaccess
+authconfig --enablepamaccess --updateall
+authselect select sssd with-pamaccess
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.20.1

42
0903-rhel8-Revert-profiles-add-support-for-resolved.patch Normal file
View File

@ -0,0 +1,42 @@
From f2eaf5548f32cb4db51aa5002ad964a975310d5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Nov 2020 14:05:00 +0100
Subject: [PATCH] rhel8: Revert "profiles: add support for resolved"
systemd-resolved should not be enabled by default on rhel8.
This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
---
profiles/minimal/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
automount: files {exclude if "with-custom-automount"}
ethers: files {exclude if "with-custom-ethers"}
group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
initgroups: files {exclude if "with-custom-initgroups"}
netgroup: files {exclude if "with-custom-netgroup"}
networks: files {exclude if "with-custom-networks"}
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
automount: files nis {exclude if "with-custom-automount"}
ethers: files nis {exclude if "with-custom-ethers"}
group: files nis systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
initgroups: files nis {exclude if "with-custom-initgroups"}
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
--
2.25.4

1
EMPTY
View File

@ -1 +0,0 @@

414
authselect.spec Normal file
View File

@ -0,0 +1,414 @@
# Do not terminate build if language files are empty.
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.2.2
Release: 3%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
Patch0001: 0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
Patch0002: 0002-cli-use-gettext-on-common-options.patch
Patch0003: 0003-po-update-translations.patch
# Downstream only
Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch0902: 0902-rhel8-remove-ecryptfs-support.patch
Patch0903: 0903-rhel8-Revert-profiles-add-support-for-resolved.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
# Required by scriptlets
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Requires: systemd
Requires: pam >= 1.3.1-9
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}"
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
%preun
if [ $1 == 0 ] ; then
# Remove authselect symbolic links so all authselect files can be
# deleted safely. If this fail, the uninstallation must fail to avoid
# breaking the system by removing PAM files. However, the command can
# only fail if it can not write to the file system.
%{_bindir}/authselect uninstall
fi
%pre libs
%__rm -f %{validfile}
if [ $1 -gt 1 ] ; then
# Remember if the current configuration is valid
%{_bindir}/authselect check &> /dev/null
if [ $? -eq 0 ]; then
touch %{validfile}
fi
fi
exit 0
%posttrans libs
# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
%__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
# If we are upgrading from older version, we want to remove these comments.
%__sed -i '/^# Generated by authselect on .*$/{$!{
N;N # Read also next two lines
/# Generated by authselect on .*\n# Do not modify this file manually.\n/d
}}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
fi
# If the configuration is valid and we are upgrading from older version
# we need to create these files since they were added in 1.0.
if [ -f %{validfile} ]; then
FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
smartcard-auth postlogin dconf-db dconf-locks"
for FILE in $FILES ; do
%__cp -n %{_sysconfdir}/authselect/$FILE \
%{_localstatedir}/lib/authselect/$FILE &> /dev/null
done
%__rm -f %{validfile}
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
if [ $? -eq 0 ]; then
PROFILE=`echo $CURRENT | %__awk '{print $1;}'`
if [ $PROFILE == "sssd" ] ; then
if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
fi
fi
fi
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- Update translations (RHBZ #1961625)
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-2
- try_first_pass option no longer works on some PAM modules in RHEL8 (RHBZ #1949070)
- Need to localize the description of --debug option in authselect show (RHBZ #1970408)
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
- Rebase to authselect-1.2.2 (RHBZ #1892761)
* Fri Jun 19 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-2
- Update translations (RHBZ #1820533)
* Tue May 12 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
- Rebase to authselect-1.2.1 (RHBZ #1810471)
- CLI commands are now correctly translated (RHBZ #1816009)
- Remove unsupported features from sssd profile description (RHBZ #1830251)
- add `with-files-access-provider` to sssd profile (RHBZ #1734094)
- switch to pam_usertype module (RHBZ #1773567)
- fix typo in sssd profile description (RHBZ #1787638)
- add minimal profile (RHBZ #1654018)
* Thu Jul 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-2
- Update translations (RHBZ #1689973)
* Mon Jun 10 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
- Rebase to authselect-1.1 (RHBZ #1685516)
- Notify that oddjob-mkhomedir needs to be enabled manually (RHBZ #1694103)
- Ask for smartcard insertion when smartcard authentication is required (RHBZ #1674397)
- Update translations (RHBZ #1689973)
* Mon Feb 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-13
- Revert pam_systemd.so to be optional
- Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth
* Mon Feb 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-12
- make authselect work with selinux disabled (RHBZ #1668025)
- require smartcard authentication only for specific services (RHBZ #1665058)
- update translations (RHBZ #1608286)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-11
- require libselinux needed by (RHBZ #1664650)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-10
- invalid selinux context for files under /etc/authselect (RHBZ #1664650)
* Tue Dec 4 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-9
- fix sources for official rhel translations (RHBZ #1608286)
- fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-8
- add official rhel translations (RHBZ #1608286)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-7
- pam_systemd shouldn't be optional in system-auth (RHBZ #1643928)
- compat tool: support --enablerequiresmartcard (RHBZ #1649277)
- compat tool: support --smartcardaction=0 (RHBZ #1649279)
- remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282)
- authselect enable-features should error on unknown features (RHBZ #1651637)
* Wed Oct 31 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-6
- Remove mention of Fedora Change page from compat tool (RHBZ #1644309)
* Wed Oct 10 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-5
- Support for "require smartcard for login option" (RHBZ #1611012)
* Mon Oct 1 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-4
- add official rhel translations (RHBZ #1608286)
* Fri Sep 28 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- fix typo (require systemd instead of systemctl)
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-2
- authconfig --update overwrites current profile (RHBZ #1628492)
- authselect profile nis enhancements (RHBZ #1628493)
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- authconfig --update --enablenis stops ypserv (RHBZ #1632567)
- compat tool generates invalid pwquality configuration (RHBZ #1628491)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0 (RHBZ #1614235)
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.4-4
- Rebuild for platform-python
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (authselect-1.2.2.tar.gz) = 3d75eba6ba1771a71a9c60d817064c9cd46bf03515b75a855ac15aed28c7b2b851e33aff3ebbc8092fcb07a9d86607ebe0199208b1be9839b5bddeba68020faf