diff --git a/authselect-1.2.3-yescrypt_support.patch b/authselect-1.2.3-yescrypt_support.patch
new file mode 100644
index 0000000..d2979df
--- /dev/null
+++ b/authselect-1.2.3-yescrypt_support.patch
@@ -0,0 +1,146 @@
+Index: authselect-1.2.3/profiles/minimal/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/minimal/password-auth
++++ authselect-1.2.3/profiles/minimal/password-auth
+@@ -10,7 +10,7 @@ account required
+ account required pam_unix.so
+
+ password requisite pam_pwquality.so try_first_pass
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/minimal/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/minimal/system-auth
++++ authselect-1.2.3/profiles/minimal/system-auth
+@@ -10,7 +10,7 @@ account required
+ account required pam_unix.so
+
+ password requisite pam_pwquality.so try_first_pass
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/nis/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/nis/password-auth
++++ authselect-1.2.3/profiles/nis/password-auth
+@@ -12,7 +12,7 @@ account required
+ account required pam_unix.so broken_shadow
+
+ password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/nis/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/nis/system-auth
++++ authselect-1.2.3/profiles/nis/system-auth
+@@ -13,7 +13,7 @@ account required
+ account required pam_unix.so broken_shadow
+
+ password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+ password required pam_deny.so
+
+ session optional pam_keyinit.so revoke
+Index: authselect-1.2.3/profiles/sssd/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/sssd/password-auth
++++ authselect-1.2.3/profiles/sssd/password-auth
+@@ -21,7 +21,7 @@ account [default=bad success=ok user
+ account required pam_permit.so
+
+ password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+ password sufficient pam_sss.so use_authtok
+ password required pam_deny.so
+
+Index: authselect-1.2.3/profiles/sssd/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/sssd/system-auth
++++ authselect-1.2.3/profiles/sssd/system-auth
+@@ -26,7 +26,7 @@ account [default=bad success=ok user
+ account required pam_permit.so
+
+ password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+ password sufficient pam_sss.so use_authtok
+ password required pam_deny.so
+
+Index: authselect-1.2.3/profiles/winbind/password-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/winbind/password-auth
++++ authselect-1.2.3/profiles/winbind/password-auth
+@@ -18,7 +18,7 @@ account [default=bad success=ok user
+ account required pam_permit.so
+
+ password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+ password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
+ password required pam_deny.so
+
+Index: authselect-1.2.3/profiles/winbind/system-auth
+===================================================================
+--- authselect-1.2.3.orig/profiles/winbind/system-auth
++++ authselect-1.2.3/profiles/winbind/system-auth
+@@ -19,7 +19,7 @@ account [default=bad success=ok user
+ account required pam_permit.so
+
+ password requisite pam_pwquality.so try_first_pass local_users_only
+-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
++password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+ password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
+ password required pam_deny.so
+
+Index: authselect-1.2.3/src/compat/authcompat_Options.py
+===================================================================
+--- authselect-1.2.3.orig/src/compat/authcompat_Options.py
++++ authselect-1.2.3/src/compat/authcompat_Options.py
+@@ -145,7 +145,7 @@ class Options:
+ Option.UnsupportedSwitch ("useshadow"),
+ Option.UnsupportedFeature("md5"),
+ Option.UnsupportedSwitch ("usemd5"),
+- Option.UnsupportedValued ("passalgo", _("")),
++
Option.UnsupportedValued ("passalgo", _("")), + Option.UnsupportedValued ("ldaploadcacert", _("")), + Option.UnsupportedValued ("smartcardmodule", _("")), + Option.UnsupportedValued ("smbsecurity", _("")), +Index: authselect-1.2.3/src/man/authselect-migration.7.adoc +=================================================================== +--- authselect-1.2.3.orig/src/man/authselect-migration.7.adoc ++++ authselect-1.2.3/src/man/authselect-migration.7.adoc +@@ -1,6 +1,6 @@ + authselect-migration(7) + ======================= +-:revdate: 2018-03-18 ++:revdate: 2021-06-04 + + NAME + ---- +@@ -85,8 +85,16 @@ configuration file for required services + |--enablefaillock |with-faillock + |--enablepamaccess |with-pamaccess + |--enablewinbindkrb5 |with-krb5 ++|--enableshadow |_none_ ++|--passalgo |_none_ + |================================================== + ++NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often ++used to make sure that passwords are stored in `/etc/shadow` using `sha512` ++algorithm. *The authselect profiles now use the yescrypt hashing method* and ++it cannot be changed through an option (only by creating a custom profile). ++You can just omit these options. ++ + .Examples + ---- + authconfig --enableldap --enableldapauth --enablefaillock --updateall diff --git a/authselect.spec b/authselect.spec index d18bd8c..b2e108f 100644 --- a/authselect.spec +++ b/authselect.spec @@ -3,13 +3,16 @@ Name: authselect Version: 1.2.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/authselect/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz +# Backported (partially) from https://github.com/authselect/authselect/pull/253. +Patch0: %{name}-1.2.3-yescrypt_support.patch + %global makedir %{_builddir}/%{name}-%{version} BuildRequires: autoconf 
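Review bot: The NOTE added to authselect-migration.7.adoc says the profiles now use yescrypt but does not say what happens to hashes already in `/etc/shadow`. As far as I know pam_unix only writes a hash when a password is set, so existing sha512 entries stay until each password is next changed. I would add a sentence such as `Existing password hashes are not converted; they are replaced with yescrypt only when the password is next changed.` The same switch in profiles/nis/password-auth and profiles/nis/system-auth keeps the `nis` option, so changed passwords presumably reach the NIS map as yescrypt hashes. Hosts in the domain whose crypt library lacks yescrypt may be unable to verify them, which is worth a caveat in the profile documentation or a confirmation that it was tested.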
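Review bot: `Patch0` switches the pam_unix password line in every shipped profile from `sha512` to `yescrypt`, but this hunk adds no versioned dependency on a pam and libxcrypt that support that method. The rest of the spec lies outside the hunk, so I cannot see whether such a requirement already exists. On a pam_unix that does not recognise `yescrypt` I would expect the option to be logged and ignored, leaving the module on its built-in default rather than sha512, which would silently weaken newly set password hashes; please confirm. If no requirement exists, add one on the subpackage that ships the profiles, e.g. `Requires: pam >= <first pam release with yescrypt support>`.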
@@ -292,6 +295,9 @@ exit 0 exit 0 %changelog +* Mon Jun 21 2021 Björn Esser - 1.2.3-3 +- Backport support for yescrypt hash method + * Fri Jun 04 2021 Python Maint - 1.2.3-2 - Rebuilt for Python 3.10