rpms/authselect
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import authselect-1.2.5-1.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-09-27 15:59:36 -04:00 committed by root
parent 7e52fa4b6e
commit 306a4a4836
9 changed files with 86 additions and 8444 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.authselect.metadata
View File

@ -1 +1 @@
7409561c3379931675241b7858ab27fee13bd2ed SOURCES/authselect-1.2.2.tar.gz
4eb7fbb53b31d92f0fae17d6fd5e5da46bc8b434 SOURCES/authselect-1.2.5.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/authselect-1.2.2.tar.gz
SOURCES/authselect-1.2.5.tar.gz

246
SOURCES/0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
View File

@ -1,246 +0,0 @@
From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 13 May 2021 10:42:13 +0200
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
pam_pwquality
Resolves:
https://github.com/authselect/authselect/issues/247
---
profiles/minimal/password-auth | 6 +++---
profiles/minimal/system-auth | 6 +++---
profiles/nis/password-auth | 6 +++---
profiles/nis/system-auth | 6 +++---
profiles/sssd/password-auth | 6 +++---
profiles/sssd/system-auth | 6 +++---
profiles/winbind/password-auth | 6 +++---
profiles/winbind/system-auth | 6 +++---
src/man/authselect-profiles.5.adoc | 6 +++---
9 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -9,8 +9,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -1,7 +1,7 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -9,8 +9,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -11,8 +11,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so broken_shadow
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
@@ -12,8 +12,8 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so broken_shadow
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password requisite pam_pwquality.so local_users_only
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -154,7 +154,7 @@ for pam_faillock.
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
- auth sufficient pam_unix.so nullok try_first_pass
+ auth sufficient pam_unix.so nullok
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
@@ -193,7 +193,7 @@ previous example.
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
--
2.20.1

40
SOURCES/0002-cli-use-gettext-on-common-options.patch
View File

@ -1,40 +0,0 @@
From 3a3d9380eafcf4c53d3733b39dbb45b67dc3a566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 29 Jun 2021 14:04:24 +0200
Subject: [PATCH] cli: use gettext on common options
Also make --debug description the same as in cli_tool_print_common_opts.
These options are printed when a wrong argument is given on the command line. E.g.
authselect select --invalid-arg
---
src/cli/cli_tool.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/cli/cli_tool.c b/src/cli/cli_tool.c
index 3cc6b735eb45bc45afd21907a690b732f6844f3b..64807af3cb0c3aeb70ff652962dca62a3b99c431 100644
--- a/src/cli/cli_tool.c
+++ b/src/cli/cli_tool.c
@@ -87,12 +87,16 @@ static void cli_tool_print_common_opts(int min_len)
static struct poptOption *cli_tool_common_opts_table(void)
{
static struct poptOption options[] = {
- {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', "Print more verbose debugging information", NULL },
- {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', "Print trace messages", NULL },
- {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', "Print warning messages", NULL },
+ {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', NULL, NULL },
+ {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', NULL, NULL },
+ {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', NULL, NULL },
POPT_TABLEEND
};
+ options[0].descrip = _("Print error messages");
+ options[1].descrip = _("Print trace messages");
+ options[2].descrip = _("Print warning messages");
+
return options;
}
--
2.20.1

8081
SOURCES/0003-po-update-translations.patch
View File

File diff suppressed because it is too large Load Diff

11
SOURCES/0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
View File

@ -1,17 +1,18 @@
From 009be0fc33866a590de8720cb0f3dab811e10059 Mon Sep 17 00:00:00 2001
From 2f1fea5ec3132f2ced05887ba24d03e134934930 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH] rhel8: remove mention of Fedora Change page in compat tool
Subject: [PATCH 1/3] rhel8: remove mention of Fedora Change page in compat
tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 0be644222a44185cb08ff696afad5adf05995093..42cc6f3c0e38d8e14d62bd5acdc171176a6cb51f 100755
index 1a68d95c71b51beabe80e9b07c084ea9c2f3580d..8334293911d1d4c2d98a6d233b91fc348cf06575 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -469,7 +469,6 @@ class AuthCompat:
@@ -471,7 +471,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
@ -20,5 +21,5 @@ index 0be644222a44185cb08ff696afad5adf05995093..42cc6f3c0e38d8e14d62bd5acdc17117
options = self.options.getSetButUnsupported()
--
2.17.2
2.34.1

112
SOURCES/0902-rhel8-remove-ecryptfs-support.patch
View File

@ -1,7 +1,7 @@
From 8f39d5ebcf18b9d987af5ad851fe1637ce1fce22 Mon Sep 17 00:00:00 2001
From bfa639947df40c7d601a459af5f0995c89a67200 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH] rhel8: remove ecryptfs support
Subject: [PATCH 2/3] rhel8: remove ecryptfs support
---
profiles/nis/README | 3 ---
@ -26,7 +26,7 @@ Subject: [PATCH] rhel8: remove ecryptfs support
19 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index b8453bd357a1cec0d3c1981257271170f029fe8c..8b2cc1baa8a3429039f5bbeb0778113238ef6633 100644
index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
@ -40,28 +40,28 @@ index b8453bd357a1cec0d3c1981257271170f029fe8c..8b2cc1baa8a3429039f5bbeb07781132
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 278487b2a0f9ce103afebb0809ffffa2cfbbba7e..8d6bc3fe8ada7305280503bfa350cd78723c988a 100644
index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -16,7 +16,6 @@ password required pam_deny.so
@@ -15,7 +15,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 2ce77fded674684987849b027debe2b17a7bac94..46786cc8c2c90a2be98d71684b9286c37ff5b678 100644
index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -21,7 +21,6 @@ password required pam_deny.so
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
@ -76,19 +76,19 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index d1f270a9e6f0ded1ff2d9c24fcd78c31e7a6debe..25148b060ecd0b52868386abf14ca5a9fd8fdfc3 100644
index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -22,7 +22,6 @@ password required pam_deny.so
@@ -19,7 +19,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a2b52b7d4178bfaca260d31267dac396b514e656..b007621a4abd6423605507af5b03131c58a44f29 100644
index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -40,9 +40,6 @@ with-mkhomedir::
@ -102,28 +102,28 @@ index a2b52b7d4178bfaca260d31267dac396b514e656..b007621a4abd6423605507af5b03131c
Enable authentication with smartcards through SSSD. Please note that
smartcard support must be also explicitly enabled within
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01b70f3533149d00700859f3e0a1c3f2abb33a8a..b9bbc63d96e1d982a54b537402fed5e2201ce533 100644
index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
@@ -20,7 +20,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index c61630d5a71772c61cbdcce00bb5b64a83e87d8e..fe2e3a4bf68fb53e46af56577c9d67c7eabf2fff 100644
index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
@@ -28,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
@ -138,31 +138,31 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index a47f44389d89797b2404ce44a78c2bc8a936225d..a15a033f58b766074ccc6a271f146341ff62f2e4 100644
index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -16,7 +16,6 @@ account required pam_permit.so
@@ -18,7 +18,6 @@ account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 0c53fc0c326a6ab9b9720c3c0de4f7377431f689..788c92ba27f9b0febdbe00f265bc75e754aca8df 100644
index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,7 +32,6 @@ password required pam_deny.so
@@ -35,7 +35,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index e711b546c51fbe1ccf30b203cb854398d5e95caa..72f55e640c04bd539bef979da71d6d9ee0a2fd72 100644
index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
@ -176,28 +176,28 @@ index e711b546c51fbe1ccf30b203cb854398d5e95caa..72f55e640c04bd539bef979da71d6d9e
Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index 0beff74eba83f12c4ad5a6147a6194608cd047e3..cdc61a1e9ff2ff8d58b58a076f001933092d0a90 100644
index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -17,7 +17,6 @@ password required pam_deny.so
@@ -19,7 +19,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 455add4c0c6aa2fecc850dc2b315998c6b4c4fb5..d60fb34c1c9a4f49f68b5c036a72127996bff9be 100644
index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -24,7 +24,6 @@ password required pam_deny.so
@@ -25,7 +25,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
@ -212,51 +212,51 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 5b383f70df6f03f59c6ab3b1dd5686382745b978..c169d7f3b75893ba61d60e085ef86bb658debf5b 100644
index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -25,7 +25,6 @@ password required pam_deny.so
@@ -26,7 +26,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -520,7 +520,6 @@ class AuthCompat:
'smartcard' : 'with-smartcard',
'requiresmartcard' : 'with-smartcard-required',
'fingerprint' : 'with-fingerprint',
- 'ecryptfs' : 'with-ecryptfs',
'mkhomedir' : 'with-mkhomedir',
'faillock' : 'with-faillock',
'pamaccess' : 'with-pamaccess',
@@ -523,7 +523,6 @@ class AuthCompat:
'smartcard': 'with-smartcard',
'requiresmartcard': 'with-smartcard-required',
'fingerprint': 'with-fingerprint',
- 'ecryptfs': 'with-ecryptfs',
'mkhomedir': 'with-mkhomedir',
'faillock': 'with-faillock',
'pamaccess': 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued ("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued ("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedSwitch("useshadow"),
Option.UnsupportedFeature("md5"),
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -80,7 +80,6 @@ configuration file for required services.
@ -267,7 +267,7 @@ index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c8
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
@@ -95,8 +94,8 @@ authselect select sssd with-faillock
@@ -103,8 +102,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
@ -279,5 +279,5 @@ index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c8
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.20.1
2.34.1

6
SOURCES/0903-rhel8-Revert-profiles-add-support-for-resolved.patch
View File

@ -1,7 +1,7 @@
From f2eaf5548f32cb4db51aa5002ad964a975310d5e Mon Sep 17 00:00:00 2001
From 9009c94f3abf85954ffc04c354c6eaff715b4512 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Nov 2020 14:05:00 +0100
Subject: [PATCH] rhel8: Revert "profiles: add support for resolved"
Subject: [PATCH 3/3] rhel8: Revert "profiles: add support for resolved"
systemd-resolved should not be enabled by default on rhel8.
@ -38,5 +38,5 @@ index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
--
2.25.4
2.34.1

24
SPECS/authselect.spec
View File

@ -2,8 +2,8 @@
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.2.2
Release: 3%{?dist}
Version: 1.2.5
Release: 1%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
@ -12,10 +12,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
Patch0001: 0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
Patch0002: 0002-cli-use-gettext-on-common-options.patch
Patch0003: 0003-po-update-translations.patch
# Downstream only
Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch0902: 0902-rhel8-remove-ecryptfs-support.patch
@ -34,6 +30,7 @@ BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
BuildRequires: python3-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
@ -68,7 +65,6 @@ command line tool and any other potential front-ends.
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
@ -101,7 +97,7 @@ done
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}"
%configure --with-pythonbin="%{__python3}" --with-compat
%make_build
%check
@ -156,11 +152,15 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/fingerprint-auth
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
@ -170,6 +170,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/smartcard-auth
%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
@ -189,6 +190,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
@ -290,6 +292,12 @@ exit 0
exit 0
%changelog
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.5-1
- Rebase to 1.2.5 (RHBZ #2080238)
- sssd profile with-smartcard no longer prevents local users from accessing cron (RHBZ #2070325)
- backup-restore now works correctly (RHBZ #2066535)
- add with-subid to sssd profile (RHBZ #2063750)
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- Update translations (RHBZ #1961625)