authselect-1.2.4-1: rebase to 1.2.4

Pavel Březina 2021-08-09 11:56:45 +02:00
parent 2b8ac263d0
commit 5b2aadc5ec
4 changed files with 11 additions and 184 deletions

1
.gitignore vendored

@ -14,3 +14,4 @@
/authselect-1.2.1.tar.gz
/authselect-1.2.2.tar.gz
/authselect-1.2.3.tar.gz
/authselect-1.2.4.tar.gz


@ -1,146 +0,0 @@
Index: authselect-1.2.3/profiles/minimal/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/minimal/password-auth
+++ authselect-1.2.3/profiles/minimal/password-auth
@@ -10,7 +10,7 @@ account required
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/minimal/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/minimal/system-auth
+++ authselect-1.2.3/profiles/minimal/system-auth
@@ -10,7 +10,7 @@ account required
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/nis/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/nis/password-auth
+++ authselect-1.2.3/profiles/nis/password-auth
@@ -12,7 +12,7 @@ account required
account required pam_unix.so broken_shadow
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/nis/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/nis/system-auth
+++ authselect-1.2.3/profiles/nis/system-auth
@@ -13,7 +13,7 @@ account required
account required pam_unix.so broken_shadow
password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/sssd/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/sssd/password-auth
+++ authselect-1.2.3/profiles/sssd/password-auth
@@ -21,7 +21,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
Index: authselect-1.2.3/profiles/sssd/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/sssd/system-auth
+++ authselect-1.2.3/profiles/sssd/system-auth
@@ -26,7 +26,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
Index: authselect-1.2.3/profiles/winbind/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/winbind/password-auth
+++ authselect-1.2.3/profiles/winbind/password-auth
@@ -18,7 +18,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
Index: authselect-1.2.3/profiles/winbind/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/winbind/system-auth
+++ authselect-1.2.3/profiles/winbind/system-auth
@@ -19,7 +19,7 @@ account [default=bad success=ok user
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
Index: authselect-1.2.3/src/compat/authcompat_Options.py
===================================================================
--- authselect-1.2.3.orig/src/compat/authcompat_Options.py
+++ authselect-1.2.3/src/compat/authcompat_Options.py
@@ -145,7 +145,7 @@ class Options:
Option.UnsupportedSwitch ("useshadow"),
Option.UnsupportedFeature("md5"),
Option.UnsupportedSwitch ("usemd5"),
- Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
+ Option.UnsupportedValued ("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>")),
Option.UnsupportedValued ("ldaploadcacert", _("<URL>")),
Option.UnsupportedValued ("smartcardmodule", _("<module>")),
Option.UnsupportedValued ("smbsecurity", _("<user|server|domain|ads>")),
Index: authselect-1.2.3/src/man/authselect-migration.7.adoc
===================================================================
--- authselect-1.2.3.orig/src/man/authselect-migration.7.adoc
+++ authselect-1.2.3/src/man/authselect-migration.7.adoc
@@ -1,6 +1,6 @@
authselect-migration(7)
=======================
-:revdate: 2018-03-18
+:revdate: 2021-06-04
NAME
----
@@ -85,8 +85,16 @@ configuration file for required services
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
|--enablewinbindkrb5 |with-krb5
+|--enableshadow |_none_
+|--passalgo |_none_
|==================================================
+NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
+used to make sure that passwords are stored in `/etc/shadow` using `sha512`
+algorithm. *The authselect profiles now use the yescrypt hashing method* and
+it cannot be changed through an option (only by creating a custom profile).
+You can just omit these options.
+
.Examples
----
authconfig --enableldap --enableldapauth --enablefaillock --updateall


@ -2,17 +2,14 @@
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.2.3
Release: 4%{?dist}
Version: 1.2.4
Release: 1%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
# Backported (partially) from https://github.com/authselect/authselect/pull/253.
Patch0: %{name}-1.2.3-yescrypt_support.patch
%global makedir %{_builddir}/%{name}-%{version}
BuildRequires: autoconf
@ -58,26 +55,6 @@ Requires: pam >= 1.3.1-23
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
BuildRequires: python3-devel
BuildRequires: make
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
@ -153,11 +130,13 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/fingerprint-auth
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
@ -167,6 +146,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/smartcard-auth
%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
@ -186,6 +166,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
@ -194,10 +175,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
@ -286,15 +263,10 @@ fi
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Mon Aug 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.4-1
- Rebase to 1.2.4
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
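Review bot: Removing `Patch0: %{name}-1.2.3-yescrypt_support.patch` in the first hunk is only safe if the 1.2.4 tarball itself carries the `sha512` to `yescrypt` change on the `pam_unix.so` password lines of every profile. The spec comment describes that patch as a partial backport of upstream pull request 253, so the rebased sources should be checked for it; otherwise newly set passwords would quietly be hashed with sha512 again. The changelog says only `- Rebase to 1.2.4`, while the hunk counts suggest the section also drops the `compat` subpackage (`%package compat`, `%files compat`, `%posttrans compat`) together with its `Provides: authconfig`. Once confirmed, I would record both, e.g. `- Drop yescrypt backport (part of 1.2.4)` and `- Remove authselect-compat subpackage`. No `Obsoletes:` for authselect-compat is visible in these hunks, so an installed copy with `Requires: authselect%{?_isa} = %{version}-%{release}` could block the upgrade, unless that is handled outside the lines shown.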


@ -1 +1 @@
SHA512 (authselect-1.2.3.tar.gz) = bdcc1b119f482fa00bc5fc8e39074b1c5fe2d3099d3d2318751f2aba11e79c2613b0c24704799c36811b148111be1452602691b764254356c6d81bfee1b2c167
SHA512 (authselect-1.2.4.tar.gz) = a1a049e6bc8c6e3a41de4ed115d6357edd01f5d4838c6d651b21b7b2f1002b1211a52bb29a00c56c8b33eabbc2ffcf98de093b747066d031098ec90b8d5e7e1f