diff --git a/.gitignore b/.gitignore index 7a50909..7c2760e 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /authselect-1.2.1.tar.gz /authselect-1.2.2.tar.gz /authselect-1.2.3.tar.gz +/authselect-1.2.4.tar.gz diff --git a/authselect-1.2.3-yescrypt_support.patch b/authselect-1.2.3-yescrypt_support.patch deleted file mode 100644 index d2979df..0000000 --- a/authselect-1.2.3-yescrypt_support.patch +++ /dev/null @@ -1,146 +0,0 @@ -Index: authselect-1.2.3/profiles/minimal/password-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/minimal/password-auth -+++ authselect-1.2.3/profiles/minimal/password-auth -@@ -10,7 +10,7 @@ account required - account required pam_unix.so - - password requisite pam_pwquality.so try_first_pass --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok - password required pam_deny.so - - session optional pam_keyinit.so revoke -Index: authselect-1.2.3/profiles/minimal/system-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/minimal/system-auth -+++ authselect-1.2.3/profiles/minimal/system-auth -@@ -10,7 +10,7 @@ account required - account required pam_unix.so - - password requisite pam_pwquality.so try_first_pass --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok - password required pam_deny.so - - session optional pam_keyinit.so revoke -Index: authselect-1.2.3/profiles/nis/password-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/nis/password-auth -+++ authselect-1.2.3/profiles/nis/password-auth -@@ -12,7 +12,7 @@ account required - account required pam_unix.so broken_shadow - - password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only} --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis - password required pam_deny.so - - session optional pam_keyinit.so revoke -Index: authselect-1.2.3/profiles/nis/system-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/nis/system-auth -+++ authselect-1.2.3/profiles/nis/system-auth -@@ -13,7 +13,7 @@ account required - account required pam_unix.so broken_shadow - - password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only} --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis - password required pam_deny.so - - session optional pam_keyinit.so revoke -Index: authselect-1.2.3/profiles/sssd/password-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/sssd/password-auth -+++ authselect-1.2.3/profiles/sssd/password-auth -@@ -21,7 +21,7 @@ account [default=bad success=ok user - account required pam_permit.so - - password requisite pam_pwquality.so try_first_pass local_users_only --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok - password sufficient pam_sss.so use_authtok - password required pam_deny.so - -Index: authselect-1.2.3/profiles/sssd/system-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/sssd/system-auth -+++ authselect-1.2.3/profiles/sssd/system-auth -@@ -26,7 +26,7 @@ account [default=bad success=ok user - account required pam_permit.so - - password requisite pam_pwquality.so try_first_pass local_users_only --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok - password sufficient pam_sss.so use_authtok - password required pam_deny.so - -Index: authselect-1.2.3/profiles/winbind/password-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/winbind/password-auth -+++ authselect-1.2.3/profiles/winbind/password-auth -@@ -18,7 +18,7 @@ account [default=bad success=ok user - account required pam_permit.so - - password requisite pam_pwquality.so try_first_pass local_users_only --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok - password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok - password required pam_deny.so - -Index: authselect-1.2.3/profiles/winbind/system-auth -=================================================================== ---- authselect-1.2.3.orig/profiles/winbind/system-auth -+++ authselect-1.2.3/profiles/winbind/system-auth -@@ -19,7 +19,7 @@ account [default=bad success=ok user - account required pam_permit.so - - password requisite pam_pwquality.so try_first_pass local_users_only --password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok -+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok - password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok - password required pam_deny.so - -Index: authselect-1.2.3/src/compat/authcompat_Options.py -=================================================================== ---- authselect-1.2.3.orig/src/compat/authcompat_Options.py -+++ authselect-1.2.3/src/compat/authcompat_Options.py -@@ -145,7 +145,7 @@ class Options: - Option.UnsupportedSwitch ("useshadow"), - Option.UnsupportedFeature("md5"), - Option.UnsupportedSwitch ("usemd5"), -- Option.UnsupportedValued ("passalgo", _("")), -+ Option.UnsupportedValued ("passalgo", _("")), - Option.UnsupportedValued ("ldaploadcacert", _("")), - Option.UnsupportedValued ("smartcardmodule", _("")), - Option.UnsupportedValued ("smbsecurity", _("")), -Index: authselect-1.2.3/src/man/authselect-migration.7.adoc -=================================================================== ---- authselect-1.2.3.orig/src/man/authselect-migration.7.adoc -+++ authselect-1.2.3/src/man/authselect-migration.7.adoc -@@ -1,6 +1,6 @@ - authselect-migration(7) - ======================= --:revdate: 2018-03-18 -+:revdate: 2021-06-04 - - NAME - ---- -@@ -85,8 +85,16 @@ configuration file for required services - |--enablefaillock |with-faillock - |--enablepamaccess |with-pamaccess - |--enablewinbindkrb5 |with-krb5 -+|--enableshadow |_none_ -+|--passalgo |_none_ - |================================================== - -+NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often -+used to make sure that passwords are stored in `/etc/shadow` using `sha512` -+algorithm. *The authselect profiles now use the yescrypt hashing method* and -+it cannot be changed through an option (only by creating a custom profile). -+You can just omit these options. -+ - .Examples - ---- - authconfig --enableldap --enableldapauth --enablefaillock --updateall diff --git a/authselect.spec b/authselect.spec index df41848..44f0d15 100644 --- a/authselect.spec +++ b/authselect.spec @@ -2,17 +2,14 @@ %define _empty_manifest_terminate_build 0 Name: authselect -Version: 1.2.3 -Release: 4%{?dist} +Version: 1.2.4 +Release: 1%{?dist} Summary: Configures authentication and identity sources from supported profiles URL: https://github.com/authselect/authselect License: GPLv3+ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz -# Backported (partially) from https://github.com/authselect/authselect/pull/253. -Patch0: %{name}-1.2.3-yescrypt_support.patch - %global makedir %{_builddir}/%{name}-%{version} BuildRequires: autoconf @@ -58,26 +55,6 @@ Requires: pam >= 1.3.1-23 Common library files for authselect. This package is used by the authselect command line tool and any other potential front-ends. -%package compat -Summary: Tool to provide minimum backwards compatibility with authconfig -Obsoletes: authconfig < 7.0.1-6 -Provides: authconfig -BuildRequires: python3-devel -BuildRequires: make -Requires: authselect%{?_isa} = %{version}-%{release} -Recommends: oddjob-mkhomedir -Suggests: sssd -Suggests: realmd -Suggests: samba-winbind -# Required by scriptlets -Requires: sed - -%description compat -This package will replace %{_sbindir}/authconfig with a tool that will -translate some of the authconfig calls into authselect calls. It provides -only minimum backward compatibility and users are encouraged to migrate -to authselect completely. - %package devel Summary: Development libraries and headers for authselect Requires: authselect-libs%{?_isa} = %{version}-%{release} @@ -153,11 +130,13 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %dir %{_datadir}/authselect/default/winbind/ %{_datadir}/authselect/default/minimal/dconf-db %{_datadir}/authselect/default/minimal/dconf-locks +%{_datadir}/authselect/default/minimal/fingerprint-auth %{_datadir}/authselect/default/minimal/nsswitch.conf %{_datadir}/authselect/default/minimal/password-auth %{_datadir}/authselect/default/minimal/postlogin %{_datadir}/authselect/default/minimal/README %{_datadir}/authselect/default/minimal/REQUIREMENTS +%{_datadir}/authselect/default/minimal/smartcard-auth %{_datadir}/authselect/default/minimal/system-auth %{_datadir}/authselect/default/nis/dconf-db %{_datadir}/authselect/default/nis/dconf-locks @@ -167,6 +146,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %{_datadir}/authselect/default/nis/postlogin %{_datadir}/authselect/default/nis/README %{_datadir}/authselect/default/nis/REQUIREMENTS +%{_datadir}/authselect/default/nis/smartcard-auth %{_datadir}/authselect/default/nis/system-auth %{_datadir}/authselect/default/sssd/dconf-db %{_datadir}/authselect/default/sssd/dconf-locks @@ -186,6 +166,7 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %{_datadir}/authselect/default/winbind/postlogin %{_datadir}/authselect/default/winbind/README %{_datadir}/authselect/default/winbind/REQUIREMENTS +%{_datadir}/authselect/default/winbind/smartcard-auth %{_datadir}/authselect/default/winbind/system-auth %{_libdir}/libauthselect.so.* %{_mandir}/man5/authselect-profiles.5* @@ -194,10 +175,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \; %license COPYING %doc README.md -%files compat -%{_sbindir}/authconfig -%{python3_sitelib}/authselect/ - %files devel %{_includedir}/authselect.h %{_libdir}/libauthselect.so @@ -286,15 +263,10 @@ fi exit 0 -%posttrans compat -# Fix for RHBZ#1618865 -# Remove invalid lines from pwquality.conf generated by authconfig compat tool -# - previous version could write some options without value, which is invalid -# - we delete all options without value from existing file -%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null -exit 0 - %changelog +* Mon Aug 9 2021 Pavel Březina - 1.2.4-1 +- Rebase to 1.2.4 + * Wed Jul 21 2021 Fedora Release Engineering - 1.2.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild diff --git a/sources b/sources index 39bcdc8..7e5a1ef 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (authselect-1.2.3.tar.gz) = bdcc1b119f482fa00bc5fc8e39074b1c5fe2d3099d3d2318751f2aba11e79c2613b0c24704799c36811b148111be1452602691b764254356c6d81bfee1b2c167 +SHA512 (authselect-1.2.4.tar.gz) = a1a049e6bc8c6e3a41de4ed115d6357edd01f5d4838c6d651b21b7b2f1002b1211a52bb29a00c56c8b33eabbc2ffcf98de093b747066d031098ec90b8d5e7e1f