import authselect-1.2.2-3.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
e66ad16452
commit
7e52fa4b6e
|
|
@ -0,0 +1,246 @@
|
|||
From a8def58508ab4cc137700555a74e71de88ccb6bf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 13 May 2021 10:42:13 +0200
|
||||
Subject: [PATCH] profiles: try_first_pass has no effect on pam_unix and
|
||||
pam_pwquality
|
||||
|
||||
Resolves:
|
||||
https://github.com/authselect/authselect/issues/247
|
||||
---
|
||||
profiles/minimal/password-auth | 6 +++---
|
||||
profiles/minimal/system-auth | 6 +++---
|
||||
profiles/nis/password-auth | 6 +++---
|
||||
profiles/nis/system-auth | 6 +++---
|
||||
profiles/sssd/password-auth | 6 +++---
|
||||
profiles/sssd/system-auth | 6 +++---
|
||||
profiles/winbind/password-auth | 6 +++---
|
||||
profiles/winbind/system-auth | 6 +++---
|
||||
src/man/authselect-profiles.5.adoc | 6 +++---
|
||||
9 files changed, 27 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
|
||||
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
|
||||
--- a/profiles/minimal/password-auth
|
||||
+++ b/profiles/minimal/password-auth
|
||||
@@ -1,7 +1,7 @@
|
||||
auth required pam_env.so
|
||||
auth required pam_faildelay.so delay=2000000
|
||||
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth required pam_deny.so
|
||||
|
||||
@@ -9,8 +9,8 @@ account required pam_access.so
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
+password requisite pam_pwquality.so
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
|
||||
index c27f07303aa18d2a8a7425eb6c4fbbf4fc5d5209..823cc7d2dc49b529c922877b1d5a4ae355e9672b 100644
|
||||
--- a/profiles/minimal/system-auth
|
||||
+++ b/profiles/minimal/system-auth
|
||||
@@ -1,7 +1,7 @@
|
||||
auth required pam_env.so
|
||||
auth required pam_faildelay.so delay=2000000
|
||||
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth required pam_deny.so
|
||||
|
||||
@@ -9,8 +9,8 @@ account required pam_access.so
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
+password requisite pam_pwquality.so
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
|
||||
index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..fca075b3e8a289aef2055cc8bb8551540957e70f 100644
|
||||
--- a/profiles/nis/password-auth
|
||||
+++ b/profiles/nis/password-auth
|
||||
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
|
||||
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth required pam_deny.so
|
||||
|
||||
@@ -11,8 +11,8 @@ account required pam_access.so
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so broken_shadow
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
|
||||
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
|
||||
index 057b31e074f29c46b492fa310a954e281631800e..c4a74b857f8759082973936bd7d4e5b8718680c4 100644
|
||||
--- a/profiles/nis/system-auth
|
||||
+++ b/profiles/nis/system-auth
|
||||
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
|
||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
auth required pam_deny.so
|
||||
|
||||
@@ -12,8 +12,8 @@ account required pam_access.so
|
||||
account required pam_faillock.so {include if "with-faillock"}
|
||||
account required pam_unix.so broken_shadow
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
|
||||
+password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
||||
index d6953428cca7d6518f63c3fdbaabc4746c35f91b..b75926205f233d65553caa5d33f1d06c1c77a32e 100644
|
||||
--- a/profiles/sssd/password-auth
|
||||
+++ b/profiles/sssd/password-auth
|
||||
@@ -6,7 +6,7 @@ auth sufficient pam_u2f.so cue
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -20,8 +20,8 @@ account sufficient pam_usertype.so issyste
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass local_users_only
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
+password requisite pam_pwquality.so local_users_only
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
||||
password sufficient pam_sss.so use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
||||
index 58d51067feb36850fb11bbba73067495f88c0b9e..e4bdb2b40255c056257ba5569a0b5b21ebaeb261 100644
|
||||
--- a/profiles/sssd/system-auth
|
||||
+++ b/profiles/sssd/system-auth
|
||||
@@ -11,7 +11,7 @@ auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -25,8 +25,8 @@ account sufficient pam_usertype.so issyste
|
||||
account [default=bad success=ok user_unknown=ignore] pam_sss.so
|
||||
account required pam_permit.so
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass local_users_only
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
+password requisite pam_pwquality.so local_users_only
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
||||
password sufficient pam_sss.so use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
|
||||
index bbeca057d49102889e3eeee040ea256dbd751eef..75e1e529944afa68fd06e4dd189d722fd80d9336 100644
|
||||
--- a/profiles/winbind/password-auth
|
||||
+++ b/profiles/winbind/password-auth
|
||||
@@ -3,7 +3,7 @@ auth required pam_faildelay.so delay=
|
||||
auth required pam_faillock.so preauth silent {include if "with-faillock"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -17,8 +17,8 @@ account sufficient pam_usertype.so issyste
|
||||
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
|
||||
account required pam_permit.so
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass local_users_only
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
+password requisite pam_pwquality.so local_users_only
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
||||
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
|
||||
index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..ae5262f2bb8c9ee8848c66eb00b15ff3d1fb8230 100644
|
||||
--- a/profiles/winbind/system-auth
|
||||
+++ b/profiles/winbind/system-auth
|
||||
@@ -4,7 +4,7 @@ auth required pam_faillock.so preauth
|
||||
auth sufficient pam_fprintd.so {include if "with-fingerprint"}
|
||||
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
|
||||
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
|
||||
-auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
|
||||
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
|
||||
auth required pam_faillock.so authfail {include if "with-faillock"}
|
||||
@@ -18,8 +18,8 @@ account sufficient pam_usertype.so issyste
|
||||
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
|
||||
account required pam_permit.so
|
||||
|
||||
-password requisite pam_pwquality.so try_first_pass local_users_only
|
||||
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
|
||||
+password requisite pam_pwquality.so local_users_only
|
||||
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
|
||||
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
|
||||
password required pam_deny.so
|
||||
|
||||
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
|
||||
index 0890b8b0acef811a639f6cd763b2d24f0c489881..4baa2800c766f59cf250cc5570c259f636a2305b 100644
|
||||
--- a/src/man/authselect-profiles.5.adoc
|
||||
+++ b/src/man/authselect-profiles.5.adoc
|
||||
@@ -154,7 +154,7 @@ for pam_faillock.
|
||||
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
||||
- auth sufficient pam_unix.so nullok try_first_pass
|
||||
+ auth sufficient pam_unix.so nullok
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
|
||||
@@ -172,7 +172,7 @@ to include both features but only "with-smartcard-required" is necessary.
|
||||
auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
|
||||
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so
|
||||
- auth sufficient pam_unix.so nullok try_first_pass
|
||||
+ auth sufficient pam_unix.so nullok
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
|
||||
@@ -193,7 +193,7 @@ previous example.
|
||||
auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
|
||||
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
|
||||
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
|
||||
- auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
|
||||
+ auth sufficient pam_unix.so {if not "without-nullok":nullok}
|
||||
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
|
||||
auth sufficient pam_sss.so forward_pass
|
||||
auth required pam_deny.so
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From 3a3d9380eafcf4c53d3733b39dbb45b67dc3a566 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 29 Jun 2021 14:04:24 +0200
|
||||
Subject: [PATCH] cli: use gettext on common options
|
||||
|
||||
Also make --debug description the same as in cli_tool_print_common_opts.
|
||||
|
||||
These options are printed when a wrong argument is given on the command line. E.g.
|
||||
authselect select --invalid-arg
|
||||
---
|
||||
src/cli/cli_tool.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/cli/cli_tool.c b/src/cli/cli_tool.c
|
||||
index 3cc6b735eb45bc45afd21907a690b732f6844f3b..64807af3cb0c3aeb70ff652962dca62a3b99c431 100644
|
||||
--- a/src/cli/cli_tool.c
|
||||
+++ b/src/cli/cli_tool.c
|
||||
@@ -87,12 +87,16 @@ static void cli_tool_print_common_opts(int min_len)
|
||||
static struct poptOption *cli_tool_common_opts_table(void)
|
||||
{
|
||||
static struct poptOption options[] = {
|
||||
- {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', "Print more verbose debugging information", NULL },
|
||||
- {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', "Print trace messages", NULL },
|
||||
- {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', "Print warning messages", NULL },
|
||||
+ {"debug", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'd', NULL, NULL },
|
||||
+ {"trace", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 't', NULL, NULL },
|
||||
+ {"warn", '\0', POPT_ARG_NONE | POPT_ARGFLAG_STRIP, NULL, 'w', NULL, NULL },
|
||||
POPT_TABLEEND
|
||||
};
|
||||
|
||||
+ options[0].descrip = _("Print error messages");
|
||||
+ options[1].descrip = _("Print trace messages");
|
||||
+ options[2].descrip = _("Print warning messages");
|
||||
+
|
||||
return options;
|
||||
}
|
||||
|
||||
--
|
||||
2.20.1
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
Name: authselect
|
||||
Version: 1.2.2
|
||||
Release: 1%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Configures authentication and identity sources from supported profiles
|
||||
URL: https://github.com/authselect/authselect
|
||||
|
||||
|
|
@ -12,6 +12,10 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
|
|||
|
||||
%global makedir %{_builddir}/%{name}-%{version}
|
||||
|
||||
Patch0001: 0001-profiles-try_first_pass-has-no-effect-on-pam_unix-an.patch
|
||||
Patch0002: 0002-cli-use-gettext-on-common-options.patch
|
||||
Patch0003: 0003-po-update-translations.patch
|
||||
|
||||
# Downstream only
|
||||
Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
|
||||
Patch0902: 0902-rhel8-remove-ecryptfs-support.patch
|
||||
|
|
@ -286,6 +290,13 @@ exit 0
|
|||
exit 0
|
||||
|
||||
%changelog
|
||||
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
|
||||
- Update translations (RHBZ #1961625)
|
||||
|
||||
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-2
|
||||
- try_first_pass option no longer works on some PAM modules in RHEL8 (RHBZ #1949070)
|
||||
- Need to localize the description of --debug option in authselect show (RHBZ #1970408)
|
||||
|
||||
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
|
||||
- Rebase to authselect-1.2.2 (RHBZ #1892761)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue