diff --git a/0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch b/0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
new file mode 100644
index 0000000..29ac2ef
--- /dev/null
+++ b/0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
@@ -0,0 +1,61 @@
+From b75a468d38598920833762a7227b06d73be20709 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg
+Date: Tue, 9 Mar 2021 14:34:22 +0100
+Subject: [PATCH] fingerprint: Retain error code returned by pam_fprintd.so
+
+pam_fprintd.so will return PAM_AUTHINFO_UNAVAIL in some situations. It
+is important that the fingerprint-auth stack returns this error code, so
+that users (i.e. GDM) can tell the difference between an authentication
+failure vs. an immediate return because no fingers are enrolled.
+
+Fix this by changing sufficient to required (i.e. default=bad rather
+than default=ignore) in order to ensure that the pam_fprintd.so error
+code is returned.
+---
+ profiles/nis/fingerprint-auth | 2 +-
+ profiles/sssd/fingerprint-auth | 2 +-
+ profiles/winbind/fingerprint-auth | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
+index 756993c..f312974 100644
+--- a/profiles/nis/fingerprint-auth
++++ b/profiles/nis/fingerprint-auth
+@@ -1,7 +1,7 @@
+ {continue if "with-fingerprint"}
+ auth required pam_env.so
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_fprintd.so
++auth required pam_fprintd.so
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+ 
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index fe3cac7..5ec1673 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -2,7 +2,7 @@
+ auth required pam_env.so
+ auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_fprintd.so
++auth required pam_fprintd.so
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+ 
+diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
+index c4b8261..07fca0f 100644
+--- a/profiles/winbind/fingerprint-auth
++++ b/profiles/winbind/fingerprint-auth
+@@ -1,7 +1,7 @@
+ {continue if "with-fingerprint"}
+ auth required pam_env.so
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_fprintd.so
++auth required pam_fprintd.so
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+ 
+-- 
+2.29.2
+
diff --git a/0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch b/0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch
new file mode 100644
index 0000000..b6de965
--- /dev/null
+++ b/0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch
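Review bot: Switching pam_fprintd.so from `sufficient` to `required` in all three fingerprint-auth stacks changes the success path as well as the failure path: `required` no longer terminates the stack on success, so a good fingerprint now falls through to `auth required pam_faillock.so authfail` (which appears to record a spurious failure) and then to `auth required pam_deny.so`, whose PAM_AUTH_ERR becomes the stack's result and rejects the login. The `@@ -1,7` hunks show the whole auth section of each file, and I see nothing after `pam_deny.so` that would rescue the result. The commit message wants only `default=bad` instead of `default=ignore`, which an explicit control gives without touching the success path: `auth [success=done new_authtok_reqd=done default=bad] pam_fprintd.so`. Alternatively keep `required` and drop the trailing `auth required pam_deny.so` line, since a failing required pam_fprintd.so already denies; either way please test a successful enrolment, not only the no-fingers-enrolled case the message describes.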
@@ -0,0 +1,49 @@
+From 41197d567e0ef15cdd50b9e7658e9a0b205e6683 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 4 Mar 2021 11:59:37 +0100
+Subject: [PATCH] minimal: add dconf settings to explicitly disable fprint and
+ smartcard authentication
+
+Resolves:
+https://github.com/authselect/authselect/issues/237
+---
+ profiles/Makefile.am | 2 ++
+ profiles/minimal/dconf-db | 3 +++
+ profiles/minimal/dconf-locks | 2 ++
+ 3 files changed, 7 insertions(+)
+ create mode 100644 profiles/minimal/dconf-db
+ create mode 100644 profiles/minimal/dconf-locks
+
+diff --git a/profiles/Makefile.am b/profiles/Makefile.am
+index 5dfab8047fc956babe47180601a0336c0a55d15f..95e27147b2b0a229a76a293884d605484d3fa841 100644
+--- a/profiles/Makefile.am
++++ b/profiles/Makefile.am
+@@ -9,6 +9,8 @@ dist_profile_minimal_DATA = \
+ $(top_srcdir)/profiles/minimal/README \
+ $(top_srcdir)/profiles/minimal/REQUIREMENTS \
+ $(top_srcdir)/profiles/minimal/system-auth \
++ $(top_srcdir)/profiles/minimal/dconf-db \
++ $(top_srcdir)/profiles/minimal/dconf-locks \
+ $(NULL)
+ 
+ profile_nisdir = $(authselect_profile_dir)/nis
+diff --git a/profiles/minimal/dconf-db b/profiles/minimal/dconf-db
+new file mode 100644
+index 0000000000000000000000000000000000000000..a3868b794bdf9d8d6edf8363b15cb918539b8926
+--- /dev/null
++++ b/profiles/minimal/dconf-db
+@@ -0,0 +1,3 @@
++[org/gnome/login-screen]
++enable-smartcard-authentication=false
++enable-fingerprint-authentication=false
+diff --git a/profiles/minimal/dconf-locks b/profiles/minimal/dconf-locks
+new file mode 100644
+index 0000000000000000000000000000000000000000..8a36fa9568344338272786394aece872185d0ab3
+--- /dev/null
++++ b/profiles/minimal/dconf-locks
+@@ -0,0 +1,2 @@
++/org/gnome/login-screen/enable-smartcard-authentication
++/org/gnome/login-screen/enable-fingerprint-authentication
+-- 
+2.29.2
+
diff --git a/0001-utils-correctly-remove-the-whole-line-if-str-does-no.patch b/0001-utils-correctly-remove-the-whole-line-if-str-does-no.patch deleted file mode 100644 index cc2f282..0000000 --- a/0001-utils-correctly-remove-the-whole-line-if-str-does-no.patch +++ /dev/null 
@@ -1,264 +0,0 @@ -From 4b913748e413314b69c315c314c3d07e10471712 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Mon, 13 Jul 2020 13:43:03 +0200 -Subject: [PATCH 1/2] utils: correctly remove the whole line if `str` does not - point to its beginning - -The following scenario triggers a bug when the line is not removed completely -and the two lines are merged instead. -``` -BEGINNING {if "condition":true|false} END {include if "condition"} -NEXT LINE - --> -BEGINNING falseNEXT LINE -``` - -This is because `match_string` points after the first condition and we -only remove the line to this point. Therefore we need to interate -before `match_string` so we can find the real line start. - -Resolves: -https://github.com/authselect/authselect/issues/218 ---- - src/lib/files/system.c | 2 +- - src/lib/util/string.c | 10 ++-- - src/lib/util/string.h | 3 +- - src/lib/util/template.c | 16 ++++--- - src/tests/test_util_template.c | 84 ++++++++++++++++++++++++++++++++++ - 5 files changed, 103 insertions(+), 12 deletions(-) - -diff --git a/src/lib/files/system.c b/src/lib/files/system.c -index 453e2f4d6fc42ffd2e9bdfc773a38972802c1cb2..ef354b7583914cec07ff3c017394daa5b6cc27e1 100644 ---- a/src/lib/files/system.c -+++ b/src/lib/files/system.c -@@ -178,7 +178,7 @@ authselect_system_nsswitch_delete_maps(char **maps, - map_len = m[1].rm_eo - m[1].rm_so; - for (i = 0; maps[i] != NULL; i++) { - if (strncmp(map_name, maps[i], map_len) == 0) { -- string_remove_line(match_string, m[1].rm_so); -+ string_remove_line(content, match_string, m[1].rm_so); - break; - } - } -diff --git a/src/lib/util/string.c b/src/lib/util/string.c -index 0f3936681c6c8af1be940f92a21dfc15dafe4e42..e53a81c250711e5caab8e5f4f751371c332e6b92 100644 ---- a/src/lib/util/string.c -+++ b/src/lib/util/string.c -@@ -272,17 +272,21 @@ string_replace_position(char *str, size_t start, size_t end, const char *with) - } - - void --string_remove_line(char *str, size_t inner_position) 
-+string_remove_line(char *beginning, char *str, size_t inner_position) - { - char *left; - -- for (left = str + inner_position; left != str; left--) { -+ /* str may not be the beginning of the line so we need to refer -+ * to iterate until we reach the beginning */ -+ for (left = str + inner_position; left != beginning; left--) { - if (*(left - 1) == '\n') { - break; - } - } - -- for (; *left != '\0'; left++) { -+ /* Remove the whole line that is in front of our string and then iterate -+ * to the line end or string end. */ -+ for (; left < str || *left != '\0'; left++) { - if (*left == '\n') { - *left = '\0'; - break; -diff --git a/src/lib/util/string.h b/src/lib/util/string.h -index e550d853d3fa0699909b84cc9febdae9d5884b9f..724460e771389ac3c015806111d6052ffbfa7566 100644 ---- a/src/lib/util/string.h -+++ b/src/lib/util/string.h -@@ -142,11 +142,12 @@ string_replace_position(char *str, size_t start, size_t end, const char *with); - * When all replacements are done, call @string_replace_shake() to create - * the final string. - * -+ * @param beginning Pointer to the left most character of the string. - * @param str Destination string. - * @param inner_position Position inside the line the will be removed. - */ - void --string_remove_line(char *str, size_t inner_position); -+string_remove_line(char *beginning, char *str, size_t inner_position); - - /** - * Remove string from @from (including) to @to (excluding). 
-diff --git a/src/lib/util/template.c b/src/lib/util/template.c -index f86a26a8344f1c140861f1572b74614604624dd5..12324aa9c16b500f481739a46652f65f98863fed 100644 ---- a/src/lib/util/template.c -+++ b/src/lib/util/template.c -@@ -211,6 +211,7 @@ template_match_get_values(const char *match_string, - - static errno_t - template_match_replace(char ***features, -+ char *beginning, - char *match_string, - regmatch_t *match, - enum template_operator op, -@@ -231,7 +232,7 @@ template_match_replace(char ***features, - switch (op) { - case OP_CONTINUE: - if (enabled) { -- string_remove_line(match_string, match->rm_so); -+ string_remove_line(beginning, match_string, match->rm_so); - break; - } - -@@ -239,7 +240,7 @@ template_match_replace(char ***features, - break; - case OP_STOP: - if (!enabled) { -- string_remove_line(match_string, match->rm_so); -+ string_remove_line(beginning, match_string, match->rm_so); - break; - } - -@@ -251,7 +252,7 @@ template_match_replace(char ***features, - break; - } - -- string_remove_line(match_string, match->rm_so); -+ string_remove_line(beginning, match_string, match->rm_so); - break; - case OP_EXCLUDE: - if (!enabled) { -@@ -259,7 +260,7 @@ template_match_replace(char ***features, - break; - } - -- string_remove_line(match_string, match->rm_so); -+ string_remove_line(beginning, match_string, match->rm_so); - break; - case OP_IMPLY: - if (enabled) { -@@ -269,7 +270,7 @@ template_match_replace(char ***features, - } - } - -- string_remove_line(match_string, match->rm_so); -+ string_remove_line(beginning, match_string, match->rm_so); - break; - case OP_IF: - replacement = enabled ? 
if_true : if_false; -@@ -460,8 +461,9 @@ template_process_operators(const char **features, - goto done; - } - -- ret = template_match_replace(&features_copy, match_string, &m[0], op, -- expression, if_true, if_false, value); -+ ret = template_match_replace(&features_copy, content, match_string, -+ &m[0], op, expression, -+ if_true, if_false, value); - - if (expression != NULL) { - free(expression); -diff --git a/src/tests/test_util_template.c b/src/tests/test_util_template.c -index 90327ea68d0e09df98befde4835e90350f0c6238..fac3f4c94e3553c71ee538a5725fb0a734f89382 100644 ---- a/src/tests/test_util_template.c -+++ b/src/tests/test_util_template.c -@@ -269,6 +269,86 @@ void test_template_imply_if(void **state) - free(result); - } - -+void test_template_if_and_include__true(void **state) -+{ -+ const char *myfeatures[] = { -+ "true", -+ NULL -+ }; -+ -+ const char *template = -+ "L1 {if \"f1\":T1|T2} T3 {include if \"true\"} \n" -+ "L2 \n" -+ ""; -+ const char *expected = -+ "L1 T2 T3\n" -+ "L2\n" -+ ""; -+ -+ char *result = template_generate(template, myfeatures); -+ assert_string_equal(expected, result); -+ free(result); -+} -+ -+void test_template_if_and_include__false(void **state) -+{ -+ const char *myfeatures[] = { -+ NULL -+ }; -+ -+ const char *template = -+ "L1 {if \"f1\":T1|T2} T3 {include if \"true\"} \n" -+ "L2 \n" -+ ""; -+ const char *expected = -+ "L2\n" -+ ""; -+ -+ char *result = template_generate(template, myfeatures); -+ assert_string_equal(expected, result); -+ free(result); -+} -+ -+void test_template_if_and_exclude__true(void **state) -+{ -+ const char *myfeatures[] = { -+ "true", -+ NULL -+ }; -+ -+ const char *template = -+ "L1 {if \"f1\":T1|T2} T3 {exclude if \"true\"} \n" -+ "L2 \n" -+ ""; -+ const char *expected = -+ "L2\n" -+ ""; -+ -+ char *result = template_generate(template, myfeatures); -+ assert_string_equal(expected, result); -+ free(result); -+} -+ -+void test_template_if_and_exclude__false(void **state) -+{ -+ const char 
*myfeatures[] = { -+ NULL -+ }; -+ -+ const char *template = -+ "L1 {if \"f1\":T1|T2} T3 {exclude if \"true\"} \n" -+ "L2 \n" -+ ""; -+ const char *expected = -+ "L1 T2 T3\n" -+ "L2\n" -+ ""; -+ -+ char *result = template_generate(template, myfeatures); -+ assert_string_equal(expected, result); -+ free(result); -+} -+ - int main(int argc, const char *argv[]) - { - -@@ -281,6 +361,10 @@ int main(int argc, const char *argv[]) - cmocka_unit_test(test_template_continue_if), - cmocka_unit_test(test_template_list_features), - cmocka_unit_test(test_template_imply_if), -+ cmocka_unit_test(test_template_if_and_include__true), -+ cmocka_unit_test(test_template_if_and_include__false), -+ cmocka_unit_test(test_template_if_and_exclude__true), -+ cmocka_unit_test(test_template_if_and_exclude__false), - }; - - return cmocka_run_group_tests(tests, NULL, NULL); --- -2.25.4 - diff --git a/0002-profiles-add-support-for-resolved.patch b/0002-profiles-add-support-for-resolved.patch deleted file mode 100644 index 56b2b7c..0000000 --- a/0002-profiles-add-support-for-resolved.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From eb4ef2c111b3b439bda66cc0ac8764343e9d6d6f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Mon, 20 Jul 2020 11:36:14 +0200 -Subject: [PATCH 2/2] profiles: add support for resolved - -Resolved is enabled by default since Fedora 33 so we need to reflect -this change in our profiles. - -It should be OK to enabled it unconditionaly. The module is part of -systemd so it basically can not be uninstalled and it can be safely -disabled through `systemctl disable --now systemd-resolved.service`. - -Resolves: -https://github.com/authselect/authselect/issues/221 ---- - profiles/minimal/nsswitch.conf | 2 +- - profiles/nis/nsswitch.conf | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf -index a39e4d32ebf79e8bf05f2db5753b01596222dc35..7df28821dbb03eaf986660a016a48051eb91d092 100644 ---- a/profiles/minimal/nsswitch.conf -+++ b/profiles/minimal/nsswitch.conf -@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom - automount: files {exclude if "with-custom-automount"} - ethers: files {exclude if "with-custom-ethers"} - group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"} --hosts: files dns myhostname {exclude if "with-custom-hosts"} -+hosts: resolve [!UNAVAIL=return] myhostname files dns {exclude if "with-custom-hosts"} - initgroups: files {exclude if "with-custom-initgroups"} - netgroup: files {exclude if "with-custom-netgroup"} - networks: files {exclude if "with-custom-networks"} -diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf -index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..1aaa2d99eb004851eb2413e7722d971d2e3bc7eb 100644 ---- a/profiles/nis/nsswitch.conf -+++ b/profiles/nis/nsswitch.conf -@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"} - automount: files nis {exclude if "with-custom-automount"} - ethers: files nis {exclude if "with-custom-ethers"} - group: files nis 
systemd {exclude if "with-custom-group"}
--hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
-+hosts: resolve [!UNAVAIL=return] myhostname files dns {exclude if "with-custom-hosts"}
- initgroups: files nis {exclude if "with-custom-initgroups"}
- netgroup: files nis {exclude if "with-custom-netgroup"}
- networks: files nis {exclude if "with-custom-networks"}
--- 
-2.25.4
-
diff --git a/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch b/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
new file mode 100644
index 0000000..007679c
--- /dev/null
+++ b/9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
@@ -0,0 +1,25 @@
+From 2e2a7143cbfa719905cb130a5e67313c65bf3b65 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 30 Oct 2018 14:08:12 +0100
+Subject: [PATCH 1/3] rhel9: remove mention of Fedora Change page in compat
+ tool
+
+---
+ src/compat/authcompat.py.in.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index f879e08eb94e9620dfc28f245b0ea5815df7e4f2..e4b8c05c6a11a215529ba66f8b36b72a6ac18448 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -468,7 +468,6 @@ class AuthCompat:
+ "It does not provide all capabilities of authconfig.\n"))
+ print(_("IMPORTANT: authconfig is replaced by authselect, "
+ "please update your scripts."))
+- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
+ print(_("See man authselect-migration(7) to help you with migration to authselect"))
+ 
+ options = self.options.getSetButUnsupported()
+-- 
+2.29.2
+
diff --git a/9002-rhel9-remove-ecryptfs-support.patch b/9002-rhel9-remove-ecryptfs-support.patch
new file mode 100644
index 0000000..9a43bca
--- /dev/null
+++ b/9002-rhel9-remove-ecryptfs-support.patch
@@ -0,0 +1,283 @@
+From 6de7d2e033d67f23b33620a2b80f5a6c106bd6f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 10 Jun 2019 10:53:15 +0200
+Subject: [PATCH 2/3] rhel9: remove ecryptfs support
+
+---
+ profiles/nis/README | 3 ---
+ profiles/nis/fingerprint-auth | 1 -
+ profiles/nis/password-auth | 1 -
+ profiles/nis/postlogin | 4 ----
+ profiles/nis/system-auth | 1 -
+ profiles/sssd/README | 3 ---
+ profiles/sssd/fingerprint-auth | 1 -
+ profiles/sssd/password-auth | 1 -
+ profiles/sssd/postlogin | 4 ----
+ profiles/sssd/smartcard-auth | 1 -
+ profiles/sssd/system-auth | 1 -
+ profiles/winbind/README | 3 ---
+ profiles/winbind/fingerprint-auth | 1 -
+ profiles/winbind/password-auth | 1 -
+ profiles/winbind/postlogin | 4 ----
+ profiles/winbind/system-auth | 1 -
+ src/compat/authcompat.py.in.in | 1 -
+ src/compat/authcompat_Options.py | 2 +-
+ src/man/authselect-migration.7.adoc | 5 ++---
+ 19 files changed, 3 insertions(+), 36 deletions(-)
+
+diff --git a/profiles/nis/README b/profiles/nis/README
+index 5dbb9b49fb7708ef3b073aff7e1883e3f9a0bd06..cac3428bf844b0a9d251015988583f4c1b15c3c9 100644
+--- a/profiles/nis/README
++++ b/profiles/nis/README
+@@ -21,9 +21,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+ 
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+ 
+diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
+index 756993cf1b2095f505208df19dd739dcaed1af31..eebec6d0d6edeae6a3eb224f0ff284016b0fc642 100644
+--- a/profiles/nis/fingerprint-auth
++++ b/profiles/nis/fingerprint-auth
+@@ -13,7 +13,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
+index 7997ea8de61ad6392ed01c39727f70253b5cc0ca..9a8ae9cde644a4ac981f4b9553af2f0f428bfebb 100644
+--- a/profiles/nis/password-auth
++++ b/profiles/nis/password-auth
+@@ -17,7 +17,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/nis/postlogin
++++ b/profiles/nis/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
+index 057b31e074f29c46b492fa310a954e281631800e..2e7462983d35e4a2f5cef8151ed53baaf7e5c790 100644
+--- a/profiles/nis/system-auth
++++ b/profiles/nis/system-auth
+@@ -18,7 +18,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index 95ef5dc785ed0530122837b5e08d03590ed1ada5..ac063e8d065d0488279dc2381bdd7f8ac361bfcb 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -40,9 +40,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+ 
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-smartcard::
+ Enable authentication with smartcards through SSSD. Please note that
+ smartcard support must be also explicitly enabled within
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index fe3cac7a976845017d034ac1158a38f889926ce8..ad0a95440ebd006ff88264177598c77afc472dda 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -18,7 +18,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
+index d6953428cca7d6518f63c3fdbaabc4746c35f91b..6d87cbe0a805bf5d3ab2a6192d570b9e5c6dc143 100644
+--- a/profiles/sssd/password-auth
++++ b/profiles/sssd/password-auth
+@@ -27,7 +27,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/sssd/postlogin
++++ b/profiles/sssd/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
+index 230269c42508a50ad5b4677ab6514b9afe4d5fbf..874ffaca1b2c15c81adc4ca130c15834154bdc0e 100644
+--- a/profiles/sssd/smartcard-auth
++++ b/profiles/sssd/smartcard-auth
+@@ -16,7 +16,6 @@ account required pam_permit.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
+index 6f914ea91eb7782d60959ced56112f9cc1365347..dfc53b4ce55a0d575dc4fe68004a846f43360ccc 100644
+--- a/profiles/sssd/system-auth
++++ b/profiles/sssd/system-auth
+@@ -32,7 +32,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/README b/profiles/winbind/README
+index 40a1a459355d2ee8ab98e31d2868cb24261e2c17..0e80bb697f8050ac8eb3c78d4f41945b9bcbba29 100644
+--- a/profiles/winbind/README
++++ b/profiles/winbind/README
+@@ -33,9 +33,6 @@ with-mkhomedir::
+ Enable automatic creation of home directories for users on their
+ first login.
+ 
+-with-ecryptfs::
+- Enable automatic per-user ecryptfs.
+-
+ with-fingerprint::
+ Enable authentication with fingerprint reader through *pam_fprintd*.
+ 
+diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
+index c4b8261ca45d4f6b9eda03ea96850bb32d605d30..6262549af2ca8aed540e7a7e1d97e0ba3b2ef088 100644
+--- a/profiles/winbind/fingerprint-auth
++++ b/profiles/winbind/fingerprint-auth
+@@ -17,7 +17,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
+index bbeca057d49102889e3eeee040ea256dbd751eef..aef4d5ce6a6ec9496deabc1010cde0370a3ecba7 100644
+--- a/profiles/winbind/password-auth
++++ b/profiles/winbind/password-auth
+@@ -24,7 +24,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
+index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
+--- a/profiles/winbind/postlogin
++++ b/profiles/winbind/postlogin
+@@ -1,7 +1,3 @@
+-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+-
+ session optional pam_umask.so silent
+ session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+ session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
+diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
+index 8e6026b782f8bd7e64632a9acedf304bd95f29e1..e4bdd0bf1c315c86cc8064625b80161baa5c455f 100644
+--- a/profiles/winbind/system-auth
++++ b/profiles/winbind/system-auth
+@@ -25,7 +25,6 @@ password required pam_deny.so
+ 
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
+ -session optional pam_systemd.so
+ session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
+ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index e4b8c05c6a11a215529ba66f8b36b72a6ac18448..4e39b7ec66d0e2ba911c7280467ba78fd29c196c 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -520,7 +520,6 @@ class AuthCompat:
+ 'smartcard' : 'with-smartcard',
+ 'requiresmartcard' : 'with-smartcard-required',
+ 'fingerprint' : 'with-fingerprint',
+- 'ecryptfs' : 'with-ecryptfs',
+ 'mkhomedir' : 'with-mkhomedir',
+ 'faillock' : 'with-faillock',
+ 'pamaccess' : 'with-pamaccess',
+diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
+index c8f52ab6773c4cd5371f32121dba8053f3443261..433a3340bac29739174e78928701214c08ec6f3c 100644
+--- a/src/compat/authcompat_Options.py
++++ b/src/compat/authcompat_Options.py
+@@ -93,7 +93,6 @@ class Options:
+ Option.Valued ("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
+ Option.Feature("requiresmartcard",_("require smart card for authentication by default")),
+ Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
+- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
+ Option.Feature("krb5", _("Kerberos authentication by default")),
+ Option.Valued ("krb5kdc", _(""), _("default Kerberos KDC")),
+ Option.Valued ("krb5adminserver", _(""), _("default Kerberos admin server")),
+@@ -141,6 +140,7 @@ class Options:
+ # layers and will produce warning when used. They will not affect
+ # the system.
+ Option.UnsupportedFeature("cache"),
++ Option.UnsupportedFeature("ecryptfs"),
+ Option.UnsupportedFeature("shadow"),
+ Option.UnsupportedSwitch ("useshadow"),
+ Option.UnsupportedFeature("md5"),
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 35ba484d576ab8a3d923a124f6b1577085deedd4..a27af036738274d8d392f7fe1f7d59c89e9c4ffb 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -80,7 +80,6 @@ configuration file for required services.
+ |*Authconfig options* |*Authselect profile feature*
+ |--enablesmartcard |with-smartcard
+ |--enablefingerprint |with-fingerprint
+-|--enableecryptfs |with-ecryptfs
+ |--enablemkhomedir |with-mkhomedir
+ |--enablefaillock |with-faillock
+ |--enablepamaccess |with-pamaccess
+@@ -95,8 +94,8 @@ authselect select sssd with-faillock
+ authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
+ authselect select sssd with-smartcard
+ 
+-authconfig --enableecryptfs --enablepamaccess --updateall
+-authselect select sssd with-ecryptfs with-pamaccess
++authconfig --enablepamaccess --updateall
++authselect select sssd with-pamaccess
+ 
+ authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
+ realm join -U Administrator --client-software=winbind WINBINDDOMAIN
+-- 
+2.29.2
+
diff --git a/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch b/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch
new file mode 100644
index 0000000..1d8c8fa
--- /dev/null
+++ b/9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch
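Review bot: The patch drops `with-ecryptfs` from every profile README and stack, but nothing here handles hosts that already have that feature stored in their authselect configuration; if authselect validates requested features against the profile (I cannot confirm that from this hunk), `authselect apply-changes` will start failing on those hosts after the update, and if it does not, the feature silently becomes a no-op now that `pam_ecryptfs.so` is gone from the templates. The authconfig-compat path is covered by the new `Option.UnsupportedFeature("ecryptfs")` in `authcompat_Options.py`, so the gap is only the native configuration. I would add a short paragraph to `authselect-migration.7.adoc`, where only the table row and example are removed, such as `with-ecryptfs is no longer available; remove it from the selected features before running authselect apply-changes`, and consider a one-off cleanup in the spec's post-install scriptlet (outside this hunk) that strips the feature from the stored selection.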
@@ -0,0 +1,58 @@
+From 9fc2d8061c811c4522484f4cb62a2025fe9282b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 18 Feb 2021 13:38:53 +0100
+Subject: [PATCH 3/3] rhel9: sssd: default to files first for users and groups
+
+The passwd and group databases will now default to files first.
+The order "sss files" can be enabled with "with-files-provider"
+feature.
+---
+ profiles/sssd/README | 5 +++++
+ profiles/sssd/REQUIREMENTS | 4 ++++
+ profiles/sssd/nsswitch.conf | 4 ++--
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/sssd/README b/profiles/sssd/README
+index ac063e8d065d0488279dc2381bdd7f8ac361bfcb..699d490b90710a53c3959f196b9ef435149a4bd0 100644
+--- a/profiles/sssd/README
++++ b/profiles/sssd/README
+@@ -76,6 +76,11 @@ with-sudo::
+ with-pamaccess::
+ Check access.conf during account authorization.
+
++with-files-domain::
++ If set, SSSD will be contacted before "files" when resolving users and
++ groups. The order in nsswitch.conf will be set to "sss files" instead of
++ "files sss" for passwd and group maps.
++
+ with-files-access-provider::
+ If set, account management for local users is handled also by pam_sss. This
+ is needed if there is an explicitly configured domain with id_provider=files
+diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
+index cbffac54bbd2598c2a53cd3014ebeb271dad9c57..ba3b3bd0fa143c3cc74d00faaf6ff94a2b4aaf84 100644
+--- a/profiles/sssd/REQUIREMENTS
++++ b/profiles/sssd/REQUIREMENTS
+@@ -14,3 +14,7 @@ Make sure that SSSD service is configured and enabled.
See SSSD documentation fo
+ - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module {include if "with-mkhomedir"}
+ is present and oddjobd service is enabled and active {include if "with-mkhomedir"}
+ - systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
++ {include if "with-files-domain"}
++- with-files-domain is selected, make sure the files provider is enabled in SSSD {include if "with-files-domain"}
++ - set enable_files_domain=true in [sssd] section of /etc/sssd/sssd.conf {include if "with-files-domain"}
++ - or create a custom domain with id_provider=files {include if "with-files-domain"}
+\ No newline at end of file
+diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
+index 9734bbbe68e7cf73a4a560e3573162d353e551e8..91c9fe9ef60fde07d55269247c885db0f738c776 100644
+--- a/profiles/sssd/nsswitch.conf
++++ b/profiles/sssd/nsswitch.conf
+@@ -1,5 +1,5 @@
+-passwd: sss files systemd {exclude if "with-custom-passwd"}
+-group: sss files systemd {exclude if "with-custom-group"}
++passwd: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-passwd"}
++group: {if "with-files-domain":sss files|files sss} systemd {exclude if "with-custom-group"}
+ netgroup: sss files {exclude if "with-custom-netgroup"}
+ automount: sss files {exclude if "with-custom-automount"}
+ services: sss files {exclude if "with-custom-services"}
+--
+2.29.2
+
diff --git a/authselect.spec b/authselect.spec
index a4c0051..f26faa5 100644
--- a/authselect.spec
+++ b/authselect.spec
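Review bot: The patch description says the "sss files" order is enabled by the "with-files-provider" feature, but every file the patch touches — the README entry, the `{include if "with-files-domain"}` lines in REQUIREMENTS and the `{if "with-files-domain":sss files|files sss}` expressions in nsswitch.conf — names the feature `with-files-domain`; the description should use the name the profile actually evaluates, since downstream changelogs and users will look for it. The new README paragraph states the resulting order but not its effect on resolution: glibc NSS by default stops at the first source that returns an entry, so with the new `files sss` default a user or group present in the local files resolves there and an SSSD entry of the same name is not consulted, which is the property an administrator needs when weighing this default against `with-files-access-provider`; I would append `Without this feature a local entry in /etc/passwd or /etc/group takes precedence over an SSSD entry of the same name.` to the with-files-domain paragraph. The REQUIREMENTS hunk ends with `\ No newline at end of file`, so the next addition to that file will show the last `{include if "with-files-domain"}` line as modified; terminating it with a newline avoids that.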
@@ -3,13 +3,23 @@ Name: authselect
Version: 1.2.2
-Release: 2%{?dist}
+Release: 6%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+Patch0001: 0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch
+Patch0002: 0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
+
+### Downstream Patches ###
+%if 0%{?rhel}
+Patch9001: 9001-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
+Patch9002: 9002-rhel9-remove-ecryptfs-support.patch
+Patch9003: 9003-rhel9-sssd-default-to-files-first-for-users-and-grou.patch
+%endif
+
%global makedir %{_builddir}/%{name}-%{version}
BuildRequires: autoconf
@@ -148,6 +158,8 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
+%{_datadir}/authselect/default/minimal/dconf-db
+%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
@@ -290,6 +302,19 @@ exit 0
exit 0
%changelog
+* Tue Mar 09 2021 Benjamin Berg - 1.2.2-6
+- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
+ Resolves: #1935331
+
+* Thu Mar 4 2021 Pavel Březina - 1.2.2-5
+- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
+
+* Wed Feb 24 2021 Pavel Březina - 1.2.2-4
+- Prepare authselect for RHEL-9, add downstream-only patches that will be synced
+
+* Fri Feb 19 2021 Pavel Březina - 1.2.2-3
+- Add RHEL9 only patch
+
* Tue Jan 26 2021 Fedora Release Engineering - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
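Review bot: Both upstream patch files are declared with the same `0001-` git-format-patch prefix (`Patch0001: 0001-minimal-…` and `Patch0002: 0001-fingerprint-…`), so the file names claim the same position in a series and only the Patch tags fix the application order; renaming the second file to `0002-fingerprint-Retain-error-code-returned-by-pam_fprint.patch` keeps name and tag in agreement, as the 9001–9003 files below already do. The downstream patches are wrapped in `%if 0%{?rhel}`, but the %prep section is outside this hunk: if it applies patches with explicit `%patch` lines rather than `%autosetup`, those lines need the same conditional or a Fedora build will reference the undefined Patch9001–Patch9003 tags. A comment above the block such as `# Downstream-only patches: kept inside %if 0%{?rhel} so Fedora builds do not apply them` would make the intent explicit for whoever next edits the patch list.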
@@ -393,7 +418,7 @@ exit 0
* Tue Feb 20 2018 Igor Gnatenko - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
-- Remove deprecated Group tag
+- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets