Compare commits

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

28 changed files with 6702 additions and 29287 deletions

24
.gitignore vendored

@ -1 +1,23 @@
SOURCES/authselect-1.2.6.tar.gz
/0.1-alpha.tar.gz
/0.1.tar.gz
/authselect-0.2.tar.gz
/authselect-0.3.tar.gz
/authselect-0.3.1.tar.gz
/authselect-0.3.2.tar.gz
/authselect-0.4.tar.gz
/authselect-1.0.tar.gz
/authselect-1.0.1.tar.gz
/authselect-1.0.2.tar.gz
/authselect-1.0.3.tar.gz
/authselect-1.1.tar.gz
/authselect-1.2.tar.gz
/authselect-1.2.1.tar.gz
/authselect-1.2.2.tar.gz
/authselect-1.2.3.tar.gz
/authselect-1.2.4.tar.gz
/authselect-1.3.0.tar.gz
/authselect-1.4.0.tar.gz
/authselect-1.4.1.tar.gz
/authselect-1.4.2.tar.gz
/authselect-1.4.3.tar.gz
/authselect-1.5.0.tar.gz


@ -0,0 +1,101 @@
From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 21 Feb 2024 14:27:49 +0100
Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
This is still needed to support .k5login file with proxy domain. For
example:
```
[domain/proxy]
id_provider = proxy
proxy_lib_name = files
access_provider = krb5
auth_provider = krb5
krb5_server = kdc.test
krb5_realm = TEST
```
---
profiles/sssd/README | 10 ++++++++++
profiles/sssd/fingerprint-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/smartcard-auth | 2 +-
profiles/sssd/system-auth | 2 +-
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -89,6 +89,16 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
+with-files-access-provider:: If set, account management for local users is
+ handled also by pam_sss. This can be used to support SSSD's proxy domain
+ that is configured to serve users from local files but provide
+ authentication and access management (.k5login file) via Kerberos.
+
+ *WARNING:* SSSD access check will become mandatory for local users and
+ if SSSD is stopped then local users will not be able to log in. Only
+ system accounts (as defined by pam_usertype, including root) will be
+ able to log in.
+
with-gssapi::
If set, pam_sss_gss module is enabled to perform user authentication over
GSSAPI.
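Review bot: the `with-files-access-provider::` entry starts its description on the same line as the term, while the neighbouring entries (`with-mdns6::`, `with-gssapi::`) put the description on the line after the term; move "If set, account management ..." to its own line so the labeled list stays consistent. The WARNING paragraph should stay directly under this entry, since it is the only place that tells an administrator that a stopped SSSD locks out every local non-system user once the feature is on.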
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
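Review bot: with `pam_localuser.so` excluded, a local user for whom `pam_sss.so` returns user_unknown still passes, because the `pam_sss.so` line two lines below carries `user_unknown=ignore` and the stack ends in `pam_permit.so`. The feature therefore enforces the SSSD access check only for local users that an SSSD domain actually serves (such as the proxy domain in the commit message). If that is the intent, the README sentence "SSSD access check will become mandatory for local users" should say so. The same applies to the identical change in password-auth, smartcard-auth and system-auth.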
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -18,7 +18,7 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -25,7 +25,7 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
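Review bot: `pam_systemd_home.so` is `sufficient` and sits above the changed `pam_localuser.so` line, so with both `with-systemd-homed` and `with-files-access-provider` selected, an account it accepts ends the account stack before `pam_sss.so` is consulted. The README entry should state how the two features interact, or that the combination is not supported; password-auth has the same ordering.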
--
2.42.0


@ -0,0 +1,217 @@
From d498f7aa562cf41e0999f7733664c27fa62bcf7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 11:54:44 +0100
Subject: [PATCH 02/11] spec: modify specfile for Fedora 40 and RHEL 10 as
minimal version
- conditionals that are no longer used are removed
- upgrade path is removed
- this was already triggered in Fedora 38, so it is no longer useful
- RHEL is updated to authselect with leapp when going from 7 to 8
we don't want to touch existing configurations
---
rpm/authselect.spec.in | 102 ++---------------------------------------
1 file changed, 3 insertions(+), 99 deletions(-)
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 24ce4e603208ce26eb228bbee565c868428a2af1..e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -12,20 +12,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10
-%global with_compat 0
-%else
-%global with_compat 1
-%endif
-
-%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10
-%global with_user_nsswitch 0
-%global enforce_authselect 1
-%else
-%global with_user_nsswitch 1
-%global enforce_authselect 0
-%endif
-
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
@@ -43,21 +29,14 @@ BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
-%if %{with_compat}
-BuildRequires: python3-devel
-%endif
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
-%if !%{with_compat}
# Properly obsolete removed authselect-compat package.
-Obsoletes: authselect-compat < 1.2.4
-# Inherited from former authselect-compat package.
-Obsoletes: authconfig < 7.0.1-6
-%endif
+Obsoletes: authselect-compat < 1.3
%description
Authselect is designed to be a replacement for authconfig but it takes
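Review bot: `Obsoletes: authconfig < 7.0.1-6` is removed along with the `%if !%{with_compat}` guard, and the `authselect-compat` bound moves from `< 1.2.4` to `< 1.3`, but the commit message explains neither. The surviving comment "Properly obsolete removed authselect-compat package." covers only one of the two; add a line to the commit message (or the spec comment) saying why the authconfig obsolete is no longer needed and why the bound changed.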
@@ -74,14 +53,6 @@ Summary: Utility library used by the authselect tool
Requires: coreutils
Requires: sed
Suggests: systemd
-%if %{enforce_authselect}
-# authselect now owns nsswitch.conf (glibc) and pam files
-Conflicts: pam < 1.5.2-8
-Conflicts: glibc < 2.34.9000-27
-# systemd, nss-mdns no longer contains nsswitch.conf scriptlets
-Conflicts: systemd < 249.7-4
-Conflicts: nss-mdns < 0.15.1-3
-%endif
%description libs
Common library files for authselect. This package is used by the authselect
@@ -95,25 +66,6 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
-%if %{with_compat}
-%package compat
-Summary: Tool to provide minimum backwards compatibility with authconfig
-Obsoletes: authconfig < 7.0.1-6
-Provides: authconfig
-Requires: authselect%{?_isa} = %{version}-%{release}
-Recommends: oddjob-mkhomedir
-Suggests: sssd
-Suggests: realmd
-Suggests: samba-winbind
-
-%description compat
-This package will replace %{_sbindir}/authconfig with a tool that will
-translate some of the authconfig calls into authselect calls. It provides
-only minimum backward compatibility and users are encouraged to migrate
-to authselect completely.
-%endif
-
-
%prep
%setup -q
@@ -123,16 +75,7 @@ done
%build
autoreconf -if
-%configure \
-%if %{with_compat}
- --with-pythonbin="%{__python3}" \
- --with-compat \
-%endif
-%if %{with_user_nsswitch}
- --with-user-nsswitch \
-%endif
- %{nil}
-
+%configure
%make_build
%check
@@ -168,20 +111,14 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
-%if %{enforce_authselect}
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
-%endif
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
-%if %{with_user_nsswitch}
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
-%endif
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
@@ -241,12 +178,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
-%if %{with_compat}
-%files compat
-%{_sbindir}/authconfig
-%{python3_sitelib}/authselect/
-%endif
-
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
@@ -265,47 +196,21 @@ if [ $1 == 0 ] ; then
fi
%pre libs
-%if %{enforce_authselect}
# Check if this is a new installation.
%__rm -f %{forcefile}
if [ $1 -eq 1 ] ; then
touch %{forcefile}
fi
-
-# Check if we are upgrading from older version then authselect-1.3.0
-# The version command is not available on earlier versions
-if [ $1 -gt 1 ] ; then
- %{_bindir}/authselect check &> /dev/null
- if [ $? -ne 0 ]; then
- %{_bindir}/authselect version &> /dev/null
- if [ $? -ne 0 ]; then
- touch %{forcefile}
- fi
- fi
-fi
-%endif
-
exit 0
%posttrans libs
-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
-%if %{with_user_nsswitch}
-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
- %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
- touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
-fi
-%endif
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
-%if %{with_user_nsswitch}
- %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-%else
%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-%endif
done
fi
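Review bot: the `%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g'` line, which this hunk leaves as the only branch in the ostree loop, passes `-ie`; GNU sed reads that as `-i` with backup suffix `e`, so every run leaves a stray `nsswitch.confe` next to the vendor profile's `nsswitch.conf`. Use `-i -e` (or plain `-i`). Since the line is being touched by the removal of the surrounding `%if`/`%else`/`%endif`, this is a good place to fix it.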
@@ -314,8 +219,7 @@ if [ $? -eq 6 ]; then
NOBACKUP="--nobackup"
fi
-# If we are upgrading from pre authselect-1.3.0 or this is a new installation
-# select the default configuration.
+# If this is a new installation select the default configuration.
if [ -f %{forcefile} ]; then
%{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
%__rm -f %{forcefile}
--
2.42.0


@ -0,0 +1,471 @@
From 4485f4686c285310b2a11ac545e88e3acef870ea Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Tue, 20 Feb 2024 21:36:02 +0100
Subject: [PATCH 03/11] po: update translations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(Finnish) currently translated at 100.0% (349 of 349 strings)
Translation: authselect/master
Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/fi/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
po: update translations
(Turkish) currently translated at 100.0% (349 of 349 strings)
Translation: authselect/master
Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-application/tr/
Co-authored-by: Jan Kuparinen <copper_fin@hotmail.com>
Co-authored-by: Oğuz Ersen <oguz@ersen.moe>
Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/authselect/master-authselect8adoc/
Translation: authselect/master-authselect.8.adoc
---
po/fi.po | 11 +++++------
po/tr.po | 12 ++++++------
src/man/po/authselect.8.adoc.ca.po | 2 +-
src/man/po/authselect.8.adoc.cs.po | 2 +-
src/man/po/authselect.8.adoc.de.po | 2 +-
src/man/po/authselect.8.adoc.es.po | 2 +-
src/man/po/authselect.8.adoc.fa.po | 2 +-
src/man/po/authselect.8.adoc.fi.po | 2 +-
src/man/po/authselect.8.adoc.fr.po | 2 +-
src/man/po/authselect.8.adoc.hu.po | 2 +-
src/man/po/authselect.8.adoc.it.po | 2 +-
src/man/po/authselect.8.adoc.ja.po | 2 +-
src/man/po/authselect.8.adoc.ko.po | 2 +-
src/man/po/authselect.8.adoc.nl.po | 2 +-
src/man/po/authselect.8.adoc.pl.po | 2 +-
src/man/po/authselect.8.adoc.pt.po | 2 +-
src/man/po/authselect.8.adoc.pt_BR.po | 2 +-
src/man/po/authselect.8.adoc.ru.po | 2 +-
src/man/po/authselect.8.adoc.si.po | 2 +-
src/man/po/authselect.8.adoc.sv.po | 2 +-
src/man/po/authselect.8.adoc.tr.po | 2 +-
src/man/po/authselect.8.adoc.uk.po | 2 +-
src/man/po/authselect.8.adoc.zh_CN.po | 16 +++++++---------
src/man/po/authselect.8.adoc.zh_TW.po | 2 +-
24 files changed, 39 insertions(+), 42 deletions(-)
diff --git a/po/fi.po b/po/fi.po
index 63f52ad6a8cd85d6f5c06b0a57d194ac94268206..12c84ea64ed09176d2e08e0d02aa47278540758f 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -1,14 +1,14 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR Red Hat, Inc.
# This file is distributed under the same license as the authselect package.
-# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022.
+# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2024.
# Ricky Tigg <ricky.tigg@gmail.com>, 2022.
msgid ""
msgstr ""
"Project-Id-Version: authselect 1.2.2\n"
"Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n"
"POT-Creation-Date: 2023-09-27 13:03+0200\n"
-"PO-Revision-Date: 2022-05-23 17:18+0000\n"
+"PO-Revision-Date: 2024-02-20 20:36+0000\n"
"Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/"
"authselect/master-application/fi/>\n"
@@ -17,7 +17,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.12.2\n"
+"X-Generator: Weblate 5.4\n"
#: src/lib/authselect.c:47 src/lib/authselect.c:188
msgid "Unable to obtain supported features"
@@ -671,10 +671,9 @@ msgid "Unable to chown file [%s] [%d]: %s"
msgstr "Ei pysty ajamaan chmod tiedostolle [%s] [%d]: %s"
#: src/lib/util/selinux.c:46
-#, fuzzy, c-format
-#| msgid "Unable to create selabel context [%d]: %s"
+#, c-format
msgid "Unable to create selabel handle [%d]: %s"
-msgstr "Selabel-kontekstia [%d] ei voida luoda: %s"
+msgstr "Selabel-kahvaa [%d] ei voida luoda: %s"
#: src/lib/util/selinux.c:55
#, c-format
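Review bot: the context at the top of this hunk pairs msgid "Unable to chown file [%s] [%d]: %s" with a Finnish msgstr that says `chmod`, which describes a different operation in an error message an administrator will read while debugging file ownership. It looks carried over from the neighbouring chmod string; correct it to `chown` in the same Weblate pass that clears the `fuzzy` flag on the selabel string.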
diff --git a/po/tr.po b/po/tr.po
index 546e09bcb7457a44b43965dc222328cbdfe6f94d..8799903c5c18c48972d6faf464f5ee256460729a 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -3,13 +3,14 @@
# This file is distributed under the same license as the authselect package.
# Oğuz Ersen <oguzersen@protonmail.com>, 2020, 2021.
# Anonymous <noreply@weblate.org>, 2020.
+# Oğuz Ersen <oguz@ersen.moe>, 2024.
msgid ""
msgstr ""
"Project-Id-Version: authselect 1.1\n"
"Report-Msgid-Bugs-To: https://github.com/authselect/authselect\n"
"POT-Creation-Date: 2023-09-27 13:03+0200\n"
-"PO-Revision-Date: 2021-12-10 17:16+0000\n"
-"Last-Translator: Oğuz Ersen <oguzersen@protonmail.com>\n"
+"PO-Revision-Date: 2024-01-29 17:36+0000\n"
+"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
"Language-Team: Turkish <https://translate.fedoraproject.org/projects/"
"authselect/master-application/tr/>\n"
"Language: tr\n"
@@ -17,7 +18,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.9.1\n"
+"X-Generator: Weblate 5.3.1\n"
#: src/lib/authselect.c:47 src/lib/authselect.c:188
msgid "Unable to obtain supported features"
@@ -671,10 +672,9 @@ msgid "Unable to chown file [%s] [%d]: %s"
msgstr "[%s] dosyasının sahibi değiştirilemedi [%d]: %s"
#: src/lib/util/selinux.c:46
-#, fuzzy, c-format
-#| msgid "Unable to create selabel context [%d]: %s"
+#, c-format
msgid "Unable to create selabel handle [%d]: %s"
-msgstr "selabel bağlamı oluşturulamadı [%d]: %s"
+msgstr "selabel tanıtıcısı oluşturulamadı [%d]: %s"
#: src/lib/util/selinux.c:55
#, c-format
diff --git a/src/man/po/authselect.8.adoc.ca.po b/src/man/po/authselect.8.adoc.ca.po
index 8c04b973ccfb0136589965d79a4fc38f57c38523..01e54857766fcbf7f063792a9953cbd26a979a51 100644
--- a/src/man/po/authselect.8.adoc.ca.po
+++ b/src/man/po/authselect.8.adoc.ca.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: Automatically generated\n"
"Language-Team: none\n"
diff --git a/src/man/po/authselect.8.adoc.cs.po b/src/man/po/authselect.8.adoc.cs.po
index 84d630218ec7ef3b880a0da7315b2abd30bd3e62..cc98ea8c50ad65a19862b8470938cafafecc3e70 100644
--- a/src/man/po/authselect.8.adoc.cs.po
+++ b/src/man/po/authselect.8.adoc.cs.po
@@ -3,7 +3,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-08-07 20:21+0000\n"
"Last-Translator: Jan Kalabza <jan.kalabza@gmail.com>\n"
"Language-Team: Czech <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.de.po b/src/man/po/authselect.8.adoc.de.po
index c336bc529496cf756c4bbf19740866ebaf42a338..e3182a8baf1652da247c2dc9f773a313f29f79a2 100644
--- a/src/man/po/authselect.8.adoc.de.po
+++ b/src/man/po/authselect.8.adoc.de.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-08-15 14:21+0000\n"
"Last-Translator: Jens Maucher <jensmaucher@gmail.com>\n"
"Language-Team: German <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.es.po b/src/man/po/authselect.8.adoc.es.po
index 3d4ad340075ba970b2b56768fffb49567d16dcfa..b578e40a436b8ea242c4aba0e5149c09336162e2 100644
--- a/src/man/po/authselect.8.adoc.es.po
+++ b/src/man/po/authselect.8.adoc.es.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-11-26 20:01+0000\n"
"Last-Translator: Emilio Herrera <ehespinosa57@gmail.com>\n"
"Language-Team: Spanish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.fa.po b/src/man/po/authselect.8.adoc.fa.po
index ae77afb38249e573ebeedd97b6ebddfc8f681d59..e4b24f2f91ea06ed6e83a50c4e6e35678f65dd80 100644
--- a/src/man/po/authselect.8.adoc.fa.po
+++ b/src/man/po/authselect.8.adoc.fa.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-05-28 19:20+0000\n"
"Last-Translator: Taha Mokhtary <taha490mokh@outlook.com>\n"
"Language-Team: Persian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.fi.po b/src/man/po/authselect.8.adoc.fi.po
index 8253cfd47b1b4ddb9d57283f887f1de6ad59b473..16aec3e6d69581b8875b5af4e426efc5cbc0ca5e 100644
--- a/src/man/po/authselect.8.adoc.fi.po
+++ b/src/man/po/authselect.8.adoc.fi.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-05-26 06:18+0000\n"
"Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.fr.po b/src/man/po/authselect.8.adoc.fr.po
index d8a23e660ec33a5d59b3647ae4795375451e70a9..ffb86dc6e1f79205213f4c576ddea94858f00088 100644
--- a/src/man/po/authselect.8.adoc.fr.po
+++ b/src/man/po/authselect.8.adoc.fr.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-03-24 15:20+0000\n"
"Last-Translator: grimst <grimaitres@gmail.com>\n"
"Language-Team: French <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.hu.po b/src/man/po/authselect.8.adoc.hu.po
index cc9533c0b0b31a691c636bee3305a0d6dcd05f7b..e9afadedb912b8e1838ab0552e1fce292e5a972f 100644
--- a/src/man/po/authselect.8.adoc.hu.po
+++ b/src/man/po/authselect.8.adoc.hu.po
@@ -4,7 +4,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-05-12 16:21+0000\n"
"Last-Translator: Dankaházi (ifj.) István <dankahazi.istvan@gmail.com>\n"
"Language-Team: Hungarian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.it.po b/src/man/po/authselect.8.adoc.it.po
index ba4c7f28c8339e051f6ec1a671f5b36a241ed22c..f7be3a8f0316ad6ab3d85e0e844801e8709d4c23 100644
--- a/src/man/po/authselect.8.adoc.it.po
+++ b/src/man/po/authselect.8.adoc.it.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-06-09 21:18+0000\n"
"Last-Translator: Nathan <nathan95@live.it>\n"
"Language-Team: Italian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.ja.po b/src/man/po/authselect.8.adoc.ja.po
index a51b5e224fabe4481cad474e75428d0ebf3e6b8e..ef82bf20e14d8f34f81709ab5b591a5608577dfe 100644
--- a/src/man/po/authselect.8.adoc.ja.po
+++ b/src/man/po/authselect.8.adoc.ja.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-01-21 09:16+0000\n"
"Last-Translator: simmon <simmon@nplob.com>\n"
"Language-Team: Japanese <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.ko.po b/src/man/po/authselect.8.adoc.ko.po
index 1c5e72b3d83c651e892f957829a8a95f4e8a3de5..27d7ea56ccb60b2623245bb002b2aca1fceafe9c 100644
--- a/src/man/po/authselect.8.adoc.ko.po
+++ b/src/man/po/authselect.8.adoc.ko.po
@@ -9,7 +9,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-12-03 10:19+0000\n"
"Last-Translator: 김인수 <simmon@nplob.com>\n"
"Language-Team: Korean <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.nl.po b/src/man/po/authselect.8.adoc.nl.po
index 63237e8274e347f97bccf9cb10fbf2b9ed6a4d65..b26ffb2185f994f4305b59d59567a787cd2e4bfd 100644
--- a/src/man/po/authselect.8.adoc.nl.po
+++ b/src/man/po/authselect.8.adoc.nl.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-04-02 20:20+0000\n"
"Last-Translator: Maarten <maarten@posteo.de>\n"
"Language-Team: Dutch <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.pl.po b/src/man/po/authselect.8.adoc.pl.po
index b75ee13e702eef796f650c3a9da3b6c5b4e6fc0c..a7d6b42b39470b34672a543ae84f8cb0f0f0be05 100644
--- a/src/man/po/authselect.8.adoc.pl.po
+++ b/src/man/po/authselect.8.adoc.pl.po
@@ -9,7 +9,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-05-07 11:00+0000\n"
"Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
"Language-Team: Polish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.pt.po b/src/man/po/authselect.8.adoc.pt.po
index 6b70ebc6b96a6ff6a83c853090939a2c6fb9818c..d38eb472eaabaa1475aba0438e00b0a76eb6eb0c 100644
--- a/src/man/po/authselect.8.adoc.pt.po
+++ b/src/man/po/authselect.8.adoc.pt.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2020-05-27 14:40+0000\n"
"Last-Translator: Manuela Silva <mmsrs@sky.com>\n"
"Language-Team: Portuguese <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.pt_BR.po b/src/man/po/authselect.8.adoc.pt_BR.po
index b53c0991c3741bda2863f5741279da4f94ad9ac1..6793e2b4bb32ddc268a998de262c4e2ebbbbe60b 100644
--- a/src/man/po/authselect.8.adoc.pt_BR.po
+++ b/src/man/po/authselect.8.adoc.pt_BR.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2020-08-05 21:29+0000\n"
"Last-Translator: Fábio Rodrigues Ribeiro <farribeiro@gmail.com>\n"
"Language-Team: Portuguese (Brazil) <https://translate.fedoraproject.org/"
diff --git a/src/man/po/authselect.8.adoc.ru.po b/src/man/po/authselect.8.adoc.ru.po
index e3be9c2f74466768d302a7b572c611b66a8ce06c..e09ff934255b8159b96844698191edf49563c3b3 100644
--- a/src/man/po/authselect.8.adoc.ru.po
+++ b/src/man/po/authselect.8.adoc.ru.po
@@ -7,7 +7,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-04-15 19:17+0000\n"
"Last-Translator: Igor Gorbounov <igor.gorbounov@gmail.com>\n"
"Language-Team: Russian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.si.po b/src/man/po/authselect.8.adoc.si.po
index 680dbc849fffac6aa36f6cd73bfa7e937495c184..73ee855f62defbe3c1b9f7dcbf0d52e64a57f2e3 100644
--- a/src/man/po/authselect.8.adoc.si.po
+++ b/src/man/po/authselect.8.adoc.si.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2021-08-18 19:04+0000\n"
"Last-Translator: Hela Basa <r45xveza@pm.me>\n"
"Language-Team: Sinhala <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.sv.po b/src/man/po/authselect.8.adoc.sv.po
index 09230620986f5e51d6fb3f448408cd358fa2f405..e02d689dfe45c91a5a9498b80628b179c2900141 100644
--- a/src/man/po/authselect.8.adoc.sv.po
+++ b/src/man/po/authselect.8.adoc.sv.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-02-04 22:20+0000\n"
"Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
"Language-Team: Swedish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.tr.po b/src/man/po/authselect.8.adoc.tr.po
index 6e07d847ebe1215f2447409a4a278569ce937665..9ae399bdd4834ff268be140ced000e8940a9bd47 100644
--- a/src/man/po/authselect.8.adoc.tr.po
+++ b/src/man/po/authselect.8.adoc.tr.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-12-03 10:19+0000\n"
"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
"Language-Team: Turkish <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.uk.po b/src/man/po/authselect.8.adoc.uk.po
index 5f29b38d2c6134893285054e8ee53bf57c5afb4e..4ea4a570a0cc1aaa6c705fe29d39aaa2d58fab5f 100644
--- a/src/man/po/authselect.8.adoc.uk.po
+++ b/src/man/po/authselect.8.adoc.uk.po
@@ -5,7 +5,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2022-12-03 10:19+0000\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
diff --git a/src/man/po/authselect.8.adoc.zh_CN.po b/src/man/po/authselect.8.adoc.zh_CN.po
index 914e9495d27dd96dc8642f2f8fd14cf423ec4b81..eda47df87c59010fe0cc3a970352257604e6b0a9 100644
--- a/src/man/po/authselect.8.adoc.zh_CN.po
+++ b/src/man/po/authselect.8.adoc.zh_CN.po
@@ -8,7 +8,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2023-12-04 03:43+0000\n"
"Last-Translator: Jingge Chen <mariocanfly@hotmail.com>\n"
"Language-Team: Chinese (Simplified) <https://translate.fedoraproject.org/"
@@ -141,9 +141,7 @@ msgstr ""
#: src/man/authselect.8.adoc:51
#, no-wrap
msgid "*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]"
-msgstr ""
-"*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] "
-"[--backup=NAME]"
+msgstr "*select* profile_id [features] [-f, --force] [-q, --quiet] [-b] [--backup=NAME]"
#. type: Plain text
#: src/man/authselect.8.adoc:54
@@ -254,8 +252,8 @@ msgid ""
"otherwise an error is returned."
msgstr ""
"重新应用当前选定的配置文件。如果配置文件模板已更新,该命令可用于重新生成当前"
-"系统配置,以便在系统上应用这些更改。只有当现有配置是有效的 authselect "
-"配置时,此命令才会重新应用更改,否则将返回错误信息。"
+"系统配置,以便在系统上应用这些更改。只有当现有配置是有效的 authselect 配置"
+"时,此命令才会重新应用更改,否则将返回错误信息。"
#. type: Plain text
#: src/man/authselect.8.adoc:91
@@ -308,8 +306,7 @@ msgid ""
"_Note:_ This will only list the features without any description. Please, read the profile documentation with *show* to see what the features do."
msgstr ""
"列出给定配置文件中的所有可用功能。\n"
-"_注意_这仅会列出所有功能但不提供任何描述。请使用 *show* "
-"阅读配置文件,了解这些功能。"
+"_注意_这仅会列出所有功能但不提供任何描述。请使用 *show* 阅读配置文件,了解这些功能。"
#. type: Labeled list
#: src/man/authselect.8.adoc:105
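Review bot: the rejoined msgstr renders the source's `_Note:_` as `_注意_` with no colon, so the emphasised label runs straight into the sentence that follows; add the colon inside the emphasis to match the msgid. Apart from that the hunk only rewraps the string, so the translation content is unchanged.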
@@ -345,7 +342,8 @@ msgid ""
"Print information about currently selected profiles. If *--raw* option is "
"specified, the command will print raw parameters as they were passed to "
"*select* command instead of formatted output."
-msgstr "打印当前所选配置文件的信息。如果指定了 *--raw* 选项,命令将打印传给 *select* "
+msgstr ""
+"打印当前所选配置文件的信息。如果指定了 *--raw* 选项,命令将打印传给 *select* "
"命令的原始参数,而不是格式化输出。"
#. type: Labeled list
diff --git a/src/man/po/authselect.8.adoc.zh_TW.po b/src/man/po/authselect.8.adoc.zh_TW.po
index eb80dce79f25d5aba2c9806c869fdaf959fd4c93..80c3eed4a6ef2259540ca32335c9e1f4f623a25a 100644
--- a/src/man/po/authselect.8.adoc.zh_TW.po
+++ b/src/man/po/authselect.8.adoc.zh_TW.po
@@ -6,7 +6,7 @@
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2023-09-27 13:03+0200\n"
+"POT-Creation-Date: 2024-01-18 16:34+0100\n"
"PO-Revision-Date: 2020-05-22 17:40+0000\n"
"Last-Translator: Yi-Jyun Pan <pan93412@gmail.com>\n"
"Language-Team: Chinese (Traditional) <https://translate.fedoraproject.org/"
--
2.42.0


@ -0,0 +1,177 @@
From 9321126e20898b23c19e168177d8a383a750fefb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 12:51:37 +0100
Subject: [PATCH 04/11] nis: install nis profile conditionally
NIS profile is installed only if --with-nis-profile configure flag is
given.
---
profiles/Makefile.am | 2 ++
rpm/authselect.spec.in | 37 +++++++++++++++++++----------
scripts/manpages-build.sh.in | 1 +
src/conf_macros.m4 | 10 ++++++++
src/man/authselect-migration.7.adoc | 7 ++++++
5 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index bc437c158f6922afdba4ab261c73f31c93846118..61728cab77022ddc0bb35a3649a38123dc4987cf 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -15,6 +15,7 @@ dist_profile_local_DATA = \
$(top_srcdir)/profiles/local/dconf-locks \
$(NULL)
+if WITH_NIS_PROFILE
profile_nisdir = $(authselect_profile_dir)/nis
dist_profile_nis_DATA = \
$(top_srcdir)/profiles/nis/nsswitch.conf \
@@ -28,6 +29,7 @@ dist_profile_nis_DATA = \
$(top_srcdir)/profiles/nis/dconf-db \
$(top_srcdir)/profiles/nis/dconf-locks \
$(NULL)
+endif
profile_sssddir = $(authselect_profile_dir)/sssd
dist_profile_sssd_DATA = \
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1..350ca953632f21be861c1ee75f25f71d107ca1ee 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -12,6 +12,13 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
+# Disable NIS profile on RHEL
+%if 0%{?rhel}
+%global with_nis_profile 0
+%else
+%global with_nis_profile 1
+%endif
+
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
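Review bot: the `%if 0%{?rhel}` block added above `# Set the default profile` hard-codes `with_nis_profile` through `%global`, so the NIS profile cannot be switched on or off for a rebuild without editing the spec. A build conditional (`%bcond_with` / `%bcond_without`, tested with `%{with ...}`) would keep the RHEL default and still allow an override from the `rpmbuild` command line.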
@@ -75,7 +82,11 @@ done
%build
autoreconf -if
-%configure
+%configure \
+%if %{with_nis_profile}
+ --with-nis-profile \
+%endif
+ %{nil}
%make_build
%check
@@ -123,7 +134,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/local/
-%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/local/dconf-db
@@ -136,16 +146,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/local/REQUIREMENTS
%{_datadir}/authselect/default/local/smartcard-auth
%{_datadir}/authselect/default/local/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
-%{_datadir}/authselect/default/nis/fingerprint-auth
-%{_datadir}/authselect/default/nis/nsswitch.conf
-%{_datadir}/authselect/default/nis/password-auth
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/smartcard-auth
-%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
@@ -166,6 +166,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
+%if %{with_nis_profile}
+%dir %{_datadir}/authselect/default/nis/
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
+%endif
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
index 314bb2b2a0e4432632478230ab5ff5b3dce2943f..9e553f755a64717f854f3aba33c62140130ce18f 100755
--- a/scripts/manpages-build.sh.in
+++ b/scripts/manpages-build.sh.in
@@ -233,6 +233,7 @@ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
+ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
manpages-translate
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 17c1629723066b0c4e354051366ce209428af6c1..9a81a6e194d16ecc0408e8631530cf7048fd9241 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -99,3 +99,13 @@ if test x"$with_user_nsswitch" = xyes; then
AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
AC_SUBST(BUILD_USER_NSSWITCH, 1)
fi
+
+AC_ARG_WITH([nis-profile],
+ [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
+ [], with_nis_profile=no
+)
+AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes])
+AC_SUBST(WITH_NIS_PROFILE, 0)
+if test x"$with_nis_profile" = xyes; then
+ AC_SUBST(WITH_NIS_PROFILE, 1)
+fi
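Review bot: in the added `AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes])` the variable is unquoted, while the `if test x"$with_nis_profile" = xyes` two lines below quotes it. Quote both so that an argument containing whitespace cannot break the test. `AC_HELP_STRING` is also the obsolete spelling of `AS_HELP_STRING`; new options are a good place to start using the current macro.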
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..8cc58e60301925974fdb738c5b9a746749981df8 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -72,7 +72,12 @@ configuration file for required services.
|--enablesssd --enablesssdauth |sssd
|--enablekrb5 |sssd
|--enablewinbind --enablewinbindauth |winbind
+ifeval::[{WITH_NIS_PROFILE} == 1]
|--enablenis |nis
+endif::[]
+ifeval::[{WITH_NIS_PROFILE} != 1]
+|--enablenis |none
+endif::[]
|=========================================================
.Relation of authconfig options to authselect profile features
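Review bot: the `|--enablenis |none` row added for builds without the NIS profile reads as if `none` were a profile name that could be passed to `authselect select`. Word it so the table says plainly that the option has no authselect equivalent in this build, for example "not available", with a short sentence under the table.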
@@ -199,6 +204,7 @@ will perform an initial setup which involves creating a Kerberos keytab and
running `adcli` to join the domain. It also makes changes to `smb.conf`. You
can then tune it up by modifying {sysconfdir}/samba/smb.conf.
+ifeval::[{WITH_NIS_PROFILE} == 1]
NIS
~~~
There are several places that needs to be configured in order to make
@@ -227,6 +233,7 @@ $ domainname mydomain
$ setsebool -P allow_ypbind 1
----
+endif::[]
PASSWORD QUALITY
~~~~~~~~~~~~~~~~
Authselect enables `pam_pwquality` module to enforce password quality
--
2.42.0


@ -0,0 +1,349 @@
From 923fd37712eae8d99d514708e35894b6ea056628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 13:24:25 +0100
Subject: [PATCH 05/11] configure: drop user-nsswitch.conf support
user-nsswitch.conf support is now completely dropped, it can no
longer be enabled via configure flag
---
scripts/manpages-build.sh.in | 1 -
src/cli/main.c | 9 --
src/conf_macros.m4 | 10 --
src/lib/files/nsswitch.c | 156 -----------------------------
src/lib/paths.h | 3 -
src/man/authselect-profiles.5.adoc | 7 --
src/man/authselect.8.adoc | 61 -----------
7 files changed, 247 deletions(-)
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
index 9e553f755a64717f854f3aba33c62140130ce18f..f4ac71e3a22723a52101bb9cbbadd79740515070 100755
--- a/scripts/manpages-build.sh.in
+++ b/scripts/manpages-build.sh.in
@@ -232,7 +232,6 @@ ATTR+=" -a AUTHSELECT_PAM_DIR=\"@AUTHSELECT_PAM_DIR@\""
ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
-ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
manpages-translate
diff --git a/src/cli/main.c b/src/cli/main.c
index 18486b50bc42f9937cc7294c3e5e2b32cafab5e0..fe06a5d8ababa58209690a97e84ae254b859cdc6 100644
--- a/src/cli/main.c
+++ b/src/cli/main.c
@@ -186,15 +186,6 @@ static errno_t activate(struct cli_cmdline *cmdline)
goto done;
}
-#ifdef BUILD_USER_NSSWITCH
- maps = authselect_profile_nsswitch_maps(profile, features);
- if (maps == NULL) {
- ERROR("Unable to obtain nsswitch maps!");
- ret = EFAULT;
- goto done;
- }
-#endif
-
if (backup || backup_name != NULL || (enforce && !nobackup)) {
ret = perform_backup(quiet, 1, backup_name);
if (ret != EOK) {
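Review bot: `maps` in `activate()` loses its only visible assignment here, yet the diffstat lists just these 9 deletions for `src/cli/main.c`, so the declaration of `maps` and any later use or free of it are untouched. Please check whether the variable, and `authselect_profile_nsswitch_maps()` itself, still have a purpose, and drop them in this commit if not, to avoid an unused-variable warning.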
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 9a81a6e194d16ecc0408e8631530cf7048fd9241..ae8fa0274e038e98115d000717487dbdbc04df4c 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -90,16 +90,6 @@ if test x"$with_compat" = xyes; then
fi
AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes])
-AC_ARG_WITH([user-nsswitch],
- [AC_HELP_STRING([--with-user-nsswitch], [Build with user nsswitch support [no]])],
- [], with_user_nsswitch=no
-)
-AC_SUBST(BUILD_USER_NSSWITCH, 0)
-if test x"$with_user_nsswitch" = xyes; then
- AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
- AC_SUBST(BUILD_USER_NSSWITCH, 1)
-fi
-
AC_ARG_WITH([nis-profile],
[AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
[], with_nis_profile=no
diff --git a/src/lib/files/nsswitch.c b/src/lib/files/nsswitch.c
index 9598ea5cc5d5e30678acd91354629a87fc727be9..0e35380a2603316483cd6bcfdc58742c25b6a2b1 100644
--- a/src/lib/files/nsswitch.c
+++ b/src/lib/files/nsswitch.c
@@ -87,160 +87,6 @@ done:
return ret;
}
-#ifdef BUILD_USER_NSSWITCH
-
-static errno_t
-authselect_nsswitch_delete_maps(char **maps,
- char *content)
-{
- char *match_string;
- const char *map_name;
- size_t map_len;
- size_t orig_len;
- regmatch_t m[RE_NSS_MATCHES];
- regex_t regex;
- errno_t ret;
- int reret;
- int i;
-
- if (string_is_empty(content)) {
- return EOK;
- }
-
- orig_len = strlen(content);
-
- reret = regcomp(&regex, RE_NSS, REG_EXTENDED | REG_NEWLINE);
- if (reret != REG_NOERROR) {
- ERROR("Unable to compile regular expression: regex error %d", reret);
- ret = EFAULT;
- goto done;
- }
-
- match_string = content;
- while ((reret = regexec(&regex, match_string, 2, m, 0)) == REG_NOERROR) {
- map_name = match_string + m[1].rm_so;
- map_len = m[1].rm_eo - m[1].rm_so;
- for (i = 0; maps[i] != NULL; i++) {
- if (strncmp(map_name, maps[i], map_len) == 0) {
- string_remove_line(content, match_string, m[1].rm_so);
- break;
- }
- }
-
- /* Since the whole line could have been removed, we have to find first
- * non-zero position. */
- match_string += m[0].rm_eo;
- while (*match_string == '\0' && match_string - content < orig_len) {
- match_string++;
- }
- }
-
- if (reret != REG_NOMATCH) {
- ERROR("Unable to search string: regex error %d", reret);
- ret = EFAULT;
- goto done;
- }
-
- string_replace_shake(content, orig_len);
-
- ret = EOK;
-
-done:
- regfree(&regex);
-
- return ret;
-}
-
-errno_t
-authselect_nsswitch_generate(const char *template,
- const char **features,
- char **_content)
-{
- static const char *preambule = \
- "# If you want to make changes to nsswitch.conf please modify\n"
- "# " PATH_USER_NSSWITCH " and run 'authselect apply-changes'.\n"
- "#\n"
- "# Note that your changes may not be applied as they may be\n"
- "# overwritten by selected profile. Maps set in the authselect\n"
- "# profile takes always precedence and overwrites the same maps\n"
- "# set in the user file. Only maps that are not set by the profile\n"
- "# are applied from the user file.\n"
- "#\n"
- "# For example, if the profile sets:\n"
- "# passwd: sss files\n"
- "# and " PATH_USER_NSSWITCH " contains:\n"
- "# passwd: files\n"
- "# hosts: files dns\n"
- "# the resulting generated nsswitch.conf will be:\n"
- "# passwd: sss files # from profile\n"
- "# hosts: files dns # from user file\n\n";
- char *user_content = NULL;
- char *generated = NULL;
- char *content = NULL;
- char **maps = NULL;
- errno_t ret;
-
- generated = template_generate(template, features);
- if (generated == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = textfile_read(PATH_USER_NSSWITCH, AUTHSELECT_FILE_SIZE_LIMIT,
- &user_content);
- switch (ret) {
- case EOK:
- ret = authselect_nsswitch_find_maps(generated, &maps);
- if (ret != EOK) {
- goto done;
- }
-
- ret = authselect_nsswitch_delete_maps(maps, user_content);
- if (ret != EOK) {
- goto done;
- }
-
- if (string_is_empty(user_content)) {
- content = format("%s%s", preambule, generated);
- break;
- }
-
- content = format("%s%s\n# Included from %s\n\n%s",
- preambule, generated, PATH_USER_NSSWITCH,
- user_content);
- break;
- case ENOENT:
- content = format("%s%s", preambule, generated);
- break;
- default:
- ERROR("Unable to read [%s] [%d]: %s", PATH_USER_NSSWITCH,
- ret, strerror(ret));
- goto done;
- }
-
- if (content == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- *_content = content;
-
- ret = EOK;
-
-done:
- if (ret != EOK) {
- ERROR("Unable to generate nsswitch.conf [%d]: %s", ret, strerror(ret));
- }
-
- free(user_content);
- free(generated);
- string_array_free(maps);
-
- return ret;
-}
-
-#else /* BUILD_USER_NSSWITCH */
-
errno_t
authselect_nsswitch_generate(const char *template,
const char **features,
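Review bot: with `authselect_nsswitch_delete_maps()` and the `BUILD_USER_NSSWITCH` variant of `authselect_nsswitch_generate()` removed, the helpers they called (`authselect_nsswitch_find_maps()`, `string_remove_line()`, `string_replace_shake()`, and the `RE_NSS` / `RE_NSS_MATCHES` macros) may have no remaining callers; check and remove whatever is now dead. Separately, nothing in this patch tells an administrator who already has a `user-nsswitch.conf` that the file is no longer read. A sentence in the man page, or a warning when the file exists, would keep maps from silently disappearing from the generated `nsswitch.conf`.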
@@ -257,5 +103,3 @@ authselect_nsswitch_generate(const char *template,
return EOK;
}
-
-#endif /* BUILD_USER_NSSWITCH */
diff --git a/src/lib/paths.h b/src/lib/paths.h
index ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67..41e4534b2efd421be8b9fea3b1fa9ebc3a699749 100644
--- a/src/lib/paths.h
+++ b/src/lib/paths.h
@@ -53,9 +53,6 @@
#define PATH_DCONF_DB AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_DB
#define PATH_DCONF_LOCK AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_LOCK
-/* Path to files that can be modified by user. */
-#define PATH_USER_NSSWITCH AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
-
/* Names of symbolic links that points to generated files. */
#define PATH_SYMLINK_SYSTEM AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
#define PATH_SYMLINK_PASSWORD AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 76a48fa25a13a7052eeac662d7f5f1b11f1f9493..648b7980cfaabeb02913650a35dfffa8e17b0aaa 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -53,14 +53,7 @@ done to the system.
the modules in the system-auth configuration file._
*nsswitch.conf*::
-ifeval::[{BUILD_USER_NSSWITCH} == 0]
Name Service Switch configuration file.
-endif::[]
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
- Name Service Switch configuration file. Only maps relevant to the profile
- must be set. Maps that are not specified by the profile are included from
- {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.
-endif::[]
*dconf-db*::
Changes to dconf database. The main uses case of this file is to set
diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
index 39758a6ca71e962ae942ce3608ac3bd0ffd3fabf..5d695cced0fbdc2cda78d61eb3f7b8d929cae692 100644
--- a/src/man/authselect.8.adoc
+++ b/src/man/authselect.8.adoc
@@ -261,67 +261,6 @@ These options are available with all commands.
the program execution but may indicate some undesired situations
(e.g. unexpected file in a profile directory).
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
-NSSWITCH.CONF MANAGEMENT
-------------------------
-Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user
-changes to this file. Such changes are detected and authselect will refuse to
-write any system configuration unless a *--force* option is provided to
-the *select* command. This mechanism prevents authselect from overwriting
-anything that does not match any available profile.
-
-Any user changes to nsswitch maps must be done in file
-{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates
-new _nsswitch.conf_ it reads this file and combines it with configuration
-from selected profile. The profile configuration takes always precedence.
-In other words, profiles do not have to set all nsswitch maps but can set only
-those that are relevant to the profile. If a map is set within a profile,
-it always overwrites the same map from _user-nsswitch.conf_.
-
-.Example 1
-[subs="attributes"]
-----
-# "sssd" profile
-$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss {include if "with-sudo"}
-
-$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf
-passwd: files sss
-group: files sss
-hosts: files dns myhostname
-sudoers: files
-
-$ authselect select sssd
-
-# passwd and group maps from user-nsswitch.conf are ignored
-$ cat {AUTHSELECT_NSSWITCH_CONF}
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-hosts: files dns myhostname
-sudoers: files
-
-$ authselect select sssd with-sudo
-
-# passwd, group and sudoers maps from user-nsswitch.conf are ignored
-$ cat {AUTHSELECT_NSSWITCH_CONF}
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss
-hosts: files dns myhostname
-----
-endif::[]
-
TROUBLESHOOTING
---------------
--
2.42.0

File diff suppressed because it is too large


@ -0,0 +1,46 @@
From 23936036c5b6cd51843a7f964998f5345877fa8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 13:34:31 +0100
Subject: [PATCH 07/11] ci: remove python checks
With the compat tool gone, there is no other python script.
---
.github/workflows/analyze.yml | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
index 37682f068b586dc0e7ba34f1098f4009b88e7254..16b48b031519b81221de9248d65f076b2616b2f7 100644
--- a/.github/workflows/analyze.yml
+++ b/.github/workflows/analyze.yml
@@ -25,7 +25,7 @@ jobs:
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
- languages: cpp, python
+ languages: cpp
queries: +security-and-quality
- name: Autobuild
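Review bot: the `Initialize CodeQL` step edited here uses `github/codeql-action/init@v1`, and the next hunk shows `analyze@v1`; both reference a mutable tag. While this workflow is being touched, pin the actions to a full commit SHA of a currently supported release so the analysis job cannot pick up changed action code without review.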
@@ -33,19 +33,3 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
-
- flake8:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Install flake8
- run: |
- sudo apt update
- sudo apt install -y flake8
-
- - name: Execute flake8 on the repository
- run: flake8 --ignore=W503,E501 src/compat/authcompat.py.in.in .
--
2.42.0

File diff suppressed because it is too large


@ -0,0 +1,78 @@
From 8d8adbd35c741d9038588386414ccbddb99bd31d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 14 Dec 2023 14:16:11 +0100
Subject: [PATCH 09/11] profiles: merge groups records with [SUCCESS=merge]
Services such as systemd-homed would like to advertise users which are
part of system groups, such as "wheel". That only works if glibc's
[SUCCESS=merge] feature is used in nsswitch.conf, so that group records
from multiple sources are merged.
This is documented here:
https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html#Configuration%20in%20/etc/nsswitch.conf
This hence adds [SUCCESS=merge] expressions to all NSS modules listed in
the "groups" lines.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index c63692fc00c0815c5ba303ec5b48b6c9d7577df2..8582a955c8d03ea1d122a34cd273326d985bdcfb 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
-group: files {if "with-altfiles":altfiles }systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files
netgroup: files
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 685f92c326bc7767ee167a77b7ba782672bf801f..c033812facee9159c76e2d514ac652e4de2e0b6b 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
-group: files {if "with-altfiles":altfiles }nis systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
services: files nis
netgroup: files nis
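Review bot: on the new `group:` line `nis [SUCCESS=merge]` follows `files [SUCCESS=merge]`, so members returned by NIS are now merged into local groups of the same name, including privileged ones such as the `wheel` example in the commit message. Previously a lookup by name or GID that hit `files` returned that record and stopped. The same holds for `sss` and `winbind` in the other profiles. This changes which source can contribute membership of a local group, so it should be stated in the profile READMEs and release notes. It is also worth asking whether the network-backed modules need the merge at all, or whether it can be limited to the `systemd` case the commit message describes.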
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 58844a62c8f52f8f25477a811b02a5e401120f30..9f194bc82cee52d4e12779def95afa2f794f66bf 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
-group: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files sss
netgroup: files sss
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index f0a97e42e084f94fddd329d4cb93d5b5d1da3360..1591ccb3ffa8bd10b8ff06a0620328e275d09241 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
-group: files {if "with-altfiles":altfiles }winbind systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files
netgroup: files
--
2.42.0


@ -0,0 +1,26 @@
From 565d8a76f1d6ec6c23cd38f7aa4812426e8cb460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 14:18:00 +0100
Subject: [PATCH 10/11] spec: use altfiles with success=merge on ostree systems
as well
---
rpm/authselect.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 350ca953632f21be861c1ee75f25f71d107ca1ee..39c4ca66058e0749e6d3aea6e7ff76a7a06c4ecc 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -223,7 +223,7 @@ exit 0
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
- %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+ %__sed -ie 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
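Review bot: the new `sed` pattern matches only `{if "with-altfiles":altfiles \[SUCCESS=merge\] }`, which after patch 09 occurs on the `group:` line alone. The `passwd:` line still reads `{if "with-altfiles":altfiles }` and is no longer rewritten, so on ostree systems `altfiles` stops being forced for `passwd`. Keep the old expression alongside the new one, as two `-e` expressions after a separate `-i`. Two further points on the same line: GNU sed parses `-ie` as `-i` with backup suffix `e`, which leaves an `nsswitch.confe` copy in each vendor profile, and `&> /dev/null` hides any failure of the command.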
--
2.42.0


@ -0,0 +1,72 @@
From 7b7889507928610b37b73641d28d5bbe3f763a4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 17:22:45 +0100
Subject: [PATCH 11/11] profiles: put myhostname before dns
To allow `hostname --fqdn` to work correctly. Putting myhostname early
prevents lookup of canonical hostname if only shortname is provided.
myhostname has been moved back and forth several times, it looks
like this place is now functional and works as expected.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 8582a955c8d03ea1d122a34cd273326d985bdcfb..538926e4d5cc8c190a7b2d10fd3756ad3269a720 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files
netgroup: files
automount: files
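Review bot: `myhostname` now follows `resolve [!UNAVAIL=return]` on the `hosts:` line, so it is consulted only when `resolve` is unavailable, and the commit message notes that this entry has been moved back and forth several times. Record the reasoning (why it must sit after `resolve` and before `dns`, and the `hostname --fqdn` case it fixes) in a comment above the `hosts:` line of the template, so the next reorder has something to check against.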
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index c033812facee9159c76e2d514ac652e4de2e0b6b..488476e91879b549fe605008d500b1810360f3be 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
services: files nis
netgroup: files nis
automount: files nis
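Review bot: in the nis profile the new order is `resolve [!UNAVAIL=return] nis myhostname dns`, so when `resolve` is unavailable the machine's own hostname is looked up in NIS before `myhostname` can answer it locally. The old line had `myhostname` ahead of every network source. If that is intended, say so in the commit message; otherwise place `myhostname` before `nis`.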
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9f194bc82cee52d4e12779def95afa2f794f66bf..b98094d9e0eaeb1559347b81a9505822ff713034 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 1591ccb3ffa8bd10b8ff06a0620328e275d09241..cc966b34464bb28776b903d61fff1f6a94a1eb6f 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files
netgroup: files
automount: files
--
2.42.0


@ -0,0 +1,376 @@
From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 15:49:09 +0100
Subject: [PATCH 1/3] rhel10: remove systemd-homed
systemd-homed is not present in rhel.
---
profiles/local/README | 3 ---
profiles/local/password-auth | 4 ----
profiles/local/system-auth | 4 ----
profiles/nis/README | 3 ---
profiles/nis/REQUIREMENTS | 3 ---
profiles/nis/password-auth | 4 ----
profiles/nis/system-auth | 4 ----
profiles/sssd/README | 3 ---
profiles/sssd/REQUIREMENTS | 3 ---
profiles/sssd/password-auth | 4 ----
profiles/sssd/system-auth | 4 ----
profiles/winbind/README | 3 ---
profiles/winbind/REQUIREMENTS | 3 ---
profiles/winbind/password-auth | 4 ----
profiles/winbind/system-auth | 4 ----
15 files changed, 53 deletions(-)
diff --git a/profiles/local/README b/profiles/local/README
index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644
--- a/profiles/local/README
+++ b/profiles/local/README
@@ -54,9 +54,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
with-libvirt::
Enable connecting to libvirt VMs using the hostname configured in the
guest OS or, as a fallback, their name.
diff --git a/profiles/local/password-auth b/profiles/local/password-auth
index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644
--- a/profiles/local/password-auth
+++ b/profiles/local/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
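Review bot: the commit message should say that pam_systemd.so is deliberately kept in the session stack. In this hunk `-session optional pam_systemd.so` is unchanged context: the header counts 7 lines before and 6 after, so the only deletion is the `pam_systemd_home.so` line, and the leading `-` on the pam_systemd.so line is PAM's marker for a module that may be missing, not a diff removal. One sentence such as "pam_systemd.so is unaffected" would stop readers of the eight password-auth and system-auth session hunks from reading it as a second removal.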
diff --git a/profiles/local/system-auth b/profiles/local/system-auth
index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644
--- a/profiles/local/system-auth
+++ b/profiles/local/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/README b/profiles/nis/README
index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -65,9 +65,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644
--- a/profiles/nis/REQUIREMENTS
+++ b/profiles/nis/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -106,9 +106,6 @@ with-gssapi::
with-subid::
Enable SSSD as a source of subid database in /etc/nsswitch.conf.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
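Review bot: the positional skip above the deletion needs an explicit check recorded. `auth [default=1 ignore=ignore success=ok] pam_localuser.so` jumps over exactly one line, `pam_unix.so`, and the deleted `pam_systemd_home.so` line was the slot it landed on when with-systemd-homed was selected. With the line gone the skip lands on `pam_usertype.so isregular`, which is the same landing line as before on hosts without the feature, so the count of 1 is still right. Suggest saying in the commit message that the jump offsets were rechecked, including the `default=2` skip in profiles/sssd/system-auth, since a miscounted offset in the auth stack changes which module decides the login.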
@@ -16,14 +15,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -35,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
@@ -23,14 +22,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -42,7 +39,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -75,9 +75,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
--- a/profiles/winbind/REQUIREMENTS
+++ b/profiles/winbind/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -4,7 +4,6 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -13,14 +12,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -31,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -14,14 +13,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -32,7 +29,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
--
2.42.0

View File

@ -1,8 +1,9 @@
From bfa639947df40c7d601a459af5f0995c89a67200 Mon Sep 17 00:00:00 2001
From 3167eaadde7a3f997925172b8d77cb380bf0d9d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH 2/3] rhel8: remove ecryptfs support
Subject: [PATCH 2/3] rhel10: remove ecryptfs support
ecryptfs-utils is not present in rhel.
---
profiles/nis/README | 3 ---
profiles/nis/fingerprint-auth | 1 -
@ -20,13 +21,11 @@ Subject: [PATCH 2/3] rhel8: remove ecryptfs support
profiles/winbind/password-auth | 1 -
profiles/winbind/postlogin | 4 ----
profiles/winbind/system-auth | 1 -
src/compat/authcompat.py.in.in | 1 -
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 5 ++---
19 files changed, 3 insertions(+), 36 deletions(-)
17 files changed, 2 insertions(+), 34 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
index 745138bbdb1e045db41990dcb8864477d3408e36..3e2f8b01fa37f8c7060a9c263f66c3df9782061d 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
@ -52,10 +51,10 @@ index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be298
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
index 927fbcbda8fa4e910e29c88a3806fb5265bbc7bc..56a51d9eebb2987da340805ddb4e4a6752ebdeb2 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -18,7 +18,6 @@ password required pam_deny.so
@@ -20,7 +20,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -76,10 +75,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d496c4787 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -19,7 +19,6 @@ password required pam_deny.so
@@ -21,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -88,10 +87,10 @@ index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae84
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
index a497da5dcffd0a03a122677c49ee2f8021927b04..2038a32b682f36d9eef51fda138730abc9666279 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -40,9 +40,6 @@ with-mkhomedir::
@@ -35,9 +35,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
@ -114,16 +113,16 @@ index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e523212
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
index f468507b938ea2a7ac305a65f5fdea14a1ae10f1..c15121ad00ff00dfcd1743341594c853ba734d9c 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -28,7 +28,6 @@ password required pam_deny.so
@@ -31,7 +31,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
@ -138,7 +137,7 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc67baaa63 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -18,7 +18,6 @@ account required pam_permit.so
@ -146,23 +145,23 @@ index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
index 870e4d7024066e3e40786bde6c3c39c7ba8d62c0..4ea19acebe2208f9e21676bf0ae0a92e9a92b1f4 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -35,7 +35,6 @@ password required pam_deny.so
@@ -38,7 +38,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
index 8844e1da2003a0266dfe8937774d6d6f7dad0210..7397bb9a6c8086b9720cc355d98de70b8107e79b 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
@ -188,10 +187,10 @@ index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a4120
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
index 8d1682b9301c2b9c92292a41120f69611f148108..8b260fa06f5ed8494d1f6fac74517d3a54622693 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -25,7 +25,6 @@ password required pam_deny.so
@@ -27,7 +27,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -212,10 +211,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351facd916f0 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -26,7 +26,6 @@ password required pam_deny.so
@@ -28,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -223,43 +222,11 @@ index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -523,7 +523,6 @@ class AuthCompat:
'smartcard': 'with-smartcard',
'requiresmartcard': 'with-smartcard-required',
'fingerprint': 'with-fingerprint',
- 'ecryptfs': 'with-ecryptfs',
'mkhomedir': 'with-mkhomedir',
'faillock': 'with-faillock',
'pamaccess': 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch("useshadow"),
Option.UnsupportedFeature("md5"),
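Review bot: the rhel10 revision of this patch no longer carries the two src/compat hunks, and the commit message does not say why. The diffstat drops from 19 files to 17, losing the removal of the `'ecryptfs': 'with-ecryptfs'` mapping in authcompat.py.in.in and the added `Option.UnsupportedFeature("ecryptfs")` in authcompat_Options.py. If the compat layer still ships in this version, its ecryptfs option would keep mapping to `with-ecryptfs`, a feature the profiles stop defining in this same patch. Suggest either keeping those hunks or adding a line to the commit message stating that the compat tool is no longer part of the tree.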
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b51005a98af3 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -80,7 +80,6 @@ configuration file for required services.
@@ -85,7 +85,6 @@ endif::[]
|*Authconfig options* |*Authselect profile feature*
|--enablesmartcard |with-smartcard
|--enablefingerprint |with-fingerprint
@ -267,7 +234,7 @@ index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
@@ -103,8 +102,8 @@ authselect select sssd with-faillock
@@ -108,8 +107,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
@ -279,5 +246,5 @@ index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.34.1
2.42.0

View File

@ -0,0 +1,68 @@
From b259ca399de497e0fc5e0763257e89bcc2e5a902 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 16:01:58 +0100
Subject: [PATCH 3/3] rhel10: remove systemd-resolved
systemd-resolved should not be enabled by default in rhel.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 538926e4d5cc8c190a7b2d10fd3756ad3269a720..1ad4276566f775086fc091d8e1c35d4ac94a9786 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files
netgroup: files
automount: files
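Review bot: the removal on the hosts line is unconditional, while the commit message only says systemd-resolved "should not be enabled by default". `resolve [!UNAVAIL=return]` already falls through to `myhostname dns` when the resolver is unavailable, so the entry changes lookups only on hosts where an administrator has turned systemd-resolved on, and those are the hosts that lose it here. Suggest either gating the entry behind a profile feature with the template's existing `{if "...":...}` form, as the mdns entries on the same line are, or extending the commit message to explain why the fall-through is not sufficient and how an administrator who runs systemd-resolved should restore the entry.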
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 488476e91879b549fe605008d500b1810360f3be..88110258a69e7366980944ec3ccd9c79c0a1b323 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
services: files nis
netgroup: files nis
automount: files nis
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index b98094d9e0eaeb1559347b81a9505822ff713034..89a1f230487a18d12ff9c3862e3394035bf17cff 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index cc966b34464bb28776b903d61fff1f6a94a1eb6f..5315640e39f7c84b4c138f393fa3b5c970e4afa5 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files
netgroup: files
automount: files
--
2.42.0


@ -0,0 +1,74 @@
From 1a19a17f08cc65ff0d701e107155cb61344bed5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 2 Aug 2024 12:26:38 +0200
Subject: [PATCH] rhel10: move myhostname after dns to fix hostname --fqdn
behavior
Since rhel10 does not have systemd-resolved support in authselect,
we need to place myhostname after dns module to make
`hostname --fqdn` work. This was the default order
in rhel8 and rhel9.
Resolves: https://issues.redhat.com/browse/RHEL-39537
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 1ad4276566f775086fc091d8e1c35d4ac94a9786..48c7f0420030069048d41a99ec3cfad1d15da2cc 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] } dns myhostname
services: files
netgroup: files
automount: files
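Review bot: The added `hosts:` line has a space between the closing `}` of the last mdns conditional and `dns` (`} dns myhostname`), where the removed line had `}myhostname dns` and the nis hunk has `}nis dns myhostname`. Each conditional already carries its own trailing space, so the generated line ends up with two spaces before `dns`. Drop the extra space here and in the sssd and winbind hunks so the four profiles stay consistent.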
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 88110258a69e7366980944ec3ccd9c79c0a1b323..24c7499ecbfd9c034f480b7b155e6d3ae4bfd38a 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis dns myhostname
services: files nis
netgroup: files nis
automount: files nis
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 89a1f230487a18d12ff9c3862e3394035bf17cff..40ea3aecbf0adb71bc8cc33b7dd2241c7596bcfd 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] } dns myhostname
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 5315640e39f7c84b4c138f393fa3b5c970e4afa5..8b6c494dcf8bff14694e61ea044eb29e23ac3e47 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] } dns myhostname
services: files
netgroup: files
automount: files
--
2.42.0

File diff suppressed because it is too large

@ -1,48 +0,0 @@
From c7fbbc569d150b09878ccf6e8e0e031d0f41224d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 29 Jun 2023 14:07:25 +0200
Subject: [PATCH 2/7] profiles: do not try to change password via sssd for
local users
Steps to reproduce:
1. Create local user and set password
2. Log in as the local user
3. Run passwd and provide wrong password as "Current password"
"Current password" prompt should be printed only once.
Resolves: https://github.com/authselect/authselect/issues/338
(cherry picked from commit c9cc4b23badeb5e2fe3a38fa5b0649b3d7b0a718)
(cherry picked from commit 7fbb0454f2adfd8de44e17e1784eab79fce2232f)
---
profiles/sssd/password-auth | 1 +
profiles/sssd/system-auth | 1 +
2 files changed, 2 insertions(+)
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 5ea280a..7fe23f2 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -25,6 +25,7 @@ password requisite pam_pwquality.so local_
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
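Review bot: The added `[success=1 default=ignore] pam_localuser.so` line jumps over exactly one entry, so it is only correct while `pam_sss.so` is the line directly after it; a module inserted between the two later would be skipped instead, and local users would reach `pam_sss.so` again. Add a comment above the line naming `pam_sss.so` as the jump target, and keep the identical line in system-auth in step with this one. The commit message should also say that a local user who gets this far falls through to `pam_deny.so`, since that is what produces the single "Current password" prompt.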
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index fd1e31c..ce2e266 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,6 +32,7 @@ password requisite pam_pwquality.so local_
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
--
2.40.1

File diff suppressed because it is too large

@ -1,25 +0,0 @@
From 2f1fea5ec3132f2ced05887ba24d03e134934930 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH 1/3] rhel8: remove mention of Fedora Change page in compat
tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 1a68d95c71b51beabe80e9b07c084ea9c2f3580d..8334293911d1d4c2d98a6d233b91fc348cf06575 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -471,7 +471,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
print(_("See man authselect-migration(7) to help you with migration to authselect"))
options = self.options.getSetButUnsupported()
--
2.34.1


@ -1,42 +0,0 @@
From 9009c94f3abf85954ffc04c354c6eaff715b4512 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Nov 2020 14:05:00 +0100
Subject: [PATCH 3/3] rhel8: Revert "profiles: add support for resolved"
systemd-resolved should not be enabled by default on rhel8.
This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
---
profiles/minimal/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
automount: files {exclude if "with-custom-automount"}
ethers: files {exclude if "with-custom-ethers"}
group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
initgroups: files {exclude if "with-custom-initgroups"}
netgroup: files {exclude if "with-custom-netgroup"}
networks: files {exclude if "with-custom-networks"}
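Review bot: The `hosts:` change does more than remove `resolve [!UNAVAIL=return]`: it also moves `myhostname` from before `dns` to after it (`files myhostname dns` becomes `files dns myhostname`, and the nis hunk does the same). The commit message mentions only systemd-resolved and calls the patch a revert. Add a line saying the reorder is deliberate, because it changes which source answers for the local host name.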
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
automount: files nis {exclude if "with-custom-automount"}
ethers: files nis {exclude if "with-custom-ethers"}
group: files nis systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
initgroups: files nis {exclude if "with-custom-initgroups"}
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
--
2.34.1


@ -1,946 +0,0 @@
From c40bbcc77373120915033ab24d5ab149920666a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 5 Dec 2022 19:03:00 +0100
Subject: [PATCH 7/7] rhel8: Revert yescrypt
Patch-name: 0904-rhel8-Revert-yescrypt.patch
Patch-id: 904
From-dist-git-commit: 4793c5170d11c5d4ce4c6c7b0e8902429e1011fc
---
po/af.po | 2 +-
po/authselect.pot | 2 +-
po/ca.po | 2 +-
po/cs.po | 4 ++--
po/de.po | 4 ++--
po/es.po | 4 ++--
po/fa.po | 2 +-
po/fi.po | 4 ++--
po/fr.po | 4 ++--
po/hu.po | 4 ++--
po/id.po | 2 +-
po/it.po | 4 ++--
po/ja.po | 4 ++--
po/ka.po | 4 ++--
po/ko.po | 4 ++--
po/nl.po | 4 ++--
po/pl.po | 4 ++--
po/pt.po | 2 +-
po/pt_BR.po | 4 ++--
po/ru.po | 4 ++--
po/si.po | 2 +-
po/sv.po | 4 ++--
po/tr.po | 4 ++--
po/uk.po | 4 ++--
po/zh_CN.po | 4 ++--
po/zh_TW.po | 4 ++--
profiles/minimal/password-auth | 2 +-
profiles/minimal/system-auth | 2 +-
profiles/nis/password-auth | 2 +-
profiles/nis/system-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/system-auth | 2 +-
profiles/winbind/password-auth | 2 +-
profiles/winbind/system-auth | 2 +-
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 2 +-
src/man/po/authselect-migration.7.adoc.ca.po | 2 +-
src/man/po/authselect-migration.7.adoc.cs.po | 2 +-
src/man/po/authselect-migration.7.adoc.de.po | 2 +-
src/man/po/authselect-migration.7.adoc.es.po | 2 +-
src/man/po/authselect-migration.7.adoc.fa.po | 2 +-
src/man/po/authselect-migration.7.adoc.fi.po | 4 ++--
src/man/po/authselect-migration.7.adoc.fr.po | 4 ++--
src/man/po/authselect-migration.7.adoc.hu.po | 2 +-
src/man/po/authselect-migration.7.adoc.it.po | 2 +-
src/man/po/authselect-migration.7.adoc.ja.po | 4 ++--
src/man/po/authselect-migration.7.adoc.ko.po | 4 ++--
src/man/po/authselect-migration.7.adoc.nl.po | 4 ++--
src/man/po/authselect-migration.7.adoc.pl.po | 2 +-
src/man/po/authselect-migration.7.adoc.pot | 2 +-
src/man/po/authselect-migration.7.adoc.pt.po | 2 +-
src/man/po/authselect-migration.7.adoc.pt_BR.po | 2 +-
src/man/po/authselect-migration.7.adoc.ru.po | 4 ++--
src/man/po/authselect-migration.7.adoc.si.po | 2 +-
src/man/po/authselect-migration.7.adoc.sv.po | 4 ++--
src/man/po/authselect-migration.7.adoc.tr.po | 4 ++--
src/man/po/authselect-migration.7.adoc.uk.po | 4 ++--
src/man/po/authselect-migration.7.adoc.zh_CN.po | 2 +-
src/man/po/authselect-migration.7.adoc.zh_TW.po | 2 +-
59 files changed, 87 insertions(+), 87 deletions(-)
diff --git a/po/af.po b/po/af.po
index e305029..b4f0418 100644
--- a/po/af.po
+++ b/po/af.po
@@ -1575,7 +1575,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/authselect.pot b/po/authselect.pot
index ebb39b0..c308071 100644
--- a/po/authselect.pot
+++ b/po/authselect.pot
@@ -1535,7 +1535,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/ca.po b/po/ca.po
index 3373e10..75d91ec 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -1569,7 +1569,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/cs.po b/po/cs.po
index 48929b6..b9150b7 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -1600,8 +1600,8 @@ msgid "<name>"
msgstr "<jméno>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
# auto translated by TM merge from project: authconfig, version: master, DocId: po/authconfig
#: src/compat/authcompat_Options.py:149
diff --git a/po/de.po b/po/de.po
index 07eab1e..746d167 100644
--- a/po/de.po
+++ b/po/de.po
@@ -1600,8 +1600,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/es.po b/po/es.po
index 3868023..af5cde8 100644
--- a/po/es.po
+++ b/po/es.po
@@ -1598,8 +1598,8 @@ msgid "<name>"
msgstr "<nombre>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/fa.po b/po/fa.po
index 7776891..d74c1cd 100644
--- a/po/fa.po
+++ b/po/fa.po
@@ -1537,7 +1537,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/fi.po b/po/fi.po
index 2ae32ff..7390590 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -1583,8 +1583,8 @@ msgid "<name>"
msgstr "<nimi>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/fr.po b/po/fr.po
index a40cf4c..d526c5d 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -1605,8 +1605,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/hu.po b/po/hu.po
index 758be29..e18d6bf 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -1590,8 +1590,8 @@ msgid "<name>"
msgstr "<név>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/id.po b/po/id.po
index a83e1e2..6a7e2a7 100644
--- a/po/id.po
+++ b/po/id.po
@@ -1538,7 +1538,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/it.po b/po/it.po
index 9427893..4b27ef2 100644
--- a/po/it.po
+++ b/po/it.po
@@ -1585,8 +1585,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/ja.po b/po/ja.po
index fe83406..7ea9ae8 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -1598,8 +1598,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
# auto translated by TM merge from translation memory: authconfig, unique id: authconfig:6.2.8:authconfig:0bbce02e304562c295a1d57d66c296d3
#: src/compat/authcompat_Options.py:149
diff --git a/po/ka.po b/po/ka.po
index ef2e7c6..e19c0ab 100644
--- a/po/ka.po
+++ b/po/ka.po
@@ -1573,8 +1573,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/ko.po b/po/ko.po
index 52d2cac..eb768fe 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -1570,8 +1570,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/nl.po b/po/nl.po
index 1bd2a9b..ba50b52 100644
--- a/po/nl.po
+++ b/po/nl.po
@@ -1602,8 +1602,8 @@ msgid "<name>"
msgstr "<naam>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/pl.po b/po/pl.po
index 9b6627c..13553c8 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -1609,8 +1609,8 @@ msgid "<name>"
msgstr "<nazwa>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/pt.po b/po/pt.po
index ad02a0b..90d2aa3 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -1536,7 +1536,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/pt_BR.po b/po/pt_BR.po
index a1215bb..544b8e9 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -1592,8 +1592,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/ru.po b/po/ru.po
index 4919002..d23284d 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -1590,8 +1590,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/si.po b/po/si.po
index 39f5a79..eaf4b3c 100644
--- a/po/si.po
+++ b/po/si.po
@@ -1536,7 +1536,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/sv.po b/po/sv.po
index 9292b1f..cc70f2d 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -1580,8 +1580,8 @@ msgid "<name>"
msgstr "<namn>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/tr.po b/po/tr.po
index 9be388f..0aaa543 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -1589,8 +1589,8 @@ msgid "<name>"
msgstr "<ad>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/uk.po b/po/uk.po
index c66594f..bc4c93b 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -1591,8 +1591,8 @@ msgid "<name>"
msgstr "<назва>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 75ec7d8..6c109a0 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -1559,8 +1559,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index 89fefed..0562435 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -1562,8 +1562,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index 858c21f..8c4cb37 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -12,7 +12,7 @@ account required pam_unix.so
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
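Review bot: On the changed `pam_unix.so` line, `sha512` is given without a `rounds=` argument, so every new password hash is written at the library default cost once `yescrypt` is gone. If the rhel8 policy expects a higher work factor, set `rounds=` here and in the other seven profile files this patch changes, or state in the commit message that the default is intended. The message currently carries only the patch name and ids and gives no reason for the revert.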
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index 858c21f..8c4cb37 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -12,7 +12,7 @@ account required pam_unix.so
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 56a51d9..56b19a6 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -15,7 +15,7 @@ account required pam_unix.so broken_shad
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 74cf6ec..5d5010a 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -16,7 +16,7 @@ account required pam_unix.so broken_shad
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 5b235de..b64f048 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -24,7 +24,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 22e87d8..d338719 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -31,7 +31,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8b260fa..4944b42 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -21,7 +21,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 33aa13e..afe27d7 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -22,7 +22,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
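Review bot: the patch should document what happens to accounts whose /etc/shadow entry is already in yescrypt format, since the `sha512` option on the `pam_unix.so` line in profiles/winbind/system-auth only selects the format used when a password is next changed. One sentence in the patch description or in authselect-migration(7) would cover it; the profile line itself looks fine.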
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index 5c8b21b..5c97fee 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -145,7 +145,7 @@ class Options:
Option.UnsupportedSwitch("useshadow"),
Option.UnsupportedFeature("md5"),
Option.UnsupportedSwitch("usemd5"),
- Option.UnsupportedValued("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>")),
+ Option.UnsupportedValued("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
Option.UnsupportedValued("ldaploadcacert", _("<URL>")),
Option.UnsupportedValued("smartcardmodule", _("<module>")),
Option.UnsupportedValued("smbsecurity", _("<user|server|domain|ads>")),
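Review bot: the `passalgo` value hint is wrapped in `_()`, so dropping `|yescrypt` from it changes a translatable msgid, and any catalog entry keyed on the old string stops matching. Either update the corresponding message catalog entries in this same patch, or leave the string alone: the option is declared `UnsupportedValued`, so trimming the hint buys little and widens the downstream delta.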
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 888cd4e..ee493ee 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -90,7 +90,7 @@ configuration file for required services.
NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
used to make sure that passwords are stored in `/etc/shadow` using `sha512`
-algorithm. *The authselect profiles now use the yescrypt hashing method* and
+algorithm. *The authselect profiles now use the sha512 hashing method* and
it cannot be changed through an option (only by creating a custom profile).
You can just omit these options.
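Review bot: in the NOTE paragraph, "The authselect profiles now use the sha512 hashing method" reads oddly once the token is swapped, because the previous sentence already presents `--passalgo=sha512` as the old way of getting sha512, so "now" no longer marks a change. Consider "The authselect profiles always use the sha512 hashing method"; if the wording is kept to minimise msgid churn, say so in the patch description.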
diff --git a/src/man/po/authselect-migration.7.adoc.ca.po b/src/man/po/authselect-migration.7.adoc.ca.po
index 08b11b7..12f14d6 100644
--- a/src/man/po/authselect-migration.7.adoc.ca.po
+++ b/src/man/po/authselect-migration.7.adoc.ca.po
@@ -185,7 +185,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.cs.po b/src/man/po/authselect-migration.7.adoc.cs.po
index d11809b..caf570b 100644
--- a/src/man/po/authselect-migration.7.adoc.cs.po
+++ b/src/man/po/authselect-migration.7.adoc.cs.po
@@ -242,7 +242,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.de.po b/src/man/po/authselect-migration.7.adoc.de.po
index c166a0f..fff88c8 100644
--- a/src/man/po/authselect-migration.7.adoc.de.po
+++ b/src/man/po/authselect-migration.7.adoc.de.po
@@ -193,7 +193,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.es.po b/src/man/po/authselect-migration.7.adoc.es.po
index 8cb3584..5403cde 100644
--- a/src/man/po/authselect-migration.7.adoc.es.po
+++ b/src/man/po/authselect-migration.7.adoc.es.po
@@ -241,7 +241,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.fa.po b/src/man/po/authselect-migration.7.adoc.fa.po
index b902c0c..db37728 100644
--- a/src/man/po/authselect-migration.7.adoc.fa.po
+++ b/src/man/po/authselect-migration.7.adoc.fa.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.fi.po b/src/man/po/authselect-migration.7.adoc.fi.po
index 14c6894..79ff561 100644
--- a/src/man/po/authselect-migration.7.adoc.fi.po
+++ b/src/man/po/authselect-migration.7.adoc.fi.po
@@ -252,14 +252,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig-asetuksia `--enableshadow` ja `--passalgo=sha512` käytettiin "
"usein varmistamaan, että salasanat on tallennettu hakemistoon `/etc/shadow` "
"käyttämällä `sha512`-algoritmia. *Authselect-profiilit käyttävät nyt "
-"yescrypt-hajautusmenetelmää*, eikä sitä voi muuttaa valinnalla (onnistuu "
+"sha512-hajautusmenetelmää*, eikä sitä voi muuttaa valinnalla (onnistuu "
"vain luomalla mukautettu profiili). Voit jättää nämä vaihtoehdot pois."
#. type: Block title
diff --git a/src/man/po/authselect-migration.7.adoc.fr.po b/src/man/po/authselect-migration.7.adoc.fr.po
index cf3fcf9..55a7386 100644
--- a/src/man/po/authselect-migration.7.adoc.fr.po
+++ b/src/man/po/authselect-migration.7.adoc.fr.po
@@ -259,14 +259,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Les options dAuthconfig '--enableshadow' et '--passalgo=sha512' ont souvent "
"été utilisées pour sassurer que les mots de passe sont stockés dans '/etc/"
"shadow' en utilisant lalgorithme 'sha512'. *Les profils authselect "
-"utilisent maintenant la méthode de hachage yescrypt* et elle ne peut pas "
+"utilisent maintenant la méthode de hachage sha512* et elle ne peut pas "
"être modifiée via une option (uniquement en créant un profil personnalisé). "
"Vous pouvez simplement omettre ces options."
diff --git a/src/man/po/authselect-migration.7.adoc.hu.po b/src/man/po/authselect-migration.7.adoc.hu.po
index a058b22..368476a 100644
--- a/src/man/po/authselect-migration.7.adoc.hu.po
+++ b/src/man/po/authselect-migration.7.adoc.hu.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.it.po b/src/man/po/authselect-migration.7.adoc.it.po
index f28d362..d09af60 100644
--- a/src/man/po/authselect-migration.7.adoc.it.po
+++ b/src/man/po/authselect-migration.7.adoc.it.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.ja.po b/src/man/po/authselect-migration.7.adoc.ja.po
index 782e094..a8da7e2 100644
--- a/src/man/po/authselect-migration.7.adoc.ja.po
+++ b/src/man/po/authselect-migration.7.adoc.ja.po
@@ -246,13 +246,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig オプション `--enableshadow`と` --passalgo = sha512`は、パスワード"
"が `sha512`アルゴリズムを使用して` / etc / shadow`に確実に保存されるようにす"
-"るためによく使用されていました。 * authselect プロファイルはyescryptハッシュ"
+"るためによく使用されていました。 * authselect プロファイルはsha512ハッシュ"
"メソッドを使用するようになりました*。オプションを使用して変更することはできま"
"せん(カスタムプロファイルを作成する場合のみ)。 これらのオプションは省略でき"
"ます。"
diff --git a/src/man/po/authselect-migration.7.adoc.ko.po b/src/man/po/authselect-migration.7.adoc.ko.po
index 9704e0b..338bc33 100644
--- a/src/man/po/authselect-migration.7.adoc.ko.po
+++ b/src/man/po/authselect-migration.7.adoc.ko.po
@@ -249,13 +249,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig 선택 `--enableshadow`와 `--passalgo=sah512`는 비밀번호는 `sha512` "
"알고리즘을 사용하여 `/etc/shadow`에서 저장되어지도록 자주 사용되곤 합니다. "
-"*authselect 프로파일은 이제 yescrypt 해쉬 방법을 사용합니다* 그리고 이는 선택"
+"*authselect 프로파일은 이제 sha512 해쉬 방법을 사용합니다* 그리고 이는 선택"
"(사용자 정의 프로파일 생성에서만)을 통해 변경 될 수 없습니다. 당신은 다만 이"
"들 옵션을 생략 할 수 있습니다."
diff --git a/src/man/po/authselect-migration.7.adoc.nl.po b/src/man/po/authselect-migration.7.adoc.nl.po
index 15573ef..b587fa4 100644
--- a/src/man/po/authselect-migration.7.adoc.nl.po
+++ b/src/man/po/authselect-migration.7.adoc.nl.po
@@ -257,14 +257,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"De authconfig-opties '--enableshadow' and '--passalgo=sha512' werden vaak "
"gebruikt om te verzekeren dat wachtwoorden worden opgeslagen in /etc/shadow "
"met gebruik van het sha512-algoritme. *De authselect-profielen gebruiken "
-"thans hashing met yescrypt.* Dit kan niet met een optie worden gewijzigd, "
+"thans hashing met sha512.* Dit kan niet met een optie worden gewijzigd, "
"maar alleen door een eigen profiel aan te maken. U kunt de voornoemde opties "
"gewoon weglaten."
diff --git a/src/man/po/authselect-migration.7.adoc.pl.po b/src/man/po/authselect-migration.7.adoc.pl.po
index e0e629a..d229fb7 100644
--- a/src/man/po/authselect-migration.7.adoc.pl.po
+++ b/src/man/po/authselect-migration.7.adoc.pl.po
@@ -191,7 +191,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.pot b/src/man/po/authselect-migration.7.adoc.pot
index c35b730..bed9498 100644
--- a/src/man/po/authselect-migration.7.adoc.pot
+++ b/src/man/po/authselect-migration.7.adoc.pot
@@ -188,7 +188,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
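Review bot: the `.pot` template is patched by hand here, as is every per-language catalog around it, and these hunks are the part of the patch most likely to stop applying after the next translation update because their context is the surrounding msgid text. Consider restricting the patch to the profile files and the `.adoc` source and regenerating the catalogs at build time, or note in the patch description that the catalog hunks must be refreshed whenever translations are updated.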
diff --git a/src/man/po/authselect-migration.7.adoc.pt.po b/src/man/po/authselect-migration.7.adoc.pt.po
index 982c629..e67478b 100644
--- a/src/man/po/authselect-migration.7.adoc.pt.po
+++ b/src/man/po/authselect-migration.7.adoc.pt.po
@@ -192,7 +192,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.pt_BR.po b/src/man/po/authselect-migration.7.adoc.pt_BR.po
index 51584e7..a63b8fb 100644
--- a/src/man/po/authselect-migration.7.adoc.pt_BR.po
+++ b/src/man/po/authselect-migration.7.adoc.pt_BR.po
@@ -198,7 +198,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.ru.po b/src/man/po/authselect-migration.7.adoc.ru.po
index 469f463..fd0eb1a 100644
--- a/src/man/po/authselect-migration.7.adoc.ru.po
+++ b/src/man/po/authselect-migration.7.adoc.ru.po
@@ -256,14 +256,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Параметры Authconfig `--enableshadow` и`--passalgo=sha512` часто "
"использовались, чтобы гарантировать хранение паролей в `/ etc / shadow` с "
"использованием алгоритма`sha512`. *Профили authselect теперь используют "
-"метод хеширования yescrypt*, и его нельзя изменить с помощью параметра "
+"метод хеширования sha512*, и его нельзя изменить с помощью параметра "
"(только путем создания пользовательского профиля). Вы можете просто опустить "
"эти параметры."
diff --git a/src/man/po/authselect-migration.7.adoc.si.po b/src/man/po/authselect-migration.7.adoc.si.po
index 0dbdb2c..5f88382 100644
--- a/src/man/po/authselect-migration.7.adoc.si.po
+++ b/src/man/po/authselect-migration.7.adoc.si.po
@@ -188,7 +188,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.sv.po b/src/man/po/authselect-migration.7.adoc.sv.po
index b3087ea..397e901 100644
--- a/src/man/po/authselect-migration.7.adoc.sv.po
+++ b/src/man/po/authselect-migration.7.adoc.sv.po
@@ -253,13 +253,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig-flaggorna ”--enableshadow” och ”--passalgo=sha512” användes ofta "
"för att säkerställa att lösenord lagras i ”/etc/shadow” med algoritmen "
-"”sha512”. *Authselect-profilerna använder nu hashningsmetoden yescrypt* och "
+"”sha512”. *Authselect-profilerna använder nu hashningsmetoden sha512* och "
"det kan inte ändras genom någon flagga (endast genom att skapa en anpassad "
"profil). Du kan helt enkelt utelämna dessa flaggor."
diff --git a/src/man/po/authselect-migration.7.adoc.tr.po b/src/man/po/authselect-migration.7.adoc.tr.po
index 35e5d5c..157f7d2 100644
--- a/src/man/po/authselect-migration.7.adoc.tr.po
+++ b/src/man/po/authselect-migration.7.adoc.tr.po
@@ -258,13 +258,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"`--enableshadow` ve `--passalgo=sha512` authconfig seçenekleri, parolaların "
"`/etc/shadow` dosyasında `sha512` algoritması kullanılarak saklandığından "
-"emin olmak için sıklıkla kullanılırdı. *Authselect profilleri artık yescrypt "
+"emin olmak için sıklıkla kullanılırdı. *Authselect profilleri artık sha512 "
"şifreleme yöntemini kullanıyor* ve bir seçenek aracılığıyla değiştirilemez "
"(yalnızca özel bir profil oluşturarak değiştirilebilir). Bu seçenekleri "
"yalnızca atlayabilirsiniz."
diff --git a/src/man/po/authselect-migration.7.adoc.uk.po b/src/man/po/authselect-migration.7.adoc.uk.po
index 5a1b8a3..98d9841 100644
--- a/src/man/po/authselect-migration.7.adoc.uk.po
+++ b/src/man/po/authselect-migration.7.adoc.uk.po
@@ -257,14 +257,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Параметри authconfig `--enableshadow` і `--passalgo=sha512`часто "
"використовували для забезпечення зберігання паролів у `/etc/shadow` з "
"використанням алгоритму `sha512`. *У поточних версіях профілів authselect "
-"використано метод хешування yescrypt*, його не можна змінити якимось "
+"використано метод хешування sha512*, його не можна змінити якимось "
"параметром (лише за допомогою нетипового профілю). Ви можете просто не "
"використовувати ці параметри."
diff --git a/src/man/po/authselect-migration.7.adoc.zh_CN.po b/src/man/po/authselect-migration.7.adoc.zh_CN.po
index 6f5e562..2b95ca4 100644
--- a/src/man/po/authselect-migration.7.adoc.zh_CN.po
+++ b/src/man/po/authselect-migration.7.adoc.zh_CN.po
@@ -190,7 +190,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.zh_TW.po b/src/man/po/authselect-migration.7.adoc.zh_TW.po
index 43ab062..e7112be 100644
--- a/src/man/po/authselect-migration.7.adoc.zh_TW.po
+++ b/src/man/po/authselect-migration.7.adoc.zh_TW.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
--
2.40.1

View File

@ -1,442 +0,0 @@
# Do not terminate build if language files are empty.
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.2.6
Release: 2%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
Patch0001: 0001-po-update-translations.patch
Patch0002: 0002-profiles-do-not-try-to-change-password-via-sssd-for-.patch
Patch0003: 0003-po-update-translations.patch
# Downstream only
Patch0901: 0901-rhel8-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch0902: 0902-rhel8-remove-ecryptfs-support.patch
Patch0903: 0903-rhel8-Revert-profiles-add-support-for-resolved.patch
Patch0904: 0904-rhel8-Revert-yescrypt.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
BuildRequires: python3-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
# Required by scriptlets
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Requires: systemd
Requires: pam >= 1.3.1-9
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%autosetup -p1
%build
autoreconf -if
%configure --with-pythonbin="%{__python3}" --with-compat
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/fingerprint-auth
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/smartcard-auth
%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
%preun
if [ $1 == 0 ] ; then
# Remove authselect symbolic links so all authselect files can be
# deleted safely. If this fail, the uninstallation must fail to avoid
# breaking the system by removing PAM files. However, the command can
# only fail if it can not write to the file system.
%{_bindir}/authselect uninstall
fi
%pre libs
%__rm -f %{validfile}
if [ $1 -gt 1 ] ; then
# Remember if the current configuration is valid
%{_bindir}/authselect check &> /dev/null
if [ $? -eq 0 ]; then
touch %{validfile}
fi
fi
exit 0
%posttrans libs
# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
%__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
# If we are upgrading from older version, we want to remove these comments.
%__sed -i '/^# Generated by authselect on .*$/{$!{
N;N # Read also next two lines
/# Generated by authselect on .*\n# Do not modify this file manually.\n/d
}}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
fi
# If the configuration is valid and we are upgrading from older version
# we need to create these files since they were added in 1.0.
if [ -f %{validfile} ]; then
FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
smartcard-auth postlogin dconf-db dconf-locks"
for FILE in $FILES ; do
%__cp -n %{_sysconfdir}/authselect/$FILE \
%{_localstatedir}/lib/authselect/$FILE &> /dev/null
done
%__rm -f %{validfile}
fi
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
%__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
if [ $? -eq 0 ]; then
PROFILE=`echo $CURRENT | %__awk '{print $1;}'`
if [ $PROFILE == "sssd" ] ; then
if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
fi
fi
fi
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Thu Aug 3 2023 Pavel Březina <pbrezina@redhat.com> - 1.2.6-2
- Fix Japanese translations (RHBZ #2216755)
- Update translations (RHBZ #2189557)
- Do not prompt for password twice when changing password of local user (RHBZ #2179607)
* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.6-1
- Rebase to 1.2.6 (RHBZ #2142805)
- Update translations (RHBZ #2139696)
- Change password hashing algorithm from yescrypt back to sha512 (RHBZ #2151140)
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.5-1
- Rebase to 1.2.5 (RHBZ #2080238)
- sssd profile with-smartcard no longer prevents local users from accessing cron (RHBZ #2070325)
- backup-restore now works correctly (RHBZ #2066535)
- add with-subid to sssd profile (RHBZ #2063750)
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- Update translations (RHBZ #1961625)
* Wed Jul 14 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-2
- try_first_pass option no longer works on some PAM modules in RHEL8 (RHBZ #1949070)
- Need to localize the description of --debug option in authselect show (RHBZ #1970408)
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
- Rebase to authselect-1.2.2 (RHBZ #1892761)
* Fri Jun 19 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-2
- Update translations (RHBZ #1820533)
* Tue May 12 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
- Rebase to authselect-1.2.1 (RHBZ #1810471)
- CLI commands are now correctly translated (RHBZ #1816009)
- Remove unsupported features from sssd profile description (RHBZ #1830251)
- add `with-files-access-provider` to sssd profile (RHBZ #1734094)
- switch to pam_usertype module (RHBZ #1773567)
- fix typo in sssd profile description (RHBZ #1787638)
- add minimal profile (RHBZ #1654018)
* Thu Jul 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-2
- Update translations (RHBZ #1689973)
* Mon Jun 10 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
- Rebase to authselect-1.1 (RHBZ #1685516)
- Notify that oddjob-mkhomedir needs to be enabled manually (RHBZ #1694103)
- Ask for smartcard insertion when smartcard authentication is required (RHBZ #1674397)
- Update translations (RHBZ #1689973)
* Mon Feb 25 2019 Jakub Hrozek <jhrozek@redhat.com> - 1.0-13
- Revert pam_systemd.so to be optional
- Resolves: #rhbz1643928 - pam_systemd shouldn't be optional in system-auth
* Mon Feb 4 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-12
- make authselect work with selinux disabled (RHBZ #1668025)
- require smartcard authentication only for specific services (RHBZ #1665058)
- update translations (RHBZ #1608286)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-11
- require libselinux needed by (RHBZ #1664650)
* Fri Jan 11 2019 Pavel Březina <pbrezina@redhat.com> - 1.0-10
- invalid selinux context for files under /etc/authselect (RHBZ #1664650)
* Tue Dec 4 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-9
- fix sources for official rhel translations (RHBZ #1608286)
- fix coverity warnings for authselect enable-features should error on unknown features (RHBZ #1651637)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-8
- add official rhel translations (RHBZ #1608286)
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-7
- pam_systemd shouldn't be optional in system-auth (RHBZ #1643928)
- compat tool: support --enablerequiresmartcard (RHBZ #1649277)
- compat tool: support --smartcardaction=0 (RHBZ #1649279)
- remove ecryptfs from authselect since it is not present in rhel8 (RHBZ #1649282)
- authselect enable-features should error on unknown features (RHBZ #1651637)
* Wed Oct 31 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-6
- Remove mention of Fedora Change page from compat tool (RHBZ #1644309)
* Wed Oct 10 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-5
- Support for "require smartcard for login option" (RHBZ #1611012)
* Mon Oct 1 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-4
- add official rhel translations (RHBZ #1608286)
* Fri Sep 28 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- fix typo (require systemd instead of systemctl)
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-2
- authconfig --update overwrites current profile (RHBZ #1628492)
- authselect profile nis enhancements (RHBZ #1628493)
- scriptlet can fail if coreutils is not installed (RHBZ #1630896)
- authconfig --update --enablenis stops ypserv (RHBZ #1632567)
- compat tool generates invalid pwquality configuration (RHBZ #1628491)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0 (RHBZ #1614235)
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.4-4
- Rebuild for platform-python
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging

14
authselect.rpmlintrc Normal file

@ -0,0 +1,14 @@
# Whitelist known warnings that can not be fixed
addFilter("authselect.*: W: package-with-huge-docs 70%");
addFilter("authselect.*: W: obsolete-not-provided authconfig");
addFilter("authselect.*: W: obsolete-not-provided authselect-compat");
addFilter("authselect.*: W: non-conffile-in-etc /etc/bash_completion.d/authselect-completion.sh");
addFilter("authselect-devel.*: W: no-documentation");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/dconf-locks /usr/share/authselect/default/minimal/dconf-locks:/usr/share/authselect/default/nis/dconf-locks");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/smartcard-auth /usr/share/authselect/default/minimal/fingerprint-auth:/usr/share/authselect/default/minimal/smartcard-auth:/usr/share/authselect/default/nis/smartcard-auth");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/minimal/system-auth /usr/share/authselect/default/minimal/password-auth");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/postlogin /usr/share/authselect/default/minimal/postlogin:/usr/share/authselect/default/nis/postlogin:/usr/share/authselect/default/sssd/postlogin");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/authselect/default/winbind/dconf-db /usr/share/authselect/default/nis/dconf-db");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/doc/authselect/README.md /usr/share/doc/authselect-libs/README.md");
addFilter("authselect-libs.*: W: files-duplicate /usr/share/licenses/authselect-libs/COPYING /usr/share/doc/authselect/COPYING");
addFilter("authselect-libs.*: W: dangerous-command-in-%posttrans rm");
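Review bot: the last filter, `dangerous-command-in-%posttrans rm`, no longer matches anything in the accompanying authselect.spec and should be dropped. The `%posttrans libs` scriptlet there calls sed, readlink, basename and ln but no rm, so keeping the filter only suppresses the warning if an rm is ever reintroduced into a scriptlet that runs as root. The `files-duplicate` filters that name `default/minimal/...` paths and the `obsolete-not-provided authconfig` filter look stale for the same reason: the spec ships no minimal profile and only obsoletes authselect-compat. Re-run rpmlint against the new packages and keep just the filters that still fire.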

489
authselect.spec Normal file

@ -0,0 +1,489 @@
# Do not terminate build if language files are empty.
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.5.0
Release: 8%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPL-3.0-or-later
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
# Disable NIS profile on RHEL
%if 0%{?rhel}
%global with_nis_profile 0
%else
%global with_nis_profile 1
%endif
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
# Patches
Patch0001: 0001-sssd-reintroduce-with-files-access-provider.patch
Patch0002: 0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
Patch0003: 0003-po-update-translations.patch
Patch0004: 0004-nis-install-nis-profile-conditionally.patch
Patch0005: 0005-configure-drop-user-nsswitch.conf-support.patch
Patch0006: 0006-configure-drop-authconfig-compat-tool.patch
Patch0007: 0007-ci-remove-python-checks.patch
Patch0008: 0008-pot-update-pot-files.patch
Patch0009: 0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
Patch0010: 0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
Patch0011: 0011-profiles-put-myhostname-before-dns.patch
# RHEL-only patches
%if 0%{?rhel}
Patch0901: 0901-rhel10-remove-systemd-homed.patch
Patch0902: 0902-rhel10-remove-ecryptfs-support.patch
Patch0903: 0903-rhel10-remove-systemd-resolved.patch
Patch0904: 0904-rhel10-move-myhostname-after-dns-to-fix-hostname-fqd.patch
%endif
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: findutils
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(popt)
BuildRequires: gettext-devel
BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
# Properly obsolete removed authselect-compat package.
Obsoletes: authselect-compat < 1.3
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
the administrator build the PAM stack with a tool (which may potentially
end up with a broken configuration), it would ship several tested stacks
(profiles) that solve a use-case and are well tested and supported.
At the same time, some obsolete features of authconfig are not
supported by authselect.
%package libs
Summary: Utility library used by the authselect tool
# Required by scriptlets
Requires: coreutils
Requires: sed
Suggests: systemd
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
%description devel
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
%build
autoreconf -if
%configure \
%if %{with_nis_profile}
--with-nis-profile \
%endif
%{nil}
%make_build
%check
%make_build check
%install
%make_install
# Find translations
%find_lang %{name}
%find_lang %{name} %{name}.8.lang --with-man
%find_lang %{name}-migration %{name}-migration.7.lang --with-man
%find_lang %{name}-profiles %{name}-profiles.5.lang --with-man
# We want this file to contain only manual page translations
%__sed -i '/LC_MESSAGES/d' %{name}.8.lang
# Remove .la and .a files created by libtool
find $RPM_BUILD_ROOT -name "*.la" -exec %__rm -f {} \;
find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ldconfig_scriptlets libs
%files libs -f %{name}.lang -f %{name}-profiles.5.lang
%dir %{_sysconfdir}/authselect
%dir %{_sysconfdir}/authselect/custom
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/authselect.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-db
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/local/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/local/dconf-db
%{_datadir}/authselect/default/local/dconf-locks
%{_datadir}/authselect/default/local/fingerprint-auth
%{_datadir}/authselect/default/local/nsswitch.conf
%{_datadir}/authselect/default/local/password-auth
%{_datadir}/authselect/default/local/postlogin
%{_datadir}/authselect/default/local/README
%{_datadir}/authselect/default/local/REQUIREMENTS
%{_datadir}/authselect/default/local/smartcard-auth
%{_datadir}/authselect/default/local/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
%{_datadir}/authselect/default/sssd/nsswitch.conf
%{_datadir}/authselect/default/sssd/password-auth
%{_datadir}/authselect/default/sssd/postlogin
%{_datadir}/authselect/default/sssd/README
%{_datadir}/authselect/default/sssd/REQUIREMENTS
%{_datadir}/authselect/default/sssd/smartcard-auth
%{_datadir}/authselect/default/sssd/system-auth
%{_datadir}/authselect/default/winbind/dconf-db
%{_datadir}/authselect/default/winbind/dconf-locks
%{_datadir}/authselect/default/winbind/fingerprint-auth
%{_datadir}/authselect/default/winbind/nsswitch.conf
%{_datadir}/authselect/default/winbind/password-auth
%{_datadir}/authselect/default/winbind/postlogin
%{_datadir}/authselect/default/winbind/README
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%if %{with_nis_profile}
%dir %{_datadir}/authselect/default/nis/
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/smartcard-auth
%{_datadir}/authselect/default/nis/system-auth
%endif
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
%{_datadir}/doc/authselect/README.md
%license COPYING
%doc README.md
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
%{_mandir}/man7/authselect-migration.7*
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
%preun
if [ $1 == 0 ] ; then
# Remove authselect symbolic links so all authselect files can be
# deleted safely. If this fail, the uninstallation must fail to avoid
# breaking the system by removing PAM files. However, the command can
# only fail if it can not write to the file system.
%{_bindir}/authselect opt-out
fi
%posttrans libs
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
%__sed -i -e 's/{if "with-altfiles":\([^}]\+\)}/\1/g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
# If this is a new installation select the default configuration.
if [ $1 == 1 ] ; then
%{_bindir}/authselect select %{default_profile} --force --nobackup &> /dev/null
exit 0
fi
# Minimal profile was removed. Switch to local during upgrade.
%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf
for file in %{_sysconfdir}/authselect/custom/*/*; do
link=`%{_bindir}/readlink "$file"`
if [[ "$link" == %{_datadir}/authselect/default/minimal/* ]]; then
target=`%{_bindir}/basename "$link"`
%{_bindir}/ln -sfn "%{_datadir}/authselect/default/local/$target" "$file"
fi
done
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
exit 0
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-8
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Fri Aug 02 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-7
- myhostname is put after dns module in nsswitch.conf hosts to fix hostname --fqdn (RHEL-39537)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-6
- Bump release for June 2024 mass rebuild
* Tue Feb 27 2024 Jonathan Lebon <jonathan@jlebon.com> - 1.5.0-5
- Fix altfiles rendering on OSTree variants
* Fri Feb 23 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-4
- Add back with-files-access-provider
- Remove outdated scriptlets
- Group merging added to nsswitch.conf group in all profiles
- myhostname is put right before dns module in nsswitch.conf hosts (rhbz#2257197)
- Internal packaging changes
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jan 18 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-1
- Rebase to 1.5.0
- "minimal" profile was removed and replaced with "local". (rhbz#2253180)
- "local" profile is now default (rhbz#2253180)
* Wed Sep 27 2023 Pavel Březina <pbrezina@redhat.com> - 1.4.3-1
- Rebase to 1.4.3
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Dec 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.2-1
- Rebase to 1.4.2
* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.1-1
- Rebase to 1.4.1
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 8 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-2
- Fix issues with popt-1.19
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-1
- Rebase to 1.3.0
* Thu Feb 10 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-10
- Fix mdns support (#2052269)
* Thu Feb 3 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-9
- Make authselect compatible with ostree (#2034360)
- Authselect now requires explicit opt-out if users don't want to use it (#2051545)
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-7
- Remove unnecessary dependencies (#2039869)
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-6
- Fix detection of ostree system (#2034360)
* Tue Dec 28 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-5
- Try to use io.open() in pre scriptlet instead of rpm.open() (rpm >= 4.17.0)
* Tue Dec 21 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-4
- Use lua for pre scriptlets to reduce dependencies
* Fri Dec 10 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-3
- Update conflicting versions of glibc and pam
* Mon Dec 6 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-1
- Rebase to 1.3.0
- Authselect configuration is now enforced (#2000936)
* Sat Aug 14 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.4-2
- Add proper Obsoletes for removed authselect-compat package
Fixes: rhbz#1993189
* Mon Aug 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.4-1
- Rebase to 1.2.4
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.3-3
- Backport support for yescrypt hash method
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.2.3-2
- Rebuilt for Python 3.10
* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1
- Rebase to 1.2.3
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-4
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
Resolves: #1935331
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Nov 25 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.2-1
- Rebase to 1.2.2
- Add nss-altfiles to profiles on Fedora Silverblue
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-3
- Add resolved by default to nis and minimal profiles
- Fix parsing of multiple conditionals on the same line
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.2.1-2
- Rebuilt for Python 3.9
* Mon May 11 2020 Pavel Březina <pbrezina@redhat.com> - 1.2.1-1
- Rebase to 1.2.1
* Wed Mar 4 2020 Pavel Březina <pbrezina@redhat.com> - 1.2-1
- Rebase to 1.2
* Mon Feb 17 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-7
- fix restoring non-authselect configuration from backup
* Wed Jan 29 2020 Pavel Březina <pbrezina@redhat.com> - 1.1-6
- cli: fix auto backup when --force is set
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-4
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.1-3
- Rebuilt for Python 3.8
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 13 2019 Pavel Březina <pbrezina@redhat.com> - 1.1-1
- Rebase to 1.1
* Tue Feb 26 2019 Pavel Březina <pbrezina@redhat.com> - 1.0.3-1
- Rebase to 1.0.3
* Tue Feb 26 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.0.2-4
- Use %ghost for files owned by authselect
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Dec 3 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-2
- Resolves rhbz#1655025 (invalid backup).
* Fri Nov 23 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.2-1
- Rebase to 1.0.2
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-2
- Require systemd instead of systemctl
* Thu Sep 27 2018 Pavel Březina <pbrezina@redhat.com> - 1.0.1-1
- Rebase to 1.0.1
* Fri Sep 14 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
- Scriptlets should no produce any error messages (RHBZ #1622272)
- Provide fix for pwquality configuration (RHBZ #1618865)
* Thu Aug 30 2018 Adam Williamson <awilliam@redhat.com> - 1.0-2
- Backport PR #78 to fix broken pwquality config (RHBZ #1618865)
* Mon Aug 13 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-1
- Rebase to 1.0
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4-4
- Rebuilt for Python 3.7
* Mon May 14 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-3
- Disable sssd as sudo rules source with sssd profile by default (RHBZ #1573403)
* Wed Apr 25 2018 Christian Heimes <cheimes@redhat.com> - 0.4-2
- Don't disable oddjobd.service (RHBZ #1571844)
* Mon Apr 9 2018 Pavel Březina <pbrezina@redhat.com> - 0.4-1
- rebasing to 0.4
* Tue Mar 6 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.2-1
- rebasing to 0.3.2
- authselect-compat now only suggests packages, not recommends
* Mon Mar 5 2018 Pavel Březina <pbrezina@redhat.com> - 0.3.1-1
- rebasing to 0.3.1
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-3
- Provide authconfig
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.3-2
- Properly own all appropriate directories
- Remove unneeded %%defattr
- Remove deprecated Group tag
- Make Obsoletes versioned
- Remove unneeded ldconfig scriptlets
* Tue Feb 20 2018 Pavel Březina <pbrezina@redhat.com> - 0.3-1
- rebasing to 0.3
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-2
- fix rpmlint errors
* Wed Jan 10 2018 Pavel Březina <pbrezina@redhat.com> - 0.2-1
- rebasing to 0.2
* Mon Jul 31 2017 Jakub Hrozek <jakub.hrozek@posteo.se> - 0.1-1
- initial packaging
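Review bot: in `%posttrans libs`, the upgrade step `%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf` is the only command in the scriptlet that neither checks that its target exists nor redirects its output. authselect.conf is a `%ghost` file, so it can be absent (for example after `authselect opt-out`), and sed will then print an error during the transaction, which the 1.0-3 changelog entry (RHBZ #1622272) says scriptlets should not do. Guard it with `[ -f ... ]` or add `&> /dev/null` like the neighbouring calls. The new-install branch also deserves a comment: `authselect select %{default_profile} --force --nobackup` overwrites whatever PAM and nsswitch configuration is present without keeping a copy, and since the output is discarded and the scriptlet exits 0, a failure there leaves no trace. Separately, the 1.4.0-1 changelog entry reads "Rebase to 1.3.0", which looks like a copy of the 1.3.0-1 entry.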

8
gating.yaml Normal file

@ -0,0 +1,8 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

1
sources Normal file

@ -0,0 +1 @@
SHA512 (authselect-1.5.0.tar.gz) = 33101654f8fd15e14bb644cf486734757fcfb7f0b83916ec1571f71d3e558e199ac6a14d10d402932531b54951717fda65d4a506199f9760937af26159ee5894

11
tests/tests.yml Normal file

@ -0,0 +1,11 @@
---
- hosts: localhost
tags:
- classic
roles:
- role: standard-test-basic
become: True
tests:
- simple:
dir: .
run: authselect list
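Review bot: `run: authselect list` under `simple` only proves that the binary starts and can enumerate profiles. It passes even when the `%posttrans libs` scriptlet failed to select or apply a profile, because that scriptlet discards all output and exits 0. Add a test that asserts on the installed state, for example `authselect check` and `authselect current --raw`, so that a broken default PAM or nsswitch configuration fails the gate instead of shipping.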