new upstream release with multiple improvements
parent
be55e6d98b
commit
26153ac92d
@ -1,15 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.2.0/configure.ac.links Linux-PAM-1.2.0/configure.ac
|
|
||||||
--- Linux-PAM-1.2.0/configure.ac.links 2015-05-15 16:00:03.406295266 +0200
|
|
||||||
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 16:00:03.425295702 +0200
|
|
||||||
@@ -564,9 +564,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
|
|
||||||
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
|
|
||||||
[DocBook XSL Stylesheets], [], enable_docu=no)
|
|
||||||
|
|
||||||
-AC_PATH_PROG([BROWSER], [w3m])
|
|
||||||
+AC_PATH_PROG([BROWSER], [links])
|
|
||||||
if test ! -z "$BROWSER"; then
|
|
||||||
- BROWSER="$BROWSER -T text/html -dump"
|
|
||||||
+ BROWSER="$BROWSER -no-numbering -no-references -dump"
|
|
||||||
else
|
|
||||||
enable_docu=no
|
|
||||||
fi
|
|
@ -1,445 +0,0 @@
|
|||||||
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
|
|
||||||
index 663f1f3..9bfbdf0 100644
|
|
||||||
--- a/libpam/pam_get_authtok.c
|
|
||||||
+++ b/libpam/pam_get_authtok.c
|
|
||||||
@@ -38,6 +38,8 @@
|
|
||||||
|
|
||||||
#define PROMPT _("Password: ")
|
|
||||||
/* For Translators: "%s%s" could be replaced with "<service> " or "". */
|
|
||||||
+#define PROMPTCURRENT _("Current %s%spassword: ")
|
|
||||||
+/* For Translators: "%s%s" could be replaced with "<service> " or "". */
|
|
||||||
#define PROMPT1 _("New %s%spassword: ")
|
|
||||||
/* For Translators: "%s%s" could be replaced with "<service> " or "". */
|
|
||||||
#define PROMPT2 _("Retype new %s%spassword: ")
|
|
||||||
@@ -89,12 +91,14 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
|
||||||
|
|
||||||
/* PAM_AUTHTOK in password stack returns new password,
|
|
||||||
which needs to be verified. */
|
|
||||||
- if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK)
|
|
||||||
+ if (pamh->choice == PAM_CHAUTHTOK)
|
|
||||||
{
|
|
||||||
- chpass = 1;
|
|
||||||
- if (!(flags & PAM_GETAUTHTOK_NOVERIFY))
|
|
||||||
- ++chpass;
|
|
||||||
-
|
|
||||||
+ if (item == PAM_AUTHTOK)
|
|
||||||
+ {
|
|
||||||
+ chpass = 1;
|
|
||||||
+ if (!(flags & PAM_GETAUTHTOK_NOVERIFY))
|
|
||||||
+ ++chpass;
|
|
||||||
+ }
|
|
||||||
authtok_type = get_option (pamh, "authtok_type");
|
|
||||||
if (authtok_type == NULL)
|
|
||||||
{
|
|
||||||
@@ -144,6 +148,10 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
|
||||||
PROMPT2, authtok_type,
|
|
||||||
strlen (authtok_type) > 0?" ":"");
|
|
||||||
}
|
|
||||||
+ else if (item == PAM_OLDAUTHTOK)
|
|
||||||
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
|
|
||||||
+ PROMPTCURRENT, authtok_type,
|
|
||||||
+ strlen (authtok_type) > 0?" ":"");
|
|
||||||
else
|
|
||||||
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s",
|
|
||||||
PROMPT);
|
|
||||||
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
|
|
||||||
index 6d8e4ba..60d9097 100644
|
|
||||||
--- a/modules/pam_unix/pam_unix.8.xml
|
|
||||||
+++ b/modules/pam_unix/pam_unix.8.xml
|
|
||||||
@@ -217,13 +217,13 @@
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
<term>
|
|
||||||
- <option>not_set_pass</option>
|
|
||||||
+ <option>authtok_type=<replaceable>type</replaceable></option>
|
|
||||||
</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
- This argument is used to inform the module that it is not to
|
|
||||||
- pay attention to/make available the old or new passwords from/to
|
|
||||||
- other (stacked) password modules.
|
|
||||||
+ This argument can be used to modify the password prompt
|
|
||||||
+ when changing passwords to include the type of the password.
|
|
||||||
+ Empty by default.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
|
|
||||||
index 9f66c5d..673861e 100644
|
|
||||||
--- a/modules/pam_unix/pam_unix_auth.c
|
|
||||||
+++ b/modules/pam_unix/pam_unix_auth.c
|
|
||||||
@@ -103,7 +103,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
unsigned int ctrl;
|
|
||||||
int retval, *ret_data = NULL;
|
|
||||||
const char *name;
|
|
||||||
- const void *p;
|
|
||||||
+ const char *p;
|
|
||||||
|
|
||||||
D(("called."));
|
|
||||||
|
|
||||||
@@ -151,8 +151,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
}
|
|
||||||
/* get this user's authentication token */
|
|
||||||
|
|
||||||
- retval = _unix_read_password(pamh, ctrl, NULL, _("Password: "), NULL
|
|
||||||
- ,_UNIX_AUTHTOK, &p);
|
|
||||||
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &p , NULL);
|
|
||||||
if (retval != PAM_SUCCESS) {
|
|
||||||
if (retval != PAM_CONV_AGAIN) {
|
|
||||||
pam_syslog(pamh, LOG_CRIT,
|
|
||||||
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
|
|
||||||
index fa29327..49dd831 100644
|
|
||||||
--- a/modules/pam_unix/pam_unix_passwd.c
|
|
||||||
+++ b/modules/pam_unix/pam_unix_passwd.c
|
|
||||||
@@ -612,7 +612,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
|
|
||||||
/* <DO NOT free() THESE> */
|
|
||||||
const char *user;
|
|
||||||
- const void *pass_old, *pass_new;
|
|
||||||
+ const void *item;
|
|
||||||
+ const char *pass_old, *pass_new;
|
|
||||||
/* </DO NOT free() THESE> */
|
|
||||||
|
|
||||||
D(("called."));
|
|
||||||
@@ -680,8 +681,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
* obtain and verify the current password (OLDAUTHTOK) for
|
|
||||||
* the user.
|
|
||||||
*/
|
|
||||||
- char *Announce;
|
|
||||||
-
|
|
||||||
D(("prelim check"));
|
|
||||||
|
|
||||||
if (_unix_blankpasswd(pamh, ctrl, user)) {
|
|
||||||
@@ -689,22 +688,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
} else if (off(UNIX__IAMROOT, ctrl) ||
|
|
||||||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
|
|
||||||
/* instruct user what is happening */
|
|
||||||
- if (asprintf(&Announce, _("Changing password for %s."),
|
|
||||||
- user) < 0) {
|
|
||||||
- pam_syslog(pamh, LOG_CRIT,
|
|
||||||
- "password - out of memory");
|
|
||||||
- return PAM_BUF_ERR;
|
|
||||||
+ if (off(UNIX__QUIET, ctrl)) {
|
|
||||||
+ retval = pam_info(pamh, _("Changing password for %s."), user);
|
|
||||||
+ if (retval != PAM_SUCCESS)
|
|
||||||
+ return retval;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- lctrl = ctrl;
|
|
||||||
- set(UNIX__OLD_PASSWD, lctrl);
|
|
||||||
- retval = _unix_read_password(pamh, lctrl
|
|
||||||
- ,Announce
|
|
||||||
- ,_("(current) UNIX password: ")
|
|
||||||
- ,NULL
|
|
||||||
- ,_UNIX_OLD_AUTHTOK
|
|
||||||
- ,&pass_old);
|
|
||||||
- free(Announce);
|
|
||||||
+ retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
|
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
|
||||||
pam_syslog(pamh, LOG_NOTICE,
|
|
||||||
@@ -725,12 +714,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
pass_old = NULL;
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
|
|
||||||
pass_old = NULL;
|
|
||||||
- if (retval != PAM_SUCCESS) {
|
|
||||||
- pam_syslog(pamh, LOG_CRIT,
|
|
||||||
- "failed to set PAM_OLDAUTHTOK");
|
|
||||||
- }
|
|
||||||
retval = _unix_verify_shadow(pamh,user, ctrl);
|
|
||||||
if (retval == PAM_AUTHTOK_ERR) {
|
|
||||||
if (off(UNIX__IAMROOT, ctrl))
|
|
||||||
@@ -760,23 +744,14 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
* previous call to this function].
|
|
||||||
*/
|
|
||||||
|
|
||||||
- if (off(UNIX_NOT_SET_PASS, ctrl)) {
|
|
||||||
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK
|
|
||||||
- ,&pass_old);
|
|
||||||
- } else {
|
|
||||||
- retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK
|
|
||||||
- ,&pass_old);
|
|
||||||
- if (retval == PAM_NO_MODULE_DATA) {
|
|
||||||
- retval = PAM_SUCCESS;
|
|
||||||
- pass_old = NULL;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- D(("pass_old [%s]", pass_old));
|
|
||||||
+ retval = pam_get_item(pamh, PAM_OLDAUTHTOK, &item);
|
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
|
||||||
pam_syslog(pamh, LOG_NOTICE, "user not authenticated");
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
+ pass_old = item;
|
|
||||||
+ D(("pass_old [%s]", pass_old));
|
|
||||||
|
|
||||||
D(("get new password now"));
|
|
||||||
|
|
||||||
@@ -785,7 +760,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
if (on(UNIX_USE_AUTHTOK, lctrl)) {
|
|
||||||
set(UNIX_USE_FIRST_PASS, lctrl);
|
|
||||||
}
|
|
||||||
- retry = 0;
|
|
||||||
+ if (on(UNIX_USE_FIRST_PASS, lctrl)) {
|
|
||||||
+ retry = MAX_PASSWD_TRIES-1;
|
|
||||||
+ }
|
|
||||||
retval = PAM_AUTHTOK_ERR;
|
|
||||||
while ((retval != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
|
|
||||||
/*
|
|
||||||
@@ -793,12 +770,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
* password -- needed for pluggable password strength checking
|
|
||||||
*/
|
|
||||||
|
|
||||||
- retval = _unix_read_password(pamh, lctrl
|
|
||||||
- ,NULL
|
|
||||||
- ,_("Enter new UNIX password: ")
|
|
||||||
- ,_("Retype new UNIX password: ")
|
|
||||||
- ,_UNIX_NEW_AUTHTOK
|
|
||||||
- ,&pass_new);
|
|
||||||
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL);
|
|
||||||
|
|
||||||
if (retval != PAM_SUCCESS) {
|
|
||||||
if (on(UNIX_DEBUG, ctrl)) {
|
|
||||||
@@ -822,7 +794,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
|
|
||||||
pass_new, pass_min_len);
|
|
||||||
|
|
||||||
- if (retval != PAM_SUCCESS && off(UNIX_NOT_SET_PASS, ctrl)) {
|
|
||||||
+ if (retval != PAM_SUCCESS) {
|
|
||||||
pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
|
||||||
index 0fd1dba..fc8595e 100644
|
|
||||||
--- a/modules/pam_unix/support.c
|
|
||||||
+++ b/modules/pam_unix/support.c
|
|
||||||
@@ -853,160 +853,6 @@ cleanup:
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/*
|
|
||||||
- * obtain a password from the user
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
-int _unix_read_password(pam_handle_t * pamh
|
|
||||||
- ,unsigned int ctrl
|
|
||||||
- ,const char *comment
|
|
||||||
- ,const char *prompt1
|
|
||||||
- ,const char *prompt2
|
|
||||||
- ,const char *data_name
|
|
||||||
- ,const void **pass)
|
|
||||||
-{
|
|
||||||
- int authtok_flag;
|
|
||||||
- int retval = PAM_SUCCESS;
|
|
||||||
- char *token;
|
|
||||||
-
|
|
||||||
- D(("called"));
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * make sure nothing inappropriate gets returned
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- *pass = token = NULL;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * which authentication token are we getting?
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- authtok_flag = on(UNIX__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * should we obtain the password from a PAM item ?
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- if (on(UNIX_TRY_FIRST_PASS, ctrl) || on(UNIX_USE_FIRST_PASS, ctrl)) {
|
|
||||||
- retval = pam_get_item(pamh, authtok_flag, pass);
|
|
||||||
- if (retval != PAM_SUCCESS) {
|
|
||||||
- /* very strange. */
|
|
||||||
- pam_syslog(pamh, LOG_ALERT,
|
|
||||||
- "pam_get_item returned error to unix-read-password"
|
|
||||||
- );
|
|
||||||
- return retval;
|
|
||||||
- } else if (*pass != NULL) { /* we have a password! */
|
|
||||||
- return PAM_SUCCESS;
|
|
||||||
- } else if (on(UNIX_USE_AUTHTOK, ctrl)
|
|
||||||
- && off(UNIX__OLD_PASSWD, ctrl)) {
|
|
||||||
- return PAM_AUTHTOK_ERR;
|
|
||||||
- } else if (on(UNIX_USE_FIRST_PASS, ctrl)) {
|
|
||||||
- return PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- /*
|
|
||||||
- * getting here implies we will have to get the password from the
|
|
||||||
- * user directly.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- {
|
|
||||||
- int replies=1;
|
|
||||||
- char *resp[2] = { NULL, NULL };
|
|
||||||
-
|
|
||||||
- if (comment != NULL && off(UNIX__QUIET, ctrl)) {
|
|
||||||
- retval = pam_info(pamh, "%s", comment);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (retval == PAM_SUCCESS) {
|
|
||||||
- retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
|
|
||||||
- &resp[0], "%s", prompt1);
|
|
||||||
-
|
|
||||||
- if (retval == PAM_SUCCESS && prompt2 != NULL) {
|
|
||||||
- retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
|
|
||||||
- &resp[1], "%s", prompt2);
|
|
||||||
- ++replies;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (resp[0] != NULL && resp[replies-1] != NULL) {
|
|
||||||
- /* interpret the response */
|
|
||||||
-
|
|
||||||
- if (retval == PAM_SUCCESS) { /* a good conversation */
|
|
||||||
-
|
|
||||||
- token = resp[0];
|
|
||||||
- if (token != NULL) {
|
|
||||||
- if (replies == 2) {
|
|
||||||
- /* verify that password entered correctly */
|
|
||||||
- if (strcmp(token, resp[replies - 1])) {
|
|
||||||
- /* mistyped */
|
|
||||||
- retval = PAM_AUTHTOK_RECOVERY_ERR;
|
|
||||||
- _make_remark(pamh, ctrl,
|
|
||||||
- PAM_ERROR_MSG, MISTYPED_PASS);
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- pam_syslog(pamh, LOG_NOTICE,
|
|
||||||
- "could not recover authentication token");
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- } else {
|
|
||||||
- retval = (retval == PAM_SUCCESS)
|
|
||||||
- ? PAM_AUTHTOK_RECOVERY_ERR : retval;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- resp[0] = NULL;
|
|
||||||
- if (replies > 1)
|
|
||||||
- _pam_delete(resp[1]);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (retval != PAM_SUCCESS) {
|
|
||||||
- _pam_delete(token);
|
|
||||||
-
|
|
||||||
- if (on(UNIX_DEBUG, ctrl))
|
|
||||||
- pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
- "unable to obtain a password");
|
|
||||||
- return retval;
|
|
||||||
- }
|
|
||||||
- /* 'token' is the entered password */
|
|
||||||
-
|
|
||||||
- if (off(UNIX_NOT_SET_PASS, ctrl)) {
|
|
||||||
-
|
|
||||||
- /* we store this password as an item */
|
|
||||||
-
|
|
||||||
- retval = pam_set_item(pamh, authtok_flag, token);
|
|
||||||
- _pam_delete(token); /* clean it up */
|
|
||||||
- if (retval != PAM_SUCCESS
|
|
||||||
- || (retval = pam_get_item(pamh, authtok_flag, pass))
|
|
||||||
- != PAM_SUCCESS) {
|
|
||||||
-
|
|
||||||
- *pass = NULL;
|
|
||||||
- pam_syslog(pamh, LOG_CRIT, "error manipulating password");
|
|
||||||
- return retval;
|
|
||||||
-
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- /*
|
|
||||||
- * then store it as data specific to this module. pam_end()
|
|
||||||
- * will arrange to clean it up.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- retval = pam_set_data(pamh, data_name, (void *) token, _cleanup);
|
|
||||||
- if (retval != PAM_SUCCESS) {
|
|
||||||
- pam_syslog(pamh, LOG_CRIT,
|
|
||||||
- "error manipulating password data [%s]",
|
|
||||||
- pam_strerror(pamh, retval));
|
|
||||||
- _pam_delete(token);
|
|
||||||
- return retval;
|
|
||||||
- }
|
|
||||||
- *pass = token;
|
|
||||||
- token = NULL; /* break link to password */
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return PAM_SUCCESS;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/* ****************************************************************** *
|
|
||||||
* Copyright (c) Jan Rêkorajski 1999.
|
|
||||||
* Copyright (c) Andrew G. Morgan 1996-8.
|
|
||||||
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
|
|
||||||
index b767c26..b4c279c 100644
|
|
||||||
--- a/modules/pam_unix/support.h
|
|
||||||
+++ b/modules/pam_unix/support.h
|
|
||||||
@@ -18,8 +18,6 @@
|
|
||||||
* typed were not the same.
|
|
||||||
*/
|
|
||||||
|
|
||||||
-#define MISTYPED_PASS "Sorry, passwords do not match"
|
|
||||||
-
|
|
||||||
/* type definition for the control options */
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
@@ -72,7 +70,7 @@ typedef struct {
|
|
||||||
some information may be sensitive */
|
|
||||||
#define UNIX_USE_FIRST_PASS 4
|
|
||||||
#define UNIX_TRY_FIRST_PASS 5
|
|
||||||
-#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */
|
|
||||||
+#define UNIX_AUTHTOK_TYPE 6 /* TYPE for pam_get_authtok() */
|
|
||||||
|
|
||||||
#define UNIX__PRELIM 7 /* internal */
|
|
||||||
#define UNIX__UPDATE 8 /* internal */
|
|
||||||
@@ -116,7 +114,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
|
|
||||||
/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
|
|
||||||
/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
|
|
||||||
/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
|
|
||||||
-/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},
|
|
||||||
+/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
|
|
||||||
/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
|
|
||||||
/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
|
|
||||||
/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
|
|
||||||
From a1765a0bc62fff8c22091c661aafa10167ec7da8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Mon, 4 Apr 2016 14:23:22 +0200
|
|
||||||
Subject: [PATCH] pam_unix: Make password expiration messages more
|
|
||||||
user-friendly.
|
|
||||||
|
|
||||||
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
|
|
||||||
expiration messages more user-friendly.
|
|
||||||
---
|
|
||||||
modules/pam_unix/pam_unix_acct.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
|
|
||||||
index 17a0890..782d84a 100644
|
|
||||||
--- a/modules/pam_unix/pam_unix_acct.c
|
|
||||||
+++ b/modules/pam_unix/pam_unix_acct.c
|
|
||||||
@@ -258,13 +258,13 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
"expired password for user %s (root enforced)",
|
|
||||||
uname);
|
|
||||||
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
|
|
||||||
- _("You are required to change your password immediately (root enforced)"));
|
|
||||||
+ _("You are required to change your password immediately (administrator enforced)"));
|
|
||||||
} else {
|
|
||||||
pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
"expired password for user %s (password aged)",
|
|
||||||
uname);
|
|
||||||
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
|
|
||||||
- _("You are required to change your password immediately (password aged)"));
|
|
||||||
+ _("You are required to change your password immediately (password expired)"));
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case PAM_AUTHTOK_EXPIRED:
|
|
||||||
--
|
|
||||||
2.5.5
|
|
||||||
|
|
@ -1,7 +1,6 @@
|
|||||||
diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am
|
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am
|
||||||
index 4bb4d6d..9157b91 100644
|
--- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||||
--- a/modules/pam_pwhistory/Makefile.am
|
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200
|
||||||
+++ b/modules/pam_pwhistory/Makefile.am
|
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
#
|
#
|
||||||
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
|
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
|
||||||
@ -9,7 +8,7 @@ index 4bb4d6d..9157b91 100644
|
|||||||
#
|
#
|
||||||
|
|
||||||
CLEANFILES = *~
|
CLEANFILES = *~
|
||||||
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory
|
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
|
||||||
|
|
||||||
TESTS = tst-pam_pwhistory
|
TESTS = tst-pam_pwhistory
|
||||||
|
|
||||||
@ -50,10 +49,9 @@ index 4bb4d6d..9157b91 100644
|
|||||||
if ENABLE_REGENERATE_MAN
|
if ENABLE_REGENERATE_MAN
|
||||||
noinst_DATA = README
|
noinst_DATA = README
|
||||||
README: pam_pwhistory.8.xml
|
README: pam_pwhistory.8.xml
|
||||||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c
|
||||||
index 836d713..e319ff3 100644
|
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||||
--- a/modules/pam_pwhistory/opasswd.c
|
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200
|
||||||
+++ b/modules/pam_pwhistory/opasswd.c
|
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
||||||
@ -112,7 +110,7 @@ index 836d713..e319ff3 100644
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
parse_entry (char *line, opwd *data)
|
parse_entry (char *line, opwd *data)
|
||||||
@@ -112,8 +135,8 @@ compare_password(const char *newpass, const char *oldpass)
|
@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check, if the new password is already in the opasswd file. */
|
/* Check, if the new password is already in the opasswd file. */
|
||||||
@ -123,7 +121,7 @@ index 836d713..e319ff3 100644
|
|||||||
const char *newpass, int debug)
|
const char *newpass, int debug)
|
||||||
{
|
{
|
||||||
int retval = PAM_SUCCESS;
|
int retval = PAM_SUCCESS;
|
||||||
@@ -123,6 +146,11 @@ check_old_pass (pam_handle_t *pamh, const char *user,
|
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
|
||||||
opwd entry;
|
opwd entry;
|
||||||
int found = 0;
|
int found = 0;
|
||||||
|
|
||||||
@ -135,7 +133,7 @@ index 836d713..e319ff3 100644
|
|||||||
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
|
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
|
||||||
{
|
{
|
||||||
if (errno != ENOENT)
|
if (errno != ENOENT)
|
||||||
@@ -208,9 +236,9 @@ check_old_pass (pam_handle_t *pamh, const char *user,
|
@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -148,7 +146,7 @@ index 836d713..e319ff3 100644
|
|||||||
{
|
{
|
||||||
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
|
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
|
||||||
struct stat opasswd_stat;
|
struct stat opasswd_stat;
|
||||||
@@ -221,10 +249,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
|
||||||
char *buf = NULL;
|
char *buf = NULL;
|
||||||
size_t buflen = 0;
|
size_t buflen = 0;
|
||||||
int found = 0;
|
int found = 0;
|
||||||
@ -184,7 +182,7 @@ index 836d713..e319ff3 100644
|
|||||||
if (oldpass == NULL || *oldpass == '\0')
|
if (oldpass == NULL || *oldpass == '\0')
|
||||||
return PAM_SUCCESS;
|
return PAM_SUCCESS;
|
||||||
|
|
||||||
@@ -447,7 +500,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
|
||||||
{
|
{
|
||||||
char *out;
|
char *out;
|
||||||
|
|
||||||
@ -193,10 +191,9 @@ index 836d713..e319ff3 100644
|
|||||||
{
|
{
|
||||||
retval = PAM_AUTHTOK_ERR;
|
retval = PAM_AUTHTOK_ERR;
|
||||||
if (oldpf)
|
if (oldpf)
|
||||||
diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h
|
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h
|
||||||
index db3e656..1b08699 100644
|
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||||
--- a/modules/pam_pwhistory/opasswd.h
|
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200
|
||||||
+++ b/modules/pam_pwhistory/opasswd.h
|
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
||||||
@ -242,10 +239,9 @@ index db3e656..1b08699 100644
|
|||||||
+save_old_pass, const char *user, int howmany, int debug);
|
+save_old_pass, const char *user, int howmany, int debug);
|
||||||
|
|
||||||
#endif /* __OPASSWD_H__ */
|
#endif /* __OPASSWD_H__ */
|
||||||
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
|
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c
|
||||||
index 654edd3..d6c5c47 100644
|
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200
|
||||||
--- a/modules/pam_pwhistory/pam_pwhistory.c
|
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200
|
||||||
+++ b/modules/pam_pwhistory/pam_pwhistory.c
|
|
||||||
@@ -1,6 +1,7 @@
|
@@ -1,6 +1,7 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2008, 2012 Thorsten Kukuk
|
* Copyright (c) 2008, 2012 Thorsten Kukuk
|
||||||
@ -278,7 +274,7 @@ index 654edd3..d6c5c47 100644
|
|||||||
|
|
||||||
struct options_t {
|
struct options_t {
|
||||||
int debug;
|
int debug;
|
||||||
@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
|
@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const
|
||||||
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
|
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -463,23 +459,22 @@ index 654edd3..d6c5c47 100644
|
|||||||
|
|
||||||
/* This module saves the current crypted password in /etc/security/opasswd
|
/* This module saves the current crypted password in /etc/security/opasswd
|
||||||
and then compares the new password with all entries in this file. */
|
and then compares the new password with all entries in this file. */
|
||||||
@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
|
@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const
|
||||||
PAM_EXTERN int
|
int
|
||||||
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
{
|
{
|
||||||
- struct passwd *pwd;
|
- struct passwd *pwd;
|
||||||
const char *newpass;
|
const char *newpass;
|
||||||
const char *user;
|
const char *user;
|
||||||
int retval, tries;
|
int retval, tries;
|
||||||
@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||||
return PAM_SUCCESS;
|
return PAM_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
- pwd = pam_modutil_getpwnam (pamh, user);
|
- pwd = pam_modutil_getpwnam (pamh, user);
|
||||||
- if (pwd == NULL)
|
- if (pwd == NULL)
|
||||||
- return PAM_USER_UNKNOWN;
|
- return PAM_USER_UNKNOWN;
|
||||||
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
|
-
|
||||||
|
|
||||||
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
||||||
- ((pwd->pw_passwd[0] == '#') &&
|
- ((pwd->pw_passwd[0] == '#') &&
|
||||||
- (pwd->pw_passwd[1] == '#') &&
|
- (pwd->pw_passwd[1] == '#') &&
|
||||||
@ -488,8 +483,7 @@ index 654edd3..d6c5c47 100644
|
|||||||
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
||||||
- if (spw == NULL)
|
- if (spw == NULL)
|
||||||
- return PAM_USER_UNKNOWN;
|
- return PAM_USER_UNKNOWN;
|
||||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
|
||||||
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
|
|
||||||
|
|
||||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
|
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
|
||||||
- options.remember, options.debug);
|
- options.remember, options.debug);
|
||||||
@ -503,12 +497,15 @@ index 654edd3..d6c5c47 100644
|
|||||||
- if (retval != PAM_SUCCESS)
|
- if (retval != PAM_SUCCESS)
|
||||||
- return retval;
|
- return retval;
|
||||||
- }
|
- }
|
||||||
|
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
||||||
|
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
|
||||||
|
+
|
||||||
+ if (retval != PAM_SUCCESS)
|
+ if (retval != PAM_SUCCESS)
|
||||||
+ return retval;
|
+ return retval;
|
||||||
|
|
||||||
newpass = NULL;
|
newpass = NULL;
|
||||||
tries = 0;
|
tries = 0;
|
||||||
@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||||
if (options.debug)
|
if (options.debug)
|
||||||
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
|
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
|
||||||
|
|
||||||
@ -522,85 +519,9 @@ index 654edd3..d6c5c47 100644
|
|||||||
{
|
{
|
||||||
if (getuid() || options.enforce_for_root ||
|
if (getuid() || options.enforce_for_root ||
|
||||||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
|
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
|
||||||
diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml
|
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c
|
||||||
new file mode 100644
|
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
||||||
index 0000000..a030176
|
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200
|
||||||
--- /dev/null
|
|
||||||
+++ b/modules/pam_pwhistory/pwhistory_helper.8.xml
|
|
||||||
@@ -0,0 +1,68 @@
|
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
||||||
+
|
|
||||||
+<refentry id="pwhistory_helper">
|
|
||||||
+
|
|
||||||
+ <refmeta>
|
|
||||||
+ <refentrytitle>pwhistory_helper</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
|
||||||
+ </refmeta>
|
|
||||||
+
|
|
||||||
+ <refnamediv id="pwhistory_helper-name">
|
|
||||||
+ <refname>pwhistory_helper</refname>
|
|
||||||
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
|
|
||||||
+ </refnamediv>
|
|
||||||
+
|
|
||||||
+ <refsynopsisdiv>
|
|
||||||
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
|
|
||||||
+ <command>pwhistory_helper</command>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
+ ...
|
|
||||||
+ </arg>
|
|
||||||
+ </cmdsynopsis>
|
|
||||||
+ </refsynopsisdiv>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pwhistory_helper-description">
|
|
||||||
+
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
|
|
||||||
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
|
|
||||||
+ from passwd or shadow file to the opasswd file and checks a password
|
|
||||||
+ supplied by user against the existing hashes in the opasswd file.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The purpose of the helper is to enable tighter confinement of
|
|
||||||
+ login and password changing services. The helper is thus called only
|
|
||||||
+ when SELinux is enabled on the system.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The interface of the helper - command line options, and input/output
|
|
||||||
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
|
|
||||||
+ module and it should not be called directly from applications.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory_helper-see_also'>
|
|
||||||
+ <title>SEE ALSO</title>
|
|
||||||
+ <para>
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory_helper-author'>
|
|
||||||
+ <title>AUTHOR</title>
|
|
||||||
+ <para>
|
|
||||||
+ Written by Tomas Mraz based on the code originally in
|
|
||||||
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+</refentry>
|
|
||||||
diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..b07ab81
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/modules/pam_pwhistory/pwhistory_helper.c
|
|
||||||
@@ -0,0 +1,209 @@
|
@@ -0,0 +1,209 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||||
@ -811,3 +732,75 @@ index 0000000..b07ab81
|
|||||||
+ return PAM_SYSTEM_ERR;
|
+ return PAM_SYSTEM_ERR;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml
|
||||||
|
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
||||||
|
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200
|
||||||
|
@@ -0,0 +1,68 @@
|
||||||
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
|
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
|
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||||
|
+
|
||||||
|
+<refentry id="pwhistory_helper">
|
||||||
|
+
|
||||||
|
+ <refmeta>
|
||||||
|
+ <refentrytitle>pwhistory_helper</refentrytitle>
|
||||||
|
+ <manvolnum>8</manvolnum>
|
||||||
|
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
||||||
|
+ </refmeta>
|
||||||
|
+
|
||||||
|
+ <refnamediv id="pwhistory_helper-name">
|
||||||
|
+ <refname>pwhistory_helper</refname>
|
||||||
|
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
|
||||||
|
+ </refnamediv>
|
||||||
|
+
|
||||||
|
+ <refsynopsisdiv>
|
||||||
|
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
|
||||||
|
+ <command>pwhistory_helper</command>
|
||||||
|
+ <arg choice="opt">
|
||||||
|
+ ...
|
||||||
|
+ </arg>
|
||||||
|
+ </cmdsynopsis>
|
||||||
|
+ </refsynopsisdiv>
|
||||||
|
+
|
||||||
|
+ <refsect1 id="pwhistory_helper-description">
|
||||||
|
+
|
||||||
|
+ <title>DESCRIPTION</title>
|
||||||
|
+
|
||||||
|
+ <para>
|
||||||
|
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
|
||||||
|
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
|
||||||
|
+ from passwd or shadow file to the opasswd file and checks a password
|
||||||
|
+ supplied by user against the existing hashes in the opasswd file.
|
||||||
|
+ </para>
|
||||||
|
+
|
||||||
|
+ <para>
|
||||||
|
+ The purpose of the helper is to enable tighter confinement of
|
||||||
|
+ login and password changing services. The helper is thus called only
|
||||||
|
+ when SELinux is enabled on the system.
|
||||||
|
+ </para>
|
||||||
|
+
|
||||||
|
+ <para>
|
||||||
|
+ The interface of the helper - command line options, and input/output
|
||||||
|
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
|
||||||
|
+ module and it should not be called directly from applications.
|
||||||
|
+ </para>
|
||||||
|
+ </refsect1>
|
||||||
|
+
|
||||||
|
+ <refsect1 id='pwhistory_helper-see_also'>
|
||||||
|
+ <title>SEE ALSO</title>
|
||||||
|
+ <para>
|
||||||
|
+ <citerefentry>
|
||||||
|
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||||
|
+ </citerefentry>
|
||||||
|
+ </para>
|
||||||
|
+ </refsect1>
|
||||||
|
+
|
||||||
|
+ <refsect1 id='pwhistory_helper-author'>
|
||||||
|
+ <title>AUTHOR</title>
|
||||||
|
+ <para>
|
||||||
|
+ Written by Tomas Mraz based on the code originally in
|
||||||
|
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
|
||||||
|
+ </para>
|
||||||
|
+ </refsect1>
|
||||||
|
+
|
||||||
|
+</refentry>
|
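--- a/pam.spec
+++ b/pam.spec
@@ -2,8 +2,8 @@
 
 Summary: An extensible library which provides authentication for applications
 Name: pam
-Version: 1.2.1
-Release: 8%{?dist}
+Version: 1.3.0
+Release: 1%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -39,11 +39,9 @@ Patch15: pam-1.1.8-full-relro.patch
 Patch20: pam-1.2.0-unix-no-fallback.patch
 Patch28: pam-1.1.1-console-errmsg.patch
 # Upstreamed partially
-Patch29: pam-1.1.8-pwhistory-helper.patch
-Patch30: pam-1.2.0-use-links.patch
+Patch29: pam-1.3.0-pwhistory-helper.patch
 Patch31: pam-1.1.8-audit-user-mgmt.patch
 Patch32: pam-1.2.1-console-devname.patch
-Patch33: pam-1.2.1-unix-get-authtok.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -120,10 +118,8 @@ cp %{SOURCE18} .
 %patch20 -p1 -b .no-fallback
 %patch28 -p1 -b .errmsg
 %patch29 -p1 -b .pwhhelper
-%patch30 -p1 -b .links
 %patch31 -p1 -b .audit-user-mgmt
 %patch32 -p1 -b .devname
-%patch33 -p1 -b .get-authtok
 autoreconf -i
 
 %build
@@ -373,6 +369,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri May 6 2016 Tomáš Mráz <tmraz@redhat.com> 1.3.0-1
+- new upstream release with multiple improvements
+
 * Mon Apr 11 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-8
 - make cracklib-dicts dependency weak (#1323172)
 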
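Review bot: The `%changelog` entry added for 1.3.0-1 records only `- new upstream release with multiple improvements`, although the same change removes `Patch30` (use-links) and `Patch33` (unix-get-authtok) with their `%patch30`/`%patch33` lines and points `Patch29` at a rebased pwhistory-helper patch. Going by its name, Patch33 concerns how pam_unix obtains the authentication token, so someone auditing the package history should be able to see why it was dropped; presumably 1.3.0 carries the change upstream, but nothing in this section shows that. I would add entries such as `- drop use-links and unix-get-authtok patches (confirm: merged upstream in 1.3.0)` and `- rebase pwhistory-helper patch`. It is also worth confirming that the remaining `-p1 -b` patches still apply without fuzz against the new tarball, since a mis-applied hunk in an authentication library is hard to notice later.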