Update Red Hat PAM modules to version 1.0.0 which includes pam_faillock

Drop also pam_tally2 which was obsoleted and deprecated long time ago
2018-12-04 09:15:56 +01:00 · 2018-12-04 09:15:56 +01:00 · 40b927d103
commit 40b927d103
parent 94c0a4fee4
12 changed files with 87 additions and 2026 deletions
--- a/pam-1.1.0-console-nochmod.patch
+++ b/pam-1.1.0-console-nochmod.patch
@ -1,26 +0,0 @@
-diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod	2008-12-16 13:37:52.000000000 +0100
-+++ Linux-PAM-1.1.0/modules/pam_console/console.handlers	2009-09-01 17:20:08.000000000 +0200
-@@ -15,5 +15,3 @@
- # touch unlock wait /var/run/console-unlocked
- 
- console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
-/sbin/pam_console_apply lock logfail wait -t tty -s
-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
-diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod	2008-12-16 13:37:52.000000000 +0100
-+++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am	2009-09-01 17:42:47.000000000 +0200
-@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
- 
- 
- secureconf_DATA = console.perms console.handlers
-permsd_DATA = 50-default.perms
- 
- FLEX_OPTS = -Cr
- BISON_OPTS = -d
-@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
- 
- install-data-local:
- 	mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
-+	mkdir -p $(DESTDIR)$(permsddir)
- 	mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)
--- a/pam-1.1.0-notally.patch
+++ b/pam-1.1.0-notally.patch
@ -1,12 +0,0 @@
-diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
--- Linux-PAM-1.1.0/modules/Makefile.am.notally	2009-07-27 17:39:25.000000000 +0200
-+++ Linux-PAM-1.1.0/modules/Makefile.am	2009-09-01 17:40:16.000000000 +0200
-@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
- 	pam_mkhomedir pam_motd pam_namespace pam_nologin \
- 	pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
- 	pam_selinux pam_sepermit pam_shells pam_stress \
-	pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
-+	pam_succeed_if pam_tally2 pam_time pam_timestamp \
- 	pam_tty_audit pam_umask \
- 	pam_unix pam_userdb pam_warn pam_wheel pam_xauth
- 
--- a/pam-1.1.1-console-errmsg.patch
+++ b/pam-1.1.1-console-errmsg.patch
@ -1,12 +0,0 @@
-diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg	2008-12-16 13:37:52.000000000 +0100
-+++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c	2014-06-19 13:23:28.948343737 +0200
-@@ -65,7 +65,7 @@ parse_files(void)
- 	on system locale */
- 	oldlocale = setlocale(LC_COLLATE, "C");
- 
-	rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
-+	rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
- 	setlocale(LC_COLLATE, oldlocale);
- 	if (rc)
- 		return;
--- a/pam-1.1.8-full-relro.patch
+++ b/pam-1.1.8-full-relro.patch
@ -1,24 +1,3 @@
-diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro	2014-08-13 16:02:49.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am	2014-09-10 17:14:33.245554314 +0200
-@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
- 
- pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
- 
-+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
-+
- securelib_LTLIBRARIES = pam_console.la
- sbin_PROGRAMS = pam_console_apply
- 
-@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
- 			 configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
- 
- pam_console_la_CFLAGS = $(AM_CFLAGS)
-pam_console_apply_CFLAGS = $(AM_CFLAGS)
-+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
- 
- configfile.tab.c: configfile.y
- 	$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
 diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
 --- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro	2014-09-10 17:17:20.273401344 +0200
 +++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am	2014-09-10 17:17:07.857115369 +0200
--- a/pam-1.2.0-redhat-modules.patch
+++ b/pam-1.2.0-redhat-modules.patch
@ -1,23 +0,0 @@
-diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac
--- Linux-PAM-1.2.0/configure.ac.redhat-modules	2015-03-25 16:50:10.000000000 +0100
-+++ Linux-PAM-1.2.0/configure.ac	2015-05-15 15:46:50.996074677 +0200
-@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
- 	libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
- 	po/Makefile.in \
- 	modules/Makefile \
-+	modules/pam_chroot/Makefile modules/pam_console/Makefile \
-+	modules/pam_postgresok/Makefile \
- 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
-         modules/pam_debug/Makefile modules/pam_deny/Makefile \
- 	modules/pam_echo/Makefile modules/pam_env/Makefile \
-diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am
--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules	2015-03-24 13:02:32.000000000 +0100
-+++ Linux-PAM-1.2.0/modules/Makefile.am	2015-05-15 15:46:50.995074654 +0200
-@@ -3,6 +3,7 @@
- #
- 
- SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
-+	pam_chroot pam_console pam_postgresok \
- 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \
- 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
- 	pam_listfile pam_localuser pam_loginuid pam_mail \
--- a/pam-1.2.1-console-devname.patch
+++ b/pam-1.2.1-console-devname.patch
@ -1,9 +0,0 @@
-diff -up Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname Linux-PAM-1.2.1/modules/pam_console/console.handlers
--- Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname	2015-10-16 14:15:48.000000000 +0200
-+++ Linux-PAM-1.2.1/modules/pam_console/console.handlers	2016-02-05 17:47:26.056787517 +0100
-@@ -14,4 +14,4 @@
- # echo lock wait Locking console for user on tty
- # touch unlock wait /var/run/console-unlocked
- 
-console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
-+console consoledevs /dev/tty[0-9][0-9]* tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
--- a/pam-1.2.1-faillock-admin-group.patch
+++ b/pam-1.2.1-faillock-admin-group.patch
@ -1,133 +0,0 @@
-diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group	2016-04-04 16:37:38.696260359 +0200
-+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c	2017-08-21 16:40:01.624706864 +0200
-@@ -1,5 +1,5 @@
- /*
- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions
-@@ -78,9 +78,11 @@ struct options {
- 	unsigned int root_unlock_time;
- 	const char *dir;
- 	const char *user;
-+	const char *admin_group;
- 	int failures;
- 	uint64_t latest_time;
- 	uid_t uid;
-+	int is_admin;
- 	uint64_t now;
- };
- 
-@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
- 				opts->root_unlock_time = temp;
- 			}
- 		}
-+		else if (strncmp(argv[i], "admin_group=", 12) == 0) {
-+			opts->admin_group = argv[i] + 12;
-+		}
-  		else if (strcmp(argv[i], "preauth") == 0) {
- 			opts->action = FAILLOCK_ACTION_PREAUTH;
- 		}
-@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
- 	}
- 	opts->user = user;
- 	opts->uid = pwd->pw_uid;
-+
-+	if (pwd->pw_uid == 0) {
-+		opts->is_admin = 1;
-+		return PAM_SUCCESS;
-+	}
-+
-+	if (opts->admin_group && *opts->admin_group) {
-+		opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
-+			pwd->pw_uid, opts->admin_group);
-+	}
-+
- 	return PAM_SUCCESS;
- }
- 
-@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
- 		return PAM_SYSTEM_ERR;
- 	}
- 
-	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+	if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
- 		return PAM_SUCCESS;
- 	}
- 
-@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
- 
- 	opts->failures = failures;
- 
-	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-		return PAM_SUCCESS;
-	}
-
- 	if (opts->deny && failures >= opts->deny) {
-		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
-			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
-+		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
-+			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
- #ifdef HAVE_LIBAUDIT
- 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
- 				char buf[64];
-@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
- 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- 			NULL, NULL, NULL, 1);
- 
-		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+		if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
- 			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- 				NULL, NULL, NULL, 1);
- 		}
-@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
- 	int64_t left;
- 
- 	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
-		if (opts->uid) {
-			left = opts->latest_time + opts->unlock_time - opts->now;
-+		if (opts->is_admin) {
-+			left = opts->latest_time + opts->root_unlock_time - opts->now;
- 		}
- 		else {
-			left = opts->latest_time + opts->root_unlock_time - opts->now;
-+			left = opts->latest_time + opts->unlock_time - opts->now;
- 		}
- 
- 		if (left > 0) {
-diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group	2016-05-06 15:24:10.328281818 +0200
-+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml	2017-08-21 16:16:09.448033843 +0200
-@@ -40,6 +40,9 @@
-         root_unlock_time=<replaceable>n</replaceable>
-       </arg>
-       <arg choice="opt">
-+        admin_group=<replaceable>name</replaceable>
-+      </arg>
-+      <arg choice="opt">
-         audit
-       </arg>
-       <arg choice="opt">
-@@ -243,6 +246,20 @@
-                 </para>
-               </listitem>
-             </varlistentry>
-+            <varlistentry>
-+              <term>
-+                <option>admin_group=<replaceable>name</replaceable></option>
-+              </term>
-+              <listitem>
-+                <para>
-+                  If a group name is specified with this option, members
-+                  of the group will be handled by this module the same as
-+                  the root account (the options <option>even_deny_root></option>
-+                  and <option>root_unlock_time</option> will apply to them.
-+                  By default the option is not set.
-+                </para>
-+              </listitem>
-+            </varlistentry>
-         </variablelist>
-   </refsect1>
- 
--- a/pam-1.2.1-faillock.patch
+++ b/pam-1.2.1-faillock.patch
--- a/pam-1.3.1-console-build.patch
+++ b/pam-1.3.1-console-build.patch
@ -1,11 +0,0 @@
-diff -up Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build Linux-PAM-1.3.1/modules/pam_console/sed-static
--- Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build	2014-01-31 14:17:53.000000000 +0100
-+++ Linux-PAM-1.3.1/modules/pam_console/sed-static	2018-09-10 15:06:04.115302315 +0200
-@@ -13,6 +13,7 @@ sed '
- /^YY_BUFFER_STATE yy_scan_buffer/s/^/STATIC /
- /^YY_BUFFER_STATE yy_scan_string/s/^/STATIC /
- /^void yy_switch_to_buffer/s/^/STATIC /
-+/^extern int yylex/s/^extern /STATIC /
- /define YY_DECL int yylex/s/YY_DECL /YY_DECL STATIC /
- /^int yyparse/s/^/STATIC /
- /^void yyrestart/s/^/STATIC /
--- a/pam-1.3.1-redhat-modules.patch
+++ b/pam-1.3.1-redhat-modules.patch
@ -0,0 +1,78 @@
+diff -up Linux-PAM-1.3.1/configure.ac.redhat-modules Linux-PAM-1.3.1/configure.ac
+--- Linux-PAM-1.3.1/configure.ac.redhat-modules	2018-05-18 12:57:57.000000000 +0200
+++ Linux-PAM-1.3.1/configure.ac	2018-11-26 12:58:14.623545121 +0100
+@@ -611,10 +611,12 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ 	libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+ 	po/Makefile.in \
+ 	modules/Makefile \
+	modules/pam_chroot/Makefile modules/pam_console/Makefile \
+	modules/pam_postgresok/Makefile \
+ 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+         modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ 	modules/pam_echo/Makefile modules/pam_env/Makefile \
+-	modules/pam_faildelay/Makefile \
+	modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
+ 	modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
+ 	modules/pam_ftp/Makefile modules/pam_group/Makefile \
+ 	modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
+diff -up Linux-PAM-1.3.1/doc/sag/pam_faillock.xml.redhat-modules Linux-PAM-1.3.1/doc/sag/pam_faillock.xml
+--- Linux-PAM-1.3.1/doc/sag/pam_faillock.xml.redhat-modules	2018-11-26 12:58:14.623545121 +0100
+++ Linux-PAM-1.3.1/doc/sag/pam_faillock.xml	2018-11-26 12:58:14.623545121 +0100
+@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_faillock'>
+  <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
+  </cmdsynopsis>
+  <cmdsynopsis>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
+  </cmdsynopsis>
+  <section id='sag-pam_faillock-description'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
+  </section>
+  <section id='sag-pam_faillock-options'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
+  </section>
+  <section id='sag-pam_faillock-types'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
+  </section>
+  <section id='sag-pam_faillock-return_values'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
+  </section>
+  <section id='sag-pam_faillock-examples'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
+  </section>
+  <section id='sag-pam_faillock-author'>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
+  </section>
+</section>
+diff -up Linux-PAM-1.3.1/modules/Makefile.am.redhat-modules Linux-PAM-1.3.1/modules/Makefile.am
+--- Linux-PAM-1.3.1/modules/Makefile.am.redhat-modules	2017-02-10 11:10:15.000000000 +0100
+++ Linux-PAM-1.3.1/modules/Makefile.am	2018-11-26 12:58:14.623545121 +0100
+@@ -3,13 +3,14 @@
+ #
+ 
+ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+	pam_chroot pam_console pam_postgresok pam_faillock \
+ 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ 	pam_listfile pam_localuser pam_loginuid pam_mail \
+ 	pam_mkhomedir pam_motd pam_namespace pam_nologin \
+ 	pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ 	pam_selinux pam_sepermit pam_shells pam_stress \
+-	pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
+	pam_succeed_if pam_time pam_timestamp \
+ 	pam_tty_audit pam_umask \
+ 	pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ 
--- a/pam.spec
+++ b/pam.spec
@ -1,9 +1,9 @@
-%global pam_redhat_version 0.99.11
+%global pam_redhat_version 1.0.0

 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -25,23 +25,16 @@ Source15: pamtmp.conf
 Source16: postlogin.pamd
 Source17: postlogin.5
 Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Patch1:  pam-1.2.0-redhat-modules.patch
-Patch4:  pam-1.1.0-console-nochmod.patch
-Patch5:  pam-1.1.0-notally.patch
-Patch7:  pam-1.2.1-faillock.patch
-Patch8:  pam-1.2.1-faillock-admin-group.patch
+Patch1:  pam-1.3.1-redhat-modules.patch
 Patch9:  pam-1.3.1-noflex.patch
 Patch10: pam-1.1.3-nouserenv.patch
 Patch13: pam-1.1.6-limits-user.patch
 Patch15: pam-1.1.8-full-relro.patch
-Patch28: pam-1.1.1-console-errmsg.patch
 # Upstreamed partially
 Patch29: pam-1.3.0-pwhistory-helper.patch
 Patch31: pam-1.1.8-audit-user-mgmt.patch
-Patch32: pam-1.2.1-console-devname.patch
 Patch33: pam-1.3.0-unix-nomsg.patch
 Patch34: pam-1.3.1-coverity.patch
-Patch35: pam-1.3.1-console-build.patch
 # https://github.com/linux-pam/linux-pam/commit/a2b72aeb86f297d349bc9e6a8f059fedf97a499a
 Patch36: pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch
 # https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016.patch
@ -128,21 +121,14 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 cp %{SOURCE18} .

 %patch1 -p1 -b .redhat-modules
-%patch4 -p1 -b .nochmod
-%patch5 -p1 -b .notally
-%patch7 -p1 -b .faillock
-%patch8 -p1 -b .admin-group
 %patch9 -p1 -b .noflex
 %patch10 -p1 -b .nouserenv
 %patch13 -p1 -b .limits
 %patch15 -p1 -b .relro
-%patch28 -p1 -b .errmsg
 %patch29 -p1 -b .pwhhelper
 %patch31 -p1 -b .audit-user-mgmt
-%patch32 -p1 -b .devname
 %patch33 -p1 -b .nomsg
 %patch34 -p1 -b .coverity
-%patch35 -p1 -b .console-build
 %patch36 -p1 -b .remove-prototype
 %patch37 -p1 -b .bcrypt_b
 %patch38 -p1 -b .gensalt-autoentropy
@ -253,6 +239,7 @@ if [ -d ${dir} ] ; then
 	[ ${dir} = "modules/pam_tty_audit" ] && continue
 %endif
 	[ ${dir} = "modules/pam_tally" ] && continue
+	[ ${dir} = "modules/pam_tally2" ] && continue
 	if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then
 		echo ERROR `basename ${dir}` did not build a module.
 		exit 1
@ -291,7 +278,6 @@ done
 %{_pamlibdir}/libpamc.so.*
 %{_pamlibdir}/libpam_misc.so.*
 %{_sbindir}/pam_console_apply
-%{_sbindir}/pam_tally2
 %{_sbindir}/faillock
 %attr(4755,root,root) %{_sbindir}/pam_timestamp_check
 %attr(4755,root,root) %{_sbindir}/unix_chkpwd
@ -339,7 +325,6 @@ done
 %{_moduledir}/pam_shells.so
 %{_moduledir}/pam_stress.so
 %{_moduledir}/pam_succeed_if.so
-%{_moduledir}/pam_tally2.so
 %{_moduledir}/pam_time.so
 %{_moduledir}/pam_timestamp.so
 %if %{WITH_AUDIT}
@ -394,6 +379,10 @@ done
 %doc doc/specs/rfc86.0.txt

 %changelog
+* Tue Dec  4 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-14
+- Update Red Hat PAM modules to version 1.0.0 which includes pam_faillock
+- Drop also pam_tally2 which was obsoleted and deprecated long time ago
+
 * Sun Dec 02 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-13
 - Backport upstream commit reporting disabled or invalid hashes to syslog
 - Backport upstream commit fixing syslog for disabled or invalid hashes
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 SHA512 (Linux-PAM-1.3.1.tar.xz) = 6bc8e2a5b64686f0a23846221c5228c88418ba485b17c53b3a12f91262b5bb73566d6b6a5daa1f63bbae54310aee918b987e44a72ce809b4e7c668f0fadfe08e
 SHA512 (Linux-PAM-1.3.1.tar.xz.asc) = 8b3ad3f4f29fad663e375296dca00f736b3de764f11d7b7aa615d00efe1c702c9060f244967f2d84d8ef3a342c3a1f8eba6dd52847df427bb3ce0ff765a8108a
-SHA512 (pam-redhat-0.99.11.tar.bz2) = 2897ff3837a24e62dae0b90b85b1b70f9c783b56a0597dd1a52ef24011f74cc5b669f6b76ddac7ee230f32c3295bc3520ef9e88d49b50e52e476b37e85ac548e
+SHA512 (pam-redhat-1.0.0.tar.bz2) = 91af450772f1e0f0a8fe197e6e6c54ee2f7a7397cdb15e60a691c8aefd0e3800fe7beb0135b8ae98566726da4c1c201d78d936c8fe994d859456e00fe948deba