diff --git a/fingerprint-auth.pamd b/fingerprint-auth.pamd new file mode 100644 index 0000000..fdcbcc0 --- /dev/null +++ b/fingerprint-auth.pamd @@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_fprintd.so +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/pam.spec b/pam.spec index d1dbefa..548be59 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.0.91 -Release: 5%{?dist} +Release: 6%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising @@ -14,11 +14,14 @@ Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/beta/Linux-PAM-%{version}.t Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 Source5: other.pamd Source6: system-auth.pamd -Source7: config-util.pamd -Source8: dlopen.sh -Source9: system-auth.5 -Source10: config-util.5 -Source11: 90-nproc.conf +Source7: password-auth.pamd +Source8: fingerprint-auth.pamd +Source9: smartcard-auth.pamd +Source10: config-util.pamd +Source11: dlopen.sh +Source12: system-auth.5 +Source13: config-util.5 +Source14: 90-nproc.conf Patch1: pam-1.0.90-redhat-modules.patch Patch2: pam-1.0.91-std-noclose.patch @@ -84,6 +87,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch1 -p1 -b .redhat-modules %patch2 -p1 -b .std-noclose +libtoolize -f autoreconf %build @@ -126,15 +130,18 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir} install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth -install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/config-util -install -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth +install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth +install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth +install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util +install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd install -d -m 755 $RPM_BUILD_ROOT/var/log install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/faillog install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog # Install man pages. -install -m 644 %{SOURCE9} %{SOURCE10} $RPM_BUILD_ROOT%{_mandir}/man5/ +install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/ for phase in auth acct passwd session ; do ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so @@ -179,7 +186,7 @@ done /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \ - %{SOURCE8} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then + %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then echo ERROR module: ${module} cannot be loaded. exit 1 fi @@ -204,6 +211,9 @@ fi %dir %{_pamconfdir} %config(noreplace) %{_pamconfdir}/other %config(noreplace) %{_pamconfdir}/system-auth +%config(noreplace) %{_pamconfdir}/password-auth +%config(noreplace) %{_pamconfdir}/fingerprint-auth +%config(noreplace) %{_pamconfdir}/smartcard-auth %config(noreplace) %{_pamconfdir}/config-util %doc Copyright %doc doc/txts @@ -315,6 +325,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Apr 10 2009 Tomas Mraz 1.0.91-6 +- add password-auth, fingerprint-auth, and smartcard-auth + for applications which can use them namely gdm (#494874) + patch by Ray Strode + * Thu Mar 26 2009 Tomas Mraz 1.0.91-5 - replace also other std descriptors (#491471) diff --git a/password-auth.pamd b/password-auth.pamd new file mode 100644 index 0000000..fef15f6 --- /dev/null +++ b/password-auth.pamd @@ -0,0 +1,20 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_unix.so nullok try_first_pass +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password requisite pam_cracklib.so try_first_pass retry=3 type= +password sufficient pam_unix.so nullok try_first_pass use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd new file mode 100644 index 0000000..e8e51f3 --- /dev/null +++ b/smartcard-auth.pamd @@ -0,0 +1,19 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password optional pam_pkcs11.so +password requisite pam_cracklib.so try_first_pass retry=3 type= + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/system-auth.5 b/system-auth.5 index a1267f7..8f8ef34 100644 --- a/system-auth.5 +++ b/system-auth.5 @@ -1,25 +1,37 @@ -.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.TH SYSTEM-AUTH 5 "2009 Apr 10" "Red Hat" "Linux-PAM Manual" .SH NAME system-auth \- Common configuration file for PAMified services .SH SYNOPSIS .B /etc/pam.d/system-auth +.B /etc/pam.d/password-auth +.B /etc/pam.d/fingerprint-auth +.B /etc/pam.d/smartcard-auth .sp 2 .SH DESCRIPTION -The purpose of this configuration file is to provide common -configuration file for all applications and service daemons -calling PAM library. +The purpose of these configuration files are to provide a common +interface for all applications and service daemons calling into +the PAM library. .sp The .BR system-auth -configuration file is included from all individual service configuration +configuration file is included from nearly all individual service configuration files with the help of the .BR include directive. +.sp +The +.BR password-auth +.BR fingerprint-auth +.BR smartcard-auth +configuration files are for applications which handle authentication from +different types of devices via simultaneously running individual conversations +instead of one aggregate conversation. + .SH NOTES There should be no .BR sufficient