From 4b9fc2208b670a23b74359c9dd329b036e5b27ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Fri, 10 Apr 2009 16:06:24 +0000 Subject: [PATCH] - add password-auth, fingerprint-auth, and smartcard-auth for applications which can use them namely gdm (#494874) patch by Ray Strode --- fingerprint-auth.pamd | 18 ++++++++++++++++++ pam.spec | 35 +++++++++++++++++++++++++---------- password-auth.pamd | 20 ++++++++++++++++++++ smartcard-auth.pamd | 19 +++++++++++++++++++ system-auth.5 | 22 +++++++++++++++++----- 5 files changed, 99 insertions(+), 15 deletions(-) create mode 100644 fingerprint-auth.pamd create mode 100644 password-auth.pamd create mode 100644 smartcard-auth.pamd diff --git a/fingerprint-auth.pamd b/fingerprint-auth.pamd new file mode 100644 index 0000000..fdcbcc0 --- /dev/null +++ b/fingerprint-auth.pamd @@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_fprintd.so +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/pam.spec b/pam.spec index d1dbefa..548be59 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.0.91 -Release: 5%{?dist} +Release: 6%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising 
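Review bot: The session line `session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid` in fingerprint-auth.pamd skips exactly one following module, so it only works while `session required pam_unix.so` stays directly below it, and nothing in the file says so. I would add a comment above it such as `# crond: skip the pam_unix session module on the next line (jump count is positional)`. The same uncommented jump appears in password-auth.pamd and smartcard-auth.pamd later in this patch. Since the file header says authconfig regenerates these files, the comment may need to live in the generator as well.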
@@ -14,11 +14,14 @@ Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/beta/Linux-PAM-%{version}.t Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 Source5: other.pamd Source6: system-auth.pamd -Source7: config-util.pamd -Source8: dlopen.sh -Source9: system-auth.5 -Source10: config-util.5 -Source11: 90-nproc.conf +Source7: password-auth.pamd +Source8: fingerprint-auth.pamd +Source9: smartcard-auth.pamd +Source10: config-util.pamd +Source11: dlopen.sh +Source12: system-auth.5 +Source13: config-util.5 +Source14: 90-nproc.conf Patch1: pam-1.0.90-redhat-modules.patch Patch2: pam-1.0.91-std-noclose.patch @@ -84,6 +87,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch1 -p1 -b .redhat-modules %patch2 -p1 -b .std-noclose +libtoolize -f autoreconf %build 
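Review bot: Inserting the three new stacks as Source7 to Source9 renumbers every later source, which turns a three-line addition into edits of each `%{SOURCEn}` reference in %install and in the dlopen check. The references visible in the later hunks were updated consistently, but a missed one could install the wrong file under a PAM configuration name without failing the build. Appending them instead, for example `Source15: password-auth.pamd`, would keep the existing numbers stable.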
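Review bot: The added `libtoolize -f` in %prep is not mentioned in the changelog entry this patch adds, and it force-overwrites the libtool support files from the upstream tarball with those of the build host's libtool. If that is intended, a one-line comment such as `# regenerate libtool files to match the buildroot's libtool` and a matching BuildRequires (not visible in these hunks) would make the build input explicit. The %prep section starts and continues outside this hunk.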
@@ -126,15 +130,18 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir} install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth -install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/config-util -install -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth +install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth +install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth +install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util +install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd install -d -m 755 $RPM_BUILD_ROOT/var/log install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/faillog install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog # Install man pages. -install -m 644 %{SOURCE9} %{SOURCE10} $RPM_BUILD_ROOT%{_mandir}/man5/ +install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/ for phase in auth acct passwd session ; do ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so @@ -179,7 +186,7 @@ done /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \ - %{SOURCE8} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then + %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then echo ERROR module: ${module} cannot be loaded. exit 1 fi @@ -204,6 +211,9 @@ fi %dir %{_pamconfdir} %config(noreplace) %{_pamconfdir}/other %config(noreplace) %{_pamconfdir}/system-auth +%config(noreplace) %{_pamconfdir}/password-auth +%config(noreplace) %{_pamconfdir}/fingerprint-auth +%config(noreplace) %{_pamconfdir}/smartcard-auth %config(noreplace) %{_pamconfdir}/config-util %doc Copyright %doc doc/txts 
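Review bot: The three new stacks are packaged as independent `%config(noreplace)` files rather than as includes of system-auth, so a change to system-auth's auth stack (a lockout or logging module, say) does not reach services that switch to password-auth, fingerprint-auth or smartcard-auth. That is presumably intended for gdm's per-device conversations, but it is worth stating next to these %files lines, for example `# independent of system-auth: auth-stack hardening must be mirrored in each file`. The system-auth.5 text added later in the patch describes the purpose of the files but not this consequence.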
@@ -315,6 +325,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Apr 10 2009 Tomas Mraz 1.0.91-6 +- add password-auth, fingerprint-auth, and smartcard-auth + for applications which can use them namely gdm (#494874) + patch by Ray Strode + * Thu Mar 26 2009 Tomas Mraz 1.0.91-5 - replace also other std descriptors (#491471) diff --git a/password-auth.pamd b/password-auth.pamd new file mode 100644 index 0000000..fef15f6 --- /dev/null +++ b/password-auth.pamd @@ -0,0 +1,20 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_unix.so nullok try_first_pass +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password requisite pam_cracklib.so try_first_pass retry=3 type= +password sufficient pam_unix.so nullok try_first_pass use_authtok +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd new file mode 100644 index 0000000..e8e51f3 --- /dev/null +++ b/smartcard-auth.pamd 
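Review bot: `auth sufficient pam_unix.so nullok try_first_pass` in password-auth.pamd lets an account with an empty password field authenticate, and this stack is aimed at a login manager. Unless passwordless accounts must keep working through gdm, dropping `nullok` from the auth line (`auth sufficient pam_unix.so try_first_pass`) is the safer default. Separately, the `password sufficient pam_unix.so nullok try_first_pass use_authtok` line names no hash algorithm or `shadow`, so the hash used for new passwords depends on pam_unix's default. If system-auth sets these options, this file should match it.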
@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password optional pam_pkcs11.so
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/system-auth.5 b/system-auth.5
index a1267f7..8f8ef34 100644
--- a/system-auth.5
+++ b/system-auth.5
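Review bot: The password stack in smartcard-auth.pamd ends on `password requisite pam_cracklib.so try_first_pass retry=3 type=`, with no module after it that stores a token or denies. With `pam_pkcs11.so` only `optional`, a password change through this service appears to return success once cracklib accepts the input, although nothing has been updated. fingerprint-auth.pamd in this patch closes its password stack with `password required pam_deny.so`; doing the same here would make the outcome explicit. The `wait_for_card` option on the auth line also looks like it blocks until a card is present, which deserves a comment for any non-interactive service that might include this file.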
@@ -1,25 +1,37 @@ -.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.TH SYSTEM-AUTH 5 "2009 Apr 10" "Red Hat" "Linux-PAM Manual" .SH NAME system-auth \- Common configuration file for PAMified services .SH SYNOPSIS .B /etc/pam.d/system-auth +.B /etc/pam.d/password-auth +.B /etc/pam.d/fingerprint-auth +.B /etc/pam.d/smartcard-auth .sp 2 .SH DESCRIPTION -The purpose of this configuration file is to provide common -configuration file for all applications and service daemons -calling PAM library. +The purpose of these configuration files are to provide a common +interface for all applications and service daemons calling into +the PAM library. .sp The .BR system-auth -configuration file is included from all individual service configuration +configuration file is included from nearly all individual service configuration files with the help of the .BR include directive. +.sp +The +.BR password-auth +.BR fingerprint-auth +.BR smartcard-auth +configuration files are for applications which handle authentication from +different types of devices via simultaneously running individual conversations +instead of one aggregate conversation. + .SH NOTES There should be no .BR sufficient