From ca3ead67849dcc1299a086e7de36dd25735d9373 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 17 Sep 2010 17:37:07 +0200
Subject: [PATCH] - add pam_faillock module implementing temporary account lock out based on authentication failures during a specified interval - upgrade to new upstream release

---
 .gitignore | 1 +
 ...r.bz2.sign => Linux-PAM-1.1.2.tar.bz2.sign | 6 +-
 pam-1.1.1-authtok-prompt.patch | 78 -------------------
 pam.spec | 17 +++-
 sources | 3 +-
 5 files changed, 18 insertions(+), 87 deletions(-)
 rename Linux-PAM-1.1.1.tar.bz2.sign => Linux-PAM-1.1.2.tar.bz2.sign (61%)
 delete mode 100644 pam-1.1.1-authtok-prompt.patch
diff --git a/.gitignore b/.gitignore
index 3c6b5b2..ac1a976 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *.tar.bz2
 pam-redhat-0.99.10-1.tar.bz2
 Linux-PAM-1.1.1.tar.bz2
+/Linux-PAM-1.1.2.tar.bz2
diff --git a/Linux-PAM-1.1.1.tar.bz2.sign b/Linux-PAM-1.1.2.tar.bz2.sign
similarity index 61%
rename from Linux-PAM-1.1.1.tar.bz2.sign
rename to Linux-PAM-1.1.2.tar.bz2.sign
index fad7920..ebf862e 100644
--- a/Linux-PAM-1.1.1.tar.bz2.sign
+++ b/Linux-PAM-1.1.2.tar.bz2.sign
@@ -2,7 +2,7 @@
 Version: GnuPG v1.4.9 (GNU/Linux)
 Comment: See http://www.kernel.org/signature.html for info

-iD8DBQBLKOWYyGugalF9Dw4RAqYlAJ9st1NRPyZjWFD+Pl+7ifeiDcDTAwCfeyt7
-l6BKIgA/0NQzw+md5nFXVy4=
-=Kxq6
+iD8DBQBMfOpRyGugalF9Dw4RAthOAJ4z/JltpEbOUu6dnmDp1ukQ//1UHwCeJu/F
+99nWVREWCPTqNSuGz6H/Zo4=
+=G1D5
 -----END PGP SIGNATURE-----
diff --git a/pam-1.1.1-authtok-prompt.patch b/pam-1.1.1-authtok-prompt.patch
deleted file mode 100644
index 84574ac..0000000
--- a/pam-1.1.1-authtok-prompt.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -Index: libpam/pam_get_authtok.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/libpam/pam_get_authtok.c,v -retrieving revision 1.3 -diff -u -p -r1.3 pam_get_authtok.c ---- libpam/pam_get_authtok.c 10 Nov 2009 15:52:20 -0000 1.3 -+++ libpam/pam_get_authtok.c 22 Jan 2010 17:31:40 -0000 -@@ -81,7 +81,7 @@ pam_get_authtok_internal (pam_handle_t * - char *resp[2] = {NULL, NULL}; - const void *prevauthtok; - const char *authtok_type = ""; -- int ask_twice = 0; /* Password change, ask twice for it */ -+ int chpass = 0; /* Password change, ask twice for it */ - int retval; - - if (authtok == NULL) -@@ -91,8 +91,9 @@ pam_get_authtok_internal (pam_handle_t * - which needs to be verified. */ - if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK) - { -+ chpass = 1; - if (!(flags & PAM_GETAUTHTOK_NOVERIFY)) -- ask_twice = 1; -+ ++chpass; - - authtok_type = get_option (pamh, "authtok_type"); - if (authtok_type == NULL) -@@ -110,11 +111,11 @@ pam_get_authtok_internal (pam_handle_t * - return PAM_SUCCESS; - } - else if (get_option (pamh, "use_first_pass") || -- (ask_twice && get_option (pamh, "use_authtok"))) -+ (chpass && get_option (pamh, "use_authtok"))) - { - if (prevauthtok == NULL) - { -- if (ask_twice) -+ if (chpass) - return PAM_AUTHTOK_ERR; - else - return PAM_AUTH_ERR; -@@ -127,16 +128,16 @@ pam_get_authtok_internal (pam_handle_t * - { - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], - "%s", prompt); -- if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) -+ if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL) - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], - _("Retype %s"), prompt); - } -- else if (ask_twice) -+ else if (chpass) - { - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], - PROMPT1, authtok_type, - strlen (authtok_type) > 0?" 
":""); -- if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL) -+ if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL) - retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1], - PROMPT2, authtok_type, - strlen (authtok_type) > 0?" ":""); -@@ -146,14 +147,14 @@ pam_get_authtok_internal (pam_handle_t * - PROMPT); - - if (retval != PAM_SUCCESS || resp[0] == NULL || -- (ask_twice && resp[1] == NULL)) -+ (chpass > 1 && resp[1] == NULL)) - { - /* We want to abort the password change */ - pam_error (pamh, _("Password change aborted.")); - return PAM_AUTHTOK_ERR; - } - -- if (ask_twice && strcmp (resp[0], resp[1]) != 0) -+ if (chpass > 1 && strcmp (resp[0], resp[1]) != 0) - { - pam_error (pamh, MISTYPED_PASS); - _pam_overwrite (resp[0]); diff --git a/pam.spec b/pam.spec index 5eb71a1..61fd013 100644 --- a/pam.spec +++ b/pam.spec @@ -2,8 +2,8 @@ Summary: An extensible library which provides authentication for applications Name: pam -Version: 1.1.1 -Release: 5%{?dist} +Version: 1.1.2 +Release: 1%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -26,7 +26,7 @@ Patch2: pam-1.0.91-std-noclose.patch Patch4: pam-1.1.0-console-nochmod.patch Patch5: pam-1.1.0-notally.patch Patch7: pam-1.1.0-console-fixes.patch -Patch8: pam-1.1.1-authtok-prompt.patch +Patch8: pam-1.1.1-faillock.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security @@ -92,7 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch4 -p1 -b .nochmod %patch5 -p1 -b .notally %patch7 -p1 -b .console-fixes -%patch8 -p0 -b .prompt +%patch8 -p1 -b .faillock libtoolize -f autoreconf 
@@ -145,6 +145,7 @@ install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
 install -d -m 755 $RPM_BUILD_ROOT/var/log
 install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
+install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
 # Install man pages.
 install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/
@@ -232,6 +233,7 @@ fi
 /%{_lib}/libpam_misc.so.*
 %{_sbindir}/pam_console_apply
 %{_sbindir}/pam_tally2
+%{_sbindir}/faillock
 %attr(4755,root,root) %{_sbindir}/pam_timestamp_check
 %attr(4755,root,root) %{_sbindir}/unix_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
@@ -250,6 +252,7 @@ fi
 %{_moduledir}/pam_env.so
 %{_moduledir}/pam_exec.so
 %{_moduledir}/pam_faildelay.so
+%{_moduledir}/pam_faillock.so
 %{_moduledir}/pam_filter.so
 %{_moduledir}/pam_ftp.so
 %{_moduledir}/pam_group.so
@@ -319,6 +322,7 @@ fi
 %dir /var/run/sepermit
 %endif
 %ghost %verify(not md5 size mtime) /var/log/tallylog
+%dir /var/run/faillock
 %{_mandir}/man5/*
 %{_mandir}/man8/*
@@ -333,6 +337,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Fri Sep 17 2010 Tomas Mraz 1.1.2-1
+- add pam_faillock module implementing temporary account lock out based
+ on authentication failures during a specified interval
+- upgrade to new upstream release
+
 * Thu Jul 15 2010 Tomas Mraz 1.1.1-5
 - do not overwrite tallylog with empty file on upgrade
diff --git a/sources b/sources
index 8210a75..2692375 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2
-9b3d952b173d5b9836cbc7e8de108bee Linux-PAM-1.1.1.tar.bz2
+81173dfeffe69d726081f9c5667cd3e7 Linux-PAM-1.1.2.tar.bz2
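Review bot: `+install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock`, mirrored by the `+%dir /var/run/faillock` entry in the -319 hunk that carries no `%attr`, makes the lock-out record directory world-listable, so any local account can enumerate which users have recent authentication failures unless the per-user record files are themselves created without group/other read bits. Confirm that pam_faillock creates them that way; if the `faillock` tool does not need non-root read access, the directory can get the same treatment as `%attr(0700,root,root)` already used for unix_update in the -232 hunk. If /var/run is volatile on the target release the directory is gone after a reboot and nothing in the spec recreates it, so check how pam_faillock behaves when its directory is missing and make sure a missing tally directory cannot become a silent bypass of the lock-out.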
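Review bot: The `sources` hunk drops the `pam-redhat-0.99.10-1.tar.bz2` checksum along with the 1.1.1 tarball, yet the `mv pam-redhat-%{pam_redhat_version}/* modules` context shown in the pam.spec -92 hunk indicates the spec still unpacks that tarball; unless its Source line was removed elsewhere or those modules now ship in the upstream 1.1.2 tarball, the lookaside fetch will no longer provide it and %prep will fail. The only integrity record for the new tarball is an MD5 in `sources`; since the detached .sign file is updated in the same commit, state in the changelog or commit message that Linux-PAM-1.1.2.tar.bz2 was verified against that signature before the checksum was taken, so the MD5 is anchored to the upstream key rather than to whatever was downloaded.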