rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- add pam_faillock module implementing temporary account lock out based

Browse Source 
on authentication failures during a specified interval
- upgrade to new upstream release
This commit is contained in:
Tomas Mraz 2010-09-17 17:37:07 +02:00
parent f9b1a585ea
commit ca3ead6784
5 changed files with 18 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,3 +2,4 @@
*.tar.bz2 *.tar.bz2
pam-redhat-0.99.10-1.tar.bz2 pam-redhat-0.99.10-1.tar.bz2
Linux-PAM-1.1.1.tar.bz2 Linux-PAM-1.1.1.tar.bz2
/Linux-PAM-1.1.2.tar.bz2

6
Linux-PAM-1.1.1.tar.bz2.sign → Linux-PAM-1.1.2.tar.bz2.sign
View File

@ -2,7 +2,7 @@
Version: GnuPG v1.4.9 (GNU/Linux) Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://www.kernel.org/signature.html for info Comment: See http://www.kernel.org/signature.html for info
iD8DBQBLKOWYyGugalF9Dw4RAqYlAJ9st1NRPyZjWFD+Pl+7ifeiDcDTAwCfeyt7 iD8DBQBMfOpRyGugalF9Dw4RAthOAJ4z/JltpEbOUu6dnmDp1ukQ//1UHwCeJu/F
l6BKIgA/0NQzw+md5nFXVy4= 99nWVREWCPTqNSuGz6H/Zo4=
=Kxq6 =G1D5
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

78
pam-1.1.1-authtok-prompt.patch
View File

@ -1,78 +0,0 @@
Index: libpam/pam_get_authtok.c
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/libpam/pam_get_authtok.c,v
retrieving revision 1.3
diff -u -p -r1.3 pam_get_authtok.c
--- libpam/pam_get_authtok.c 10 Nov 2009 15:52:20 -0000 1.3
+++ libpam/pam_get_authtok.c 22 Jan 2010 17:31:40 -0000
@@ -81,7 +81,7 @@ pam_get_authtok_internal (pam_handle_t *
char *resp[2] = {NULL, NULL};
const void *prevauthtok;
const char *authtok_type = "";
- int ask_twice = 0; /* Password change, ask twice for it */
+ int chpass = 0; /* Password change, ask twice for it */
int retval;
if (authtok == NULL)
@@ -91,8 +91,9 @@ pam_get_authtok_internal (pam_handle_t *
which needs to be verified. */
if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK)
{
+ chpass = 1;
if (!(flags & PAM_GETAUTHTOK_NOVERIFY))
- ask_twice = 1;
+ ++chpass;
authtok_type = get_option (pamh, "authtok_type");
if (authtok_type == NULL)
@@ -110,11 +111,11 @@ pam_get_authtok_internal (pam_handle_t *
return PAM_SUCCESS;
}
else if (get_option (pamh, "use_first_pass") ||
- (ask_twice && get_option (pamh, "use_authtok")))
+ (chpass && get_option (pamh, "use_authtok")))
{
if (prevauthtok == NULL)
{
- if (ask_twice)
+ if (chpass)
return PAM_AUTHTOK_ERR;
else
return PAM_AUTH_ERR;
@@ -127,16 +128,16 @@ pam_get_authtok_internal (pam_handle_t *
{
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
"%s", prompt);
- if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL)
+ if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL)
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1],
_("Retype %s"), prompt);
}
- else if (ask_twice)
+ else if (chpass)
{
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
PROMPT1, authtok_type,
strlen (authtok_type) > 0?" ":"");
- if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL)
+ if (retval == PAM_SUCCESS && chpass > 1 && resp[0] != NULL)
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1],
PROMPT2, authtok_type,
strlen (authtok_type) > 0?" ":"");
@@ -146,14 +147,14 @@ pam_get_authtok_internal (pam_handle_t *
PROMPT);
if (retval != PAM_SUCCESS || resp[0] == NULL ||
- (ask_twice && resp[1] == NULL))
+ (chpass > 1 && resp[1] == NULL))
{
/* We want to abort the password change */
pam_error (pamh, _("Password change aborted."));
return PAM_AUTHTOK_ERR;
}
- if (ask_twice && strcmp (resp[0], resp[1]) != 0)
+ if (chpass > 1 && strcmp (resp[0], resp[1]) != 0)
{
pam_error (pamh, MISTYPED_PASS);
_pam_overwrite (resp[0]);

17
pam.spec
View File

@ -2,8 +2,8 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.1.1 Version: 1.1.2
Release: 5%{?dist} Release: 1%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License: BSD and GPLv2+ License: BSD and GPLv2+
@ -26,7 +26,7 @@ Patch2: pam-1.0.91-std-noclose.patch
Patch4: pam-1.1.0-console-nochmod.patch Patch4: pam-1.1.0-console-nochmod.patch
Patch5: pam-1.1.0-notally.patch Patch5: pam-1.1.0-notally.patch
Patch7: pam-1.1.0-console-fixes.patch Patch7: pam-1.1.0-console-fixes.patch
Patch8: pam-1.1.1-authtok-prompt.patch Patch8: pam-1.1.1-faillock.patch
%define _sbindir /sbin %define _sbindir /sbin
%define _moduledir /%{_lib}/security %define _moduledir /%{_lib}/security
@ -92,7 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch4 -p1 -b .nochmod %patch4 -p1 -b .nochmod
%patch5 -p1 -b .notally %patch5 -p1 -b .notally
%patch7 -p1 -b .console-fixes %patch7 -p1 -b .console-fixes
%patch8 -p0 -b .prompt %patch8 -p1 -b .faillock
libtoolize -f libtoolize -f
autoreconf autoreconf
@ -145,6 +145,7 @@ install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf
install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
install -d -m 755 $RPM_BUILD_ROOT/var/log install -d -m 755 $RPM_BUILD_ROOT/var/log
install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
# Install man pages. # Install man pages.
install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/ install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/
@ -232,6 +233,7 @@ fi
/%{_lib}/libpam_misc.so.* /%{_lib}/libpam_misc.so.*
%{_sbindir}/pam_console_apply %{_sbindir}/pam_console_apply
%{_sbindir}/pam_tally2 %{_sbindir}/pam_tally2
%{_sbindir}/faillock
%attr(4755,root,root) %{_sbindir}/pam_timestamp_check %attr(4755,root,root) %{_sbindir}/pam_timestamp_check
%attr(4755,root,root) %{_sbindir}/unix_chkpwd %attr(4755,root,root) %{_sbindir}/unix_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update %attr(0700,root,root) %{_sbindir}/unix_update
@ -250,6 +252,7 @@ fi
%{_moduledir}/pam_env.so %{_moduledir}/pam_env.so
%{_moduledir}/pam_exec.so %{_moduledir}/pam_exec.so
%{_moduledir}/pam_faildelay.so %{_moduledir}/pam_faildelay.so
%{_moduledir}/pam_faillock.so
%{_moduledir}/pam_filter.so %{_moduledir}/pam_filter.so
%{_moduledir}/pam_ftp.so %{_moduledir}/pam_ftp.so
%{_moduledir}/pam_group.so %{_moduledir}/pam_group.so
@ -319,6 +322,7 @@ fi
%dir /var/run/sepermit %dir /var/run/sepermit
%endif %endif
%ghost %verify(not md5 size mtime) /var/log/tallylog %ghost %verify(not md5 size mtime) /var/log/tallylog
%dir /var/run/faillock
%{_mandir}/man5/* %{_mandir}/man5/*
%{_mandir}/man8/* %{_mandir}/man8/*
@ -333,6 +337,11 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Fri Sep 17 2010 Tomas Mraz <tmraz@redhat.com> 1.1.2-1
- add pam_faillock module implementing temporary account lock out based
on authentication failures during a specified interval
- upgrade to new upstream release
* Thu Jul 15 2010 Tomas Mraz <tmraz@redhat.com> 1.1.1-5 * Thu Jul 15 2010 Tomas Mraz <tmraz@redhat.com> 1.1.1-5
- do not overwrite tallylog with empty file on upgrade - do not overwrite tallylog with empty file on upgrade

3
sources
View File

@ -1,2 +1 @@
c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2 81173dfeffe69d726081f9c5667cd3e7 Linux-PAM-1.1.2.tar.bz2
9b3d952b173d5b9836cbc7e8de108bee Linux-PAM-1.1.1.tar.bz2