spec: require authselect

Related to: https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory

system-auth, smartcard-auth, fingerprint-auth, password-auth and
postlogin are now owned by authselect. Authselect is now a hard
dependency for pam. Users are now expected to use authselect to
configure the system and packages should no longer support
non-authselect configurations.

Resolves: rhbz#2023738
This commit is contained in:
Pavel Březina 2021-11-16 12:47:47 +01:00
parent 52766bc401
commit ff21ecd192
6 changed files with 5 additions and 87 deletions

View File

@ -1,17 +0,0 @@
#%PAM-1.0
auth required pam_env.so
auth [success=done default=bad] pam_fprintd.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

View File

@ -4,7 +4,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.5.2
Release: 7%{?dist}
Release: 8%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -15,16 +15,11 @@ Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Li
Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.xz
Source3: macros.%{name}
Source5: other.pamd
Source6: system-auth.pamd
Source7: password-auth.pamd
Source8: fingerprint-auth.pamd
Source9: smartcard-auth.pamd
Source10: config-util.pamd
Source11: dlopen.sh
Source12: system-auth.5
Source13: config-util.5
Source15: pamtmp.conf
Source16: postlogin.pamd
Source17: postlogin.5
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch1: pam-1.5.0-redhat-modules.patch
@ -36,6 +31,7 @@ Patch3: pam-1.3.0-unix-nomsg.patch
### Dependencies ###
Requires: libpwquality%{?_isa}
Requires: setup
Requires: authselect >= 1.3
### Build Dependencies ###
BuildRequires: audit-libs-devel
@ -150,12 +146,7 @@ rm -f %{buildroot}%{_sysconfdir}/environment
install -d -m 755 %{buildroot}%{_pam_confdir}
install -d -m 755 %{buildroot}%{_pam_vendordir}
install -m 644 %{SOURCE5} %{buildroot}%{_pam_confdir}/other
install -m 644 %{SOURCE6} %{buildroot}%{_pam_confdir}/system-auth
install -m 644 %{SOURCE7} %{buildroot}%{_pam_confdir}/password-auth
install -m 644 %{SOURCE8} %{buildroot}%{_pam_confdir}/fingerprint-auth
install -m 644 %{SOURCE9} %{buildroot}%{_pam_confdir}/smartcard-auth
install -m 644 %{SOURCE10} %{buildroot}%{_pam_confdir}/config-util
install -m 644 %{SOURCE16} %{buildroot}%{_pam_confdir}/postlogin
install -m 600 /dev/null %{buildroot}%{_pam_secconfdir}/opasswd
install -d -m 755 %{buildroot}/var/log
install -d -m 755 %{buildroot}/var/run/faillock
@ -244,12 +235,7 @@ done
%dir %{_pam_confdir}
%dir %{_pam_vendordir}
%config(noreplace) %{_pam_confdir}/other
%config(noreplace) %{_pam_confdir}/system-auth
%config(noreplace) %{_pam_confdir}/password-auth
%config(noreplace) %{_pam_confdir}/fingerprint-auth
%config(noreplace) %{_pam_confdir}/smartcard-auth
%config(noreplace) %{_pam_confdir}/config-util
%config(noreplace) %{_pam_confdir}/postlogin
%{_rpmconfigdir}/macros.d/macros.%{name}
%{_pam_libdir}/libpam.so.%{so_ver}*
%{_pam_libdir}/libpamc.so.%{so_ver}*
@ -375,6 +361,9 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
exit 0
%changelog
* Tue Nov 16 2021 Pavel Březina <pbrezina@redhat.com> - 1.5.2-8
- systemd-auth, smartcard-auth, fingerprint-auth, password-auth and postlogin are now owned by authselect (#2023738)
* Fri Nov 12 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.2-7
- Rebuild(libnsl2)

View File

@ -1,16 +0,0 @@
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok yescrypt shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

View File

@ -1,5 +0,0 @@
#%PAM-1.0
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed

View File

@ -1,17 +0,0 @@
#%PAM-1.0
auth required pam_env.so
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password optional pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

View File

@ -1,16 +0,0 @@
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok yescrypt shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so