From ff21ecd19213fce0570d448831d21f66db6abc2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Tue, 16 Nov 2021 12:47:47 +0100 Subject: [PATCH] spec: require authselect Related to: https://fedoraproject.org/wiki/Changes/Make_Authselect_Mandatory system-auth, smartcard-auth, fingerprint-auth, password-auth and postlogin are now owned by authselect. Authselect is now a hard dependency for pam. Users are now expected to use authselect to configure the system and packages should no longer support non-authselect configurations. Resolves: rhbz#2023738 --- fingerprint-auth.pamd | 17 ----------------- pam.spec | 21 +++++---------------- password-auth.pamd | 16 ---------------- postlogin.pamd | 5 ----- smartcard-auth.pamd | 17 ----------------- system-auth.pamd | 16 ---------------- 6 files changed, 5 insertions(+), 87 deletions(-) delete mode 100644 fingerprint-auth.pamd delete mode 100644 password-auth.pamd delete mode 100644 postlogin.pamd delete mode 100644 smartcard-auth.pamd delete mode 100644 system-auth.pamd diff --git a/fingerprint-auth.pamd b/fingerprint-auth.pamd deleted file mode 100644 index e2a7fb1..0000000 --- a/fingerprint-auth.pamd +++ /dev/null @@ -1,17 +0,0 @@ -#%PAM-1.0 -auth required pam_env.so -auth [success=done default=bad] pam_fprintd.so -auth required pam_deny.so - -account required pam_unix.so -account sufficient pam_localuser.so -account sufficient pam_succeed_if.so uid < 500 quiet -account required pam_permit.so - -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/pam.spec b/pam.spec index 2f228c7..bf1880d 100644 --- a/pam.spec +++ b/pam.spec 
@@ -4,7 +4,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.5.2 -Release: 7%{?dist} +Release: 8%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -15,16 +15,11 @@ Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Li Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.xz Source3: macros.%{name} Source5: other.pamd -Source6: system-auth.pamd -Source7: password-auth.pamd -Source8: fingerprint-auth.pamd -Source9: smartcard-auth.pamd Source10: config-util.pamd Source11: dlopen.sh Source12: system-auth.5 Source13: config-util.5 Source15: pamtmp.conf -Source16: postlogin.pamd Source17: postlogin.5 Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch1: pam-1.5.0-redhat-modules.patch @@ -36,6 +31,7 @@ Patch3: pam-1.3.0-unix-nomsg.patch ### Dependencies ### Requires: libpwquality%{?_isa} Requires: setup +Requires: authselect >= 1.3 ### Build Dependencies ### BuildRequires: audit-libs-devel @@ -150,12 +146,7 @@ rm -f %{buildroot}%{_sysconfdir}/environment install -d -m 755 %{buildroot}%{_pam_confdir} install -d -m 755 %{buildroot}%{_pam_vendordir} install -m 644 %{SOURCE5} %{buildroot}%{_pam_confdir}/other -install -m 644 %{SOURCE6} %{buildroot}%{_pam_confdir}/system-auth -install -m 644 %{SOURCE7} %{buildroot}%{_pam_confdir}/password-auth -install -m 644 %{SOURCE8} %{buildroot}%{_pam_confdir}/fingerprint-auth -install -m 644 %{SOURCE9} %{buildroot}%{_pam_confdir}/smartcard-auth install -m 644 %{SOURCE10} %{buildroot}%{_pam_confdir}/config-util -install -m 644 %{SOURCE16} %{buildroot}%{_pam_confdir}/postlogin install -m 600 /dev/null %{buildroot}%{_pam_secconfdir}/opasswd install -d -m 755 %{buildroot}/var/log install -d -m 755 %{buildroot}/var/run/faillock 
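Review bot: The added `Requires: authselect >= 1.3` in the Dependencies hunk is now the only thing ensuring that `system-auth`, `password-auth`, `fingerprint-auth`, `smartcard-auth` and `postlogin` exist under `%{_pam_confdir}`, yet the spec does not say so or explain the version floor. A comment above it would record that, e.g. `# authselect >= 1.3 owns system-auth, password-auth, fingerprint-auth, smartcard-auth and postlogin`. Service stacks that include these files are expected to fail authentication if they go missing, so an upgrade test from 1.5.2-7 should confirm that files previously shipped as `%config(noreplace)`, including locally modified ones, are still in place after the transaction; how authselect packages them is not visible in this patch. Separately, the new changelog entry in the last pam.spec hunk says `systemd-auth` where the commit message says `system-auth`.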
@@ -244,12 +235,7 @@ done %dir %{_pam_confdir} %dir %{_pam_vendordir} %config(noreplace) %{_pam_confdir}/other -%config(noreplace) %{_pam_confdir}/system-auth -%config(noreplace) %{_pam_confdir}/password-auth -%config(noreplace) %{_pam_confdir}/fingerprint-auth -%config(noreplace) %{_pam_confdir}/smartcard-auth %config(noreplace) %{_pam_confdir}/config-util -%config(noreplace) %{_pam_confdir}/postlogin %{_rpmconfigdir}/macros.d/macros.%{name} %{_pam_libdir}/libpam.so.%{so_ver}* %{_pam_libdir}/libpamc.so.%{so_ver}* @@ -375,6 +361,9 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \ exit 0 %changelog +* Tue Nov 16 2021 Pavel Březina - 1.5.2-8 +- systemd-auth, smartcard-auth, fingerprint-auth, password-auth and postlogin are now owned by authselect (#2023738) + * Fri Nov 12 2021 Björn Esser - 1.5.2-7 - Rebuild(libnsl2) diff --git a/password-auth.pamd b/password-auth.pamd deleted file mode 100644 index edca995..0000000 --- a/password-auth.pamd +++ /dev/null @@ -1,16 +0,0 @@ -#%PAM-1.0 -auth required pam_env.so -auth sufficient pam_unix.so try_first_pass nullok -auth required pam_deny.so - -account required pam_unix.so - -password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -password sufficient pam_unix.so try_first_pass use_authtok nullok yescrypt shadow -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so diff --git a/postlogin.pamd b/postlogin.pamd deleted file mode 100644 index 0bc9d0d..0000000 --- a/postlogin.pamd +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -session optional pam_umask.so silent -session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet -session [default=1] pam_lastlog.so nowtmp showfailed -session optional pam_lastlog.so silent noupdate showfailed 
diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd
deleted file mode 100644
index e8dc3c8..0000000
--- a/smartcard-auth.pamd
+++ /dev/null
@@ -1,17 +0,0 @@
-#%PAM-1.0
-auth required pam_env.so
-auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
-auth required pam_deny.so
-
-account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account required pam_permit.so
-
-password optional pam_pkcs11.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
--session optional pam_systemd.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so
diff --git a/system-auth.pamd b/system-auth.pamd
deleted file mode 100644
index edca995..0000000
--- a/system-auth.pamd
+++ /dev/null
@@ -1,16 +0,0 @@
-#%PAM-1.0
-auth required pam_env.so
-auth sufficient pam_unix.so try_first_pass nullok
-auth required pam_deny.so
-
-account required pam_unix.so
-
-password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
-password sufficient pam_unix.so try_first_pass use_authtok nullok yescrypt shadow
-password required pam_deny.so
-
-session optional pam_keyinit.so revoke
-session required pam_limits.so
--session optional pam_systemd.so
-session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-session required pam_unix.so