author | Maxin B. John <maxin.john@intel.com> | 2016-05-25 17:07:39 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-05-30 15:58:12 +0100 |
commit | 87f0a826255e8e43a327e7b085fd5bc14b4f324c (patch) | |
tree | d39dbdf25d5e0b0690b3a39aecd5505d88b52bea /meta/recipes-extended/pam/libpam | |
parent | 52d130d9e9735af569f018fc9161a54ed198d2d4 (diff) | |
download | poky-87f0a826255e8e43a327e7b085fd5bc14b4f324c.tar.gz |
libpam: update to 1.3.0
1.2.1 -> 1.3.0
Remove upstreamed patch:
a) pam-no-innetgr.patch
Refreshed the following patches for 1.3.0:
a) crypt_configure.patch
b) pam-unix-nullok-secure.patch
(From OE-Core rev: ac512ff9fbe41428e3d71d3e943aaa871d8b155a)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/pam/libpam')
3 files changed, 60 insertions, 193 deletions
diff --git a/meta/recipes-extended/pam/libpam/crypt_configure.patch b/meta/recipes-extended/pam/libpam/crypt_configure.patch index bec82a5f10..917a8af64d 100644 --- a/meta/recipes-extended/pam/libpam/crypt_configure.patch +++ b/meta/recipes-extended/pam/libpam/crypt_configure.patch | |||
@@ -1,31 +1,40 @@ | |||
1 | From b86575ab4a0df07da160283459da270e1c0372a0 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Maxin B. John" <maxin.john@intel.com> | ||
3 | Date: Tue, 24 May 2016 14:11:09 +0300 | ||
4 | Subject: [PATCH] crypt_configure | ||
5 | |||
1 | This patch fixes a case where it find crypt defined in libc (musl) but | 6 | This patch fixes a case where it find crypt defined in libc (musl) but |
2 | not in specified libraries then it ends up assigning | 7 | not in specified libraries then it ends up assigning |
3 | |||
4 | LIBCRYPT="-l" which then goes into makefile cause all sort of problems | 8 | LIBCRYPT="-l" which then goes into makefile cause all sort of problems |
5 | e.g. | 9 | e.g. |
6 | 10 | ||
7 | ld: cannot find -l-m32 | 11 | ld: cannot find -l-m32 |
8 | | collect2: error: ld returned 1 exit status | 12 | | collect2: error: ld returned 1 exit status |
9 | 13 | The reason is that -l appears on commandline with | |
10 | The reason is that -l appears on commandline with out any library and | 14 | out any library and compiler treats the next argument as library name |
11 | compiler treats the next argument as library name whatever it is. | 15 | whatever it is. |
12 | |||
13 | 16 | ||
14 | Upstream-Status: Pending | 17 | Upstream-Status: Pending |
18 | |||
15 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | 19 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
20 | Signed-off-by: Maxin B. John <maxin.john@intel.com> | ||
21 | --- | ||
22 | configure.ac | 2 +- | ||
23 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
16 | 24 | ||
17 | Index: Linux-PAM-1.1.6/configure.in | 25 | diff --git a/configure.ac b/configure.ac |
18 | =================================================================== | 26 | index df39d07..e68d856 100644 |
19 | --- Linux-PAM-1.1.6.org/configure.ac | 27 | --- a/configure.ac |
20 | +++ Linux-PAM-1.1.6/configure.ac | 28 | +++ b/configure.ac |
21 | @@ -400,7 +400,9 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = | 29 | @@ -401,7 +401,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"], |
22 | [crypt_libs="crypt"]) | 30 | [crypt_libs="crypt"]) |
23 | 31 | ||
24 | BACKUP_LIBS=$LIBS | 32 | BACKUP_LIBS=$LIBS |
25 | -AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="") | 33 | -AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="") |
26 | +AC_SEARCH_LIBS([crypt],[$crypt_libs], | 34 | +AC_SEARCH_LIBS([crypt],[$crypt_libs], [test "$ac_cv_search_crypt" = "none required" || LIBCRYPT="$ac_cv_search_crypt"]) |
27 | + [test "$ac_cv_search_crypt" = "none required" || | ||
28 | + LIBCRYPT="$ac_cv_search_crypt"]) | ||
29 | AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) | 35 | AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) |
30 | LIBS=$BACKUP_LIBS | 36 | LIBS=$BACKUP_LIBS |
31 | AC_SUBST(LIBCRYPT) | 37 | AC_SUBST(LIBCRYPT) |
38 | -- | ||
39 | 2.4.0 | ||
40 | |||
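Review bot: The description kept in the refreshed crypt_configure.patch still explains the failure as `LIBCRYPT="-l"`, but the line the patch now removes is `LIBCRYPT="${ac_lib:+-l$ac_lib}"`, which already expands to nothing when `ac_lib` is empty. The text should say what the patch still fixes on 1.3.0, or the patch should be evaluated for removal if that guard already covers the musl case; `Upstream-Status: Pending` is worth revisiting at the same time. The replacement also drops the not-found action `LIBCRYPT=""`, so when crypt is not found, or is found in libc, `LIBCRYPT` keeps whatever value it had before the check. A one-line `LIBCRYPT=""` ahead of `AC_SEARCH_LIBS` would make the intended default explicit.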
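--- a/meta/recipes-extended/pam/libpam/pam-no-innetgr.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-innetgr may not be there so make sure that when innetgr is not present
-then we inform about it and not use it.
-
--Khem
-
-Upstream-Status: Pending
-
-Signed-off-by: Scott Garman <scott.a.garman@intel.com>
-
-Index: Linux-PAM-1.1.3/modules/pam_group/pam_group.c
-===================================================================
---- Linux-PAM-1.1.3.orig/modules/pam_group/pam_group.c
-+++ Linux-PAM-1.1.3/modules/pam_group/pam_group.c
-@@ -659,7 +659,11 @@ static int check_account(pam_handle_t *p
-}
-/* If buffer starts with @, we are using netgroups */
-if (buffer[0] == '@')
-- good &= innetgr (&buffer[1], NULL, user, NULL);
-+#ifdef HAVE_INNETGR
-+ good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
-+#endif
-/* otherwise, if the buffer starts with %, it's a UNIX group */
-else if (buffer[0] == '%')
-good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
-Index: Linux-PAM-1.1.3/modules/pam_time/pam_time.c
-===================================================================
---- Linux-PAM-1.1.3.orig/modules/pam_time/pam_time.c
-+++ Linux-PAM-1.1.3/modules/pam_time/pam_time.c
-@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const
-}
-/* If buffer starts with @, we are using netgroups */
-if (buffer[0] == '@')
-- good &= innetgr (&buffer[1], NULL, user, NULL);
-+#ifdef HAVE_INNETGR
-+ good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
-+#endif
-else
-- good &= logic_field(pamh, user, buffer, count, is_same);
-+ good &= logic_field(pamh, user, buffer, count, is_same);
-D(("with user: %s", good ? "passes":"fails" ));
-
-/* here we get the time field */
-Index: Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c
-===================================================================
---- Linux-PAM-1.1.3.orig/modules/pam_succeed_if/pam_succeed_if.c
-+++ Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c
-@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh,
-}
-/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
-static int
--evaluate_innetgr(const char *host, const char *user, const char *group)
-+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
-{
-+#ifdef HAVE_INNETGR
-if (innetgr(group, host, user, NULL) == 1)
-return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
-+
-return PAM_AUTH_ERR;
-}
-/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
-static int
--evaluate_notinnetgr(const char *host, const char *user, const char *group)
-+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
-{
-+#ifdef HAVE_INNETGR
-if (innetgr(group, host, user, NULL) == 0)
-return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
-return PAM_AUTH_ERR;
-}
-
-@@ -361,14 +370,14 @@ evaluate(pam_handle_t *pamh, int debug,
-const void *rhost;
-if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
-rhost = NULL;
-- return evaluate_innetgr(rhost, user, right);
-+ return evaluate_innetgr(pamh, rhost, user, right);
-}
-/* (Rhost, user) is not in this group. */
-if (strcasecmp(qual, "notinnetgr") == 0) {
-const void *rhost;
-if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
-rhost = NULL;
-- return evaluate_notinnetgr(rhost, user, right);
-+ return evaluate_notinnetgr(pamh, rhost, user, right);
-}
-/* Fail closed. */
-return PAM_SERVICE_ERR;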
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch index 3241e82959..d2cc66882e 100644 --- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch +++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | |||
@@ -1,9 +1,11 @@ | |||
1 | From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001 | 1 | From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001 |
2 | From: Amarnath Valluri <amarnath.valluri@intel.com> | 2 | From: "Maxin B. John" <maxin.john@intel.com> |
3 | Date: Wed, 15 Jul 2015 13:07:20 +0300 | 3 | Date: Wed, 25 May 2016 14:12:25 +0300 |
4 | Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix, | 4 | Subject: [PATCH] pam_unix: support 'nullok_secure' option |
5 | which accepts users with null passwords only when the applicant is connected | 5 | |
6 | from a tty listed in /etc/securetty. | 6 | Debian patch to add a new 'nullok_secure' option to pam_unix, |
7 | which accepts users with null passwords only when the applicant is | ||
8 | connected from a tty listed in /etc/securetty. | ||
7 | 9 | ||
8 | Authors: Sam Hartman <hartmans@debian.org>, | 10 | Authors: Sam Hartman <hartmans@debian.org>, |
9 | Steve Langasek <vorlon@debian.org> | 11 | Steve Langasek <vorlon@debian.org> |
@@ -11,78 +13,31 @@ Authors: Sam Hartman <hartmans@debian.org>, | |||
11 | Upstream-Status: Pending | 13 | Upstream-Status: Pending |
12 | 14 | ||
13 | Signed-off-by: Ming Liu <ming.liu@windriver.com> | 15 | Signed-off-by: Ming Liu <ming.liu@windriver.com> |
14 | |||
15 | v2: | ||
16 | - Forward ported from v1.1.6 to v1.2.1 | ||
17 | |||
18 | Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> | 16 | Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> |
17 | Signed-off-by: Maxin B. John <maxin.john@intel.com> | ||
19 | --- | 18 | --- |
20 | modules/pam_unix/Makefile.am | 3 ++- | 19 | modules/pam_unix/Makefile.am | 3 ++- |
21 | modules/pam_unix/README | 11 ++++++++++- | ||
22 | modules/pam_unix/pam_unix.8 | 9 ++++++++- | ||
23 | modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- | 20 | modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- |
24 | modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- | 21 | modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- |
25 | modules/pam_unix/support.h | 8 ++++++-- | 22 | modules/pam_unix/support.h | 8 ++++++-- |
26 | 6 files changed, 79 insertions(+), 11 deletions(-) | 23 | 4 files changed, 61 insertions(+), 9 deletions(-) |
27 | 24 | ||
28 | diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am | 25 | diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am |
29 | index 56ed591..9a372ac 100644 | 26 | index 56df178..2bba460 100644 |
30 | --- a/modules/pam_unix/Makefile.am | 27 | --- a/modules/pam_unix/Makefile.am |
31 | +++ b/modules/pam_unix/Makefile.am | 28 | +++ b/modules/pam_unix/Makefile.am |
32 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING | 29 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING |
33 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map | 30 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map |
34 | endif | 31 | endif |
35 | pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ | 32 | pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ |
36 | - @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) | 33 | - @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ |
37 | + @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ | 34 | + @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \ |
38 | + ../pam_securetty/tty_secure.lo | 35 | + ../pam_securetty/tty_secure.lo |
39 | 36 | ||
40 | securelib_LTLIBRARIES = pam_unix.la | 37 | securelib_LTLIBRARIES = pam_unix.la |
41 | 38 | ||
42 | diff --git a/modules/pam_unix/README b/modules/pam_unix/README | ||
43 | index 3935dba..7880d91 100644 | ||
44 | --- a/modules/pam_unix/README | ||
45 | +++ b/modules/pam_unix/README | ||
46 | @@ -67,7 +67,16 @@ nullok | ||
47 | |||
48 | The default action of this module is to not permit the user access to a | ||
49 | service if their official password is blank. The nullok argument overrides | ||
50 | - this default. | ||
51 | + this default and allows any user with a blank password to access the | ||
52 | + service. | ||
53 | + | ||
54 | +nullok_secure | ||
55 | + | ||
56 | + The default action of this module is to not permit the user access to a | ||
57 | + service if their official password is blank. The nullok_secure argument | ||
58 | + overrides this default and allows any user with a blank password to access | ||
59 | + the service as long as the value of PAM_TTY is set to one of the values | ||
60 | + found in /etc/securetty. | ||
61 | |||
62 | try_first_pass | ||
63 | |||
64 | diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 | ||
65 | index 339178b..a4bd906 100644 | ||
66 | --- a/modules/pam_unix/pam_unix.8 | ||
67 | +++ b/modules/pam_unix/pam_unix.8 | ||
68 | @@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi | ||
69 | .RS 4 | ||
70 | The default action of this module is to not permit the user access to a service if their official password is blank\&. The | ||
71 | \fBnullok\fR | ||
72 | -argument overrides this default\&. | ||
73 | +argument overrides this default and allows any user with a blank password to access the service\&. | ||
74 | +.RE | ||
75 | +.PP | ||
76 | +\fBnullok_secure\fR | ||
77 | +.RS 4 | ||
78 | +The default action of this module is to not permit the user access to a service if their official password is blank\&. The | ||
79 | +\fBnullok_secure\fR | ||
80 | +argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. | ||
81 | .RE | ||
82 | .PP | ||
83 | \fBtry_first_pass\fR | ||
84 | diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml | 39 | diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml |
85 | index a8b64bb..1ced6f4 100644 | 40 | index 1b318f1..be0330e 100644 |
86 | --- a/modules/pam_unix/pam_unix.8.xml | 41 | --- a/modules/pam_unix/pam_unix.8.xml |
87 | +++ b/modules/pam_unix/pam_unix.8.xml | 42 | +++ b/modules/pam_unix/pam_unix.8.xml |
88 | @@ -159,7 +159,24 @@ | 43 | @@ -159,7 +159,24 @@ |
@@ -112,10 +67,10 @@ index a8b64bb..1ced6f4 100644 | |||
112 | </listitem> | 67 | </listitem> |
113 | </varlistentry> | 68 | </varlistentry> |
114 | diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c | 69 | diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c |
115 | index abccd82..2361957 100644 | 70 | index fc8595e..29e3341 100644 |
116 | --- a/modules/pam_unix/support.c | 71 | --- a/modules/pam_unix/support.c |
117 | +++ b/modules/pam_unix/support.c | 72 | +++ b/modules/pam_unix/support.c |
118 | @@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, | 73 | @@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, |
119 | /* now parse the arguments to this module */ | 74 | /* now parse the arguments to this module */ |
120 | 75 | ||
121 | for (; argc-- > 0; ++argv) { | 76 | for (; argc-- > 0; ++argv) { |
@@ -141,7 +96,7 @@ index abccd82..2361957 100644 | |||
141 | } | 96 | } |
142 | } | 97 | } |
143 | 98 | ||
144 | @@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, | 99 | @@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, |
145 | if (child == 0) { | 100 | if (child == 0) { |
146 | static char *envp[] = { NULL }; | 101 | static char *envp[] = { NULL }; |
147 | const char *args[] = { NULL, NULL, NULL, NULL }; | 102 | const char *args[] = { NULL, NULL, NULL, NULL }; |
@@ -149,7 +104,7 @@ index abccd82..2361957 100644 | |||
149 | 104 | ||
150 | /* XXX - should really tidy up PAM here too */ | 105 | /* XXX - should really tidy up PAM here too */ |
151 | 106 | ||
152 | @@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, | 107 | @@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, |
153 | /* exec binary helper */ | 108 | /* exec binary helper */ |
154 | args[0] = CHKPWD_HELPER; | 109 | args[0] = CHKPWD_HELPER; |
155 | args[1] = user; | 110 | args[1] = user; |
@@ -167,7 +122,7 @@ index abccd82..2361957 100644 | |||
167 | args[2]="nullok"; | 122 | args[2]="nullok"; |
168 | } else { | 123 | } else { |
169 | args[2]="nonull"; | 124 | args[2]="nonull"; |
170 | @@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) | 125 | @@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) |
171 | if (on(UNIX__NONULL, ctrl)) | 126 | if (on(UNIX__NONULL, ctrl)) |
172 | return 0; /* will fail but don't let on yet */ | 127 | return 0; /* will fail but don't let on yet */ |
173 | 128 | ||
@@ -185,7 +140,7 @@ index abccd82..2361957 100644 | |||
185 | /* UNIX passwords area */ | 140 | /* UNIX passwords area */ |
186 | 141 | ||
187 | retval = get_pwd_hash(pamh, name, &pwd, &salt); | 142 | retval = get_pwd_hash(pamh, name, &pwd, &salt); |
188 | @@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name | 143 | @@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name |
189 | } | 144 | } |
190 | } | 145 | } |
191 | } else { | 146 | } else { |
@@ -195,46 +150,46 @@ index abccd82..2361957 100644 | |||
195 | 150 | ||
196 | if (retval == PAM_SUCCESS) { | 151 | if (retval == PAM_SUCCESS) { |
197 | diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h | 152 | diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h |
198 | index 3729ce0..43cdbea 100644 | 153 | index b4c279c..8da4a8e 100644 |
199 | --- a/modules/pam_unix/support.h | 154 | --- a/modules/pam_unix/support.h |
200 | +++ b/modules/pam_unix/support.h | 155 | +++ b/modules/pam_unix/support.h |
201 | @@ -99,8 +99,9 @@ typedef struct { | 156 | @@ -98,8 +98,9 @@ typedef struct { |
202 | #define UNIX_MIN_PASS_LEN 27 /* min length for password */ | ||
203 | #define UNIX_QUIET 28 /* Don't print informational messages */ | 157 | #define UNIX_QUIET 28 /* Don't print informational messages */ |
204 | #define UNIX_DES 29 /* DES, default */ | 158 | #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */ |
205 | +#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */ | 159 | #define UNIX_DES 30 /* DES, default */ |
160 | +#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */ | ||
206 | /* -------------- */ | 161 | /* -------------- */ |
207 | -#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ | 162 | -#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ |
208 | +#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ | 163 | +#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */ |
209 | 164 | ||
210 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) | 165 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) |
211 | 166 | ||
212 | @@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = | 167 | @@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = |
213 | /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, | 168 | /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, |
214 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, | 169 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, |
215 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, | 170 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, |
216 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, | 171 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, |
217 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0}, | 172 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0}, |
218 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, | 173 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, |
219 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, | 174 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, |
220 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, | 175 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, |
221 | @@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = | 176 | @@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = |
222 | /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, | ||
223 | /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, | 177 | /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, |
178 | /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, | ||
224 | /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, | 179 | /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, |
225 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0}, | 180 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0}, |
226 | }; | 181 | }; |
227 | 182 | ||
228 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) | 183 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) |
229 | @@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh | 184 | @@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh |
230 | ,const char *prompt2 | ||
231 | ,const char *data_name | 185 | ,const char *data_name |
232 | ,const void **pass); | 186 | ,const void **pass); |
233 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, | ||
234 | + const char *uttyname); | ||
235 | 187 | ||
188 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname); | ||
189 | + | ||
236 | extern int _unix_run_verify_binary(pam_handle_t *pamh, | 190 | extern int _unix_run_verify_binary(pam_handle_t *pamh, |
237 | unsigned int ctrl, const char *user, int *daysleft); | 191 | unsigned int ctrl, const char *user, int *daysleft); |
192 | #endif /* _PAM_UNIX_SUPPORT_H */ | ||
238 | -- | 193 | -- |
239 | 2.1.4 | 194 | 2.4.0 |
240 | 195 | ||
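Review bot: In the support.h hunk of the refreshed patch, `UNIX_NULLOK_SECURE` is given the flag `02000000000`, the same bit the 1.3.0 table assigns to `UNIX_NO_PASS_EXPIRY` two entries above it, and the `UNIX__NONULL` mask `_ALL_ON_^(02000000000)` clears that shared bit as well. With one bit serving both options, `on()`/`off()` cannot tell `no_pass_expiry` from `nullok_secure`. Presumably setting either one enables the other, which would affect both the blank-password policy and the expiry check, but the `_set_ctrl` and `_unix_blankpasswd` bodies are collapsed on this page, so the exact effect needs confirming. The index and `UNIX_CTRLS_` were renumbered for 1.3.0, while the flag value looks carried over unchanged from the 1.2.1 version of the patch. I would move the option to a bit no other entry uses, for example `/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 04000000000, 0},` together with `/* UNIX__NONULL */ {NULL, _ALL_ON_^(04000000000), 01000, 0},`, after checking that the rest of the table (not fully visible here) leaves that bit free and that the flag field is wide enough.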