1 files changed, 37 insertions, 82 deletions
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
index 3241e82959..d2cc66882e 100644
--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,9 +1,11 @@
-From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
+From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001
-From: Amarnath Valluri <amarnath.valluri@intel.com>
+From: "Maxin B. John" <maxin.john@intel.com>
-Date: Wed, 15 Jul 2015 13:07:20 +0300
+Date: Wed, 25 May 2016 14:12:25 +0300
-Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
+Subject: [PATCH] pam_unix: support 'nullok_secure' option
- which accepts users with null passwords only when the applicant is connected
- from a tty listed in /etc/securetty.
+Debian patch to add a new 'nullok_secure' option to pam_unix,
+which accepts users with null passwords only when the applicant is
+connected from a tty listed in /etc/securetty.
 Authors: Sam Hartman <hartmans@debian.org>,
         Steve Langasek <vorlon@debian.org>
@@ -11,78 +13,31 @@ Authors: Sam Hartman <hartmans@debian.org>,
 Upstream-Status: Pending
 Signed-off-by: Ming Liu <ming.liu@windriver.com>
-v2:
-        - Forward ported from v1.1.6 to v1.2.1
 Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
 ---
 modules/pam_unix/Makefile.am    |  3 ++-
- modules/pam_unix/README         | 11 ++++++++++-
- modules/pam_unix/pam_unix.8     |  9 ++++++++-
 modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
 modules/pam_unix/support.c      | 40 +++++++++++++++++++++++++++++++++++-----
 modules/pam_unix/support.h      |  8 ++++++--
- 6 files changed, 79 insertions(+), 11 deletions(-)
+ 4 files changed, 61 insertions(+), 9 deletions(-)
 diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
-index 56ed591..9a372ac 100644
+index 56df178..2bba460 100644
 --- a/modules/pam_unix/Makefile.am
 +++ b/modules/pam_unix/Makefile.am
 @@ -30,7 +30,8 @@ if HAVE_VERSIONING
   pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
 pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
-       @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)
+-       @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
-+       @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
+       @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
 +       ../pam_securetty/tty_secure.lo
 
 securelib_LTLIBRARIES = pam_unix.la
 
-diff --git a/modules/pam_unix/README b/modules/pam_unix/README
-index 3935dba..7880d91 100644
--- a/modules/pam_unix/README
-+++ b/modules/pam_unix/README
-@@ -67,7 +67,16 @@ nullok
- 
-     The default action of this module is to not permit the user access to a
-     service if their official password is blank. The nullok argument overrides
-    this default.
-+    this default and allows any user with a blank password to access the
-+    service.
-+
-+nullok_secure
-+
-+    The default action of this module is to not permit the user access to a
-+    service if their official password is blank. The nullok_secure argument
-+    overrides this default and allows any user with a blank password to access
-+    the service as long as the value of PAM_TTY is set to one of the values
-+    found in /etc/securetty.
- 
- try_first_pass
- 
-diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
-index 339178b..a4bd906 100644
--- a/modules/pam_unix/pam_unix.8
-+++ b/modules/pam_unix/pam_unix.8
-@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
- .RS 4
- The default action of this module is to not permit the user access to a service if their official password is blank\&. The
- \fBnullok\fR
-argument overrides this default\&.
-+argument overrides this default and allows any user with a blank password to access the service\&.
-+.RE
-+.PP
-+\fBnullok_secure\fR
-+.RS 4
-+The default action of this module is to not permit the user access to a service if their official password is blank\&. The
-+\fBnullok_secure\fR
-+argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&.
- .RE
- .PP
- \fBtry_first_pass\fR
 diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index a8b64bb..1ced6f4 100644
+index 1b318f1..be0330e 100644
 --- a/modules/pam_unix/pam_unix.8.xml
 +++ b/modules/pam_unix/pam_unix.8.xml
 @@ -159,7 +159,24 @@
@@ -112,10 +67,10 @@ index a8b64bb..1ced6f4 100644
         </listitem>
       </varlistentry>
 diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index abccd82..2361957 100644
+index fc8595e..29e3341 100644
 --- a/modules/pam_unix/support.c
 +++ b/modules/pam_unix/support.c
-@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
+@@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
        /* now parse the arguments to this module */
 
        for (; argc-- > 0; ++argv) {
@@ -141,7 +96,7 @@ index abccd82..2361957 100644
                        }
                }
 
-@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+@@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
     if (child == 0) {
        static char *envp[] = { NULL };
        const char *args[] = { NULL, NULL, NULL, NULL };
@@ -149,7 +104,7 @@ index abccd82..2361957 100644
 
        /* XXX - should really tidy up PAM here too */
 
-@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+@@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
        /* exec binary helper */
        args[0] = CHKPWD_HELPER;
        args[1] = user;
@@ -167,7 +122,7 @@ index abccd82..2361957 100644
          args[2]="nullok";
        } else {
          args[2]="nonull";
-@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
+@@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
        if (on(UNIX__NONULL, ctrl))
                return 0;       /* will fail but don't let on yet */
 
@@ -185,7 +140,7 @@ index abccd82..2361957 100644
        /* UNIX passwords area */
 
        retval = get_pwd_hash(pamh, name, &pwd, &salt);
-@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
+@@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                        }
                }
        } else {
@@ -195,46 +150,46 @@ index abccd82..2361957 100644
 
        if (retval == PAM_SUCCESS) {
 diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index 3729ce0..43cdbea 100644
+index b4c279c..8da4a8e 100644
 --- a/modules/pam_unix/support.h
 +++ b/modules/pam_unix/support.h
-@@ -99,8 +99,9 @@ typedef struct {
+@@ -98,8 +98,9 @@ typedef struct {
- #define UNIX_MIN_PASS_LEN        27    /* min length for password */
 #define UNIX_QUIET              28     /* Don't print informational messages */
- #define UNIX_DES                 29     /* DES, default */
+ #define UNIX_NO_PASS_EXPIRY      29     /* Don't check for password expiration if not used for authentication */
-+#define UNIX_NULLOK_SECURE       30     /* NULL passwords allowed only on secure ttys */
+ #define UNIX_DES                 30     /* DES, default */
+#define UNIX_NULLOK_SECURE       31     /* NULL passwords allowed only on secure ttys */
 /* -------------- */
-#define UNIX_CTRLS_              30    /* number of ctrl arguments defined */
+-#define UNIX_CTRLS_              31    /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_              31    /* number of ctrl arguments defined */
+#define UNIX_CTRLS_              32    /* number of ctrl arguments defined */
 
 #define UNIX_DES_CRYPT(ctrl)   (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
 
-@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
+@@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100, 0},
+ /* UNIX_AUTHTOK_TYPE */    {"authtok_type=",   _ALL_ON_,                0100, 0},
 /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200, 0},
 /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400, 0},
 -/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000, 0},
-+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(02000000000),   01000, 0},
+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(02000000000), 01000, 0},
 /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000, 0},
 /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000, 0},
 /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000, 0},
 @@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,         0400000000, 0},
 /* UNIX_QUIET */           {"quiet",           _ALL_ON_,         01000000000, 0},
+ /* UNIX_NO_PASS_EXPIRY */  {"no_pass_expiry",  _ALL_ON_,         02000000000, 0},
 /* UNIX_DES */             {"des",             _ALL_ON_^(0260420000),      0, 1},
-+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(01000),  02000000000, 0},
+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(01000), 02000000000, 0},
 };
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
-@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
+@@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh
-                        ,const char *prompt2
                        ,const char *data_name
                        ,const void **pass);
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+         const char *uttyname);
 
+extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname);
+
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
                        unsigned int ctrl, const char *user, int *daysleft);
+ #endif /* _PAM_UNIX_SUPPORT_H */
 -- 
-2.1.4
+2.4.0

diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch index 3241e82959..d2cc66882e 100644 --- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch +++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,9 +1,11 @@
1	From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001	1	From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001
2	From: Amarnath Valluri <amarnath.valluri@intel.com>	2	From: "Maxin B. John" <maxin.john@intel.com>
3	Date: Wed, 15 Jul 2015 13:07:20 +0300	3	Date: Wed, 25 May 2016 14:12:25 +0300
4	Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,	4	Subject: [PATCH] pam_unix: support 'nullok_secure' option
5	which accepts users with null passwords only when the applicant is connected	5
6	from a tty listed in /etc/securetty.	6	Debian patch to add a new 'nullok_secure' option to pam_unix,
		7	which accepts users with null passwords only when the applicant is
		8	connected from a tty listed in /etc/securetty.
7		9
8	Authors: Sam Hartman <hartmans@debian.org>,	10	Authors: Sam Hartman <hartmans@debian.org>,
9	Steve Langasek <vorlon@debian.org>	11	Steve Langasek <vorlon@debian.org>
@@ -11,78 +13,31 @@ Authors: Sam Hartman <hartmans@debian.org>,
11	Upstream-Status: Pending	13	Upstream-Status: Pending
12		14
13	Signed-off-by: Ming Liu <ming.liu@windriver.com>	15	Signed-off-by: Ming Liu <ming.liu@windriver.com>
14
15	v2:
16	- Forward ported from v1.1.6 to v1.2.1
17
18	Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>	16	Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
		17	Signed-off-by: Maxin B. John <maxin.john@intel.com>
19	---	18	---
20	modules/pam_unix/Makefile.am \| 3 ++-	19	modules/pam_unix/Makefile.am \| 3 ++-
21	modules/pam_unix/README \| 11 ++++++++++-
22	modules/pam_unix/pam_unix.8 \| 9 ++++++++-
23	modules/pam_unix/pam_unix.8.xml \| 19 ++++++++++++++++++-	20	modules/pam_unix/pam_unix.8.xml \| 19 ++++++++++++++++++-
24	modules/pam_unix/support.c \| 40 +++++++++++++++++++++++++++++++++++-----	21	modules/pam_unix/support.c \| 40 +++++++++++++++++++++++++++++++++++-----
25	modules/pam_unix/support.h \| 8 ++++++--	22	modules/pam_unix/support.h \| 8 ++++++--
26	6 files changed, 79 insertions(+), 11 deletions(-)	23	4 files changed, 61 insertions(+), 9 deletions(-)
27		24
28	diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am	25	diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
29	index 56ed591..9a372ac 100644	26	index 56df178..2bba460 100644
30	--- a/modules/pam_unix/Makefile.am	27	--- a/modules/pam_unix/Makefile.am
31	+++ b/modules/pam_unix/Makefile.am	28	+++ b/modules/pam_unix/Makefile.am
32	@@ -30,7 +30,8 @@ if HAVE_VERSIONING	29	@@ -30,7 +30,8 @@ if HAVE_VERSIONING
33	pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map	30	pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
34	endif	31	endif
35	pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \	32	pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
36	- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)	33	- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
37	+ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \	34	+ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
38	+ ../pam_securetty/tty_secure.lo	35	+ ../pam_securetty/tty_secure.lo
39		36
40	securelib_LTLIBRARIES = pam_unix.la	37	securelib_LTLIBRARIES = pam_unix.la
41		38
42	diff --git a/modules/pam_unix/README b/modules/pam_unix/README
43	index 3935dba..7880d91 100644
44	--- a/modules/pam_unix/README
45	+++ b/modules/pam_unix/README
46	@@ -67,7 +67,16 @@ nullok
47
48	The default action of this module is to not permit the user access to a
49	service if their official password is blank. The nullok argument overrides
50	- this default.
51	+ this default and allows any user with a blank password to access the
52	+ service.
53	+
54	+nullok_secure
55	+
56	+ The default action of this module is to not permit the user access to a
57	+ service if their official password is blank. The nullok_secure argument
58	+ overrides this default and allows any user with a blank password to access
59	+ the service as long as the value of PAM_TTY is set to one of the values
60	+ found in /etc/securetty.
61
62	try_first_pass
63
64	diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
65	index 339178b..a4bd906 100644
66	--- a/modules/pam_unix/pam_unix.8
67	+++ b/modules/pam_unix/pam_unix.8
68	@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
69	.RS 4
70	The default action of this module is to not permit the user access to a service if their official password is blank\&. The
71	\fBnullok\fR
72	-argument overrides this default\&.
73	+argument overrides this default and allows any user with a blank password to access the service\&.
74	+.RE
75	+.PP
76	+\fBnullok_secure\fR
77	+.RS 4
78	+The default action of this module is to not permit the user access to a service if their official password is blank\&. The
79	+\fBnullok_secure\fR
80	+argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&.
81	.RE
82	.PP
83	\fBtry_first_pass\fR
84	diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml	39	diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
85	index a8b64bb..1ced6f4 100644	40	index 1b318f1..be0330e 100644
86	--- a/modules/pam_unix/pam_unix.8.xml	41	--- a/modules/pam_unix/pam_unix.8.xml
87	+++ b/modules/pam_unix/pam_unix.8.xml	42	+++ b/modules/pam_unix/pam_unix.8.xml
88	@@ -159,7 +159,24 @@	43	@@ -159,7 +159,24 @@
@@ -112,10 +67,10 @@ index a8b64bb..1ced6f4 100644
112	</listitem>	67	</listitem>
113	</varlistentry>	68	</varlistentry>
114	diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c	69	diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
115	index abccd82..2361957 100644	70	index fc8595e..29e3341 100644
116	--- a/modules/pam_unix/support.c	71	--- a/modules/pam_unix/support.c
117	+++ b/modules/pam_unix/support.c	72	+++ b/modules/pam_unix/support.c
118	@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t pamh, int flags, int remember, int *rounds,	73	@@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t pamh, int flags, int remember, int *rounds,
119	/* now parse the arguments to this module */	74	/* now parse the arguments to this module */
120		75
121	for (; argc-- > 0; ++argv) {	76	for (; argc-- > 0; ++argv) {
@@ -141,7 +96,7 @@ index abccd82..2361957 100644
141	}	96	}
142	}	97	}
143		98
144	@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,	99	@@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,
145	if (child == 0) {	100	if (child == 0) {
146	static char *envp[] = { NULL };	101	static char *envp[] = { NULL };
147	const char *args[] = { NULL, NULL, NULL, NULL };	102	const char *args[] = { NULL, NULL, NULL, NULL };
@@ -149,7 +104,7 @@ index abccd82..2361957 100644
149		104
150	/* XXX - should really tidy up PAM here too */	105	/* XXX - should really tidy up PAM here too */
151		106
152	@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,	107	@@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,
153	/* exec binary helper */	108	/* exec binary helper */
154	args[0] = CHKPWD_HELPER;	109	args[0] = CHKPWD_HELPER;
155	args[1] = user;	110	args[1] = user;
@@ -167,7 +122,7 @@ index abccd82..2361957 100644
167	args[2]="nullok";	122	args[2]="nullok";
168	} else {	123	} else {
169	args[2]="nonull";	124	args[2]="nonull";
170	@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t pamh, unsigned int ctrl, const char name)	125	@@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t pamh, unsigned int ctrl, const char name)
171	if (on(UNIX__NONULL, ctrl))	126	if (on(UNIX__NONULL, ctrl))
172	return 0; /* will fail but don't let on yet */	127	return 0; /* will fail but don't let on yet */
173		128
@@ -185,7 +140,7 @@ index abccd82..2361957 100644
185	/* UNIX passwords area */	140	/* UNIX passwords area */
186		141
187	retval = get_pwd_hash(pamh, name, &pwd, &salt);	142	retval = get_pwd_hash(pamh, name, &pwd, &salt);
188	@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name	143	@@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
189	}	144	}
190	}	145	}
191	} else {	146	} else {
@@ -195,46 +150,46 @@ index abccd82..2361957 100644
195		150
196	if (retval == PAM_SUCCESS) {	151	if (retval == PAM_SUCCESS) {
197	diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h	152	diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
198	index 3729ce0..43cdbea 100644	153	index b4c279c..8da4a8e 100644
199	--- a/modules/pam_unix/support.h	154	--- a/modules/pam_unix/support.h
200	+++ b/modules/pam_unix/support.h	155	+++ b/modules/pam_unix/support.h
201	@@ -99,8 +99,9 @@ typedef struct {	156	@@ -98,8 +98,9 @@ typedef struct {
202	#define UNIX_MIN_PASS_LEN 27 /* min length for password */
203	#define UNIX_QUIET 28 /* Don't print informational messages */	157	#define UNIX_QUIET 28 /* Don't print informational messages */
204	#define UNIX_DES 29 /* DES, default */	158	#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
205	+#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */	159	#define UNIX_DES 30 /* DES, default */
		160	+#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */
206	/* -------------- */	161	/* -------------- */
207	-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */	162	-#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
208	+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */	163	+#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */
209		164
210	#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))	165	#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
211		166
212	@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =	167	@@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
213	/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},	168	/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
214	/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},	169	/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
215	/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},	170	/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
216	-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},	171	-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
217	+/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0},	172	+/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0},
218	/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},	173	/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
219	/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},	174	/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
220	/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},	175	/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
221	@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =	176	@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
222	/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
223	/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},	177	/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
		178	/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
224	/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},	179	/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
225	+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0},	180	+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0},
226	};	181	};
227		182
228	#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)	183	#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
229	@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh	184	@@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh
230	,const char *prompt2
231	,const char *data_name	185	,const char *data_name
232	,const void **pass);	186	,const void **pass);
233	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
234	+ const char *uttyname);
235		187
		188	+extern int _pammodutil_tty_secure(const pam_handle_t pamh, const char uttyname);
		189	+
236	extern int _unix_run_verify_binary(pam_handle_t *pamh,	190	extern int _unix_run_verify_binary(pam_handle_t *pamh,
237	unsigned int ctrl, const char user, int daysleft);	191	unsigned int ctrl, const char user, int daysleft);
		192	#endif /* _PAM_UNIX_SUPPORT_H */
238	--	193	--
239	2.1.4	194	2.4.0
240		195