!3 pam: update config

Merge pull request !3 from guoxiaoqi/next
2020-01-12 16:37:57 +08:00 · 2020-01-12 16:37:57 +08:00 · bb4e1eb22a
commit bb4e1eb22a
parent 5661d4c7c5 70bb4f2c51
8 changed files with 35 additions and 193 deletions
--- a/config-util.5
+++ b/config-util.5
@ -1,36 +0,0 @@
 .TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
 .SH NAME
 config-util \- Common PAM configuration file for configuration utilities
 .SH SYNOPSIS
 .B /etc/pam.d/config-util
 .sp 2
 .SH DESCRIPTION
 The purpose of this configuration file is to provide common 
 configuration file for all configuration utilities which must be run
 from the supervisor account and use the userhelper wrapper application.
 .sp
 The
 .BR config-util
 configuration file is included from all individual configuration
 files of such utilities with the help of the
 .BR include
 directive.
 There are not usually any other modules in the individual configuration
 files of these utilities.
 .sp
 It is possible for example to modify duration of the validity of the 
 authentication timestamp there. See
 .BR pam_timestamp(8)
 for details.
 .SH BUGS
 .sp 2
 None known.
 .SH "SEE ALSO"
 pam(8), config-util(5), pam_timestamp(8)
--- a/fingerprint-auth.pamd
+++ b/fingerprint-auth.pamd
@ -1,19 +0,0 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_fprintd.so
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
--- a/pam.spec
+++ b/pam.spec
@ -4,7 +4,7 @@
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
 Version: 1.3.1
-Release: 7
+Release: 8
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@ -13,8 +13,6 @@ Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Li
 Source5: other.pamd
 Source6: system-auth.pamd
 Source7: password-auth.pamd
 Source8: fingerprint-auth.pamd
 Source9: smartcard-auth.pamd
 Source10: config-util.pamd
 Source15: pamtmp.conf
 Source16: postlogin.pamd
@ -84,8 +82,6 @@ install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir}
 install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other
 install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth
 install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth
 install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth
 install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth
 install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
 install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
@ -124,8 +120,6 @@ fi
 %config(noreplace) %{_pamconfdir}/other
 %config(noreplace) %{_pamconfdir}/system-auth
 %config(noreplace) %{_pamconfdir}/password-auth
 %config(noreplace) %{_pamconfdir}/fingerprint-auth
 %config(noreplace) %{_pamconfdir}/smartcard-auth
 %config(noreplace) %{_pamconfdir}/config-util
 %config(noreplace) %{_pamconfdir}/postlogin
 %{_pamlibdir}/libpam.so.*
@ -173,6 +167,9 @@ fi
 %changelog
 * Sun Jan 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.3.1-8
 - update config
 * Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.3.1-7
 - clean code
--- a/password-auth.pamd
+++ b/password-auth.pamd
@ -1,14 +1,24 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
-auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
 -auth        sufficient    pam_fprintd.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 -auth        sufficient    pam_sss.so use_first_pass
 auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
 auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
 auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
 -account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so
-password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    requisite     pam_pwquality.so try_first_pass local_users_only
-password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 -password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
@ -16,3 +26,4 @@ session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 -session     optional      pam_sss.so
--- a/postlogin.5
+++ b/postlogin.5
@ -1,46 +0,0 @@
 .TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
 .SH NAME
 postlogin \- Common configuration file for PAMified services
 .SH SYNOPSIS
 .B /etc/pam.d/postlogin
 .sp 2
 .SH DESCRIPTION
 The purpose of this PAM configuration file is to provide a common
 place for all PAM modules which should be called after the stack
 configured in
 .BR system-auth
 or the other common PAM configuration files.
 .sp
 The
 .BR postlogin
 configuration file is included from all individual service configuration
 files that provide login service with shell or file access.
 .SH NOTES
 The modules in the postlogin configuration file are executed regardless
 of the success or failure of the modules in the
 .BR system-auth
 configuration file.
 .SH BUGS
 .sp 2
 Sometimes it would be useful to be able to skip the postlogin modules in
 case the substack of the
 .BR system-auth
 modules failed. Unfortunately the current Linux-PAM library does not
 provide any way how to achieve this.
 .SH "SEE ALSO"
 pam(8), config-util(5), system-auth(5)
 The three
 .BR Linux-PAM
 Guides, for
 .BR "system administrators" ", "
 .BR "module developers" ", "
 and
 .BR "application developers" ". "
--- a/smartcard-auth.pamd
+++ b/smartcard-auth.pamd
@ -1,19 +0,0 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 password    optional      pam_pkcs11.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
--- a/system-auth.5
+++ b/system-auth.5
@ -1,58 +0,0 @@
 .TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
 .SH NAME
 system-auth \- Common configuration file for PAMified services
 .SH SYNOPSIS
 .B /etc/pam.d/system-auth
 .B /etc/pam.d/password-auth
 .B /etc/pam.d/fingerprint-auth
 .B /etc/pam.d/smartcard-auth
 .sp 2
 .SH DESCRIPTION
 The purpose of these configuration files are to provide a common
 interface for all applications and service daemons calling into
 the PAM library.
 .sp
 The
 .BR system-auth
 configuration file is included from nearly all individual service configuration
 files with the help of the
 .BR substack
 directive.
 .sp
 The
 .BR password-auth
 .BR fingerprint-auth
 .BR smartcard-auth
 configuration files are for applications which handle authentication from
 different types of devices via simultaneously running individual conversations
 instead of one aggregate conversation.
 .SH NOTES
 Previously these common configuration files were included with the help
 of the
 .BR include
 directive. This limited the use of the different action types of modules.
 With the use of
 .BR substack
 directive to include these common configuration files this limitation
 no longer applies.
 .SH BUGS
 .sp 2
 None known.
 .SH "SEE ALSO"
 pam(8), config-util(5), postlogin(5)
 The three
 .BR Linux-PAM
 Guides, for
 .BR "system administrators" ", "
 .BR "module developers" ", "
 and
 .BR "application developers" ". "
--- a/system-auth.pamd
+++ b/system-auth.pamd
@ -1,14 +1,25 @@
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
-auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
 -auth        sufficient    pam_fprintd.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 -auth        sufficient    pam_sss.so use_first_pass
 auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
 auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
 auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
 auth        required      pam_deny.so
 account     required      pam_unix.so
 account     required      pam_faillock.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 1000 quiet
 -account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so
-password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    requisite     pam_pwquality.so try_first_pass local_users_only
-password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 -password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
@ -16,3 +27,4 @@ session     required      pam_limits.so
 -session     optional      pam_systemd.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 -session     optional      pam_sss.so