Diffstat (limited to 'debian/local')
-rw-r--r--debian/local/Debian-PAM-MiniPolicy6
-rw-r--r--debian/local/common-password16
-rw-r--r--debian/local/common-session5
-rw-r--r--debian/local/common-session-noninteractive2
-rw-r--r--debian/local/pam-auth-update55
-rw-r--r--debian/local/pam-auth-update.87
6 files changed, 66 insertions, 25 deletions
diff --git a/debian/local/Debian-PAM-MiniPolicy b/debian/local/Debian-PAM-MiniPolicy
index e51a0246..8cba0aee 100644
--- a/debian/local/Debian-PAM-MiniPolicy
+++ b/debian/local/Debian-PAM-MiniPolicy
@@ -83,11 +83,11 @@ those modules. E.g., /etc/pam.d/login includes the line:
therefore it must depend on libpam-modules, which provides
/lib/security/pam_limits.so.
-Applications need to depend on libpam-runtime (>= 0.76-14) to
-guarantee that /etc/pam.d/common-* exist.
+Applications need to depend on libpam-runtime to guarantee that
+/etc/pam.d/common-* exist.
Applications that use common-session-noninteractive must depend
-on libpam-runtime (>= 1.0.1-11) for this file.
+on libpam-runtime for this file.
The pam_unix.so module allows programs to authenticate the uid of the
diff --git a/debian/local/common-password b/debian/local/common-password
index 963f1eb4..676b814c 100644
--- a/debian/local/common-password
+++ b/debian/local/common-password
@@ -6,14 +6,14 @@
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
+# The "yescrypt" option enables
+#hashed passwords using the yescrypt algorithm, introduced in Debian
+#11. Without this option, the default is Unix crypt. Prior releases
+#used the option "sha512"; if a shadow password hash will be shared
+#between Debian 11 and older releases replace "yescrypt" with "sha512"
+#for compatibility . The "obscure" option replaces the old
+#`OBSCURE_CHECKS_ENAB' option in login.defs. See the pam_unix manpage
+#for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
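Review bot: The reflowed comment drops the space after `#` from its second line onward (`#hashed passwords …`, `#11. Without this option …`) and leaves a stray space in `compatibility .`, so the block no longer matches the `# ` comment style of the surrounding lines in this file. Restoring `# ` on every line and writing `for compatibility. The "obscure" option …` keeps the template consistent and readable. Since the md5sum table in pam-auth-update in this same commit appears to identify shipped versions of this file, any further reformatting of the comment would presumably need a matching checksum entry as well.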
diff --git a/debian/local/common-session b/debian/local/common-session
index 2e94d6c7..1cd4f1ae 100644
--- a/debian/local/common-session
+++ b/debian/local/common-session
@@ -3,8 +3,7 @@
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
+# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
@@ -20,6 +19,8 @@ session requisite pam_deny.so
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
+# reset the umask for new sessions
+session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
$session_additional
# end of pam-auth-update config
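Review bot: The new `session optional pam_umask.so` line passes no module arguments, and the comment above it says only that the umask is reset, not where the value comes from; the same two lines are added to common-session-noninteractive in the next file. pam_umask can take the umask from more than one source, so a reader of the template cannot tell from this comment which source is expected to apply on a default system, and `optional` means a module failure leaves the session open without a umask change. I would extend the comment to `# set the umask for new sessions from the sources documented in pam_umask(8)`, or pass the intended source explicitly as a module option so the result does not depend on the module's defaults.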
diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
index 1dd1a172..d216f6ed 100644
--- a/debian/local/common-session-noninteractive
+++ b/debian/local/common-session-noninteractive
@@ -20,6 +20,8 @@ session requisite pam_deny.so
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
+# reset the umask for new sessions
+session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
$session_nonint_additional
# end of pam-auth-update config
diff --git a/debian/local/pam-auth-update b/debian/local/pam-auth-update
index 6d17ab72..4c288d7b 100644
--- a/debian/local/pam-auth-update
+++ b/debian/local/pam-auth-update
@@ -39,7 +39,7 @@ my $blanktemplate = 'libpam-runtime/no_profiles_chosen';
my $titletemplate = 'libpam-runtime/title';
my $confdir = '/etc/pam.d';
my $savedir = '/var/lib/pam';
-my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_enable);
+my (%profiles, @sorted, @enabled, @conflicts, @new, %removals, %to_disable, %to_enable);
my $force = 0;
my $package = 0;
my $priority = 'high';
@@ -47,25 +47,23 @@ my %md5sums = (
'auth' => ['8d4fe17e66ba25de16a117035d1396aa'],
'account' => ['3c0c362eaf3421848b679d63fd48c3fa'],
'password' => [
+ '4d5c92d595a46b69cd61f18feb4c0574',
'50fce2113dfda83ac8bdd5a6e706caec',
'4bd7610f2e85f8ddaef79c7db7cb49eb',
'9ba753d0824276b44bcadfee1f87b6bc',
],
'session' => [
+ 'f297c731a467822cbd86e1283263e8a3',
'240fb92986c885b327cdb21dd641da8c',
'4a25673e8b36f1805219027d3be02cd2',
+ '9e633425b1878897695217ecaf75e204',
],
'session-noninteractive' => [
'ad2b78ce1498dd637ef36469430b6ac6',
+ '53c1ede0bf4c07879d3582d875917545',
],
);
-
-opendir(DIR, $inputdir) || die "could not open config directory: $!";
-while (my $profile = readdir(DIR)) {
- next if ($profile eq '.' || $profile eq '..' || $profile =~ m/~$/ || $profile =~ m/^#.+#$/);
- %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile);
-}
-closedir DIR;
+my @invalid_modules = ('pam_tally');
# use a '--force' arg to specify that /etc/pam.d should be overwritten;
# used only on upgrades where the postinst has already determined that the
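Review bot: `my @invalid_modules = ('pam_tally');` is introduced with no comment saying why the module is blacklisted or how the list is matched, and it is only consumed far below in parse_pam_profile, where each entry is interpolated into an unanchored regex, so `pam_tally` also matches `pam_tally2` and any other text that contains that string. A comment at the declaration such as `# modules no longer shipped; a profile whose fields mention any of these (substring match, see parse_pam_profile) is dropped` records that intent where the list is maintained. If catching longer names is not intended, the entries should be anchored at the point of use rather than here.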
@@ -82,6 +80,11 @@ while ($#ARGV >= 0) {
$force = 1;
} elsif ($opt eq '--package') {
$package = 1;
+ } elsif ($opt eq '--root') {
+ my $rootdir = shift @ARGV;
+ $savedir = "${rootdir}$savedir";
+ $confdir = "${rootdir}$confdir";
+ $inputdir = "${rootdir}$inputdir";
} elsif ($opt eq '--remove') {
while ($#ARGV >= 0) {
last if ($ARGV[0] =~ /^--/);
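Review bot: `my $rootdir = shift @ARGV;` in the new `--root` branch does not check that an argument was supplied, so `--root` given as the last option leaves `$rootdir` undefined, the three paths are prefixed with an empty string, and the tool quietly operates on the live `/etc/pam.d` and `/var/lib/pam` instead of the intended root. A guard such as `die "--root requires a directory argument\n" unless defined $rootdir and $rootdir ne '';` turns that into an error. The templates path read right after option parsing (the `x_loadtemplatefile('/var/lib/dpkg/info/...')` call in a later hunk) is not prefixed; if that is intentional, a one-line comment there would stop a later reader from treating it as an oversight. The enclosing `while ($#ARGV >= 0)` loop starts and ends outside this hunk.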
@@ -89,6 +92,13 @@ while ($#ARGV >= 0) {
}
# --remove implies --package
$package = 1 if (keys(%removals));
+ } elsif ($opt eq '--disable') {
+ while ($#ARGV >= 0) {
+ last if ($ARGV[0] =~ /^--/);
+ $to_disable{shift @ARGV} = 1;
+ }
+ # --disable implies --package
+ $package = 1 if (keys(%to_disable));
} elsif ($opt eq '--enable') {
while ($#ARGV >= 0) {
last if ($ARGV[0] =~ /^--/);
@@ -99,6 +109,16 @@ while ($#ARGV >= 0) {
}
}
+opendir(DIR, $inputdir) || die "could not open config directory: $!";
+while (my $profile = readdir(DIR)) {
+ next if ($profile eq '.' || $profile eq '..' || $profile =~ m/~$/ || $profile =~ m/^#.+#$/);
+ %{$profiles{$profile}} = parse_pam_profile($inputdir . '/' . $profile);
+ if (defined $profiles{$profile}{'disabled'} and $profiles{$profile}{'disabled'}) {
+ delete $profiles{$profile};
+ }
+}
+closedir DIR;
+
$priority = 'medium' if ($package);
x_loadtemplatefile('/var/lib/dpkg/info/libpam-runtime.templates','libpam-runtime');
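Review bot: A profile flagged `disabled` by parse_pam_profile is removed from `%profiles` silently on the new `delete $profiles{$profile};` line, and the later `@enabled = grep { $profiles{$_} } @enabled` filter then drops it from the generated configuration without telling the administrator why a previously enabled profile disappeared. Emitting `warn "pam-auth-update: ignoring profile $profile: it references a module that is no longer available\n";` before the delete makes the change visible in upgrade logs. The guarding condition can also be shortened to `if ($profiles{$profile}{'disabled'}) {`, since an undefined value is already false in boolean context.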
@@ -137,15 +157,23 @@ if (-e $savedir . '/seen') {
# filter out any options that are no longer available for any reason
@enabled = grep { $profiles{$_} } @enabled;
+# add configs to enable
+push(@enabled,
+ grep { $to_enable{$_} } @sorted);
+
+# Disable anything explicitly disabled
+@enabled = grep {!$to_disable{$_} } @enabled;
+# And we've seen anything we disable
+foreach my $i (keys %to_disable) {
+ $seen{$i} = 1;
+}
+
# an empty module set is an error, so in that case grab all the defaults
if (!@enabled) {
%seen = ();
$priority = 'high' unless ($force);
}
-# add configs to enable
-push(@enabled,
- grep { $to_enable{$_} } @sorted);
# add any previously-unseen configs
push(@enabled,
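Review bot: The new `$seen{$i} = 1` loop records every name given to `--disable`, whether or not it is a known profile, and it runs just before the empty-set fallback whose `%seen = ();` discards those marks again whenever the disable emptied `@enabled`. The first means typos or obsolete names passed to `--disable` end up in `%seen` and, presumably, in the seen state saved under `$savedir`; the second suggests that disabling the last enabled profile puts it straight back if it is a default, because the `add any previously-unseen configs` push that starts at the end of this hunk then sees an empty `%seen` — worth confirming against the lines past the hunk. Restricting the loop to known profiles, `foreach my $i (grep { $profiles{$_} } keys %to_disable) {`, fixes the first; for the second the disable marks need to be re-applied after the reset, or the fallback needs to skip the names in `%to_disable`.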
@@ -702,11 +730,14 @@ sub parse_pam_profile
s/^\s+//;
s/\s+$//;
$profile{$fieldname} .= "\n$_" if ($_);
+ if (grep { $profile{$fieldname} =~ /$_/} @invalid_modules) {
+ $profile{'disabled'} = 1;
+ }
$profile{$fieldname} =~ s/^[\n\s]+//;
}
}
close(PROFILE);
- if (!defined($profile{'Session-Interactive-Only'})) {
+ if (!defined($profile{'Session-Interactive-Only'}) or $profile{'Session-Interactive-Only'} ne 'yes') {
$profile{'Session-noninteractive-Type'} = $profile{'Session-Type'};
$profile{'Session-noninteractive'} = $profile{'Session'};
$profile{'Session-noninteractive-Initial'} = $profile{'Session-Initial'};
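Review bot: The new blacklist check interpolates each `@invalid_modules` entry into an unanchored regex, `$profile{$fieldname} =~ /$_/`, and runs it against every field of the profile, so a module name mentioned in a descriptive field, or a longer module name that merely contains the entry, disables the whole profile. Use `\Q$_\E` so the entry is matched literally, and limit the check to the fields that hold module lines rather than `$fieldname` in general; the `Session`-family fields are visible at the end of this hunk, the rest of the field list is outside it. Separately, the relaxed `Session-Interactive-Only` test now treats any value other than the exact lowercase string `yes` as not interactive-only, so a profile writing `Yes` silently gets the noninteractive copies; `lc($profile{'Session-Interactive-Only'}) ne 'yes'` would be more forgiving if case-insensitive values are meant to be accepted. parse_pam_profile starts and ends outside this hunk.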
diff --git a/debian/local/pam-auth-update.8 b/debian/local/pam-auth-update.8
index a5ebdbad..a31ec921 100644
--- a/debian/local/pam-auth-update.8
+++ b/debian/local/pam-auth-update.8
@@ -23,6 +23,10 @@ pam\-auth\-update - manage PAM configuration using packaged profiles
.RB [ \-\-package " [" \-\-remove
.IR profile " [" profile\fR... "]]]"
.RB [ \-\-force ]
+.RB [ \-\-enable
+.IR profile " [" profile\fR... "]]"
+.RB [ \-\-disable
+.IR profile " [" profile\fR... "]]"
.SH DESCRIPTION
.I pam\-auth\-update
is a utility that permits configuring the central authentication policy
@@ -68,6 +72,9 @@ Indicate that the caller is a package maintainer script; lowers the
priority of debconf questions to `medium' so that the user is not
prompted by default.
.TP
+.B \-\-disable \fIprofile \fR[\fIprofile\fR...]
+Disable the specified profiles in system configuration. This can be used from system administration scripts to disable profiles.
+.TP
.B \-\-enable \fIprofile \fR[\fIprofile\fR...]
Enable the specified profiles in system configuration. This is used to
enable profiles that are not on by default.