summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* pam_unix: Document that MD5 password hash is used to store old passwords.Tomas Mraz2016-04-19
| | | | | modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used to store the old passwords when remember option is set.
* Project registered at Zanata (fedora.zanata.org) for translations.Tomas Mraz2016-04-14
| | | | | | | * zanata.xml: Configuration file for zanata client. * po/LINGUAS: Update languages as supported by Zanata. * po/Linux-PAM.pot: Updated from sources. * po/*.po: Updated from sources.
* pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.Tomas Mraz2016-04-06
| | | | | | | | | | | | | | | | We have to drop support for not_set_pass option which is not much useful anyway. Instead we get proper support for authtok_type option. * modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty pe option. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas sword() call with equivalent pam_get_authtok() call. * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop support for not_set_pass. * modules/pam_unix/support.c (_unix_read_password): Remove. * modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.
* pam_get_authtok(): Add authtok_type support to current password prompt.Tomas Mraz2016-04-06
| | | | | | * libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password, use different prompt for current password allowing for authtok_type to be displayed to the user.
* pam_unix: Make password expiration messages more user-friendly.Tomas Mraz2016-04-04
| | | | | * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password expiration messages more user-friendly.
* innetgr may not be there so make sure that when innetgr is not presentThorsten Kukuk2016-04-04
| | | | | | | | | | | then we inform about it and not use it. [ticket#46] * modules/pam_group/pam_group.c: ditto * modules/pam_succeed_if/pam_succeed_if.c: ditto * modules/pam_time/pam_time.c: ditto Signed-off-by: Khem Raj <raj.khem at gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* build: fix build when crypt() is not part of crypt_libs [ticket#46]Thorsten Kukuk2016-04-04
| | | | | | * configure.ac: Don't set empty -l option in crypt check Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* build: use $host_cpu for lib64 directory handling [ticket#46]Thorsten Kukuk2016-04-04
| | | | | | * configure.ac: use $host_cpu for lib64 directory handling. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* Fix whitespace issuesDmitry V. Levin2016-04-01
| | | | | | | | | | | | | | | | Remove blank lines at EOF introduced by commit a684595c0bbd88df71285f43fb27630e3829121e, making the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD * libpam/pam_dynamic.c: Remove blank line at EOF. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise.
* Use TI-RPC functions if we compile and link against libtirpc.Thorsten Kukuk2016-04-01
| | | | | | | | The old SunRPC functions don't work with IPv6. * configure.ac: Set and restore CPPFLAGS * modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with rpcb_getaddr if available.
* PAM_EXTERN isn't needed anymore, but don't remove it to not break lot ofThorsten Kukuk2016-03-29
| | | | | | external code using it. * libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility
* Remove "--enable-static-modules" option and support fromThorsten Kukuk2016-03-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux-PAM. It was never official supported and was broken since years. * configure.ac: Remove --enable-static-modules option. * doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * libpam/Makefile.am: Remove STATIC_MODULES cases. * libpam/include/security/pam_modules.h: Remove PAM_STATIC parts. * libpam/pam_dynamic.c: Likewise. * libpam/pam_handlers.c: Likewise. * libpam/pam_private.h: Likewise. * libpam/pam_static.c: Remove file. * libpam/pam_static_modules.h: Remove header file. * modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts. * modules/pam_cracklib/pam_cracklib.c: Likewise. * modules/pam_debug/pam_debug.c: Likewise. * modules/pam_deny/pam_deny.c: Likewise. * modules/pam_echo/pam_echo.c: Likewise. * modules/pam_env/pam_env.c: Likewise. * modules/pam_exec/pam_exec.c: Likewise. * modules/pam_faildelay/pam_faildelay.c: Likewise. * modules/pam_filter/pam_filter.c: Likewise. * modules/pam_ftp/pam_ftp.c: Likewise. * modules/pam_group/pam_group.c: Likewise. * modules/pam_issue/pam_issue.c: Likewise. * modules/pam_keyinit/pam_keyinit.c: Likewise. * modules/pam_lastlog/pam_lastlog.c: Likewise. * modules/pam_limits/pam_limits.c: Likewise. * modules/pam_listfile/pam_listfile.c: Likewise. * modules/pam_localuser/pam_localuser.c: Likewise. * modules/pam_loginuid/pam_loginuid.c: Likewise. * modules/pam_mail/pam_mail.c: Likewise. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_motd/pam_motd.c: Likewise. * modules/pam_namespace/pam_namespace.c: Likewise. * modules/pam_nologin/pam_nologin.c: Likewise. * modules/pam_permit/pam_permit.c: Likewise. * modules/pam_pwhistory/pam_pwhistory.c: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_rootok/pam_rootok.c: Likewise. * modules/pam_securetty/pam_securetty.c: Likewise. * modules/pam_selinux/pam_selinux.c: Likewise. * modules/pam_sepermit/pam_sepermit.c: Likewise. * modules/pam_shells/pam_shells.c: Likewise. * modules/pam_stress/pam_stress.c: Likewise. * modules/pam_succeed_if/pam_succeed_if.c: Likewise. * modules/pam_tally/pam_tally.c: Likewise. * modules/pam_tally2/pam_tally2.c: Likewise. * modules/pam_time/pam_time.c: Likewise. * modules/pam_timestamp/pam_timestamp.c: Likewise. * modules/pam_tty_audit/pam_tty_audit.c: Likewise. * modules/pam_umask/pam_umask.c: Likewise. * modules/pam_userdb/pam_userdb.c: Likewise. * modules/pam_warn/pam_warn.c: Likewise. * modules/pam_wheel/pam_wheel.c: Likewise. * modules/pam_xauth/pam_xauth.c: Likewise. * modules/pam_unix/Makefile.am: Remove STATIC_MODULES part. * modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part. * modules/pam_unix/pam_unix_auth.c: Likewise. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/pam_unix_sess.c: Likewise. * modules/pam_unix/pam_unix_static.c: Removed. * modules/pam_unix/pam_unix_static.h: Removed. * po/POTFILES.in: Remove removed files. * tests/tst-dlopen.c: Remove PAM_STATIC part.
* Fix check for libtirpc and enhance check for libnsl to includeThorsten Kukuk2016-03-24
| | | | | | | new libnsl. * configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check * modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*
* Remove YP dependencies from pam_access, they were never usedThorsten Kukuk2016-03-23
| | | | | | | | and such not needed. * modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS * modules/pam_access/pam_access.c: Remove yp_get_default_domain case, it will never be used.
* Add checks for localtime() returning NULL.Tomas Mraz2016-03-04
| | | | | | | * modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r returning NULL. * modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning NULL.
* pam_unix: Silence warnings and fix a minor bug.Tomas Mraz2016-03-04
| | | | | | | | | Fixes a minor bug in behavior when is_selinux_enabled() returned negative value. * modules/pam_unix/passverify.c: Add parentheses to SELINUX_ENABLED macro. (unix_update_shadow): Safe cast forwho to non-const char *. * modules/pam_unix/support.c: Remove unused SELINUX_ENABLED macro.
* pam_env: Document the /etc/environment file.Tomas Mraz2016-02-17
| | | | | | | * modules/pam_env/Makefile.am: Add the environment.5 soelim stub. * modules/pam_env/pam_env.8.xml: Add environ(7) reference. * modules/pam_env/pam_env.conf.5.xml: Add environment alias name. Add a paragraph about /etc/environment. Add environ(7) reference.
* pam_unix: Add no_pass_expiry option to ignore password expiration.Tomas Mraz2016-02-17
| | | | | | | | | | | | * modules/pam_unix/pam_unix.8.xml: Document the no_pass_expiry option. * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): If no_pass_expiry is on and return value data is not set to PAM_SUCCESS then ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED returns. * modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Always set the return value data. (pam_sm_setcred): Test for likeauth option and use the return value data only if set. * modules/pam_unix/support.h: Add the no_pass_expiry option.
* pam_unix: Change the salt length for new hashes to 16 charactersTomas Mraz2016-01-25
| | | | | * modules/pam_unix/passverify.c (create_password_hash): Change the salt length for new hashes to 16 characters.
* Relax the conditions for fatal failure on auditing.Tomas Mraz2015-12-17
| | | | | | | The PAM library calls will not fail anymore for any uid if the return value from the libaudit call is -EPERM. * libpam/pam_audit.c (_pam_audit_writelog): Remove check for uid != 0.
* pam_tally2: Optionally log the tally count when checking.Tomas Mraz2015-12-16
| | | | | * modules/pam_tally2/pam_tally2.c (tally_parse_args): Add debug option. (tally_check): Always log the tally count with debug option.
* Docfix: pam handle is const in pam_syslog() and pam_vsyslog()Jakub Hrozek2015-10-02
| | | | * doc/man/pam_syslog.3.xml: Add const to pam handle in pam_syslog() and pam_vsyslog().
* pam_loginuid: Add syslog message if required auditd is not detected.Tomas Mraz2015-09-24
| | | | | * modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Add syslog message if required auditd is not detected.
* Allow links to be used instead of w3m for documentation regeneration.Tomas Mraz2015-09-04
| | | | * configure.ac: If w3m is not found check for links.
* Add missing space in pam_misc_setenv man page.Tomas Mraz2015-09-04
| | | | * doc/man/pam_misc_setenv.3.xml: Add a missing space.
* pam_rootok: use rootok permission instead of passwd permission in SELinux check.Tomas Mraz2015-08-12
| | | | | * modules/pam_rootok/pam_rootok.c (selinux_check_root): Use rootok instead of passwd permission.
* pam_timestamp: Avoid leaking file descriptor.Amarnath Valluri2015-08-05
| | | | | | | * modules/pam_timestamp/hmacsha1.c(hmac_key_create): close 'keyfd' when failed to own it. Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
* Release version 1.2.1Thorsten Kukuk2015-06-22
| | | | | | | | | | | | | | | | | | | | | | | | Security fix: CVE-2015-3238 If the process executing pam_sm_authenticate or pam_sm_chauthtok method of pam_unix is not privileged enough to check the password, e.g. if selinux is enabled, the _unix_run_helper_binary function is called. When a long enough password is supplied (16 pages or more, i.e. 65536+ bytes on a system with 4K pages), this helper function hangs indefinitely, blocked in the write(2) call while writing to a blocking pipe that has a limited capacity. With this fix, the verifiable password length will be limited to PAM_MAX_RESP_SIZE bytes (i.e. 512 bytes) for pam_exec and pam_unix. * NEWS: Update * configure.ac: Bump version * modules/pam_exec/pam_exec.8.xml: document limitation of password length * modules/pam_exec/pam_exec.c: limit password length to PAM_MAX_RESP_SIZE * modules/pam_unix/pam_unix.8.xml: document limitation of password length * modules/pam_unix/pam_unix_passwd.c: limit password length * modules/pam_unix/passverify.c: Likewise * modules/pam_unix/passverify.h: Likewise * modules/pam_unix/support.c: Likewise
* Update NEWS fileThorsten Kukuk2015-04-27
|
* Release version 1.2.0Thorsten Kukuk2015-04-27
| | | | | | | | * NEWS: Update * configure.ac: Bump version * libpam/Makefile.am: Bump version of libpam * libpam_misc/Makefile.am: Bump version of libpam_misc * po/*: Regenerate po files
* Fix some grammatical errors in documentation.Thorsten Kukuk2015-04-27
| | | | | | | | | | | | | | | | | Patch by Louis Sautier * doc/adg/Linux-PAM_ADG.xml: Fix gramatical errors. * doc/man/pam.3.xml: Likewise. * doc/man/pam_acct_mgmt.3.xml: Likewise. * doc/man/pam_chauthtok.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * modules/pam_limits/limits.conf.5.xml: Likewise. * modules/pam_mail/pam_mail.8.xml: Likewise. * modules/pam_rhosts/pam_rhosts.c: Likewise. * modules/pam_shells/pam_shells.8.xml: Likewise. * modules/pam_tally/pam_tally.8.xml: Likewise. * modules/pam_tally2/pam_tally2.8.xml: Likewise. * modules/pam_unix/pam_unix.8.xml: Likewise.
* Add "quiet" option to pam_unix to suppress informential infoThorsten Kukuk2015-04-23
| | | | | | | | | messages from session. * modules/pam_unix/pam_unix.8.xml: Document new option. * modules/pam_unix/support.h: Add quiet option. * modules/pam_unix/pam_unix_sess.c: Don't print LOG_INFO messages if 'quiet' option is set.
* Use crypt_r if available in pam_userdb and in pam_unix.Tomas Mraz2015-04-07
| | | | | | | * modules/pam_unix/passverify.c (create_password_hash): Call crypt_r() instead of crypt() if available. * modules/pam_userdb/pam_userdb.c (user_lookup): Call crypt_r() instead of crypt() if available.
* Support alternative "vendor configuration" files as fallback to /etcThorsten Kukuk2015-03-25
| | | | | | | | (Ticket#34, patch from ay Sievers <kay@vrfy.org>) * doc/man/pam.8.xml: document additonal config directory * libpam/pam_handlers.c: add /usr/lib/pam.d as config file fallback directory * libpam/pam_private.h: adjust defines
* pam_env: expand @{HOME} and @{SHELL} and enhance documentationThorsten Kukuk2015-03-25
| | | | | | | | (Ticket#24 and #29) * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL} * modules/pam_env/pam_env.8.xml: Enhance documentation
* Clarify pam_access docs re PAM service names and X $DISPLAY value testing.Thorsten Kukuk2015-03-24
| | | | | | | | | (Ticket #39) * modules/pam_access/access.conf.5.xml * modules/pam_access/pam_access.8.xml Signed-off-by: Karl O. Pinc <kop at meme.com>
* Don't use sudo directory, the timestamp format is different (Ticket#32)Thorsten Kukuk2015-03-24
| | | | * modules/pam_timestamp/pam_timestamp.c: Change default timestamp directory.
* Enhance group.conf examples (Ticket#35)Thorsten Kukuk2015-03-24
| | | | * modules/pam_group/group.conf.5.xml: Enhance example by logic group entry.
* Document timestampdir option (Ticket#33)Thorsten Kukuk2015-03-24
| | | | * modules/pam_timestamp/pam_timestamp.8.xml: Add timestampdir option.
* Adjust documentation (Ticket#36)Thorsten Kukuk2015-03-24
| | | | | * libpam/pam_delay.c: Change 25% in comment to 50% as used in code. * doc/man/pam_fail_delay.3.xml: Change 25% to 50%
* Updated translations from Transifex.Tomas Mraz2015-02-18
| | | | * po/*.po: Updated translations from Transifex.
* build: raise gettext version requirementDmitry V. Levin2015-01-07
| | | | | | | | | | | | Raise gettext requirement to the latest oldstable version 0.18.3. This fixes the following automake warning: configure.ac:581: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged. configure.ac:581: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead, configure.ac:581: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files. * configure.ac (AM_GNU_GETTEXT_VERSION): Raise from 0.15 to 0.18.3. * po/Makevars: Update from gettext-0.18.3.
* build: adjust automake warning flagsRonny Chevalier2015-01-07
| | | | | | | Enable all automake warning flags except for the portability issues, since non portable features are used among the makefiles. * configure.ac (AM_INIT_AUTOMAKE): Add -Wall -Wno-portability.
* build: rename configure.in to configure.acDmitry V. Levin2015-01-07
| | | | | | | This fixes the following automake warning: aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in' * configure.in: Rename to configure.ac.
* Remove unmodified GNU gettext files installed by autopointDmitry V. Levin2015-01-07
| | | | | | | | | | | | | | | | | | These files are part of GNU gettext; we have not modified them, they are installed by autopoint which is called by autoreconf, so they had to be removed from this repository along with ABOUT-NLS, config.rpath, and mkinstalldirs files that were removed by commit Linux-PAM-1_1_5-7-g542ec8b. * po/Makefile.in.in: Remove. * po/Rules-quot: Likewise. * po/boldquot.sed: Likewise. * po/en@boldquot.header: Likewise. * po/en@quot.header: Likewise. * po/insert-header.sin: Likewise. * po/quot.sed: Likewise. * po/remove-potcdate.sin: Likewise. * po/.gitignore: Ignore these files.
* Update .gitignoreRonny Chevalier2015-01-06
| | | | * .gitignore: Ignore *.log and *.trs files.
* libpam: Only print "Password change aborted" when it's true.Luke Shumaker2015-01-02
| | | | | | | | | | | | | | | | pam_get_authtok() may be used any time that a password needs to be entered, unlike pam_get_authtok_{no,}verify(), which may only be used when changing a password; yet when the user aborts, it prints "Password change aborted." whether or not that was the operation being performed. This bug was non-obvious because none of the modules distributed with Linux-PAM use it for anything but changing passwords; pam_unix has its own utility function that it uses instead. As an example, the nss-pam-ldapd package uses it in pam_sm_authenticate(). libpam/pam_get_authtok.c (pam_get_authtok_internal): check that the password is trying to be changed before printing a message about the password change being aborted.
* build: extend cross compiling check to cover CPPFLAGS (ticket #21)Dmitry V. Levin2014-12-10
| | | | | | | | | | Use BUILD_CPPFLAGS variable to override CPPFLAGS where necessary in case of cross compiling, in addition to CC_FOR_BUILD, BUILD_CFLAGS, and BUILD_LDFLAGS variables introduced earlier to override CC, CFLAGS, and LDFLAGS, respectively. * configure.in (BUILD_CPPFLAGS): Define. * doc/specs/Makefile.am (CPPFLAGS): Define to @BUILD_CPPFLAGS@.
* Do not use yywrap (ticket #42)Dmitry V. Levin2014-12-09
| | | | | | | | | | | Our scanners do not really use yywrap. Explicitly disable yywrap so that no references to yywrap will be generated and no LEXLIB would be needed. * conf/pam_conv1/Makefile.am (pam_conv1_LDADD): Remove. * conf/pam_conv1/pam_conv_l.l: Enable noyywrap option. * doc/specs/Makefile.am (padout_LDADD): Remove. * doc/specs/parse_l.l: Enable noyywrap option.
* doc: fix a trivial typo in pam_authenticate return values (ticket #38)Kyle Manna2014-12-09
| | | | * doc/man/pam_authenticate.3.xml: Fix a typo in PAM_AUTHINFO_UNAVAIL.